Stacked VLAN (802.1Q-in-Q)

Hi,
I would like to know if the Catalyst 6500 (Sup720-3b) supports the Stacked VLANs (802.1Q-in-Q) functionality.
And if yes, in which IOS version.
Thanks for your help

Yes it does. As early as 12.1 supports this feature.
Hope this helps. Please rate helpful posts.

Similar Messages

  • Cisco 7606 stacked VLAN support

    Hi All,
    Does Cisco 7606 GigabitEthernet modules support stacked VLAN (two VLAN tags)?
    If yes, how do I configure it?
    Thanks in advance.
    Regards,
    Sarah

    Hi Sean,
    Yes, it is QinQ tunneling. I am using Cat6k-Sup720.
    Cisco7606(config-vlan)#?
    VLAN configuration commands:
    are Maximum number of All Route Explorer hops for this VLAN (or
    zero if none specified)
    backupcrf Backup CRF mode of the VLAN
    bridge Bridging characteristics of the VLAN
    exit Apply changes, bump revision number, and exit mode
    media Media type of the VLAN
    mtu VLAN Maximum Transmission Unit
    name Ascii name of the VLAN
    no Negate a command or set its defaults
    parent ID number of the Parent VLAN of FDDI or Token Ring type VLANs
    private-vlan Configure a private VLAN
    remote-span Configure as Remote SPAN VLAN
    ring Ring number of FDDI or Token Ring type VLANs
    said IEEE 802.10 SAID
    shutdown Shutdown VLAN switching
    state Operational state of the VLAN
    ste Maximum number of Spanning Tree Explorer hops for this VLAN (or
    zero if none specified)
    stp Spanning tree characteristics of the VLAN
    tb-vlan1 ID number of the first translational VLAN for this VLAN (or
    zero if none)
    tb-vlan2 ID number of the second translational VLAN for this VLAN (or
    zero if none)
    Regards,
    Sarah

  • Can the AEBS untag a VLAN (802.1q) on the WAN port?

    My modem (actually a fibre optical network terminal) provides a DHCP ethernet port. I would like to use my airport extreme for routing and wireless. Normally this would be a very simple setup, except the modem requires all traffic to go over a specific VLAN (802.1q tagged). So, for this to work I would need the Airport to be able to untag/tag a specific VLAN on its WAN port. Is this possible?

    I'll probably try to find the most minimal device that I can get to do transparent untagging of VLAN traffic. Not really sure where I might find that, but will start researching. I'd like to avoid using the current buggy router supplied by my ISP if at all possible!
    I would suggest that you look at the various products provided by Cisco. FWIW I use a Cisco RVS4000 as my "main" router and have set up a number of VLANs for my home network with it.

  • SG200-26: dynamic VLAN - 802.1X

    Last week I got my SG200-26 (SLM2024T-EU). The Data Sheet says, that the switch works with dynamic VLAN assignment over 802.1X.
    IEEE 802.1X
    (Authenticator role)
    802.1X: RADIUS authentication and accounting, MD5 hash
    Supports time-based 802.1X
    Dynamic VLAN assignment
    The authentication on freeRADIUS works. A client could get access to the network after entering username and password but the client is not assigned to a VLAN. I used wireshark to sniff the authorisation process between the switch and the freeRADIUS server and the VLAN information was transmitted to the switch.
    I would appreciate it if someone could give me some help on how to configure the switch to work with dynamic VLAN assignment and freeRADIUS. If you need some more information, please let me know. I will add it here as far as possible.
    Thank you very much!
    Alexander

    Hello Nico,
    Thank you for your reply.
    I will show you my scenario a little more in detail and explain, what I have configured:
    I have got one server/router with a VLAN capable NIC connected to Port g1 on the switch. On the router I created 2 VLANs with VLAN-ID 5 and VLAN-ID 6.
    Both VLAN "NICs" have a static IP address and there is a DHCP server running for each VLAN. On the same server there is a freeRADIUS server running.
    Now I did the following configuration on the switch:
    1. I assigned a static IP on the switch.
    2. SECURITY -> RADIUS:
    I added the RADIUS Server IP address and the key string (same on switch and freeRADIUS) and I ticked Usage-Type: 802.1X
    3. SECURITY -> 802.1X -> Properties
    Port-Based Authentication: Enabled is ticked
    RADIUS
    4. SECURITY -> 802.1X -> Port Authentication
    Administrative Port Control: Auto is ticked
    5. VLAN-Management --> Create VLAN
    VLAN-ID 5
    Descr. VLAN5
    VLAN-ID 6
    Descr. VLAN6
    I think, to this point the configuration is correct, isn't it ?
    I would appreciate very much, if you could give me advice for the further steps like Port Mode Access, Trunk or General for the clients which connect to the switch and if tagged or untagged.
    I have port g1 in trunk mode and VLAN5 and VLAN6 is tagged because my NIC is VLAN capable. But the other clients which connect to the switch do not have a VLAN capable NIC and these clients should get their VLAN assigned dynamically.
    I attached the pcap file which contains the authentication between freeRADIUS and the SG200-26 (Port g1)
    Thank you very much in advance!
    Alexander

  • Can't apply policy route-map on C3750 stack vlan interface

    Hi All.
    I've come up with this problem and i could see some people have had the same issue. I've tried to overlook and check other replies but it didn't help me. So I'm hoping someone could spot the problem. Here are the details:
    2 x WS-C3750G-24T-E in stack
    Cisco IOS Software, C3750 Software (C3750-ADVIPSERVICESK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)
    switch#sh sdm prefe
    The current template is "desktop IPv4 and IPv6 routing" template.
    The selected template optimizes the resources in
    the switch to support this level of features for
    8 routed interfaces and 1024 VLANs.
      number of unicast mac addresses:                  1.5K
      number of IPv4 IGMP groups + multicast routes:    1K
      number of IPv4 unicast routes:                    2.75K
        number of directly-connected IPv4 hosts:        1.5K
        number of indirect IPv4 routes:                 1.25K
      number of IPv6 multicast groups:                  1.125k
      number of directly-connected IPv6 addresses:      1.5K
      number of indirect IPv6 unicast routes:           1.25K
      number of IPv4 policy based routing aces:         0.25K
      number of IPv4/MAC qos aces:                      0.5K
      number of IPv4/MAC security aces:                 0.5K
      number of IPv6 policy based routing aces:         0.25K
      number of IPv6 qos aces:                          0.5K
      number of IPv6 security aces:                     0.5K
    There are 2 ISPs, G1/0/1 and G2/0/1. After creating a route-map i can apply a policy route-map to Vlan5 and it accepts without any errors. But when you do sh run vlan5 the command is not there, it's not applied.
    Any help will be appreciated.
    Thanks.

    Hi Jon.
    Thanks for your reply. I didn't put those configs as they're basic without use of VRF and WCCP. Also i've checked or tried to find the list of unsupported commands and didn't see them in that list. See config below with some extras:
    track 11 rtr 1 reachability
    track 22 rtr 2 reachability
    ip routing
    no ip dhcp use vrf connected
    interface GigabitEthernet1/0/1
     description ISP1
     no switchport
     ip address 9.9.9.2 255.255.255.252
     no ip proxy-arp
     no ip mroute-cache
     speed 100
     duplex full
     ipv6 address 2B01:4B8:0:3::2/64
     ipv6 ospf 1 area 0
     no mdix auto
     no cdp enable
    interface GigabitEthernet2/0/1
     description ISP2
     no switchport
     ip address 9.9.9.5 255.255.255.252
     ip ospf cost 10000
     speed 1000
     duplex full
     ipv6 address 2B01:4B8:0:7::2/64
     ipv6 enable
     ipv6 ospf cost 10000
     ipv6 ospf 1 area 0
    interface Vlan5
     description Company Ext Subnet
     ip address 9.9.8.1 255.255.255.128
     no ip proxy-arp
     no ip mroute-cache
     ipv6 address 2B01:4B8:1:22::1/64
     ipv6 ospf 1 area 15
    access-list 111 permit tcp any any eq www
    route-map pbr1 permit 10
     match ip address 111
     set interface GigabitEthernet2/0/1 GigabitEthernet1/0/1
    route-map pbr1 permit 20
     set interface GigabitEthernet1/0/1 GigabitEthernet2/0/1
    route-map pbr2 permit 10
     match ip address 111
     set ip next-hop verify-availability 9.9.9.6 1 track 11
     set ip next-hop 9.9.9.1
    route-map pbr2 permit 20
     set ip next-hop verify-availability 9.9.9.1 1 track 22
     set ip next-hop 9.9.9.6
    I've tried to apply both policies pbr1 and pbr2, it allowed to do that without errors but at the end it wasn't there.
    Cheers,

  • Catalyst 3850 Stack VLANs, layer 2 vs. layer 3 design question

    Hello there:
    Just a generic, design question, after doing much reading, I am just not clear as when to use one or the other, and what the benefits/tradeoffs are:
    Should we configure the switch stack w/ layer 3, or layer 2 VLANs?
    We have a Catalyst 3850 Stack, connected to an ASA-X 5545 firewall via 8GB etherchannel.
    We have about 100 servers (some connected w/ bonding or mini-etherchannels), and 30 VLANs.
    We have several 10GB connections to servers.
    We push large, (up to) TB sized files from VLAN to VLAN, mostly using scp.
    No ip phones, no POE.
    Inter-VLAN connectivity/throughput and security are priorities.
    Originally, we planned to use the ASA to filter connections between VLANs, and VACLs or PACLs on the switch stack to filter connections between hosts w/in the same VLAN.
    Thank you.

    If all of your servers are going to the 3850 then I'd say you've got the wrong switch model to do DC job.  If you don't configure QoS properly, then your servers will start dropping packets because Catalyst switches have very, very shallow memory buffers.  These memory buffers get swamped when servers do non-stop traffic. 
    Ideally, Cisco recommends the Nexus solution to connect servers to.  One of the guys here, Joseph, regularly recommends the Catalyst 4500-X as a suitable (and financial) alternative to the more expensive Nexus range.
    In a DC environment, if you have a lot of VM stuff, then stick with Layer 2.  V-Motion and Layer 3 don't go hand-in-hand.

  • Potential Security Hole with 802.1x and Voice VLANs?

    I have been looking at 802.1x and Voice VLANs and I can see what I think is a bit of a security hole.
    If a user has no authentication details to gain access via 802.1x - i.e. they have not been given a User ID or the PC doesn't have a certificate etc. If they attach a PC to a switchport that is configured with a Voice VLAN (or disconnect an IP Phone and plug the PC direct into the switchport) they can easily see via packet sniffing the CDP packets that will contain the Voice VLAN ID. They can then easily create a Tagged Virtual NIC (via the NIC utilities or driver etc) with the Voice VLAN 802.1q Tag. Assuming DHCP is enabled for the Voice VLAN they will get assigned an IP address and have access to the IP network. I appreciate the VLAN can be locked down at the Layer-3 level with ACLs so any 'non-voice related' traffic is blocked but in this scenario the user has successfully bypassed 802.1x authentication and gained access to the network?
    Has anyone done any research into this potential security hole?
    Thanks
    Andy

    Thanks for the reply. To be honest we would normally deploy some or all of the measures you list but these don't get around the issue of being able to easily bypass having to authenticate via 802.1x.
    As I said I think this is a hole but don't see any solutions at the moment except 802.1x on the IP Phone, although at the moment you can't do this with Voice VLANs?
    Andy

  • Does Cisco7200VXR support feature Q-in-Q VLAN tag termination?

    There is only 10000ESR platform support announced in feature guide and no information in Feature Navigator tool...
    http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps5207/products_feature_guide09186a00801f0f4a.html

    Hi there,
    Well.. it seems this feature has several names:
    "Cisco IOS Software Releases 12.3 T - IEEE 802.1Q-in-Q VLAN Tag Termination"
    http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801f0f4a.html
    "Cisco IOS Software Releases 12.0 S - Stacked VLAN Processing"
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a008021b9ee.html
    But I can't find any reference to the 7200 having support for it... though many others have it.. mainly switches.. not too surprising.. :)
    Did it help?

  • Dynamic VLAN assignment issue with ACS & WLC

    I have configured an ACS (v4.2) & a WLC 4402 (5.2.193.0) according to the document listed at: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    When I attempt to authenticate a user in the ACS local user database, I receive an auth failure.  I have enabled debugging in the WLC's CLI and I see that I get an authentication failure from the ACS.  Upon reviewing the ACS's 'failed attempts' log, I see the username I attempt to authenticate with but it reports 'CN user unknown' even though this user is in the local database.
    During troubleshooting, I discovered that if I modify the AAA client for the WLC and change it to 'Cisco Aironet' rather than 'Cisco Airespace', authentication works perfectly, the proper user is authenticated to the local database and I am able to connect to the SSID.  The only issue is that because I'm now using Aironet instead of Airespace, the IETF attributes 064, 065, and 081 (VLAN, 802, and the VLAN ID respectively) do not properly assign the VLAN that the user needs to be on.
    Am I missing something?

    I determined that a NAP was blocking my authentication using Airespace and can successfully authenticate with both Aironet and Airespace now.  I also reviewed the debug output of both types of connections and I can see the proper attributes coming through, but the wireless clients just won't assign to the right VLAN interface.
    I've reviewed all of the configuration settings per the document about 40 or 50 times now and I am certain I'm not missing anything.  I do indeed have override enabled but the configured interface 'management' is still the one the user is assigned to every time, even in the client connection details under the monitor tab.  ARGH!!
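The three RADIUS attributes named in the two dynamic-VLAN threads above (064 Tunnel-Type, 065 Tunnel-Medium-Type, 081 Tunnel-Private-Group-ID) can be checked mechanically in a captured Access-Accept before looking for the fault on the switch or controller. The Python below is an added example, not code from the posters or from Cisco; the function names and sample packets are constructed for illustration, and the expected values (13 = VLAN, 6 = IEEE-802) are the ones RFC 3580 specifies.

```python
import struct

# Attribute numbers per RFC 2868; required values per RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
REQUIRED = {TUNNEL_TYPE: 13, TUNNEL_MEDIUM_TYPE: 6}   # 13 = VLAN, 6 = IEEE-802
ACCESS_ACCEPT = 2


def parse_radius(packet: bytes):
    """Return (code, [(attr_type, value_bytes), ...]) with bounds checking."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"attribute {a_type} has invalid length {a_len}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def vlan_assignment(packet: bytes):
    """Return (vlan, problems); vlan is None unless all three attributes agree."""
    code, attrs = parse_radius(packet)
    problems, seen, vlan = [], {}, None
    if code != ACCESS_ACCEPT:
        problems.append(f"code {code} is not Access-Accept")
    for a_type, value in attrs:
        if a_type in REQUIRED:
            if len(value) != 4:
                problems.append(f"attribute {a_type}: expected tag + 3-byte value")
                continue
            seen[a_type] = int.from_bytes(value[1:], "big")  # skip the tag octet
        elif a_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # First octet is a tag only when <= 0x1F, else it is part of the string.
            raw = value[1:] if value[0] <= 0x1F else value
            vlan = raw.decode("ascii", errors="replace")
    for a_type, want in REQUIRED.items():
        if a_type not in seen:
            problems.append(f"attribute {a_type} missing")
        elif seen[a_type] != want:
            problems.append(f"attribute {a_type} is {seen[a_type]}, expected {want}")
    if not vlan:
        problems.append("attribute 81 missing or empty")
    return (vlan if not problems else None), problems


def build_accept(attrs):
    """Constructed test input: Access-Accept with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body


# Constructed samples (not taken from the pcap mentioned in the thread).
GOOD = build_accept([(64, b"\x00\x00\x00\x0d"), (65, b"\x00\x00\x00\x06"), (81, b"5")])
NO_MEDIUM = build_accept([(64, b"\x00\x00\x00\x0d"), (81, b"\x005")])

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("NO_MEDIUM", NO_MEDIUM)):
        print(name, vlan_assignment(pkt))
```

The authenticator is not verified here, so this only confirms that the attributes are present and well-formed, not that the reply is genuine.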

  • Policy based routing to host in same vlan/subnet

    Hello i have nexus 7k that i have a policy based routing setup as follows for 2 vlans, 802 and 803, to set default route out to a host in vlan 802. i have applied my policy to the vlans and everything works fine for a host in vlan 803, it routes over and out properly. However when im in vlan 802 my host traffic never gets to 172.21.1.237 when pointed at the gateway 172.21.1.1. I can see the pbr statistics incrementing indicating that i am initially hitting the policy but im not sure where my traffic goes after that. I can talk to .237 direct in the vlan but i would like this to work through pbr to utilize all of my other routes and default gateway.
    vlans 802
    172.21.1.1/24
    ip policy route-map West
    vlan 803
    172.21.17.1/24
    ip policy route-map West
    route-map West permit 10
      match vlan 802-803
      set ip default next-hop 172.21.1.237
    Im thinking there is some kind of hairpinning problem or maybe im creating some kind of blackhole.
    any help is appreciated.
    thanks, scott

    Scott
    If the destination IP is in the same subnet as source IP then it won't be routed it will be L2 switched so it would never use the default gateway ie.
    src IP 172.21.1.10 255.255.255.0
    dst IP 172.21.1.237 255.255.255.0
    src compares its own IP with its subnet mask and sees it is on the 172.21.1.x network. src then compares the destination IP with its own subnet mask and sees it is also on the 172.21.1.x network so it simply arps out for that address and when it gets the mac address it sends it direct to the destination. It would only use the default gateway if the destination IP was on a different network.
    So i don't see how you will be able to do this and i'm not sure why you are seeing hits in your PBR acl for the host in the 172.21.1.x network.
    Edit - what exactly do you mean when you say -
    However when im in vlan 802 my host traffic never gets to 172.21.1.237 when pointed at the gateway 172.21.1.1.
    How are you doing this ie. pointing it to the default gateway because as i say it should always be able to communicate with 172.21.1.237 as it is in the same subnet.
    Jon

  • VLAN on SRW2024 help

    Hi there,
    here's my setup and what i want to do.
    I want to have 2 networks on my SRW2024 :
    192.168.18.0
    192.168.17.0
    servers will have 2 NIC (1 on .17 and the other one on .18)
    The .17 networks will only serve to backup data.
    I'll put the .18 network on the default vlan (vlan1) and create another vlan for network .17
    I know how to create the vlan 2 but where i'm not sure it's how I tell him : port 13-24 goes to VLAN 2 and port 1-12 goes to VLAN 1
    is it in Ports to vlan tab??
    Do I need to do anything in Ports settings?
    What's the difference between : Access - General - Trunk ?
    Thanks
    Message Edited by ser_98 on 01-06-2010 06:48 AM

    Access mode: the switch port sends and receives only untagged (standard) ethernet frames. All frames belong to a single VLAN. You can only assign a single VLAN to a port in access mode.
    Trunk mode: the port uses one VLAN untagged and all other VLANs 802.1q tagged. Usually, it's the default VLAN which is untagged. You make the port member of all VLANs you want to use on that port.
    General mode: allows you to define any combination of tagged and untagged VLANs. It is usually not necessary to use this mode. Avoid it if possible.
    As your servers have two NICs and you want to use a single VLAN on each switch port only, you have to configure all ports in access mode. Make ports 1-12 member of VLAN1 and port 13-24 member of VLAN2.
    You have two alternatives for how to define membership: either you assign port membership for each VLAN (i.e. you choose a VLAN and then configure which of your 24 ports is member of that VLAN) or you assign VLAN membership for each port (i.e. you choose the port to configure first and then add/remove VLANs to that port). You can use either alternative, the only difference is the amount of work you have to do. In your case, it is better to use the first alternative as it allows you to change membership of ports 13-24 to VLAN 2 very quickly.
    Of course, if your server has NICs which can be configured for 802.1q and teaming you are able to join both NICs together and connect them like a single logical connection to the switch. The link then has double bandwidth and the differentiation between VLANs is by 802.1q tags. To use teaming, it is usually necessary that both server ethernet ports are on a single interface card.

  • ACS + VMWare thin clients with dynamic vlans

    Good afternoon,
    I need to deploy a solution with thin clients and dynamic vlans (802.1x). All switches are catalyst 3560 and superior
    Can I do this using only the ACS? Will it work?
    Thank you

    Hi,
    Dynamic VLAN assignment can be configured on the ACS.
    Please see the configuration example on the link below, this configuration example is for WLC but the ACS configuration is the same.
    http://tinyurl.com/2oxg32
    If you have any doubts do not hesitate to contact me

  • Connecting 3750 stacks

    Hi,
    I have an existing stack of 9 x 3750 switches (stack1).  Due to a proposed data centre move I will need to create a new stack in the new DC (Stack2) and slowly migrate all the switches over to it.  Both stacks will need to be fully active during the migration process.
    I have emptied 5 of the existing 3750's and removed them from Stack 1 in preparation.  I know I can connect the two stacks using etherchannel, but that is about it.  I've been searching for any documentation, or best practices but can't find anything relevant to my scenario.
    I have multiple VLANs so my questions are -
    What is the best method of connecting the two stacks initially?
    Stack 1 has an IP address for each VLAN that is the default gateway, so how would I IP the second stack VLANs?
    I believe the VLAN Db on Stack1 will be shared when I connect the stacks, what will happen when I retire stack1?
    Any help or relevant links greatly appreciated.  I've posted this in the getting started forum as although I have done very basic Cisco admin this is a step up for me, if the mods think it should be moved elsewhere please do so.
    Dave

    What is the best method of connecting the two stacks initially?
    If resources allow, etherchannel is a no-brainer.
    Stack 1 has an IP address for each VLAN that is the default gateway, so how would I IP the second stack VLANs?
    HSRP with the default gateway for each VLAN as the Virtual IP Address.
    I believe the VLAN Db on Stack1 will be shared when I connect the stacks, what will happen when I retire stack1?
    Depends if VTP mode, password and domain is configured correctly.

  • MSI 6367 / NForce Chipset / VLAN support ?

    hi everybody,
    I currently have about 200 computers with NForce Chipset on MSI 6367, and I need to know if they will support VLAN (802.1q tagging)....
    thanks for your answers !
    Batdan.

    Hi all
    nobody tried to use VLAN or nobody knows if it will work ???
    any idea where I can find any info ?
    Thanks.

  • IPv6 dual stack Host Problem

    Hello...
    I have configured a dual stack VLAN on a Cisco 6500 switch and assigned an IPv6 address on my laptop and connected it to the VLAN, but my laptop is not identifying the IPv6 address and the gateway is also not pinging from the laptop. The rest of the configuration on the switch is OK. Can anyone suggest what may be the issue?

    Dear Sunny,
    thank you for your answer.
    I've already tried this method. Unfortunately it didn't help, because the upgrade tool is not searching for those packages in other directories.
    In the meantime I found out a possible reason of the problem. It seems the usage type of the JAVA is not correct. In configtool I saw it is DW. The list of the problematic components contains all of the XSS components and one other.
    I will try the following workaround:
    - Undeploy all 'wrong' components before the upgrade
    - Remove the components from the stack xml
    - Deploy the missing components
    BR,
    Veronika
