Srss over vlan

Hello. I've configured vlan interfaces and installed SUNRay Software with vlan interface bnx67000 as dedicated interconnect interfaces. After this X server runs on terminal, connected to the interface, but dtgreet login screen doesn't appear.
We can see:
# ps -ef
root 2697 2690 0 13:09:56 ? 0:00 /usr/openwin/bin/Xsun :2 -nobanner -auth /var/dt/A:2-m7aqqf -nobanner -dpms
root 2819 2700 0 13:09:57 ? 0:00 dtgreet -display :2
root 2690 1 0 13:09:21 ? 0:00 /usr/dt/bin/dtlogin -daemon -udpPort 0
And in /etc/dt/config/Xservers:
# BEGIN SUNRAY CONFIGURATION
:2 SunRay local@none /etc/opt/SUNWut/basedir/lib/utxsun :2 -nobanner
# END SUNRAY CONFIGURATION
Does someone know the solution?
P.S. The SRSS software works normally, when configured on the same server on real interface in vlan 67 configured as interconnect.
Edited by: alp on Sep 12, 2008 2:22 AM

If I'm using their existing DHCP to provide IPs to all Sun Ray DTUs, do I need to configure something on the DHCP side?
I saw in this blog: http://blogs.sun.com/lewiz/entry/configuring_sun_ray_dhcp,
it states that we need to add these tags to make sure the Sun Ray DTUs can recognize their Sun Ray Server info. Please advise.
option space SunRay;
option SunRay.AuthSrvr code 21 = ip-address;
option SunRay.AuthSrvr IPADDRESSHERE;
option SunRay.FWSrvr code 31 = ip-address;
option SunRay.FWSrvr IPADDRESSHERE;
option SunRay.NewTVer code 23 = text;
option SunRay.NewTVer "3.0_51,REV=2004.11.10.16.18";
option SunRay.Intf code 33 = text;
option SunRay.Intf "INTERFACENAMEHERE";
option SunRay.LogHost code 24 = ip-address;
option SunRay.LogHost 192.168.1.101;
option SunRay.LogKern code 25 = integer 8;
option SunRay.LogKern 6;
option SunRay.LogNet code 26 = integer 8;
option SunRay.LogNet 6;
option SunRay.LogUSB code 27 = integer 8;
option SunRay.LogUSB 6;
option SunRay.LogVid code 28 = integer 8;
option SunRay.LogVid 6;
option SunRay.LogAppl code 29 = integer 8;
option SunRay.LogAppl 6;
AND
group {
    vendor-option-space SunRay;
    subnet 192.168.1.0 netmask 255.255.255.0 {
        authoritative;
        option routers 192.168.1.1;
        range 192.168.1.50 192.168.1.100;
    }
}

Similar Messages

  • Implementing MPLS over VLAN trunk

    We are investigating the options of running MPLS between our two core switches (C6509 with dual Sup720s) with the aim of introducing MPLS VPNs. These two core switches are linked via a Layer 2 trunk in a collapsed backbone topology.
    Is it possible to create a point-to-point MPLS-enabled link between these switches on a VLAN interface between these switches, rather than a dedicated physical port? It is anticipated that these two core switches will be PE routers (also acting as RRs, if required).

    It's possible to run MPLS on any media with IP configurable for it. So till you have IP reachability on a media, you can run MPLS.
    As in your case, you can very well run MPLS on an SVI reachable on both sides over a trunk.
    But as an afterthought, why do you want to do this? Although it's possible, why do you want to carry other VLANs on the same trunk which also carries the interconnect VLAN for the PEs?
    HTH-Cheers,
    Swaroop

  • PPPoE over VLANs -- VDSL

    Hey,
    I have the same issue as described at http://discussions.apple.com/thread.jspa?messageID=8383489
    I want to connect a Mac to the internet over a DSL modem (without a router).
    Therefore the Mac has to dial up a PPPoE connection via VLAN 132.
    I tried it with Linux and Windows - it works
    Is there a solution for it on OS X?
    thx
    Franz

    Hi there,
    I have exactly the same issue with 10.7 Lion Server. It looks like the problem is still present in Lion and it is quite a big annoyance, let's hope someone at Apple sees this and helps us out.

  • Dynamic WDS Discovery over VLAN-Trunk

    Hi, I have two WDS APs, each connected to a trunk port. Each has its BVI 1 interface connected to int f0.201, which is mapped to VLAN 201. I can access the access points by telnet, but they do not exchange wlccp information, so everyone ends up as Standalone WDS. If I send updates on f0.201 they exchange wlccp information, but they are stuck in INIT-Phase. Here is my config and the sh wlccp wds:
    dot11 vlan-name SVL-WDSC24 vlan 201
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
    interface FastEthernet0.201
     encapsulation dot1Q 201
     no ip route-cache
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    interface BVI1
     ip address 10.0.201.2 255.255.255.0
     no ip route-cache
    wlccp wds priority 2 interface f0.201
    WDSP57-1U-11-03#sh wlccp wd
    MAC: 0013.7f24.36e2, IP-ADDR: - , Priority: 2
    Interface FastEthernet0, State: INITIALIZATION
    Does anyone have a guess?
    thanks, regards dave

    Unfortunately the Aironet's Cisco IOS supports BVI interface only on native VLANs.
    You have to configure "encapsulation dot1Q 201 native" on the FastEthernet0.201 subinterface and then you should modify coherently the configuration on the switching infrastructure.
    Regards,
    Fabrizio

  • Unable to connect to Access Point over VLAN

    I have a Cisco Aironet 1142 that I am unable to ping or connect to in order to manage and unable to connect to the SSIDs. I have changed the native VLAN to 318 on the 1142. I have also set the port on my 3750X to trunk with the native VLAN set at 318. The 1142 can ping its IP address but not the Default Gateway. The switch is able to ping the Default Gateway but not the 1142. Any suggestions based upon the configs included below? Many thanks!
    Aironet 1142:
    interface Dot11Radio0.318
     encapsulation dot1Q 318 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    interface Dot11Radio1.318
     encapsulation dot1Q 318 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    interface GigabitEthernet0.318
     encapsulation dot1Q 318 native
     no ip route-cache
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    interface BVI1
     ip address 172.17.18.200 255.255.255.0
     no ip route-cache
    ip default-gateway 172.17.18.1
    3750X:
    interface GigabitEthernet1/0/30
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 318
     switchport trunk allowed vlan 3,318,956
     switchport mode trunk
     switchport nonegotiate
     switchport voice vlan 220
     srr-queue bandwidth share 1 30 35 5
     priority-queue out
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     spanning-tree portfast
     service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

    Yes, unable to ping 172.17.18.1.  BVI interface is up
    #sh int bvi1
    BVI1 is up, line protocol is up
      Hardware is BVI, address is e8b7.48f5.0f7e (bia e8ba.70e7.d430)
      Internet address is 172.17.18.200/24
      MTU 1500 bytes, BW 54000 Kbit/sec, DLY 5000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 03:18:25, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         133 packets input, 9926 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         1610 packets output, 189086 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out

  • PPPoE over VLAN

    I'm trying to set up a MacBook as a PPPoE client.
    The provider requests me to send vlan tagged pppoe packets,
    so I have set up a vlan interface (vlan0) for the ethernet
    device (eth0) and added a pppoe interface to the vlan device.
    I have connected the DSL modem to the Mac's eth0.
    When clicking "connect" the ppp daemon starts, but after a while it gives up
    without a connection. The log says it can't find a PPPoE server.
    9/12/08 2:23:02 PM macbook pppd[1860] pppd 2.4.2 (Apple version 314) started by root, uid 501
    9/12/08 2:23:02 PM macbook pppd[1860] PPPoE connecting to service '' [access concentrator '']...
    9/12/08 2:24:07 PM macbook pppd[1860] PPPoE connection failed, No route to host
    If I attach the modem to a VLAN-capable router, the connection comes up instantly.
    Does anyone know if Mac OS X is really able to tag PPPoE packets? Linux and Vista do.
    Any comment is very appreciated, thank you.

    There seems to be a bug in Apple's pppd or in the PPPoE.ppp plugin.
    When I try to set up the PPPoE connection this way:
    pppd plugin PPPoE.ppp device vlan0 noauth defaultroute user username password pw
    packets of ethertype PPPoE should go to vlan0. But tcpdumps didn't show any PPPoE packets
    on that interface. Instead, all PPPoE communication is being sent to the standard ethernet interface en0.
    Here is an excerpt of packet headers from the vlan0 dump:
    tcpdump -nevv -XX -i vlan0 >tcpdump-vlan0.txt:
    No ethertype of PPPoE in vlan, only DNS broadcasts...
    14:53:55.485917 00:16:cb:cd:1f:df > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl
    14:54:03.986736 00:16:cb:cd:1f:df > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl
    14:54:12.933303 00:16:cb:cd:1f:df > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl
    14:54:21.292128 00:16:cb:cd:1f:df > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl
    14:55:30.249114 00:16:cb:cd:1f:df > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl
    14:59:04.535913 00:16:cb:cd:1f:df > 33:33:00:00:00:fb, ethertype IPv6 (0x86dd), length 93: (hlim
    14:59:04.635579 00:16:cb:cd:1f:df > 33:33:00:00:00:fb, ethertype IPv6 (0x86dd), length 131: (hlim
    15:02:38.235331 00:16:cb:cd:1f:df > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl
    15:04:20.721812 00:16:cb:cd:1f:df > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl
    15:04:29.003659 00:16:cb:cd:1f:df > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl
    tcpdump -nevv -XX -i en0 >tcpdump-en0.txt:
    There is some vlan communication on en0, but these are only BootP/DHCP requests.
    The PPPoE packets all seem to go without VLAN tags...
    15:08:44.894534 00:16:cb:cd:1f:df > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 7, p 0, ethertype IPv4, (tos 0x0, ttl 255, id 41394, offset 0, flags [none], proto UDP (17), length 328) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:cb:cd:1f:df, length 300, xid 0x7bc5028f, secs 24, Flags [none] (0x0000)
    Client-Ethernet-Address 00:16:cb:cd:1f:df [|bootp]
    0x0000: ffff ffff ffff 0016 cbcd 1fdf 8100 0007 ................
    0x0010: 0800 4500 0148 a1b2 0000 ff11 18f3 0000 ..E..H..........
    0x0020: 0000 ffff ffff 0044 0043 0134 6314 0101 .......D.C.4c...
    0x0030: 0600 7bc5 028f 0018 0000 0000 0000 0000 ..{.............
    0x0040: 0000 0000 0000 0000 0000 0016 cbcd 1fdf ................
    0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    15:08:46.890680 00:16:cb:cd:1f:df > ff:ff:ff:ff:ff:ff, ethertype PPPoE D (0x8863), length 32: PPPoE PADI [Service-Name] [Host-Uniq 0x04348D04]
    0x0000: ffff ffff ffff 0016 cbcd 1fdf 8863 1109 .............c..
    0x0010: 0000 000c 0101 0000 0103 0004 0434 8d04 .............4..
    15:08:49.891668 00:16:cb:cd:1f:df > ff:ff:ff:ff:ff:ff, ethertype PPPoE D (0x8863), length 32: PPPoE PADI [Service-Name] [Host-Uniq 0x04348D04]
    0x0000: ffff ffff ffff 0016 cbcd 1fdf 8863 1109 .............c..
    0x0010: 0000 000c 0101 0000 0103 0004 0434 8d04 .............4..
    15:08:52.892753 00:16:cb:cd:1f:df > ff:ff:ff:ff:ff:ff, ethertype PPPoE D (0x8863), length 32: PPPoE PADI [Service-Name] [Host-Uniq 0x04348D04]
    0x0000: ffff ffff ffff 0016 cbcd 1fdf 8863 1109 .............c..
    0x0010: 0000 000c 0101 0000 0103 0004 0434 8d04 .............4..
    15:08:53.209108 00:16:cb:cd:1f:df > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 7, p 0, ethertype IPv4, (tos 0x0, ttl 255, id 41395, offset 0, flags [none], proto UDP (17), length 328) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:cb:cd:1f:df, length 300, xid 0x7bc5028f, secs 33, Flags [none] (0x0000)
    Client-Ethernet-Address 00:16:cb:cd:1f:df [|bootp]
    0x0000: ffff ffff ffff 0016 cbcd 1fdf 8100 0007 ................
    0x0010: 0800 4500 0148 a1b3 0000 ff11 18f2 0000 ..E..H..........
    0x0020: 0000 ffff ffff 0044 0043 0134 630b 0101 .......D.C.4c...
    0x0030: 0600 7bc5 028f 0021 0000 0000 0000 0000 ..{....!........
    0x0040: 0000 0000 0000 0000 0000 0016 cbcd 1fdf ................
    0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    Any comments would be appreciated, thank you very much (Apple, are you listening?)
    Mr. Z.
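The check the post above performs by eye on the en0 dump, as an added example that is not part of the original thread: parse each Ethernet frame, read the 802.1Q tag if there is one, and list every PPPoE frame that is not tagged with the expected VLAN. The function names are this example's own, the expected VLAN id 7 is the one carried by the tagged DHCP frame in the dump, and `PADI_TAGGED` is a constructed frame.

```python
"""Check whether PPPoE frames in a capture carry the expected 802.1Q tag."""
import struct

ETH_8021Q = 0x8100
ETH_PPPOE_DISCOVERY = 0x8863
ETH_PPPOE_SESSION = 0x8864
PPPOE_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
PPPOE_TAGS = {0x0101: "Service-Name", 0x0102: "AC-Name", 0x0103: "Host-Uniq"}

# First 32 bytes of two frames, copied from the en0 hex dump in the post.
PADI_UNTAGGED = bytes.fromhex(
    "ffffffffffff0016cbcd1fdf88631109"
    "0000000c010100000103000404348d04"
)
DHCP_TAGGED_HEAD = bytes.fromhex(
    "ffffffffffff0016cbcd1fdf81000007"
    "080045000148a1b20000ff1118f30000"
)
# Constructed sample (not from the post): the same PADI with an 802.1Q
# header for VLAN 7 inserted after the source MAC, i.e. what a correctly
# tagged discovery frame would look like on the wire.
PADI_TAGGED = PADI_UNTAGGED[:12] + bytes.fromhex("81000007") + PADI_UNTAGGED[12:]


def mac(raw):
    """Format six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_pppoe_tags(payload):
    """Walk the TLV tags of a PPPoE discovery payload."""
    tags, pos = [], 0
    while pos + 4 <= len(payload):
        tag_type, tag_len = struct.unpack_from("!HH", payload, pos)
        value = payload[pos + 4:pos + 4 + tag_len]
        if len(value) < tag_len:
            break  # capture was truncated inside this tag
        tags.append((PPPOE_TAGS.get(tag_type, f"0x{tag_type:04x}"), value.hex()))
        pos += 4 + tag_len
    return tags


def parse_frame(frame):
    """Return addresses, VLAN id (or None), ethertype and PPPoE details."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    info = {"dst": mac(frame[0:6]), "src": mac(frame[6:12]),
            "vlan": None, "pppoe": None}
    offset = 14
    if ethertype == ETH_8021Q:
        if len(frame) < 18:
            raise ValueError("frame truncated inside the 802.1Q header")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        info["vlan"] = tci & 0x0FFF  # low 12 bits of the TCI are the VLAN id
        offset = 18
    info["ethertype"] = ethertype
    is_pppoe = ethertype in (ETH_PPPOE_DISCOVERY, ETH_PPPOE_SESSION)
    if is_pppoe and len(frame) >= offset + 6:
        _ver_type, code, session_id, length = struct.unpack_from("!BBHH", frame, offset)
        body = frame[offset + 6:offset + 6 + length]
        info["pppoe"] = {
            "code": PPPOE_CODES.get(code, f"0x{code:02x}"),
            "session_id": session_id,
            # Only discovery frames carry TLV tags; session frames carry PPP.
            "tags": parse_pppoe_tags(body) if ethertype == ETH_PPPOE_DISCOVERY else [],
        }
    return info


def pppoe_vlan_violations(frames, expected_vlan):
    """List (index, PPPoE code, VLAN seen) for PPPoE frames on the wrong VLAN."""
    violations = []
    for index, frame in enumerate(frames):
        info = parse_frame(frame)
        if info["pppoe"] and info["vlan"] != expected_vlan:
            violations.append((index, info["pppoe"]["code"], info["vlan"]))
    return violations


if __name__ == "__main__":
    capture = [DHCP_TAGGED_HEAD, PADI_UNTAGGED, PADI_TAGGED]
    for hit in pppoe_vlan_violations(capture, expected_vlan=7):
        print("PPPoE frame #%d (%s) sent with VLAN %s" % hit)
```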

  • Windows Server 2008r2 Printer Sharing over vlan

    Hi folks,
    I have a Windows Server 2008r2 set up as my workstation and I'd like to share the printer with 4 new macs. I've set up Printing Services on WS2008r2 and enabled IPP, LPD and everything else I could think of.
    The printer sharing works, our other laptop which is Win7 can use it normally, but setting up the share on a Mac is a whole new kettle of fish.
    I couldn't get it to connect via IPP, Mac keeps insisting on port 631 even though IPP is running on port 80 here. I have no idea what to put into the address field, if I copy/paste the URL the Mac doesn't recognise it. If I just put in the server name it's happy but insists on connecting to port 631.
    Next came LPD which seems to work, Mac connects to the server and picks up the printer. Which brings me to the next problem. If I use standard generic postscript driver then nothing happens, printer gets switched on on the server and stops. An event log entry reports an LPD error:
    "The Line Printer Daemon (LPD) service received commands in an invalid format from 172.16.8.106 and refused the print job. This can occur if the Line Printer Remote (LPR) client is incompatible with the Windows LPD service and Request for Comments (RFC) 1179. Try printing using a different LPR client."
    The printer is a Brother hl-6050D/DN series. If I switch the printer options from generic postscript to a Brother printer it will print but it only uses about 60% of the space, so everything is shrunk on the page. It does print the full content of the page, just makes everything smaller. I managed to get this far by selecting one of the BJC (Bubblejet) models from the drop-down list.
    I've installed Brother's driver for 5060D/DN from their site but it's not available anywhere on the Mac. How do I tell the Mac to use a different driver?
    I feel I'm getting close to fixing this, but now the problem is in Macland and I'm not too familiar with it.
    Anyone got any suggestions? Any help would be appreciated!
    Thanks!

    I'm going to apologize first because I don't have a real solution and my post will sound negative, but my experience may give some insight.
    My experience is that Apple didn't get Windows printing "done right" until 10.5. Prior to that, I could never print to a Canon S800 printer attached to a Vista Ultimate machine. With the printer attached to an XP machine, I could print, but it would often fail. (Just no output and OSX saying printer was offline.) This was with a G3 B&W with 10.3 and an iMac with 10.4. And like you, I did try the IPP and LPD settings but just never got a usable setup.
    Then I got a Macbook Pro with 10.5. Printing worked fine straight out of the box to the same S800 printer on Vista. Mac Mini with 10.5 worked also. Upgraded both to 10.6 and printing still works. Even a clean reload of 10.6 on the Macbook, Windows printing is fine. Also to an Epson R280 attached to the same Vista machine.
    Windows 2008, having more in common with Vista and Win7, I'd guess that you may be having similar issues to me. I don't know of any fix, other than 10.5. If you have a friend with a newer Mac, then you can test it. (Otherwise, if you can upgrade your Mac to 10.5 or 10.6. But testing with a friend's Mac would save the cost of buying an OSX upgrade if it didn't work.)
    Like I said, no real solution, other than possibly upgrading to 10.5/10.6. So maybe just a pointer to a different line of thinking. Good luck!

  • Aggregates, VLAN's, Jumbo-Frames and cluster interconnect opinions

    Hi All,
    I'm reviewing my options for a new cluster configuration and would like the opinions of people with more expertise than myself out there.
    What I have in mind as follows:
    2 x X4170 servers with 8 x NIC's in each.
    On each 4170 I was going to configure 2 aggregates with 3 nics in each aggregate as follows
    igb0 device in aggr1
    igb1 device in aggr1
    igb2 device in aggr1
    igb3 stand-alone device for iSCSI network
    e1000g0 device in aggr2
    e1000g1 device in aggr2
    e1000g2 device in aggr3
    e1000g3 stand-alone device of iSCSI network
    Now, on top of these aggregates, I was planning on creating VLAN interfaces which will allow me to connect to our two "public" network segments and for the cluster heartbeat network.
    I was then going to configure the vlan's in an IPMP group for failover. I know there are some questions around that configuration in the sense that IPMP will not detect a nic failure if a NIC goes offline in the aggregate, but I could monitor that in a different manner.
    At this point, my questions are:
    [1] Are VLANs, on top of aggregates, supported within Solaris Cluster? I've not seen anything in the documentation to mention that it is, or is not for that matter. I see that VLANs are supported, including support for cluster interconnects over VLANs.
    Now with the standalone interface I want to enable jumbo frames, but I've noticed that the igb.conf file has a global setting for all nic ports, whereas I can enable it for a single nic port in the e1000g.conf kernel driver. My questions are as follows:
    [2] What is the general feeling with mixing MTU sizes on the same LAN/VLAN? I've seen some comments that this is not a good idea, and some say that it doesn't cause a problem.
    [3] If the underlying nic, igb0-2 (aggr1) for example, has 9k mtu enabled, I can force the mtu size (1500) for "normal" networks on the vlan interfaces pointing to my "public" network and cluster interconnect vlan. Does anyone have experience of this causing any issues?
    Thanks in advance for all comments/suggestions.

    For 1) the question is really "Do I need to enable Jumbo Frames if I don't want to use them (neither public nor private network)" - the answer is no.
    For 2) each cluster needs to have its own separate set of VLANs.
    Greets
    Thorsten

  • VLAN's in Oracle VM 3.0.1

    hi all
    I have made a trunk on the Cisco switch for my port eth1. I trunk vlan16 and vlan20. When I create these two VLAN segments in Oracle VM, I have no connection. When I make an untagged VLAN then it works with both networks, but I want to split it into 2 segments. Can Oracle VM 3.0.1 work with this function / trunk from a Cisco switch? Or what must I do so that I can define 2 segments over VLAN on Oracle VM?
    greetz
    franco

    francok wrote:
    I go to the hardware tab - vlan groups - create a VLAN with 2 Segments - VLAN16 Segment and VLAN20 Segment. This VLAN is running on the second network interface / eth1. eth0 is bonded / original / for Management. On ifconfig I see eth1 and eth1.16 and eth1.20, but I get no network contact on the VMs. When I make the VLAN with an untagged VLAN then I can give IP addresses from vlan16 and vlan20! What can I do so that I can work with these two segments?

    If your IP addresses work with an untagged VLAN, then the VLAN stuff isn't working properly on your switch. Once you enable the VLAN stuff, it'll start tagging the packets with those VLAN IDs. I have several VLANs working in my OVM 3.0.1 install, so I know it works. :)

  • SF300 Daisy Chain VLAN Question

    OK, this is a complicated setup, and myself and my fellow IT staff have been beating our heads on a wall trying to get this to work, at this point we do not even know if we have this configured right, so any input on this would be most appreciated.
    We are in the process of adding some new buildings to our network via some AirMax wireless bridges.  On the either end of the bridges will be a series of SF300 switches.
    For clarification, here is how our setup will go equipment wise....
    Cisco 3550 Switch -> SF300-08 Switch -> Airmax Bridge ---------- AirMax Bridge -> SF300-08 -> SF300-24
    The 3550 is "inside" our corporate network, from the first SF300-08 to the 2nd SF300-08 will be "outside" our network, and the final SF300-24 will be considered "inside" our network.
    For all intents and purposes, we are trying to build this out correctly without the AirMax bridges in place at the start since they are just a bridge and should function as a cable once in place.  Since the segment from one SF300-08 to the other will be considered external equipment, we need to have the feed from the 3550 to the SF300-24 as an isolated VLAN through this chain to be able to give the remote office network access.  We want the SF300-24 to think that it is basically trunked directly into the 3550 once all is said with all our internal VLANS available at the opposite end.
    Right now, based on documentation and things we have read in various forums, we have it currently setup as follows :
        IN                                           OUT
    1)                                               3550 dot1q Trunk
    2)  SF300-08 Customer QinQ Trunk (vlan 3000)     SF300-08 Trunk (vlan 3000)
    3)  SF300-08 Trunk (vlan 3000)                   SF300-08 Customer QinQ Trunk (vlan 3000)
    4)  SF300-24 Trunk
    So, we are trunking the 3550 into the SF300 chain, passing the internal information over vlan 3000 while in transport, then coming out the other end on the SF300-24 trunk port.
    Is this in any way remotely correct for what we are trying to do?  I know that if we stuck with all 3550s throughout the chain that we would have some dot1q-tunnel ports configured for an easier setup, but from the limited knowledge I have on these 300 series switches they are not capable of being configured this way, and I may well be totally wrong in that.
    I will be happy to clarify more on certain parts if needed, but with so many pieces of equipment in this chain screenshotting everything would be a hellish mess.
    Any suggestions or input on this would be greatly helpful at this point.

    check the mtu's of the AirMax Bridges, lol... this made us beat our heads for way too long

  • SLM2008 to SG200-08 VLAN

    Hi,
    I have the following setup:
    Service Provider connected to SLM2008 port 2
    SLM2008 connected to SG300-20 using LAG2
    SG300-20 connected to SG200-08 using LAG1
    SG200-08 port 1 connected to PC
    I have configured VLAN 4 to isolate this (port-to-port) traffic from the rest of the network, however I can't obtain an IP address from the SP.
    SLM2008 : port 2 PVID 4 all frame types accepted, VLAN ID 4 assigned to port 2 and LAG 2 (consisting of port 5&6)
    on the SG300-20, the Port VLAN Membership Table shows LAG1 & 2 with 1UP, 4T (so supposed to transport VLANs 1 & 4, 1 being the default)
    SG200-08 shows Port VLAN Membership Table port 1 in access mode with PVID 4 and operational VLAN membership 4U. I can't put it to 4T except in generic mode, but this doesn't work either.
    What am I missing here ?
    Any input/feedback would be highly appreciated.
    Christophe

    Hi chrebert,
    Thanks for your answer. You're right in concluding the VLAN 1 is my default VLAN. The problem is that the switch should contact my DHCP server over VLAN 1 and since the traffic on port 1 is not tagged, the traffic DHCP request will never reach my DHCP server. As a consequence, the switch always ends up with its factory default IP address (192.168.1.254) instead of the IP address assigned by the DHCP server. And yes, that's a problem
    So to summarize, when I configure tagged access for VLAN 1 on port 1 and write this to the startup config, it is indeed present in the startup config afterwards. However, the switch ignores this upon reboot, causing VLAN 1 on port 1 to feature untagged access.
    By the way, I completely set up the switch from scratch after restoring the config to factory defaults. It would be great if you could try to reproduce the issue and hopefully come with a fix. In case you need more information, please don't hesitate to contact me.

  • Guest Vlan on unmanaged network

    I've bought some unifi wifi access points which I want to add to our network. We use a mix of cisco and netgear switches (I'll be phasing out the netgears over time). I'd like to make a guest vlan for the wifi, I'm just not sure how is best to do it, there are some details on a possible setup here.
    At the moment we have an unmanaged network so everything is using vlan1
    We use 2 Cisco Pix 515e firewalls (one as backup), they go directly to a switch, then we use a Windows server for DHCP. The config for the firewall (fw1) interface that connects to a switch is:
     speed 100
     duplex full
     nameif inside
     security-level 100
     ip address 192.168.135.248 255.255.192.0 standby 192.168.135.249
    on the switch it connects to called sw1 (C2950-I6Q4L2-M) the port is configured like so:
    interface FastEthernet0/15
     switchport mode trunk
     switchport nonegotiate
     speed 100
     duplex full
    Port Gi/02 connects to the next switch which is a netgear GS748T (sw2) which then connects to various other switches
    interface GigabitEthernet0/2
     description Netgear GS748T
     switchport trunk allowed vlan 1-4
     switchport mode trunk
     switchport nonegotiate
     speed 1000
     duplex full
     flowcontrol receive desired
    (There are some other vlans created, not sure what they are for yet, I'm new here!)
    We've just bought a Cisco WS-C3650-24PS - sw3
    I was thinking of only plugging in the wifi access points into cisco switches only and creating a Vlan - Vlan20 and only allowing Vlan20 to specific ports if this is possible?
    I'm a beginner at this so the theory is there but not sure how to execute it!
    I'm thinking on the firewall fw1
    eth2
     speed 100
     duplex full
     nameif guest
     security-level 90
     ip address 192.168.0.248 255.255.255.0 standby 192.168.0.249
    on sw1 connect Gi0/2 to sw3 Gi1/1/1
    config to be
    switchport trunk allowed vlan 20
    switchport mode trunk
    switchport nonegotiate
    speed 1000
    duplex full
    sw3 will already have vlan1 going to it as part of the unmanaged network as it is connected to another switch on another port already.
    So my question is how do I set up the DHCP server on sw3 for vlan20 (192.168.0/24)?
    And how would both VLANs get sent to the wifi access points which are patched into sw3 but without vlan 20 traffic being sent to other ports which do not have the APs connected to them? I would also like to allow vlan20 to another Cisco switch.
    Or if this is the wrong way of doing it, let me know a better solution.
    Apologies in advance if this is not making much sense!

    I actually use UniFi APs in our environment too, great little APs as long as you buy the Pro models (the standard ones have their shortfalls).
    I think your PIX config looks good (it's been a while since I've touched one so I'd have to login to the 525 I have at home to confirm) Just ensure it's configured to disallow traffic from your guest VLAN to the internet network, if memory serves there's an option that's on by default to disallow traffic from a higher security if to a lower.
    It may be better to configure Sw1/0/2 and Sw3/1/1/1 with all of your VLANs, if you want redundancy you can create a LAG between the two with multiple ports. If you use different links for different VLANs and down the road something happens and both of those ports become active on the same VLAN (I/E you or someone else forgets that you're using different uplinks for different VLANs) if STP isn't setup properly you'll create a loop on that VLAN potentially flooding the network with broadcast traffic.
    As for the UniFi config, you configure the ports that the APs connect to as trunks, I assume you'll be managing the APs over VLAN 1 so the ports should be VL1 untagged, VLAN 20 tagged.
    The UniFi Controller software is used to set up and manage the APs; if you haven't already done so, install it. Once you have it installed you want to create two SSIDs, one without VLAN tagging enabled which will be your internal SSID, and another with VLAN tagging enabled for VL20 which will be your guest SSID. This way when a client connects to the Guest SSID the AP(s) will tag their traffic VLAN 20, so on ingress to SW3 the traffic will be tagged with the correct VLAN.
    The attached is a screen from my UniFi guest SSID config, you can also assign guests to a user group, which allows you to limit the bandwidth at the AP.

  • Cisco SG300 VLAN rate-limit

    I have a Cisco SG300 small business switch and 541 APs. There are 2 VLANs in our network. One must be limited by bandwidth. Does anyone have an idea how to configure VLAN rate-limiting on the SG300? And please describe CIR & CBS for me. Thanks.

    http://www.cisco.com/en/US/partner/products/ps10898/prod_command_reference_list.html
    Cisco Small Business 300 Series Managed Switches Command Line Interface Guide Release 1.3
    Select CIR and CBS according to your design. You can use a larger CBS when performance is not ideal.
    49.23 rate-limit (VLAN)
    Use the Layer 2 rate-limit (VLAN) Global Configuration mode command to limit the
    incoming traffic rate for a VLAN. Use the no form of this command to disable the
    rate limit.
    Syntax
    rate-limit vlan-id committed-rate committed-burst
    no rate-limit vlan
    Parameters
    • vlan-id—Specifies the VLAN ID.
    • committed-rate—Specifies the average traffic rate (CIR) in kbits per second
    (kbps). (Range: 3-57982058)
    • committed-burst—Specifies the maximum burst size (CBS) in bytes.
    (Range: 3000-19173960)
    Default Configuration
    Rate limiting is disabled.
    Committed-burst-bytes is 128K.
    Command Mode
    Global Configuration mode
    User Guidelines
    Traffic policing in a policy map takes precedence over VLAN rate limiting. If a
    packet is subject to traffic policing in a policy map and is associated with a VLAN
    that is rate limited, the packet is counted only in the traffic policing of the policy
    map.
    This command does not work in Layer 3 mode. It does not work in conjunction with
    IP Source Guard.
    Example
    The following example limits the rate on VLAN 11 to 150000 kbps or the normal
    burst size to 9600 bytes.
    switchxxxxxx(config)# rate-limit 11 150000 9600
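How the two parameters of `rate-limit` interact, shown with a generic single-rate token-bucket model; this is an added example, not Cisco's code and not part of the original reply, and the switch's actual policing algorithm is not described on this page. The class and function names, the 1500-byte frame size and the 12 µs spacing (back-to-back frames at 1 Gbit/s) are assumptions of the example; the ranges and the 150000 kbps / 9600 byte values are the ones quoted above.

```python
"""Single-rate token-bucket model of the CIR/CBS pair taken by rate-limit."""

CIR_RANGE_KBPS = (3, 57982058)      # committed-rate range quoted in the reply
CBS_RANGE_BYTES = (3000, 19173960)  # committed-burst range quoted in the reply


class VlanPolicer:
    """Bucket holds at most CBS bytes of credit and refills at CIR.

    Credit is tracked in millibits so the arithmetic stays in integers:
    kbit/s multiplied by microseconds gives millibits.
    """

    def __init__(self, cir_kbps, cbs_bytes):
        if not CIR_RANGE_KBPS[0] <= cir_kbps <= CIR_RANGE_KBPS[1]:
            raise ValueError("committed-rate outside the documented range")
        if not CBS_RANGE_BYTES[0] <= cbs_bytes <= CBS_RANGE_BYTES[1]:
            raise ValueError("committed-burst outside the documented range")
        self.cir_kbps = cir_kbps
        self.capacity = cbs_bytes * 8 * 1000  # bucket depth in millibits
        self.tokens = self.capacity           # bucket starts full
        self.last_us = 0

    def offer(self, t_us, size_bytes):
        """Return True if a frame arriving at t_us conforms, False if dropped."""
        refill = self.cir_kbps * (t_us - self.last_us)
        self.tokens = min(self.capacity, self.tokens + refill)
        self.last_us = t_us
        cost = size_bytes * 8 * 1000
        if cost <= self.tokens:
            self.tokens -= cost
            return True
        return False  # out-of-profile frame: no credit is consumed


def police_burst(cir_kbps, cbs_bytes, frames=20, size_bytes=1500, gap_us=12):
    """Offer a constructed back-to-back burst and return per-frame verdicts."""
    policer = VlanPolicer(cir_kbps, cbs_bytes)
    return [policer.offer(i * gap_us, size_bytes) for i in range(frames)]


if __name__ == "__main__":
    # Same CIR, two burst sizes: the documented example value and a
    # larger constructed one.
    for cbs in (9600, 30000):
        verdicts = police_burst(150000, cbs)
        passed = verdicts.count(True)
        print(f"CIR 150000 kbps, CBS {cbs} bytes: "
              f"{passed} of {len(verdicts)} frames conform")
```

With the CIR held at 150000 kbps, the 9600-byte bucket absorbs the first seven 1500-byte frames of a line-rate burst and then passes only what the refill allows, while the larger bucket passes the whole 20-frame burst.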

  • 881 - How to configure inter-VLAN routing

    I hesitate to post here -- I know that I should know my job. But here goes...
    Small business wants to use an ASA 5505 firewall on the edge connected to VDSL modem, and then an 881 to route internally (see attachment). The 881 has a downstream link to a 2960.
    Want the following "blocks":
    VLAN 33 - CLIENTS
    VLAN 55 - SERVERS
    VLAN 101 - CDLAB
    The lab is for testing, and will be connected via Cisco 2500 series router. The server farm (Server 2008 domain +) will be connected via layer 2 switch over VLAN. A DMZ is anticipated after basic connectivity is established. Connectivity is already verified from a client connected to the INSIDE interface of the ASA going to the OUTSIDE and back.
    Before I started I wiped the devices in order to start clean. Both the router and the switch are in vtp mode transparent.
    To build a trunk link, I connected the 881 and the 2960 using a crossover cable from int fa0 to int fa0/8 respectively.
    On both devices' interfaces I set switchport mode trunk.
    I configured the 3 VLANs on the 881, assigned IP addresses to them, and used switchport trunk allowed vlan add 33,55,101 to assign them to the trunk but that doesn't appear in the sh run output under the interface.
    I set both devices to switchport nonegotiate (best practices?). Once again, on the 881 this command doesn't appear in the running config.
    I configured the 3 VLANs on the 2960, then used the same switchport commands as above to assign them to the trunk.
    Here's the deal.
    From a client connected to a VLAN 33 access port on the 2960, I can't ping, for example, the VLAN 55 IP address. I can ping the VLAN 33 IP address. I also can't ping the IP address of the interface on the far side of the router headed to the ASA (int fa4).
    What am I doing wrong? I'll gladly post the running configs if anyone wants to see. I've spent most of the day on this racking my brain and literally scouring the Internet. I'd be very grateful for some assistance.
    Help!

    Thanks, Mike.
    Yeah, I might not have been too clear. But on the router, each VLAN was created using the vlan 33 command (for example) and given a name. Then I went to int vlan 33 (for example) and used ip address 10.0.33.xx 255.255.255.0 for the address and subnet mask. Those have been in place since I started. And like I said, I can ping the SVI for VLAN 33, which is mapped to the client access port I'm on.
    The problem is, I still can't ping inter-VLAN and I still can't ping the far side interface.
    Bummer...

  • WRVS4400n v1.1 VLAN on WAN interface

    Hi,
    Been trying to figure out how to create VLANs on the WAN interface of the WRVS4400n. Is this even possible with the factory firmware?

    Dear Steve,
    Thank you for your reply.
    The router already has the latest firmware, 1.1.13
    The situation is as follows. Our office gets several services over fiber which is switched to copper over an end node (not protocol just light <-> electric) so essentially we are connected to the internet over ethernet.
    Anyway, our provider is rather mysterious over how their services work and prefers that everybody uses the equipment provided by them. The equipment is rather cheap and limited in functionality, also we're having a few problems because the equipment doesn't allow us to switch certain functions off.
    We get 3 services from our provider.
    1. Internet (VLAN tagged 12)
    2. VPN like closed connection between locations (VLANs tagged 123 and tagged 124)
    3. SIP (VLAN untagged 13)
    So I did a little investigation and came up with the following.
    * For internet services they're using a PPPoE tunnel, this tunnel is established over a tagged VLAN 12.
    * VLANs 123 and 124 are for ourselves, so just connection between our offices. I don't know what the infrastructure/setup is behind this service but it somehow magically works.
    * Then finally there's the SIP service which is done over VLAN 13 untagged.
    So what I need to do is create a PPPoE tunnel over VLAN 12 (for internet access) and also set up VLANs 13, 123 and 124 to be forwarded to specific ports on the router.
    /edit:
    When I look at the settings in the web interface I only get the VLAN settings for ports 1 to 4 and WLAN (no port 0). I'm pretty sure this router does support it and I could set it if I had a shell on the device but I don't and I'm not seeing it in the web interface either.
