Trunking and the management VLAN
I have gotten my 5010's up and can get to them from mgmt0. The ip address for mgmt0 resides in VLAN 2 for me. I am getting ready to trunk my 5010's back to my 6500's. Do I need to make sure that VLAN 2 cannot be seen through the trunk ports since it resides on mgmt0?
I don't think this is technically right: the mgmt0 and the data path aren't actually connected. The mgmt0 port doesn't have any concept that it's on "VLAN 2"; it's just an access port.
Similarly, if VLAN 2 is on the trunk port, the IP address you assigned to mgmt0 isn't going to respond.
If you configured "feature interface vlan" and then put an IP address on VLAN 2, you could manage this box that way, on two separate IP addresses, via the two separate connections.
With the current lack of ability to wrap ACLs around the interface VLANs, I'm more comfortable NOT using interface-vlan commands, and using a single uplink to mgmt0. Loss of the mgmt0 port is now only loss of the ability to manage the switch, not a data-path impacting event. (Unless you need to configure the switch to correct a data-path issue, in which case you've got problems.)
The shift to out-of-band is a nice feature, but it's going to require a big shift in thinking from an implementation standpoint.
Similar Messages
-
Clustering 3500 and changing management VLAN
I have a cluster of 3 3500XL switches. All have the latest rev of IOS. The cluster is fine when on the default VLAN. When I change the management VLAN to VLAN 9 using "cluster management vlan 9" the 2 member switches fail to change to VLAN 9 and the cluster breaks. THANKS
Changing the Management VLAN
Access to all switch management facilities is through the switch IP address, and the switch IP address always belongs to the management VLAN, VLAN 1, by default. This section describes how to configure a cluster to support management connectivity when the management VLAN is other than the default.
http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/29_35xu/scg/kiclust.htm#34921 -
When I use the "dsmgmt" command to add a user to the local administrators account of a RODC I can actually see the user when I use the "Show Role Administrators" parameter. However, I can't see the members of the group added to the "Managed By" tab of the RODC object in AD. Even though, the users added using "dsmgmt" and by the "Managed By" tab can all log in locally and have admin rights to the RODC. Are there any differences between these two ways of adding users to the local administrators account?
Hi,
For groups, managedBy is an administrative convenience to designate "group admins". Whatever principal listed in managedBy gets permission to update a group's membership (the actual security is updated on the group's AD object to allow this).
In Win2008 and later managedBy also became the way you delegated local administration on an RODC, allowing branch admins to install patches, manage shares, etc. (http://technet.microsoft.com/en-us/library/cc755310(WS.10).aspx).
On the RODC, this is updating the RepairAdmin registry value within RODCRoles.
So the difference between them should be only the way they do the same thing.
For more details, please refer to the below article:
http://blogs.technet.com/b/askds/archive/2011/06/24/friday-mail-sack-wahoo-edition.aspx
-
SCOM 2012 SP1 Update Rollup 5 - DB and DW SQL script and the Management Packs
Hi,
I am applying SCOM 2012 SP1 update rollup 5 from KB article : 2904680.
Step #4 and #5 from the "Installation Information" section say to run the SQL queries (UR_Datawarehouse.sql and Update_rollup_mom_db.sql) located at "%SystemDrive%\Program Files\System Center 2012 SP1\Operations Manager\Server \SQL Script for Update Rollups\."
But I do not have "System Center 2012 SP1\Operations Manager\Server \SQL Script for Update Rollups\." folder location on my SCOM Management Servers. Similarly I do not have the MPs given in Step #6.
Can someone please let me know from where else I can get these SQL scripts and the MPs. What if I don't run these SQL scripts? Is that OK?
You will find it on the below path: %SystemDrive%\Program Files\System Center 2012\Operations Manager\Server \SQL Script for Update Rollups\.
Inside the System Center 2012 folder, look for the Server folder, and inside it you will find SQL Script.
-
The same SSID used at 3 sites and the same vlan for client IP assignment?
we are deploying 5508 controller and LW APs for wireless IP phone 7925G
Controller is installed at site A and there are APs and wireless phones at site B and C as well.
1. can I use the same SSID for all three sites for wireless phones? or have to use 3 distinct SSIDs?
2. If I can use the same SSID, can I associate one subnet e.g 10.10.131.0/24 for wireless IP phones at 3 sites? (our Cisco UCM is fine with this)
3. if I have use 3 distinct SSIDs, do I have to assign three subnets for IP phones at three sites?
thanks for the help!
Eric
Yes, this is done by HREAP mode. The below link will help you out!
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml
That is, by default the WLAN will get pushed to all APs, so if you have a single WLAN then this will broadcast the SSID and the remote site clients will connect to it.
Lemme know if this answered your question!!
Regards
Surendra -
How to obtain a list of a manager's direct employees and the manager
Hi
Currently I am using the evaluation path "MSSDIREC" for various reports, e.g. phone list. We now want the reports extended so they not only show the employees directly under the manager, but also the manager him-/herself.
Is there a standard evaluation path for this purpose. I have tried with O-S-P, but it also returns the employees of organizations under the manager, which is not what we want. We only want the first level under the manager.
Any suggestions?
/Jakob
Hi Jakob,
Go to SM30 - T778A table.
Create a new evaluation path as follows:
01 S A 003 O
02 O B 003 S
03 S A 008 P
Regards,
Dilek -
Reset JSF session and the managed beans with session scope
Hi,
this is a very general question and maybe stupid for most of you. I have my JSF/Facelets web application and I use inside of this application some managed beans, which are session beans. I want to know how it is possible to reset these beans. I'm asking this question because I have this kind of problem: I built my web application which has a login form and I use the browser to test it. When I browse to the login page and I log in with my credentials I get my customized home page. Then I open another instance of the browser and I browse to the login page again but this time I log in as a different user. The result home page is the same as I got before with my login credentials, so the session is always the same. Instead I want the session and all its objects to be reset for the new user! Do you know which is the solution?
The fact is that I want to have two sessions in parallel, so using the same browser and opening two tabs, I want to browse to the login page and access as two totally different users and use the application in parallel without the problem of one user's action affecting the other user because of session sharing. So I want to force the application to create two different sessions for the two user logins, because as I told you before, as it is now, they are sharing the same session. And I think that if at login time I iterate through the session and delete all the objects I will be able to have only one session at a time. Isn't it?
-
Autonomous AP1121 - Management VLAN and SSID VLAN
Hello,
We are using an ACS server to authenticate wireless users to Active Directory; this works fine. The issue occurs when we try to pull an IP and we can't from the DHCP. The VLAN we have the SSID on is VLAN 10 and the management VLAN of the AP is VLAN 500. The ip-helper info is correct because wired users on VLAN 10 get an IP immediately. We just can't pull one with the AP. Does anyone know the config for this? Here is my current config; the clients authenticate through the ACS 4.2 but pull no IP. The only way for me to manage the AP is to have the native vlan command on there; once I remove it I can't telnet. What is the fix for this? Thanks
current switch port config ap is plugged into.
interface FastEthernet1/0/48
switchport trunk encapsulation dot1q
switchport trunk native vlan 500
switchport mode trunk
Do you have sub-interfaces for VLAN 10 being bridged through the radio interface?
Example config below...
interface Dot11Radio0.10
description Secure Wireless access
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled
interface FastEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
no bridge-group 10 source-learning
bridge-group 10 spanning-disabled
Also verify that vlan 10 is allowed on the trunk interface of the switch by typing "show int trunk" -
1300 bridge with native and management vlan in different vlans
Hello,
We are going to set up a wireless bridge between two 1300 accesspoints. In our network the native vlan and the management vlan are different vlan's. Will we be able to manage the ap and switch at the "remote" site? Do we have to set up two ssid's, one for native and one for management?
regards,
Rutger
To answer my own question:
I don't think it is possible. Things work fine by making our management vlan the native vlan on switches and ap's involved. Management IP address on the BVI1 interface and everything works!
Rutger -
Native VLAN, Management VLAN
Is the Native VLAN only used to communicate 802.1q information? Does CDP go over the Native VLAN? Is there a breakdown of what traverses the Native VLAN and the Management VLAN? I have a customer that has their management vlan different than the native vlan.
I think it does more than what you say:
802.1Q standard is more than just a tagging mechanism. It also defines a unique spanning tree instance running on the native VLAN for all the VLANs in the network.
Here is the link:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008012ecf3.shtml#basic_char
I just suspect there is more to the Native VLAN and I want a document that will provide more information on Cisco's Website. -
VLAN trunking, native vlan and management vlan
Hello all,
In our situation, we have 3 separate vlans: 100 for management vlan and 101 for data and 102 for voice.
We have an uplink which is trunked using .1Q. Our access ports have the data VLAN as the native. Based on our design, what should be the native VLAN for this uplink trunk? Should it be the management VLAN or the data VLAN? Thanks for your help.
To answer this question you must remember what the native VLAN is. Native is where untagged packets are sent, i.e. packets without a dot1Q tag. It is there mainly for compatibility. On an access port it has no function while normal traffic is not tagged and sent to the VLAN that is configured for the port. Traffic for the voice VLAN is an exception to this general rule.
Native vlan setting only plays a role on trunk links where most of the traffic carries a tag. As explained, it is then used as the vlan for untagged traffic.
When you do not consider this a security breach, you may configure the data-vlan as native. Use another vlan (why not vlan1?) in the case where you want to isolate this traffic.
I find it good design practice to use the same native vlan throughout the network. This keeps things clear and it's better for anyone who is not completely obsessed with security. The latter kind of people can always find a reason to mess things up, both for themselves and for others;-)
Regards,
Leo -
How to configure a port channel with VLAN trunking (and make it work..)
We're trying to configure a port channel group with trunked ports to connect a NetApp HA pair. We want to create two data LIFs and connect them to the switch stack. We are trying to create 2 data lifs, one for cifs and one for nfs that are on different vlans.
We want the same ports to be able to allow multiple vlans to communicate. (trunked)
These data lifs should be able to fail over to different nodes in the HA pair and still be able to communicate on the network.
What this means is that we have to connect 4 ports each for each node in the NetApp HA Pair to the switches and create a port channel of some type that allows for trunked vlans. When we configure the ports, the configuration is as follows (below):
We are only able to configure an IP on one of the vlans.
When we configure an IP from another vlan for the data lif, it does not respond to a ping.
Does anyone have any idea what I'm doing wrong on the Cisco switch?
interface GigabitEthernet4/0/12
description Netapp2-e0a
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
channel-protocol lacp
channel-group 20 mode active
end
interface GigabitEthernet4/0/13
description Netapp2-e0c
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
channel-protocol lacp
channel-group 20 mode active
end
interface GigabitEthernet6/0/12
description Netapp2-e0b
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
channel-protocol lacp
channel-group 20 mode active
end
interface GigabitEthernet6/0/13
description Netapp2-e0d
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
channel-protocol lacp
channel-group 20 mode active
end
interface Port-channel20
description Netapp2-NFS
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
spanning-tree portfast
spanning-tree bpduguard enable
end
Our problem was fixed by the storage people. They changed the server end to trunk, and the encapsulation / etherchannel.
I like all the suggestions, and they probably helped out with the configuration getting this to work.
Thanks!
interface Port-channel20
description Netapp2-NFS
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
switchport mode trunk
interface GigabitEthernet4/0/12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
switchport mode trunk
channel-protocol lacp
channel-group 20 mode active
interface GigabitEthernet4/0/13
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
switchport mode trunk
channel-protocol lacp
channel-group 20 mode active
interface GigabitEthernet6/0/12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
switchport mode trunk
channel-protocol lacp
channel-group 20 mode active
interface GigabitEthernet6/0/13
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,20,511,519
switchport mode trunk
channel-protocol lacp
channel-group 20 mode active -
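Added example, not code from any of the posts above: a small Python audit that parses IOS-style interface blocks like the ones quoted in the NetApp port-channel thread and reports the points these threads turn on: a channel-group member without an explicit "switchport mode trunk" (the fix in that thread), a member whose allowed-VLAN list differs from its Port-channel, a trunk left at the default of carrying all VLANs, and a trunk whose native (untagged) VLAN is the management VLAN (the design choice Leo and Martin discuss, and the opening mgmt0 question). The sample config and the management VLAN number 500 are constructed assumptions for the demo.

```python
import re

# Constructed sample running-config, modeled on the switch snippets quoted
# in the threads above (not a verbatim copy of any poster's config).
SAMPLE_CONFIG = """\
interface Port-channel20
 description Netapp2-NFS
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,511,519
 switchport mode trunk
!
interface GigabitEthernet4/0/12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,511,519
 channel-protocol lacp
 channel-group 20 mode active
!
interface FastEthernet1/0/48
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 500
 switchport mode trunk
!
"""

MGMT_VLAN = 500  # assumed management VLAN for the sample; set it for your site


def parse_interfaces(config):
    """Split an IOS-style config into {interface name: [config lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "end":          # 'end' closes the current block
            current = None
            continue
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def expand_vlans(spec):
    """'10,20,511-513' -> {10, 20, 511, 512, 513}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def trunk_facts(lines):
    """Extract the trunk-related settings from one interface block.
    allowed=None means no 'allowed vlan' statement, i.e. the IOS default of all VLANs."""
    facts = {"trunk": False, "allowed": None, "native": 1, "group": None}
    for line in lines:
        if line == "switchport mode trunk":
            facts["trunk"] = True
        elif m := re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", line):
            facts["allowed"] = expand_vlans(m.group(1))
        elif m := re.match(r"switchport trunk native vlan (\d+)$", line):
            facts["native"] = int(m.group(1))
        elif m := re.match(r"channel-group (\d+)", line):
            facts["group"] = int(m.group(1))
    return facts


def audit(config, mgmt_vlan):
    """Return findings about trunk/port-channel consistency and the management VLAN."""
    facts = {name: trunk_facts(lines) for name, lines in parse_interfaces(config).items()}
    findings = []
    for name, f in facts.items():
        if f["group"] is not None:
            pc = facts.get(f"Port-channel{f['group']}")
            if not f["trunk"]:
                findings.append(f"{name}: channel-group member lacks 'switchport mode trunk'")
            if pc and pc["allowed"] != f["allowed"]:
                findings.append(f"{name}: allowed-VLAN list differs from Port-channel{f['group']}")
        if not f["trunk"]:
            continue
        if f["allowed"] is None:
            findings.append(f"{name}: trunk allows all VLANs; prune to the VLANs it needs")
        if f["native"] == mgmt_vlan:
            findings.append(f"{name}: management VLAN {mgmt_vlan} is the native (untagged) VLAN")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, MGMT_VLAN):
        print(finding)
```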
Wireless AP Management VLAN and BVIs
Hi All,
I've been looking around and I can't find a solution to what I am trying to achieve and I was hoping the community may have had more luck than I have.
I'm looking to have my management VLAN for my AP setup as a tagged BVI but I'm struggling to get it setup. I can set it up fine using BVI1 and having it just accessed on the native VLAN but I see this as a security flaw, I don't really want direct access into my management network on the switch.
Now there may be a better way of preventing this but I am, at least compared to many, still fairly new to Cisco and this seems to be the best approach. Please see below for my current config, hopefully you can let me know where I am going wrong.
Also, as a note, at the moment I am mainly focusing on the management security of the AP before I check the wifi config, hence the radios still being shutdown so there may also be small errors in this. I have also removed some elements which are not relevant.
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname AP01
no ip source-route
no ip cef
dot11 syslog
dot11 ssid <Guest secure network SSID>
vlan 30
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii <key>
dot11 ssid <Internal Secure SSID>
vlan 10
authentication open
authentication key-management wpa version 2
wpa-psk ascii <key>
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
shutdown
encryption vlan 10 mode ciphers aes-ccm tkip
encryption vlan 30 mode ciphers aes-ccm tkip
ssid <Guest secure network SSID>
ssid <Internal Secure SSID>
antenna gain 0
packet retries 64 drop-packet
channel 2437
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
interface Dot11Radio0.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 spanning-disabled
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
encryption vlan 10 mode ciphers aes-ccm tkip
encryption vlan 30 mode ciphers aes-ccm tkip
ssid <Guest secure network SSID>
ssid <Internal Secure SSID>
antenna gain 0
peakdetect
no dfs band block
packet retries 64 drop-packet
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
interface Dot11Radio1.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 spanning-disabled
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
interface GigabitEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 spanning-disabled
no bridge-group 10 source-learning
interface GigabitEthernet0.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 spanning-disabled
no bridge-group 30 source-learning
interface GigabitEthernet0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
bridge-group 100 spanning-disabled
no bridge-group 100 source-learning
interface GigabitEthernet0.101
encapsulation dot1Q 999 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface BVI1
no ip address
no ip route-cache
shutdown
interface BVI100
mac-address <Actual ethernet address>
ip address 10.33.100.101 255.255.255.0
no ip route-cache
ip default-gateway 10.33.100.254
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
bridge 100 protocol ieee
bridge 100 route ip
line con 0
logging synchronous
line vty 0 4
transport input ssh
end
As you can see I am using BVI100 as the management VLAN for the device and BVI1 is shutdown with vlan 999/int gi0/101 holding bridge group 1.
With this setup I can't get any IP communication, send or receive but I can see the MAC address on the switch in the MAC address table on vlan100. There is also no entries in the ARP table of the AP.
The switch is setup with vlan 999 untagged and vlans 10,30,100 as tagged.
Hope you can help! Thanks for any advice in advanced.
Many thanks,
Martin.
Yea that would work and I have set it up like this without issue but I'm trying to limit access to the management VLAN; I don't want someone to be able to plug directly into the switch and be on the same broadcast domain as all of the other equipment.
There are other ways of achieving this but I felt like I was so close with the above config, just missing something. -
Management VLAN Design and Implementation
Greetings, friends. I'm having trouble getting a clear picture of how a management VLAN ought to look. I just installed a Catalyst 6509-E as my core switch, and as soon as they arrive I'm going to be replacing all of our other (HP) switches with Catalyst 3560X switches. I understand the reasoning behind segregating traffic, not using VLAN1, etc., but I've never actually implemented a management VLAN--I've always just accessed the switches via the IPs assigned to them where all the client traffic flows (not VLAN1, by the way).
Is "management VLAN" simply what we as humans call a VLAN we dedicate to management activities, or is there something official in these switches to designate a "management VLAN?"
Is it best practice to include SNMP, netflow, syslog, and NTP as "management" traffic?
There's a lot of documentation talking -about- management and management VLANs, but unless I'm blind or not looking hard enough I can't seem to find any implementation whitepapers or best practices whitepapers that demonstrate setting one up on a campus LAN. Are you able to point me in the right direction to find such documentation? Is it perhaps buried in a manual somewhere that isn't explicitly labeled "Management VLAN Design and Implementation" or somesuch?
What is the best practice for accessing the management VLAN? Inter-VLAN routing + ACLs? Multi-homed PCs or servers? Additional PCs to be used as access stations?
Thank you for your wisdom, experience, and advice!
Kevin
1. Yes, you may want to keep this traffic separate from the other traffic, limiting device management access to just this VLAN, as this prevents eavesdropping.
2. Indeed all other housekeeping goes via this VLAN, although you could limit it to the interactive or session traffic.
3. On a campus you could think of one big VLAN spanning the campus; in a multi-site environment or where you use L3 to go to your datacenters you probably need multiple management LANs. I've seen implementations where the management traffic was kept separate and even didn't use the routing protocol in use. The whole management LAN was statically routed and would work even if OSPF or BGP was down.
4. I feel a situation where the people providing support are connected on the LAN giving access to the devices is probably best. A dual-homed PC is a good solution I think; other customers feel the management LAN should be treated as a DMZ accessible via a firewall, but the hardcore customers insist on a second PC connected to the management LAN.
Points to consider are as always,
Find the single point of failure. Any device, L2 L3 firewall that could cut off management from accessing a part of the network.
Find the right balance between security, costs, and ease of access for the business you're in.
Cheers,
Michel