Trunk port changes assigned VLANs spontaneously
Hello,
I have a problem with GE2 port VLAN membership in trunk mode.
When I set GE2 port as a trunk for VLAN 11 tagged, VLAN 48 tagged
and VLAN 666 untagged+PVID, it stays so only until reboot.
After reboot there are 11, 48 and 666 tagged, while VLAN 1
untagged+PVID. Everything works somehow, but there are warnings.
Default VLAN 11. The other side is 2960G with no vtp on port
and vtp is globally off.
Thank you
SF 200-24 24-Port 10/100 Smart Switch
Model Description: 24-Port 10/100 Smart Switch
Firmware Version: 1.1.1.8
Serial Number: DNI15330085
Firmware MD5 Checksum: 0b73c744e12a6f93c711867b1188736e
PID VID: SLM224GT V01
Boot Version: 1.0.0.1
Boot MD5 Checksum: 81359f6e6c7e640b53df27c4f05b8d60
Locale: en-US
Language Version: 1.1.1.6
Language MD5 Checksum: N/A
Hi Igor
Just out of interest, I see no mention that you saved the configuration in your problem description.
As the administrator's guide says on page 30, configurations will be lost if not saved.
Just in case you didn't save your configuration, here is a 6 minute video that shows, in the last minute, how to save the configuration of a 300 series switch, but it should be identical for a 200 series product.
https://cisco.webex.com/ciscosales/lsr.php?AT=pb&SP=MC&rID=56220782&rKey=5fc47a1c7b566b8c
or try from the GUI
Click Administration > File Management > Copy/Save Configuration
Copy the running configuration to the startup configuration.
If you have saved your configuration but still lose VLAN assignment, yes please follow the advice in the previous posting.
regards Dave
Similar Messages
-
Maybe there's an obvious answer, but I have this strange thing;
Switchport config
interface GigabitEthernet0/2
description Trunk to CORE02
switchport mode trunk
shutdown
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust cos
auto qos voip trust
sh vlan brie
VLAN Name Status Ports
1 default active Gi0/2
Why is it that this port, which is configured as a trunk port, shows up as active in vlan1? Also when I do a show interfaces trunk, this specific port is not listed as a trunked port. By the way I had to shutdown the port because it was causing issues. It's a redundant link, when enabled I would expect spanning tree to do its magic, but somehow it does not and instead causes half of our lan to become unreachable. Not sure why.
In my switch I cannot delete it
Switch Ports Model SW Version SW Image
* 1 52 WS-C2960S-48TS-L 12.2(58)SE2 C2960S-UNIVERSALK9-M
interface GigabitEthernet1/0/41
description 2960_24_POE_5_24
switchport mode trunk
spanning-tree portfast
_Cat_2960s_5_1#sh vla br
VLAN Name Status Ports
1 default active Gi1/0/41,
_Cat_2960s_5_1#
_Cat_2960s_5_1#sh runn all | b interface GigabitEthernet1/0/41
interface GigabitEthernet1/0/41
description 2960_24_POE_5_24
switchport
switchport access vlan 1
switchport private-vlan trunk encapsulation dot1q
switchport private-vlan trunk native vlan tag
switchport mode trunk
no switchport nonegotiate
no switchport protected
no switchport block multicast
no switchport block unicast
switchport port-security maximum 1
no switchport port-security
_Cat_2960s_5_1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
_Cat_2960s_5_1(config)#interface GigabitEthernet1/0/41
_Cat_2960s_5_1(config-if)#no switchport access vlan 1
_Cat_2960s_5_1(config-if)#^Z
_Cat_2960s_5_1#
_Cat_2960s_5_1#
_Cat_2960s_5_1#
_Cat_2960s_5_1#
_Cat_2960s_5_1#
_Cat_2960s_5_1#
_Cat_2960s_5_1#sh runn all | b interface GigabitEthernet1/0/41
interface GigabitEthernet1/0/41
description 2960_24_POE_5_24
switchport
switchport access vlan 1
switchport private-vlan trunk encapsulation dot1q
switchport private-vlan trunk native vlan tag
switchport mode trunk
another trunk port with native vlan configured is not in vlan 1 -
Authenticating Trunk Ports - VLAN list
I have a requirement to authenticate trunk ports to wireless access-points on our Cisco switch. By default all ports are access ports and we run MAB authentication. I have managed to change the port to a trunk using Cisco-av-pair attribute in ACS (cisco-av-pair = device-traffic-class=switch)
My problem now is that I need to add a VLAN allowed list on the port once it has changed to a trunk port (switchport trunk allowed vlan x,y,z). Ideally we would not want to statically assign the VLANs on each port as an AP could be on any port and may wish to authenticate other trunk ports using different VLANs in the future. Below is the configuration used on the ports.
cisp enable
interface FastEthernet0/2
description *** Client Device ***
switchport access vlan 2
switchport mode access
no logging event link-status
authentication event fail action next-method
authentication event server dead action reinitialize vlan 3
authentication event server alive action reinitialize
authentication order mab dot1x webauth
authentication priority mab dot1x webauth
authentication port-control auto
authentication fallback GUEST_FALLBACK
mab eap
dot1x pae authenticator
dot1x timeout tx-period 3
dot1x timeout supp-timeout 10
dot1x max-reauth-req 1
dot1x timeout auth-period 600
no cdp enable
spanning-tree portfast
Any help will be greatly appreciated.
Thanks
John
Hello
I would suggest the following:
>> Arrange for some physical enclosure (locked) or any other physical security control to ensure authorized access to the device. Any technical work-around or band-aid solution should only be temporary. What if someone just switches off your switches? DOS attack!! This could also be done by mistake, resulting in an unstructured threat.
>> Enable monitoring for these switches (ICMP,SNMP) so that you are alerted when they are unplugged.
>> Change the NATIVE VLAN from the default (VLAN 1)
>> Disable Trunk negotiation (ON mode)
Regards
Farrukh -
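One way to check the last two points of this reply across many ports, as an added example (not from the original posts or from Cisco): a Python audit of IOS-style interface stanzas that flags trunks still on native VLAN 1 or still negotiating, and, as an extra assumption of this example, trunks with no allowed-VLAN list. The sample config, function names and finding codes are constructed for the illustration.

```python
"""Audit trunk ports in an IOS-style config (added example, constructed data)."""
import re

# Constructed sample; interface names and VLAN numbers are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description uplink left at defaults
 switchport mode trunk
!
interface GigabitEthernet0/2
 description hardened uplink
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/3
 description user port
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/4
 description still negotiating
 switchport mode dynamic desirable
!
"""


def interface_blocks(config):
    """Yield (interface name, [sub-commands]) for each interface stanza.

    Lines are stripped first, so configs pasted without indentation still
    parse; a stanza ends at '!', 'end' or the next 'interface' line.
    """
    name, cmds = None, []
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            if name:
                yield name, cmds
            name, cmds = line.split(None, 1)[1], []
        elif line.startswith("!") or line == "end":
            if name:
                yield name, cmds
            name, cmds = None, []
        elif name and line:
            cmds.append(line)
    if name:
        yield name, cmds


def audit_interface(cmds):
    """Return finding codes for one interface's sub-commands."""
    mode, native, restricted, nonegotiate = None, 1, False, False
    for cmd in cmds:
        if m := re.fullmatch(r"switchport mode (.+)", cmd):
            mode = m.group(1)
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", cmd):
            native = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan (.+)", cmd):
            restricted = restricted or m.group(1) != "all"
        elif cmd == "switchport nonegotiate":
            nonegotiate = True

    if mode and mode.startswith("dynamic"):
        return ["negotiation-on"]  # trunking is decided by negotiation
    if mode != "trunk":
        return []  # access port, or no explicit mode (platform default)
    findings = []
    if native == 1:  # native VLAN left at the default
        findings.append("native-vlan-1")
    if not restricted:  # no allowed list, so the trunk carries every VLAN
        findings.append("all-vlans-allowed")
    if not nonegotiate:  # mode trunk without nonegotiate still negotiates
        findings.append("negotiation-on")
    return findings


def audit(config):
    """Map every interface in the config to its list of findings."""
    return {name: audit_interface(cmds) for name, cmds in interface_blocks(config)}


if __name__ == "__main__":
    for port, findings in audit(SAMPLE_CONFIG).items():
        print(f"{port:22} {', '.join(findings) or 'ok'}")
```
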
How to add VLAN to trunk port on Cisco SF200-24
Hello All,
I have a question I want to ask:
I have a Cisco switch SF200-24 and I want to configure VLANs as below:
Port 1 to 10 = Vlan 100
Port 11 to 21 = Vlan 200
Port 22 to 24 = Vlan 300
Port GE1 = Trunking (Primary)
Port GE2 = Trunking (Secondary)
How to add all VLAN 100, 200, 300 go through Trunking Primary and Secondary?
Which port can I connect for management switch?
Thanks
> How to add all VLAN 100, 200, 300 go through Trunking Primary and Secondary?
Firstly set those ports as trunks via "VLAN Management" -> "Interface settings" - click on corresponding port, click on "edit.." button and select "Trunk" from list.
Once those ports (GE1 and GE2) are as trunks, you can now assign them all desired VLANs via "VLAN Management" -> "Port VLAN Membership". Select first port (GE1), click "join VLAN" and select all desired VLANs from left list and put them to right list.
And you are done.
> Which port can I connect for management switch?
By default, switch management IP is a part of default VLAN1. If you wanted to keep access to your switch, assign "VLAN1" to one of access ports, or change management VLAN to different number than 1 - but in this case don't forget to apply correct IP settings in order to meet subnet assigned in new VLAN. -
How to configure a port channel with VLAN trunking (and make it work..)
We're trying to configure a port channel group with trunked ports to connect a NetApp HA pair. We want to create two data LIFs and connect them to the switch stack. We are trying to create 2 data lifs, one for cifs and one for nfs that are on different vlans.
We want the same ports to be able to allow multiple vlans to communicate. (trunked)
These data lifs should be able to fail over to different nodes in the HA pair and still be able to communicate on the network.
What this means is that we have to connect 4 ports each for each node in the NetApp HA Pair to the switches and create a port channel of some type that allows for trunked vlans. When we configure the ports, the configuration is as follows (below):
We are only able to configure an IP on one of the vlans.
When we configure an IP from another vlan for the data lif, it does not respond to a ping.
Does anyone have any idea what I'm doing wrong on the Cisco switch?
interface GigabitEthernet4/0/12
description Netapp2-e0a
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
channel-protocol lacp
channel-group 20 mode active
end
interface GigabitEthernet4/0/13
description Netapp2-e0c
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
channel-protocol lacp
channel-group 20 mode active
end
interface GigabitEthernet6/0/12
description Netapp2-e0b
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
channel-protocol lacp
channel-group 20 mode active
end
interface GigabitEthernet6/0/13
description Netapp2-e0d
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
channel-protocol lacp
channel-group 20 mode active
end
interface Port-channel20
description Netapp2-NFS
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
spanning-tree portfast
spanning-tree bpduguard enable
end
Our problem was fixed by the storage people. They changed the server end to trunk, and the encapsulation / etherchannel.
I like all the suggestions, and they probably helped out with the configuration getting this to work.
Thanks!
interface Port-channel20
description Netapp2-NFS
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
switchport mode trunk
interface GigabitEthernet4/0/12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
switchport mode trunk
channel-protocol lacp
channel-group 20 mode active
interface GigabitEthernet4/0/13
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
switchport mode trunk
channel-protocol lacp
channel-group 20 mode active
interface GigabitEthernet6/0/12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
switchport mode trunk
channel-protocol lacp
channel-group 20 mode active
interface GigabitEthernet6/0/13
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
switchport mode trunk
channel-protocol lacp
channel-group 20 mode active -
Hi,
Is it possible to configure a Switchport like dynamic vlan port and at the same time to be trunk port?
Hi,
Static ports that are trunking cannot become dynamic ports. You must turn off trunking on the trunk port before changing it from static to dynamic.
You can find more info here.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007f2ec.html
HTH,
Sundar -
Private VLAN Promiscuous Trunk Port - Switches which support this function
Can anyone confirm if the "Private VLAN Promiscuous Trunk Port" feature is supported in any lower end switches such as Nexus 5548/5672 or 4500X? According to the feature navigator support seems to be restricted to the Catalyst 4500 range (excluding the 4500X) as shown below. If the feature is going to be supported in the Cat 3850 this would be good to know, thanks
4500x Yes
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/release/note/OL_26674-01.html
Nexus 5k Yes
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/521_n1_3/b_5k_Layer2_Config_521N13/b_5k_Layer2_Config_521N13_chapter_0100.html
3850s
They don't support pvs at all yet
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/vlan/configuration_guide/b_vlan_3se_3850_cg/b_vlan_3se_3850_cg_chapter_0100.html
Restrictions for VLANs
The following are restrictions for VLANs:
The switch supports per-VLAN spanning-tree plus (PVST+) or rapid PVST+ with a maximum of 128 spanning-tree instances. One spanning-tree instance is allowed per VLAN.
The switch supports IEEE 802.1Q trunking methods for sending VLAN traffic over Ethernet ports.
Configuring an interface VLAN router's MAC address is not supported. The interface VLAN already has an MAC address assigned by default.
Private VLANs are not supported on the switch.
You cannot have a switch stack containing a mix of Catalyst 3850 and Catalyst 3650 switches. -
Problems with vlan and dot1q trunking port
Dear Folks,
I have problems with my AccessPoint configuration.
Even when I set the Catalyst port to trunk, I can only connect to VLAN 1 but not to VLAN 10.
And if I change the port to static VLAN 10 I cannot connect to the AP but it works...
Config below:
User Access Verification
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname 1200_PP_1
logging queue-limit 100
enable secret xxxx
clock timezone A 1
ip subnet-zero
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
ssid DEPACNGLW0HS
vlan 10
authentication shared
infrastructure-ssid
mobility network-id 10
speed basic-1.0 2.0 5.5 11.0
rts threshold 2312
channel 2412
antenna receive right
antenna transmit right
station-role root
interface Dot11Radio0.1
no ip route-cache
interface Dot11Radio0.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
speed 100
full-duplex
ntp broadcast client
interface FastEthernet0.1
encapsulation dot1Q 1
no ip route-cache
bridge-group 254
no bridge-group 254 source-learning
bridge-group 254 spanning-disabled
interface FastEthernet0.10
encapsulation dot1Q 10 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 10.2.2.222 255.255.255.0
no ip route-cache
ip default-gateway 10.2.2.2
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/122-15.JA/1100
ip radius source-interface BVI1
bridge 1 route ip
line con 0
line vty 0 4
login local
line vty 5 15
login
end
It would be fine if anyone could help me....
You configure Layer 3 Mobility with WLSM. No trunking is required on the CAT switch. However, you need to set the switch port on the CAT switch as access port in VLAN 10.
Please post the WLSM and SUP720 configuration. Also, which VLAN do you want to access the AP?
The following URL may be useful for you to verify the configuration:
http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/prod_technical_reference09186a00802a86a7.html -
Unable to add allowed VLANs to TenGig trunk port
Hi,
I've got a ten gig interface on a 6509 running 12.2(33) configured as a trunk, but I've not been able to add any allowed VLANs as I've done before on other ten gig ports on different 6509 chassis. Am I missing something obvious?
I'm assuming that the reason I'm unable to set the encapsulation to dot1q is because the new hardware doesn't support ISL, hence no need. The command to add the VLANs however doesn't get rejected, it just doesn't appear to do anything.
I've tried adding single VLANs and multiples, but no joy. Any ideas?
Here's what I've done:
SWITCH_1631(config)#default int t4/1
Interface TenGigabitEthernet4/1 set to default configuration
SWITCH_1631#sh ru int t4/12
Building configuration...
Current configuration : 65 bytes
interface TenGigabitEthernet4/12
no ip address
shutdown
end
SWITCH_1631(config)#int t4/1
SWITCH_1631(config-if)#switchport
SWITCH_1631(config-if)#switchport mode trunk
SWITCH_1631(config-if)#switchport trunk allowed vlan ?
WORD VLAN IDs of the allowed VLANs when this port is in trunking mode
add add VLANs to the current list
all all VLANs
except all VLANs except the following
none no VLANs
remove remove VLANs from the current list
SWITCH_1631(config-if)#switchport trunk allowed vlan add 700
SWITCH_1631(config-if)#
SWITCH_1631#sh vlan id 700
VLAN Name Status Ports
700 VLAN_NAME active <snip>
SWITCH_1631#sh ru int t4/1
Building configuration...
Current configuration : 74 bytes
interface TenGigabitEthernet4/1
switchport
switchport mode trunk
end
Steve,
Thanks for getting back to me. You're right that it is by default a dot1q trunk allowing all VLANs, therefore it should work for what I want to do.
Port Mode Encapsulation Status Native vlan
Gi3/39 on 802.1q trunking 1
Te4/1 on 802.1q trunking 1
Po1 on 802.1q trunking 50
Po2 on 802.1q trunking 50
Po3 on 802.1q trunking 50
Po4 on 802.1q trunking 50
Po5 on 802.1q trunking 50
Port Vlans allowed on trunk
Gi3/39 15-16,20-23,30,401,608
Te4/1 1-4094
Po1 10,13,20-21,25,30,50,52,61,70,600,700-701,950
Po2 10,20,30,50,52,61,70,600,700-701,950
Po3 10,20,30,50,61,70,600,700-701,950
Po4 10,20,30,50,61,70,600,700-701,950
Po5 2-3,10-23,25-26,30,35-36,40,50-53,56,58,61,65,70,77,101-102,145-146,155-158,401-402,600-602,608,700-701,800,950
The problem was that I've always been advised that best practise is to only allow the VLANs that are actually required on a trunk to avoid broadcasting traffic unnecessarily. I worked out what the issue was though, and it was a pretty simple one!
Once I saw that 1-4094 was allowed I tried "switchport trunk allowed vlan remove 700" which worked and left me with 1-699,701-4094.
Then I realised what the problem was trying to use the "add" command when all possible VLANs had already been added. As soon as I got rid of it and used "switchport trunk allowed vlan 700" followed by "switchport trunk allowed vlan add 701" I was back in business.
So it was a very simple issue, but thank you Steve for pointing me in the right direction and confirming that all the VLANs were already allowed! -
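The behaviour worked out in this thread, as an added example that is not part of the original posts: a small Python model of the `switchport trunk allowed vlan` keywords listed in the CLI help above, replaying the poster's sequence on a trunk that starts at the default 1-4094. The function names are this example's own, and the model mirrors only the list arithmetic, not IOS itself.

```python
"""Model of the `switchport trunk allowed vlan` keywords (added example)."""

MIN_VLAN, MAX_VLAN = 1, 4094
ALL_VLANS = frozenset(range(MIN_VLAN, MAX_VLAN + 1))


def parse_vlan_list(text):
    """Turn '10,20-23,700' into a set of VLAN IDs, rejecting bad input."""
    vlans = set()
    for part in text.split(","):
        lo, sep, hi = part.strip().partition("-")
        if not lo or (sep and not hi):
            raise ValueError(f"malformed item {part!r} in VLAN list {text!r}")
        first, last = int(lo), int(hi) if sep else int(lo)
        if not MIN_VLAN <= first <= last <= MAX_VLAN:
            raise ValueError(f"VLAN range out of bounds: {part!r}")
        vlans.update(range(first, last + 1))
    return vlans


def format_vlan_list(vlans):
    """Render a set of VLAN IDs as a compact range string, e.g. '1-699,701-4094'."""
    if not vlans:
        return "none"
    ordered = sorted(vlans)
    out, start, prev = [], ordered[0], ordered[0]
    for vlan in ordered[1:]:
        if vlan != prev + 1:  # gap found: close the current run
            out.append(str(start) if start == prev else f"{start}-{prev}")
            start = vlan
        prev = vlan
    out.append(str(start) if start == prev else f"{start}-{prev}")
    return ",".join(out)


def apply_allowed(current, args):
    """Apply the argument of one `switchport trunk allowed vlan ...` command.

    `current` is the allowed set before the command; the new set is returned.
    """
    words = args.split()
    if not words:
        raise ValueError("missing VLAN list or keyword")
    keyword, rest = words[0], "".join(words[1:])
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":      # union: a no-op when the VLAN is already allowed
        return set(current) | parse_vlan_list(rest)
    if keyword == "remove":
        return set(current) - parse_vlan_list(rest)
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(rest)
    return parse_vlan_list("".join(words))  # bare list replaces the old one


def replay(commands):
    """Run commands on a default trunk; return (command, result, changed) tuples."""
    allowed = set(ALL_VLANS)  # a new trunk allows 1-4094
    history = []
    for cmd in commands:
        new = apply_allowed(allowed, cmd)
        history.append((cmd, format_vlan_list(new), new != allowed))
        allowed = new
    return history


if __name__ == "__main__":
    for cmd, result, changed in replay(["add 700", "remove 700", "700", "add 701"]):
        note = "" if changed else "   <- no change"
        print(f"switchport trunk allowed vlan {cmd:<10} -> {result}{note}")
```
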
Wlc management port can't trunk other than native vlan
Hello,
I have installed my first WLC 5508 with this topology:
WLC connected through distribution SFP 1Gb port to Core Switch port configured as Trunk port permitting 3 Wireless VLANs:
- Management WLC, Wireless Voice and Wireless Data Vlan (native Vlan is management WLAN).
- I have created 2 dynamic interfaces on WLC regarding my Wireless VLAN:
10.7.1.0/24 : Default Management Virtual Interface when installing WLC +
10.7.6.0/24 : Voice Virtual Interface and
10.7.2.0/24 : Wireless Data Virtual Interface through GUI.
DHCP configured on each dynamic interface is the L3 vlan interface for equal VLAN subnet for CORE SWITCH containing IP DHCP Pool.
WLC Management Interface IP address is : 10.7.1.10/24
I have created 2 WLANs with SSID named Data ID 1 & Voice ID2.
I have created an AP Group named APGRP1 containing the AP registered on WLC and using both SSID WLAN.
Both AP are connected to Switch access port configured as access port to native management WLC VLAN.
I have created 3 IP DHCP pools on Core switch with related L3 Interfaces for Inter VLAN routing.
Problem: when I try to connect from laptop to Data SSID I get IP Address from management WLC VLAN a non DATA VLAN.
The same case from Wireless IP Phone configured with Voice SSID.
What can I modify to permit both devices to get IP address from the correct VLAN?
Thanks
Hi Adil,
Q1 >> AP access port on the switch must be configured on an Access port mode or trunk mode?
ANS - The LWAPP/CAPWAP APs connected to the switchport should be an Access port not trunk.
Q2>> if the first case, setting the port on, the same VLAN like WLC Management VLAN will support other WLAN Vlans (voice and data)?
ANS - Yes it does support, since the traffic which involves the WLAN will be inside the LWAPP/CAPWAP logical tunnel.
Q3>> I will verify the interface mapping between WLAN and Dynamic Interfaces and i will tell you.
ANS - I will be waiting for your response!!
lemme know if this answered your question..
Regards
Surendra
====
Please don't forget to rate the posts which answered your question and mark it as answered or was helpful -
Dedicated VLAN ID's on trunk ports
I was reading the SAFE:Security Blueprint for Enterprise Networks. This document addresses in its "Switches are targets" section on Page 6 that "Always use a dedicated VLAN ID for all trunk ports"...
I am trying to understand this concept fully.
If I consider my trunk ports, most are physical fiber "links" that interconnect the switches. Some trunk links connect Distribution L to Access L; some Distribution to Core.
Where do I put the VLAN ID on these?? Should I translate this to mean that on Gig0/0 on SW.1 I place this interface in VLAN 23 and on the switch on the other end of the link I also place the Gig0/0 in VLAN 23 as well??
Also I am not sure why this helps secure the switch. Can someone pls assist. I am grateful.
Hi,
This is not actually the VLAN pruning. This is just specifically allowing some vlans on the trunk ports and removing other unwanted vlans.
Pruning works in a diff way and it will save the bandwidth on the trunk links by pruning the unwanted broadcast on the trunks for a particular vlan if no host is active on that vlan on a particular switch. I.e. if you don't have any active host on a vlan on a particular switch and if there is a broadcast on that vlan which will come over the trunk so if no host is active that broadcast is pruned on the trunk where no host is active on the switch.
HTH,
-amit singh -
Can I 'monitor session' trunk ports to a Cisco IDS?
I ran across an existing config that has two trunk ports on a 3560 being port monitored to another port which is plugged in to a port on an ids 4515. Will the IDS be able to interpret that trunk traffic? The customer is complaining that they aren't able to see events on a local network (VLAN 1) and this is suppose to be the port they get that traffic from.
Not sure why they chose to monitor trunk ports and I'm not sure it's even possible. I want to change the monitored port to some other local VLAN port that makes sense.
Here are the existing lines:
interface G0/47
switchport trunk encap dot1q
switchport mode trunk
interface G0/48
switchport trunk encap dot1q
switchport mode trunk
monitor session 2 source interface Gi0/47 - 48
monitor session 2 destination interface Gi0/20
...port 20 goes to the ids.
There are 3 modes of sensing supported on the sensors: promiscuous, inline interface pair, and inline vlan pair.
Each mode interacts with vlan headers slightly differently.
Promiscuous:
A promiscuous sensor is fully capable of analyzing 802.1q trunk packets. The vlan will also be reported in any alerts generated.
The trick when monitoring using a trunk is to ensure the span (or vacl capture) configuration is correct on the switch to get the packets you are expecting.
Many types of switches have special caveats when a trunk is a source or destination port in the span.
We also even support Vlan Group subinterfaces on the promiscuous interface.
This allows sets of vlans on the same monitoring port to be monitored by different virtual sensors.
So you could take vlans 1-10 and monitor with vs0, and then take vlans 11-20 and monitor with vs1, etc....
However, to use this feature the switch must be very consistent in how packets are sent to the sensor. When monitoring a connection the sensor needs to see both client and server traffic. And when using Vlan Groups the sensor needs to see the client and server traffic ON THE SAME VLAN. It is this on the same vlan requirement that is not always possible with some span configurations when the switch itself is routing between vlans. Most switches are deployed with routing between vlans by the switch, and so in many cases you won't see the client and server traffic on the same vlans. This is very switch code dependent so you would need to do some research on your specific switch.
Inline Interface Pair:
With an inline interface you are pairing 2 physical interfaces together. A common deployment is to place the inline interface pair in the middle of an existing 802.1q trunk port. Interface 1 would be plugged into the switch, and interface 2 plugged into the other switch or other type of device (like router or firewall).
In this setup the sensor is fully capable of monitoring these packets with 802.1q headers.
However, there is something to keep in mind in these deployments. Often that other device (router, firewall, or switch) will route packets between vlans. So a packet going through the sensor on vlan 10 could be routed right back through the sensor again on vlan 20. Seeing the same packet again can cause TCP tracking confusion on the sensor (especially when the other device is doing small modifications to the packet like sequence number randomization).
To address these we have 2 features.
On InLine Interface Pairs we have the same Vlan Group feature as I discussed above in Promiscuous mode. (Do not confuse Vlan Groups with InLine Vlan Pairs discussed later in this response).
So with Vlan Groups you could separate the vlans across virtual sensors. So if the packet gets routed back into the sensor you could configure it so that packet gets monitored by a separate virtual sensor and it will prevent the sensor confusion with state tracking.
However, there will still be some situations where the packet may still need to cross the same virtual sensor twice. For this deployment scenario we have a configuration setting where you can tell the sensor to track tcp sessions uniquely per vlan. So long as the return packet is on a different vlan this should prevent the tcp tracking confusion. BUT there is a bug in this code right now. It should be fixed in an upcoming service pack. The workaround is to go ahead and create a unique Vlan Group for each vlan (one vlan per group instead of multiple vlans in a group), and assign all of the Vlan Groups to the virtual sensor(s).
And then you have InLine Vlan Pairs:
With InLine Vlan Pairs the monitoring interface Must be an 802.1q trunk port.
Instead of taking packets in one interface and passing to the next interface, the sensor actually takes packets in on one vlan and then sends it back on the other vlan of the pair on the same interface. It does this by modifying the vlan number in the 802.1q header. -
I have a few Cisco 1141n that are stand alone AP's that have one SSID on them. I would like to assign the ssid to vlan 2 but also be able to keep the native vlan 1 as a trunk port on it for snmp graphing as well as management of the ap. My router is going to route the traffic and my switch is the dhcp server for both vlan's. How would I go about putting ssid J&B2 on vlan 2 but keeping the 10.10.1.0 network (vlan 1) as the ip address for management? I'm guessing it would be something along the lines of a sub interface but I am lost on do I create the sub interface on the gigabit port or the dot11radio0 interface or both?
I've attached a copy of my current config. Thank you for helping me figure this out.
Hi JK,
Following config will do it for you
dot11 ssid J&B2
vlan 2
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 7 14141D061C113E2E662F2627370054455B5817
interface Dot11Radio0
encryption mode ciphers aes-ccm
ssid J&B2
no shut
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
interface Dot11Radio0.2
encapsulation dot1Q 2
bridge-group 2
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
interface GigabitEthernet0.2
encapsulation dot1Q 2
bridge-group 2
interface BVI1
ip address 10.10.1.252 255.255.255.0
ip default-gateway 10.10.1.253
******* SWITCH PORT ******
interface GigabitEthernetx/x
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1-2
switchport mode trunk
Initial config used for this post will help you as well.
http://mrncciew.com/2013/11/14/autonomous-ap-with-external-radius/
HTH
Rasika
**** Pls rate all useful responses *** -
Trunking and the management VLAN
I have gotten my 5010's up and can get to them from mgmt0. The ip address for mgmt0 resides in VLAN 2 for me. I am getting ready to trunk my 5010's back to my 6500's. Do I need to make sure that VLAN 2 cannot be seen through the trunk ports since it resides on mgmt0?
I don't think this is technically right- the MGMT and the data-path aren't actually connected. The MgmT 0 port doesn't have any concept that it's on "vlan 2"- it's just an access port.
Similarly, if VLAN 2 is on the trunk port, the IP address you assigned to MGMT0 isn't going to respond.
If you configured "feature interface vlan" and then put an IP address on VLAN 2, you could mange this box that way- on two separate IP addresses, via the two separate connections.
With the current lack of ability to wrap ACLs around the Interface VLANs, I'm more comfortable NOT using interface-vlan commands, and using a single uplink to mgmt0. Loss of the mgmt0 port is now only loss of the ability to manage the switch, not a data-path impacting event. (unless you need to configure the switch to correct an data-path issue, in which case you've got problems.)
The shift to out-of-band is a nice feature, but it's going to require a big shift in thinking from an implementation standpoint. -
Trunk port as a destination for SPAN session
Can we make a trunk port as a destination for SPAN session? If yes, how
Of course you can. It will be configured the same as an access port:
monitor session 1 destination int g0/24
However be aware of the following:
Destination Port
Each local SPAN session destination session must have a destination port (also called a monitoring port) that receives a copy of traffic from the source port.
The destination port has these characteristics:
• It must reside on the same switch as the source port (for a local SPAN session).
• It can be any Ethernet physical port.
• It cannot be a source port or a reflector port.
• It cannot be an EtherChannel group or a VLAN.
• It can be a physical port that is assigned to an EtherChannel group, even if the EtherChannel group has been specified as a SPAN source. The port is removed from the group while it is configured as a SPAN destination port.
• The port does not transmit any traffic except that required for the SPAN session.
• If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at Layer 2.
• It does not participate in spanning tree while the SPAN session is active.
• When it is a destination port, it does not participate in any of the Layer 2 protocols (STP, VTP, CDP, DTP, PagP, or LACP).
• No address learning occurs on the destination port.
• A destination port receives copies of sent and received traffic for all monitored source ports. If a destination port is oversubscribed, it could become congested. This could affect traffic forwarding on one or more of the source ports.