Trunking and the management VLAN

I have gotten my 5010's up and can get to them from mgmt0. The ip address for mgmt0 resides in VLAN 2 for me. I am getting ready to trunk my 5010's back to my 6500's. Do I need to make sure that VLAN 2 cannot be seen through the trunk ports since it resides on mgmt0?

I don't think this is technically right. The MGMT and the data path aren't actually connected. The mgmt0 port doesn't have any concept that it's on "VLAN 2"; it's just an access port.
Similarly, if VLAN 2 is on the trunk port, the IP address you assigned to mgmt0 isn't going to respond.
If you configured "feature interface vlan" and then put an IP address on VLAN 2, you could manage this box that way, on two separate IP addresses, via the two separate connections.
With the current lack of ability to wrap ACLs around the interface VLANs, I'm more comfortable NOT using interface-vlan commands, and using a single uplink to mgmt0. Loss of the mgmt0 port is then only loss of the ability to manage the switch, not a data-path-impacting event (unless you need to configure the switch to correct a data-path issue, in which case you've got problems).
The shift to out-of-band is a nice feature, but it's going to require a big shift in thinking from an implementation standpoint.

Similar Messages

  • Clustering 3500 and changing management VLAN

    I have a cluster of 3 3500XL switches. All have the latest rev of IOS. The cluster is fine when on the default VLAN. When I change the management VLAN to VLAN 9 using "cluster management vlan 9" the 2 member switches fail to change to VLAN 9 and the cluster breaks. THANKS

    Changing the Management VLAN
    Access to all switch management facilities is through the switch IP address, and the switch IP address always belongs to the management VLAN, VLAN 1, by default. This section describes how to configure a cluster to support management connectivity when the management VLAN is other than the default.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/29_35xu/scg/kiclust.htm#34921

  • Big Fish Games stop working in Mavericks. What do I do? I have re-installed them and the manager app, and nothing. I have not gotten an answer from Big Fish tech staff. Thought the problem might be with Mavericks. All the games worked with Snow Leopard

    Anybody have this kind of problem? What was done to correct it. . .


  • What is the difference between using the command "dsmgmt" and the "Managed By" tab when adding users to the local administrators Account on a Read-Only Domain Controller?

    When I use the "dsmgmt" command to add a user to the local administrators account of an RODC I can actually see the user when I use the "Show Role Administrators" parameter. However, I can't see the members of the group added to the "Managed By" tab of the RODC object in AD. Even so, the users added using "dsmgmt" and by the "Managed By" tab can all log in locally and have admin rights to the RODC. Are there any differences between these two ways of adding users to the local administrators account?

    Hi,
    For groups, managedBy is an administrative convenience to designate "group admins". Whatever principal is listed in managedBy gets permission to update a group's membership (the actual security is updated on the group's AD object to allow this).
    In Win2008 and later managedBy also became the way you delegate local administration on an RODC, allowing branch admins to install patches, manage shares, etc. (http://technet.microsoft.com/en-us/library/cc755310(WS.10).aspx).
    On the RODC, this updates the RepairAdmin registry value within RODCRoles.
    So the difference between them should be only the way they do the same thing.
    For more details, please refer to the article below:
    http://blogs.technet.com/b/askds/archive/2011/06/24/friday-mail-sack-wahoo-edition.aspx

  • SCOM 2012 SP1 Update Rollup 5 - DB and DW SQL script and the Management Packs

    Hi,
    I am applying SCOM 2012 SP1 Update Rollup 5 from KB article 2904680.
    Steps 4 and 5 from the "Installation Information" section say to run the SQL queries (UR_Datawarehouse.sql and Update_rollup_mom_db.sql) located at "%SystemDrive%\Program Files\System Center 2012 SP1\Operations Manager\Server \SQL Script for Update Rollups\."
    But I do not have the "System Center 2012 SP1\Operations Manager\Server \SQL Script for Update Rollups\." folder location on my SCOM Management Servers. Similarly I do not have the MPs given in Step 6.
    Can someone please let me know where else I can get these SQL scripts and the MPs from? What if I don't run these SQL scripts? Is that OK?

    You will find it at the path below: %SystemDrive%\Program Files\System Center 2012\Operations Manager\Server \SQL Script for Update Rollups\.
    Inside the System Center 2012 folder, look for the Server folder; inside it you will find SQL Script.

  • The same SSID used at 3 sites and the same vlan for client IP assignment?

    We are deploying a 5508 controller and LW APs for 7925G wireless IP phones.
    The controller is installed at site A and there are APs and wireless phones at sites B and C as well.
    1. Can I use the same SSID at all three sites for wireless phones, or do I have to use 3 distinct SSIDs?
    2. If I can use the same SSID, can I associate one subnet, e.g. 10.10.131.0/24, with wireless IP phones at all 3 sites? (Our Cisco UCM is fine with this.)
    3. If I have to use 3 distinct SSIDs, do I have to assign three subnets for IP phones at the three sites?
    Thanks for the help!
    Eric

    Yes, this is done by HREAP mode. The link below will help you out!
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml
    That is, by default the WLAN will get pushed to all APs, so if you have a single WLAN then this will broadcast the SSID and the remote-site clients will connect to it.
    Lemme know if this answered your question!
    Regards
    Surendra

  • How to obtain a list of a manager's direct employees and the manager

    Hi
    Currently I am using the evaluation path "MSSDIREC" for various reports, i.e. the phone list. We now want the reports extended so they not only show the employees directly under the manager, but also the manager him-/herself.
    Is there a standard evaluation path for this purpose? I have tried O-S-P, but it also returns the employees of organizations under the manager, which is not what we want. We only want the first level under the manager.
    Any suggestions?
    /Jakob

    Hi Jakob,
    Go to SM30 - T778A table.
    Create a new evaluation path as follows:
    01 S A 003 O
    02 O B 003 S
    03 S A 008  P
    Regards,
    Dilek

  • Reset JSF session and the managed beans with sesison scope

    Hi,
    This is a very general question and maybe stupid for most of you. I have my JSF/Facelets web application and I use inside this application some managed beans, which are session beans. I want to know how it is possible to reset these beans. I'm asking this question because I have this kind of problem: I built my web application which has a login form and I use the browser to test it. When I browse to the login page and log in with my credentials I get my customized home page. Then I open another instance of the browser and browse to the login page again, but this time I log in as a different user. The resulting home page is the same as I got before with my login credentials, so the session is always the same. Instead I want the session and all its objects to be reset for the new user! Do you know what the solution is?

    The fact is that I want to have two sessions in parallel, so using the same browser and opening two tabs, I want to browse to the login page and access as two totally different users and use the application in parallel without the problem of one user's action affecting the other user because of session sharing. So I want to force the application to create two different sessions for the two user logins, because as I told you before, as it is now they are sharing the same session. And I think that if at login time I iterate through the session and delete all the objects I will be able to have only one session at a time. Isn't it?

  • Autonomous AP1121 - Management VLAN and SSID VLAN

    Hello,
    We are using an ACS server to authenticate wireless users to Active Directory; this works fine. The issue occurs when we try to pull an IP and we can't from DHCP. The VLAN we have the SSID on is VLAN 10 and the management VLAN of the AP is VLAN 500. The ip-helper info is correct because wired users on VLAN 10 get an IP immediately. We just can't pull one with the AP. Does anyone know the config for this? Here is my current config; the clients authenticate through ACS 4.2 but pull no IP, and the only way for me to manage the AP is to have the native vlan command on there; once I remove it I can't telnet. What is the fix for this? Thanks
    Current switch port config the AP is plugged into:
    interface FastEthernet1/0/48
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 500
    switchport mode trunk

    Do you have sub-interfaces for VLAN 10 being bridged through the radio interface?
    Example config below:
    interface Dot11Radio0.10
    description Secure Wireless access
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface FastEthernet0.10
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    no bridge-group 10 source-learning
    bridge-group 10 spanning-disabled
    Also verify that VLAN 10 is allowed on the trunk interface of the switch by typing "show int trunk".

  • 1300 bridge with native and management vlan in different vlans

    Hello,
    We are going to set up a wireless bridge between two 1300 access points. In our network the native VLAN and the management VLAN are different VLANs. Will we be able to manage the AP and switch at the "remote" site? Do we have to set up two SSIDs, one for native and one for management?
    regards,
    Rutger

    To answer my own question:
    I don't think it is possible. Things work fine by making our management VLAN the native VLAN on the switches and APs involved. Management IP address on the BVI1 interface and everything works!
    Rutger

  • Native VLAN, Management VLAN

    Is the native VLAN only used to communicate 802.1Q information? Does CDP go over the native VLAN? Is there a breakdown of what traverses the native VLAN and the management VLAN? I have a customer that has their management VLAN different from the native VLAN.

    I think it does more than what you say:
    The 802.1Q standard is more than just a tagging mechanism. It also defines a unique spanning tree instance running on the native VLAN for all the VLANs in the network.
    Here is the link:
    http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008012ecf3.shtml#basic_char
    I just suspect there is more to the Native VLAN and I want a document that will provide more information on Cisco's Website.

  • VLAN trunking, native vlan and management vlan

    Hello all,
    In our situation, we have 3 separate VLANs: 100 for the management VLAN, 101 for data and 102 for voice.
    We have an uplink which is trunked using .1Q. Our access ports have the data VLAN as the native. Based on our design, what should be the native VLAN for this uplink trunk? Should it be the management VLAN or the data VLAN? Thanks for your help.

    To answer this question you must remember what the native VLAN is. Native is where untagged packets are sent, i.e. packets without a dot1Q tag. It is there mainly for compatibility. On an access port it has no function, as normal traffic is not tagged and is sent to the VLAN that is configured for the port. Traffic for the voice VLAN is an exception to this general rule.
    The native VLAN setting only plays a role on trunk links, where most of the traffic carries a tag. As explained, it is then used as the VLAN for untagged traffic.
    When you do not consider this a security breach, you may configure the data VLAN as native. Use another VLAN (why not VLAN 1?) in the case where you want to isolate this traffic.
    I find it good design practice to use the same native VLAN throughout the network. This keeps things clear and it's better for anyone who is not completely obsessed with security. The latter kind of people can always find a reason to mess things up, both for themselves and for others ;-)
    Regards,
    Leo
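Leo's point that the native VLAN is simply "where untagged packets are sent" is easy to see on the wire. The following is an added example, not code from the thread or from Cisco: it builds Ethernet II frames with and without an 802.1Q tag, parses the tag, and applies a constructed model of a trunk port to show where an untagged frame arriving on the uplink lands when the data VLAN (101) is native versus when an unused native VLAN is chosen and also left off the allowed list (that last step is my assumption, not something Leo states). The `TrunkPort` class, MACs and VLAN 999 are constructed for the example; VLANs 100/101/102 are the ones from the question.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Set

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


@dataclass
class TrunkPort:
    """Hypothetical model of one 802.1Q trunk port (constructed for this example)."""
    native_vlan: int
    allowed_vlans: Set[int]
    tag_native: bool = False  # models IOS 'vlan dot1q tag native': untagged frames are then dropped


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None) -> bytes:
    """Build an Ethernet II frame; with vid set, insert a single 802.1Q tag (PCP 0, DEI 0)."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_vid(frame: bytes) -> Optional[int]:
    """Return the VLAN ID from the frame's 802.1Q tag, or None if the frame carries no tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("802.1Q tag truncated")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF  # the low 12 bits of the TCI hold the VID


def ingress_vlan(port: TrunkPort, frame: bytes) -> Optional[int]:
    """VLAN the switch places an ingress frame into, or None when the trunk drops it.
    Untagged frames (and priority-tagged frames, VID 0) land in the native VLAN, which is
    the behaviour Leo describes; tagged frames go to their VID only if the trunk allows it."""
    vid = parse_vid(frame)
    if vid is None or vid == 0:
        if port.tag_native:
            return None
        vid = port.native_vlan
    return vid if vid in port.allowed_vlans else None


# Constructed MACs and payload; 100 is the management VLAN and 200 an unknown VLAN.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
ARP = 0x0806
UNTAGGED = build_frame(DST, SRC, ARP, b"\x00" * 28)
TAGGED_MGMT = build_frame(DST, SRC, ARP, b"\x00" * 28, vid=100)
TAGGED_ROGUE = build_frame(DST, SRC, ARP, b"\x00" * 28, vid=200)


def compare_designs() -> dict:
    """Where an untagged frame arriving on the uplink ends up under the two designs
    Leo contrasts: data VLAN as native, versus an unused native VLAN kept off the trunk."""
    data_native = TrunkPort(native_vlan=101, allowed_vlans={100, 101, 102})
    isolated = TrunkPort(native_vlan=999, allowed_vlans={100, 101, 102})
    return {
        "data_native/untagged": ingress_vlan(data_native, UNTAGGED),   # 101: joins the data VLAN
        "isolated/untagged": ingress_vlan(isolated, UNTAGGED),         # None: dropped
        "isolated/tagged_mgmt": ingress_vlan(isolated, TAGGED_MGMT),   # 100: still carried
        "isolated/tagged_rogue": ingress_vlan(isolated, TAGGED_ROGUE), # None: not allowed
    }


if __name__ == "__main__":
    for case, vlan in compare_designs().items():
        print(f"{case:24s} -> {vlan}")
```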

  • How to configure a port channel with VLAN trunking (and make it work..)

    We're trying to configure a port-channel group with trunked ports to connect a NetApp HA pair. We want to create two data LIFs and connect them to the switch stack. We are trying to create 2 data LIFs, one for CIFS and one for NFS, that are on different VLANs.
    We want the same ports to be able to allow multiple VLANs to communicate (trunked).
    These data LIFs should be able to fail over to different nodes in the HA pair and still be able to communicate on the network.
    What this means is that we have to connect 4 ports for each node in the NetApp HA pair to the switches and create a port channel of some type that allows for trunked VLANs. When we configure the ports, the configuration is as follows (below):
    We are only able to configure an IP on one of the VLANs.
    When we configure an IP from another VLAN for the data LIF, it does not respond to a ping.
    Does anyone have any idea what I'm doing wrong on the Cisco switch?
    interface GigabitEthernet4/0/12
    description Netapp2-e0a
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    channel-protocol lacp
    channel-group 20 mode active
    end
    interface GigabitEthernet4/0/13
    description Netapp2-e0c
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    channel-protocol lacp
    channel-group 20 mode active
    end
    interface GigabitEthernet6/0/12
    description Netapp2-e0b
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    channel-protocol lacp
    channel-group 20 mode active
    end
    interface GigabitEthernet6/0/13
    description Netapp2-e0d
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    channel-protocol lacp
    channel-group 20 mode active
    end
    interface Port-channel20
    description Netapp2-NFS
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    spanning-tree portfast
    spanning-tree bpduguard enable
    end

    Our problem was fixed by the storage people. They changed the server end to trunk, and the encapsulation/EtherChannel.
    I like all the suggestions, and they probably helped with getting the configuration to work.
    Thanks!
    interface Port-channel20
    description Netapp2-NFS
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    switchport mode trunk
    interface GigabitEthernet4/0/12
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    switchport mode trunk
    channel-protocol lacp
    channel-group 20 mode active
    interface GigabitEthernet4/0/13
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    switchport mode trunk
    channel-protocol lacp
    channel-group 20 mode active
    interface GigabitEthernet6/0/12
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    switchport mode trunk
    channel-protocol lacp
    channel-group 20 mode active
    interface GigabitEthernet6/0/13
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    switchport mode trunk
    channel-protocol lacp
    channel-group 20 mode active
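The only difference on the switch side between the first config and the working one above is `switchport mode trunk` on the port-channel and on every member. The following is an added audit, not code from the thread or from Cisco: it parses IOS-style interface stanzas, flags any interface that carries trunk attributes without forcing trunk mode (such a port only becomes a trunk if the far end negotiates DTP, which a server NIC does not; that remark is my reading, not the thread's), and flags members whose trunk settings drift from their port-channel. The embedded configs are constructed from the posted one, trimmed to two members.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Trunk attributes that must agree between a port-channel and each of its member ports.
TRUNK_KEYS = ("switchport mode", "switchport trunk encapsulation",
              "switchport trunk allowed vlan", "switchport trunk native vlan")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {interface name: [commands]}; '!' and 'end' are skipped."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "end":
            current = None
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def trunk_profile(lines: List[str]) -> Dict[str, str]:
    """Collect one interface's trunk settings as {attribute: value}."""
    profile: Dict[str, str] = {}
    for line in lines:
        for key in TRUNK_KEYS:
            if line.startswith(key + " "):
                profile[key] = line[len(key):].strip()
    return profile


def audit_trunk_bundles(config: str) -> List[str]:
    """Flag trunks left to DTP negotiation and members whose settings differ from their port-channel."""
    stanzas = parse_interfaces(config)
    findings: List[str] = []
    members: Dict[str, List[str]] = defaultdict(list)
    for name, lines in stanzas.items():
        prof = trunk_profile(lines)
        # Trunk attributes present but the mode left at its default: the port only becomes a
        # trunk if the far end negotiates DTP, which a server NIC such as the NetApp's does not.
        if prof and prof.get("switchport mode") != "trunk":
            findings.append(f"{name}: trunk attributes set without 'switchport mode trunk'")
        for line in lines:
            m = re.match(r"channel-group (\d+) ", line)
            if m:
                members[m.group(1)].append(name)
    for group, names in sorted(members.items()):
        po = f"Port-channel{group}"
        if po not in stanzas:
            findings.append(f"{po}: channel-group {group} has members but no port-channel interface")
            continue
        ref = trunk_profile(stanzas[po])
        for name in sorted(names):
            diff = [k for k in TRUNK_KEYS if trunk_profile(stanzas[name]).get(k) != ref.get(k)]
            if diff:
                findings.append(f"{name}: differs from {po} on {', '.join(diff)}")
    return findings


# Constructed from the thread's first (failing) config, trimmed to two members.
BEFORE = """
interface GigabitEthernet4/0/12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,511,519
 channel-protocol lacp
 channel-group 20 mode active
interface GigabitEthernet4/0/13
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,511,519
 channel-protocol lacp
 channel-group 20 mode active
interface Port-channel20
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,511,519
"""
# The working config differs only by forcing trunk mode on the port-channel and its members.
AFTER = BEFORE.replace(" switchport trunk encapsulation dot1q\n",
                       " switchport trunk encapsulation dot1q\n switchport mode trunk\n")

if __name__ == "__main__":
    print("before:", audit_trunk_bundles(BEFORE))
    print("after: ", audit_trunk_bundles(AFTER))
```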

  • Wireless AP Management VLAN and BVIs

    Hi All,
    I've been looking around and I can't find a solution to what I am trying to achieve and I was hoping the community may have had more luck than I have.
    I'm looking to have the management VLAN for my AP set up as a tagged BVI, but I'm struggling to get it set up. I can set it up fine using BVI1 and having it just accessed on the native VLAN, but I see this as a security flaw; I don't really want direct access into my management network on the switch.
    Now there may be a better way of preventing this, but I am, at least compared to many, still fairly new to Cisco and this seems to be the best approach. Please see below for my current config; hopefully you can let me know where I am going wrong.
    Also, as a note, at the moment I am mainly focusing on the management security of the AP before I check the Wi-Fi config, hence the radios still being shut down, so there may also be small errors in this. I have also removed some elements which are not relevant.
    version 15.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname AP01
    no ip source-route
    no ip cef
    dot11 syslog
    dot11 ssid <Guest secure network SSID>
       vlan 30
       authentication open
       authentication key-management wpa version 2
       guest-mode
       wpa-psk ascii <key>
    dot11 ssid <Internal Secure SSID>
       vlan 10
       authentication open
       authentication key-management wpa version 2
       wpa-psk ascii <key>
    ip ssh version 2
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     shutdown
     encryption vlan 10 mode ciphers aes-ccm tkip
     encryption vlan 30 mode ciphers aes-ccm tkip
     ssid <Guest secure network SSID>
     ssid <Internal Secure SSID>
     antenna gain 0
     packet retries 64 drop-packet
     channel 2437
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 port-protected
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio0.10
     encapsulation dot1Q 10
     no ip route-cache
     bridge-group 10
     bridge-group 10 subscriber-loop-control
     bridge-group 10 spanning-disabled
     bridge-group 10 block-unknown-source
     no bridge-group 10 source-learning
     no bridge-group 10 unicast-flooding
    interface Dot11Radio0.30
     encapsulation dot1Q 30
     no ip route-cache
     bridge-group 30
     bridge-group 30 subscriber-loop-control
     bridge-group 30 spanning-disabled
     bridge-group 30 block-unknown-source
     no bridge-group 30 source-learning
     no bridge-group 30 unicast-flooding
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     encryption vlan 10 mode ciphers aes-ccm tkip
     encryption vlan 30 mode ciphers aes-ccm tkip
     ssid <Guest secure network SSID>
     ssid <Internal Secure SSID>
     antenna gain 0
     peakdetect
     no dfs band block
     packet retries 64 drop-packet
     channel dfs
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 port-protected
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio1.10
     encapsulation dot1Q 10
     no ip route-cache
     bridge-group 10
     bridge-group 10 subscriber-loop-control
     bridge-group 10 spanning-disabled
     bridge-group 10 block-unknown-source
     no bridge-group 10 source-learning
     no bridge-group 10 unicast-flooding
    interface Dot11Radio1.30
     encapsulation dot1Q 30
     no ip route-cache
     bridge-group 30
     bridge-group 30 subscriber-loop-control
     bridge-group 30 spanning-disabled
     bridge-group 30 block-unknown-source
     no bridge-group 30 source-learning
     no bridge-group 30 unicast-flooding
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     no keepalive
    interface GigabitEthernet0.10
     encapsulation dot1Q 10
     no ip route-cache
     bridge-group 10
     bridge-group 10 spanning-disabled
     no bridge-group 10 source-learning
    interface GigabitEthernet0.30
     encapsulation dot1Q 30
     no ip route-cache
     bridge-group 30
     bridge-group 30 spanning-disabled
     no bridge-group 30 source-learning
    interface GigabitEthernet0.100
     encapsulation dot1Q 100
     no ip route-cache
     bridge-group 100
     bridge-group 100 spanning-disabled
     no bridge-group 100 source-learning
    interface GigabitEthernet0.101
     encapsulation dot1Q 999 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface BVI1
     no ip address
     no ip route-cache
     shutdown
    interface BVI100
     mac-address <Actual ethernet address>
     ip address 10.33.100.101 255.255.255.0
     no ip route-cache
    ip default-gateway 10.33.100.254
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    bridge 100 protocol ieee
    bridge 100 route ip
    line con 0
     logging synchronous
    line vty 0 4
     transport input ssh
    end
    As you can see I am using BVI100 as the management VLAN for the device, and BVI1 is shut down with VLAN 999/int gi0.101 holding bridge group 1.
    With this setup I can't get any IP communication, send or receive, but I can see the MAC address on the switch in the MAC address table on VLAN 100. There are also no entries in the ARP table of the AP.
    The switch is set up with VLAN 999 untagged and VLANs 10, 30, 100 as tagged.
    Hope you can help! Thanks for any advice in advance.
    Many thanks,
    Martin.

    Yeah, that would work and I have set it up like this without issue, but I'm trying to limit access to the management VLAN; I don't want someone to be able to plug directly into the switch and be on the same broadcast domain as all of the other equipment.
    There are other ways of achieving this, but I felt like I was so close with the above config and was just missing something.

  • Management VLAN Design and Implementation

    Greetings, friends. I'm having trouble getting a clear picture of how a management VLAN ought to look. I just installed a Catalyst 6509-E as my core switch, and as soon as they arrive I'm going to be replacing all of our other (HP) switches with Catalyst 3560X switches. I understand the reasoning behind segregating traffic, not using VLAN 1, etc., but I've never actually implemented a management VLAN; I've always just accessed the switches via the IPs assigned to them where all the client traffic flows (not VLAN 1, by the way).
    Is "management VLAN" simply what we as humans call a VLAN we dedicate to management activities, or is there something official in these switches to designate a "management VLAN?"
    Is it best practice to include SNMP, netflow, syslog, and NTP as "management" traffic?
    There's a lot of documentation talking -about- management and management VLANs, but unless I'm blind or not looking hard enough I can't seem to find any implementation whitepapers or best-practices whitepapers that demonstrate setting one up on a campus LAN. Are you able to point me in the right direction to find such documentation? Is it perhaps buried in a manual somewhere that isn't explicitly labeled "Management VLAN Design and Implementation" or some such?
    What is the best practice for accessing the management VLAN?  Inter-VLAN routing + ACLs?  Multi-homed PCs or servers?  Additional PCs to be used as access stations?
    Thank you for your wisdom, experience, and advice!
    Kevin

    1. Yes, you may want to keep this traffic separate from the other traffic, limiting device management access to just this VLAN, as this prevents eavesdropping.
    2. Indeed, all other housekeeping goes via this VLAN, although you could limit it to the interactive or session traffic.
    3. On a campus you could think of one big VLAN spanning the campus; in a multi-site environment, or where you use L3 to go to your datacenters, you probably need multiple management LANs. I've seen implementations where the management traffic was kept separate and didn't even use the routing protocol in use. The whole management LAN was statically routed and would work even if OSPF or BGP was down.
    4. I feel a situation where the people providing support are connected on the LAN giving access to the devices is probably best. A dual-homed PC is a good solution I think; other customers feel the management LAN should be treated as a DMZ accessible via a firewall, but the hardcore customers insist on a second PC connected to the management LAN.
    Points to consider are, as always:
    Find the single point of failure: any device, L2, L3 or firewall, that could cut off management from accessing a part of the network.
    Find the right balance between security, costs and ease of access for the business you're in.
    Cheers,
    Michel
