VLAN and DHCP

While this isn't always the case, using vlans also implies using subnetting and routing. In this case each vlan needs to have its own subnet, or the L3 router won't know where to send the data.

Hi,
Ok so i'm racking my brain here and not getting anywhere. I'm trying to set up up VLAN so it gets DHCP. Here is some back story:
Core Switch:
IP 172.16.250.250
VLAN 400
IP Address 172.161.250.250
IP Helper Address 172.16.1.3
End Switch:
IP 172.16.250.6
VLAN 400
IP Address 172.161.250.250
IP Helper Address 172.16.1.3
DHCP Server
IP 172.16.1.3
DHCP Scope
Router IP 172.161.250.250
Am I missing something here?
This topic first appeared in the Spiceworks Community

Similar Messages

Wirless Vlans and DHCP

I am trying to configure my Aironet 1121G acess points with several vlans, got the vlans all working fine with wired devices, but the wirless devices don't get DHCP.
Basically, I have the BVI on my managment vlan and two other vlans that pass through, trying to have the public WiFi on 1 vlan and two corporate vlans with seperate wifi. can't get IPs on any of them though.
Vlnas are routed by a catlayst 3550 with helper addresses configured on all the vlan interfaces.
DHCP comes from 2 windows server 2003 boxes on a further vlan
any Ideas?

Vinod,
Here is the AP config, I'm confused, so any help would be useful, got to get a wireless course under my belt.
Cheers,
Peter
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname IT_AP1121G_01
no logging console
enable secret
ip subnet-zero
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 vlan-name Corporate vlan 3
dot11 vlan-name Default vlan 1
dot11 vlan-name Managment vlan 2
dot11 ssid stosWIFI
vlan 1
authentication open
guest-mode
mbssid guest-mode
infrastructure-ssid optional
mobility network-id 1
dot11 ssid stoswaldsWIFI
vlan 3
authentication open eap eap_methods
mobility network-id 3
username admin privilege 15 secret 5 $1$.dBF$jstGCUjGPaD6OQ/JVmZEY1
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
shutdown
encryption key 1 size 128bit 7 0D1A262E215F252C7E5A2D6A6498 transmit-key
encryption mode wep mandatory
encryption vlan 1 key 1 size 128bit 7 DA303E012047F6068707FC131B4A transmit-key
encryption vlan 1 mode wep mandatory
encryption vlan 3 mode wep mandatory
ssid stosWIFI
ssid stoswaldsWIFI
mbssid
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
channel 2412
station-role root
world-mode dot11d country GB both
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 254
bridge-group 254 subscriber-loop-control
bridge-group 254 block-unknown-source
no bridge-group 254 source-learning
no bridge-group 254 unicast-flooding
bridge-group 254 spanning-disabled
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
bridge-group 3 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
interface FastEthernet0.1
encapsulation dot1Q 1
no ip route-cache
bridge-group 254
no bridge-group 254 source-learning
bridge-group 254 spanning-disabled
interface FastEthernet0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
no bridge-group 3 source-learning
bridge-group 3
interface FastEthernet0.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 192.168.2.33 255.255.255.0
no ip route-cache
ip default-gateway 192.168.2.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
logging trap notifications
logging
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
control-plane
bridge 1 route ip
line con 0
password
line vty 0 4
password
line vty 5 15
end

SonicWALL = Guest Wireless, VLANs, and DHCP

All,I'm going to attempt to set up corporate and guest WIFI using Ubiquiti UniFi APs. I'm new to VLANs in general but understand that this is the likely approach. The equipment that I will be using is below- SonicWALL TZ-400 configured for PTP VPN to a SonicWALL E6500.- Ubiquiti toughswitch just for the APs- 4 Ubiquiti APsThe SonicWALL E6500 (central location) does DHCP over VPN to all of the remote offices such as where this TZ-400 will be. I'm struggling with how to handle DHCP. If I set up VLANs say VLAN 10 for corporate to pull DHCP as normal and VLAN 20 for guest WIFI. How can I tell VLAN 20 to get a different range of IPs so that I can restrict from the corporate network range? The toughswitch would be using its own interface on the TZ400. Does what I'm trying to accomplish make sense and is it possible?
This topic first appeared in the Spiceworks Community

Setup:Sonicwall TZ205Created a sub-interface – X0:V100 with an IP address of10.45.1.1.Created a DHCP scope for said IP ranged associated withX0:V100 within Sonicwall.Three Netgear switches:A.24 Port + 4 SFPB.24 Port + 4 SFPC.48 Port + 4 SFP1.Sonic wall connected to switch C on port 12.Switch C connected to switch B using port 473.Switch B connected to switch C using port 234.Switch B connected to switch A using port 25 –(GB SFP over fiber)5.Switch A connected to switch B using port 25 –(GB SFP over fiber)6.Ubiquiti AP connected to switch A on port 2VLAN 1 – default·All ports on all switches are untagged fordefault VLAN 1VLAN 100 – meant for wireless guests·Ports 2 and 25 are Tagged for V100 on switch A –all other ports are blank for V100·Ports 23 and 25 are Tagged for V100 on switch B– all other ports are blank for V100·Ports 1 and 47...
This topic first appeared in the Spiceworks Community

Cisco aironet 1310G non_native vlan and dhcp

hi evrybody
i have problem with my cisco aironet 1310G
non-native vlan can not get(dynamicly)ip address from cisco aironet 1310G
this is all my configuration please can someone help me
ip dhcp excluded-address 20.20.20.20
ip dhcp excluded-address 20.0.0.0
ip dhcp excluded-address 30.0.0.0
ip dhcp excluded-address 30.30.30.30
ip dhcp excluded-address 10.0.0.0
ip dhcp excluded-address 10.0.0.10
ip dhcp excluded-address 10.1.0.0
ip dhcp excluded-address 10.1.0.10
ip dhcp pool d01
network 10.0.0.0 255.255.255.0
default-router 10.0.0.10
ip dhcp pool d02
network 20.0.0.0 255.255.255.0
default-router 20.20.20.20
ip dhcp pool d03
network 30.0.0.0 255.255.255.0
default-router 30.30.30.30
no aaa new-model
dot11 ssid vlan01
vlan 1
authentication open
dot11 ssid vlan02
vlan 2
authentication open
dot11 ssid vlan3
vlan 3
authentication open
username cisco password xxx
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
broadcast-key vlan 2 change 100
broadcast-key vlan 3 change 100
ssid vlan01
ssid vlan02
ssid vlan3
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root access-point
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
bridge-group 3 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
hold-queue 80 in
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface FastEthernet0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
interface FastEthernet0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
no bridge-group 3 source-learning
bridge-group 3 spanning-disabled
interface BVI1
ip address 10.0.0.10 255.255.255.0
no ip route-cache
interface BVI2
ip address 20.20.20.20 255.255.255.0
no ip route-cache
interface BVI3
ip address 30.30.30.30 255.255.255.0
no ip route-cache
control-plane
bridge 1 priority 9000
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 priority 10000
bridge 2 protocol ieee
bridge 3 priority 3100
bridge 3 protocol ieee
line con 0
line vty 0 4
login local
end

hi friend
i did what you sugested but it is styl not working so plz find below the show run and debug ip dhcp server in ordr to help us thanks for all your suport
ip subnet-zero
ip dhcp excluded-address 20.0.0.20
ip dhcp excluded-address 30.0.0.30
ip dhcp excluded-address 10.0.0.10
ip dhcp pool d01
network 10.0.0.0 255.255.255.0
default-router 10.0.0.10
ip dhcp pool d02
network 20.0.0.0 255.255.255.0
default-router 20.0.0.20
ip dhcp pool d03
network 30.0.0.0 255.255.255.0
default-router 30.0.0.30
aaa new-model
dot11 ssid vlan01
vlan 1
authentication open
guest-mode
dot11 ssid vlan02
vlan 2
authentication open
dot11 ssid vlan03
vlan 3
authentication open
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
broadcast-key vlan 2 change 100
broadcast-key vlan 3 change 100
ssid vlan01
ssid vlan02
ssid vlan03
station-role root access-point
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
bridge-group 3 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
hold-queue 80 in
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface FastEthernet0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
interface FastEthernet0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
no bridge-group 3 source-learning
bridge-group 3 spanning-disabled
interface BVI1
ip address 10.0.0.10 255.255.255.0
no ip route-cache
interface BVI2
ip address 20.0.0.20 255.255.255.0
no ip route-cache
interface BVI3
ip address 30.0.0.30 255.255.255.0
ip helper-address 30.0.0.0
no ip route-cache
and debug ip dhcp server {events | packets | linkage}
*Mar 1 01:06:37.054: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating
Station 0011.a304.2b65 Reason: Sending station has left the BSS
*Mar 1 01:06:40.140: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0011.a304
.2b65 Associated KEY_MGMT[NONE]

Wrvs4400n vlans/ssid/dhcp issue

Hi all,
it will be great if someone will help me with my problem.
the problem is : our wrvs4400n wifi router configuration.
network description: we need 2 separated wifi networks one for guests and one for internal access, and i configured them on router, and also configured each one of them to different vlan, guests to vlan 200 and internal use default vlan 1.
vlan 1 configured as dhcp relay and its working pritty well.
vlan 200 configured as dhcp and the problem begins here.
somehow on vlan 200 i get dhcp from our externam dhcp server,
wrvs4400n conected as follow> lan port1/vlan 200 connected to firewall port(configured as vlan 200) and lan port 4/vlan1 conected to our main switch wich connected to firewall also.
i guess that my knowlege in networking its not so good......
how can i prevent from our internal dhcp to comunicate with vlan 200 ,
any help will be very appreciated.

Hi Rich,
You cannot have different L3 VLANs sharing the same subnet.
Each VLAN must have it's own subnet and then you have a routing device routing between both VLANs.
You should have a DHCP pool also for VLAN 111 configured on the DHCP server.
Even if you have ip helper address configured and this should be done on the VLAN111 interface of the switch, you still need a DHCP pool for VLAN 111 because the DHCP discovery is coming on VLAN 111.
Please take a look into this document:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml.
Here it explains how to configure 2 ssids on 2 vlans and dhcp pool (on the switch itself) for each vlan.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Wireless VLANs and WLC

Hello,
Designing a configuration for a Wireless solution. Have a 2951 with SRE-WLC and 4 port switch module. The documentation at
http://www.cisco.com/en/US/docs/wireless/controller/controller_modules/sre/installation/guide/wlcsreinst.html#wp1072942 arised couple of questions. Exact part of diagram from documentation is attached.
The question is that VLANs configured on SRE-WLC and ones configured on local switched belong to different subnets. Why? For example on SRE-WLC VLAN 20 - 55.20.0.0/24, but on switch - VLAN 20 - 20.1.1.0/24. Why?
Thanks!

Hi George,
Today i tried implementing APs on different VLAN than MGMT. Here is what I got:
1. New out-of-box APs didnt join to WLC once placed directly to APs VLAN. However they were able to join the WLC once I put them back to MGMT Vlan. They upgraded their IOS from WLC, joined compeletely. After that I moved them back to APs VLAN and they started to join. So, here is the procedure - Open new AP from box, connect it to MGMT VLAN, wait for joining to WLC and then move them to APs VLAN. This is a little bit strange. Also I noticed that they were unable to join teh WLC even on MGMT vlan if MGMT vlan is tagged on WLC and that tagged vlan is allowed on trunk. I have WLC on SRE, MGF trunk, VLANS and DHCP pools with option 43 configured. Will continue to investigate tomorrow.
2. What was the most difficult and problematic issue is that the LED was disabled on all APs after joining the WLC. I have been thinking that there is an error but only then found that APs by default turned off LED after joining the WLC. Issuing config ap led-status enable all on wlc solved the problem.
3. Also I regularly have been receiving
%PARSER-4-BADCFG: Unexpected end of configuration file.
during the AP joining to WLC. Dont know why. My APs are LAP1041n.
ANyways, will continue digging tomorrow, hopefully will find a stable solution. My ideal solution will be:
1. WLC Management is on MGMT VLAN - tagged vlan 20, static IP assignments.
2. APs on separate AP VLAN - tagged vlan 15 - dynamic IP assignments from DHCP pool on ISR with option 43.
3. Clients are on separate USERS VLAN - tagged vlan 10
The native VLAN will be other VLAN - VLAN 25.

Dynamic VLAN assignment and DHCP

Hello
I have just upgraded our WLC from 4.0 to 7.0 (via 4.2).
Before the upgrade we had our ACS returning a VLAN based on user group. This seemed to be working without an issue. Now that the WLC is on version 7 this is no longer working correctly. The ACS is returning a VLAN and passing the user but the client can not get an IP from the DHCP server configured.
Example configuration:
SSID-----VLAN
PN-CSC-----CSCVlan: Works
PN-Others------OthersVlan: Works
PN-Others-----CSCVlan: No DHCP
When users are trying to be allocated to a vlan that is different from the native one the DHCP fails however both WLANs are configured to point to the management interface so dont have any real connection to the vlan other than by name.
Have there been any changes I haven't seen in the way the dynamic vlan allocation works in version 7?

Yes, DHCP proxy could be the culprit here. In 4.0 it was only a CLI command to enable/disable the proxy feature. In 5.2, I think, and later it is in the GUI
as well.
There is a defect filed against the behavior of the WLC DHCP funtion out there currently. If all of your DHCP is coming from external resources than you can disable proxy. If, however, you are using the WLC as DHCP server for guest access, then proxy must be enabled. If the later is true, you should contact TAC, as there is an engineering special available that has the defect resolution.
Sorry I can't provide the defect ID, my CCO account is acting up.
Cheers,
Steve
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

VLANs, IPs and DHCP

This may be a silly question but here goes:
I have to set up two VLANs that do not speak to each other but use one uplink to the internet. I know how to set up VLANs and I know how to set it up so that it does not talk to each other. However, I only have one DHCP server. Is there any way to make that server assign IP addresses to both VLANS (i.e. VLAN01 IP block 192.168.1.0 and VLAN02 IP block 192.168.2.0)?
Thank you.

Hello,
there are several options available.
First you can setup a trunk to the server, if the server NIC is capable of doing this.
Second you could use two ethernet interfaces on the server and attach it into the two VLANs. In both cases configure a matching IP address in each VLAN on the server.
Third you could use a router with an "ip helper-address " command on a VLAN subinterface to operate as DHCP proxy. In the latter case you should apply additional access-lists to prevent inter-VLAN traffic. The router could even be operated as DHCP server itself, in case this would be interesting to you.
In any case you have to configure your DHCP server to support both address ranges.
Hope this helps! Please rate all posts.
Regards, Martin

1242AG Bridge, VLAN and Multiple SSIDs

I have two buildings that I'm trying to configure a bridge in between them using 2 1242AG APs.
Building A
PCOFFICE SSID on VLAN 200 Radio G
ROOT_1 SSID on Native VLAN 1 Radio A
Root Bridge
Building B
FDAPC SSID on Native VLAN 1 Radio G
ROOT_1 SSID on Native VLAN 1 Radio A
We are using directional antenna. I know they are lined up properly because I have them both down and in front of me. I'm getting an error on the Building B AP that says "
No SSID with VLAN configured. Dot11Radio1 not started." and I'm unable to get this to work. The bridge was working before I added the VLAN and encryption/WPA information for the PCOFFICE and FDAPC SSIDs
Any assistance would be amazing. Thanks! Please see attached files for configurations. I know the switch is configured properly because I had this working before and forgot to save the damn configuration off the devices. I'm not having to do it over from scratch.

That did not work.
I've managed to fix the ROOT_1 and FDAPC... now I'm having an issue where I can attempt to connect to the PCOFFICE SSID but I'm unable to get a DHCP address from the server.
Here is the config for the AP with PCOFFICE on it and the switch.
SWITCH
interface GigabitEthernet3/2
switchport trunk allowed vlan 1,200
switchport mode trunk
interface Vlan1
ip address 192.168.3.4 255.255.255.0
interface Vlan200
ip address 192.168.30.2 255.255.255.0
ip helper-address 192.168.3.98
ip default-network 192.168.3.0
ip route 0.0.0.0 0.0.0.0 192.168.3.1
no ip http server
ACCESS POINT
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname AP1_ROOT_AP
enable secret 5 REMOVED
ip subnet-zero
no aaa new-model
dot11 vlan-name VLAN1 vlan 1
dot11 vlan-name pcCopper vlan 200
dot11 ssid PCOFFICE
   vlan 200
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 REMOVED
dot11 ssid ROOT_1
   vlan 1
   authentication open
   authentication key-management wpa
   infrastructure-ssid optional
   wpa-psk ascii 7 REMOVED
dot11 network-map
dot11 arp-cache optional
power inline negotiation prestandard source
username Cisco password 7 REMOVED
username admin privilege 15 password 7 REMOVED
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers tkip
encryption vlan 200 mode ciphers tkip
ssid PCOFFICE
speed basic-2.0 5.5 11.0 12.0 18.0 24.0 36.0 48.0 54.0
no power client local
power client 17
power local cck 17
power local ofdm 17
channel 2462
station-role root access-point
antenna receive right
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.200
encapsulation dot1Q 200
no ip route-cache
bridge-group 200
bridge-group 200 subscriber-loop-control
bridge-group 200 block-unknown-source
no bridge-group 200 source-learning
no bridge-group 200 unicast-flooding
bridge-group 200 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
encryption mode ciphers tkip
encryption vlan 1 mode ciphers tkip
ssid ROOT_1
dfs band 3 block
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
no power client local
power client 11
power local 11
channel 5180
station-role root bridge
antenna receive right
antenna transmit right
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
hold-queue 160 in
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
interface FastEthernet0.200
encapsulation dot1Q 200
no ip route-cache
bridge-group 200
bridge-group 200 spanning-disabled
interface BVI1
ip address 192.168.3.241 255.255.255.0
no ip route-cache
ip default-gateway 192.168.3.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
control-plane
bridge 1 route ip
line con 0
line vty 0 4
login local

802.1x and DHCP

we have an issue with DHCP and the guest VLAN, what basically happens is while waiting for authorisation from the Radius server the XP client gets put into the guest vlan where it leases an ip address from the Guest VLAN DHCP Server. Once the client has Been authorised it gets switched across to the secure VLAN but then does not attempt to aquire a new lease with the DHCP for the secure VLAN. I thought that the switching process would trigger The DHCP discover process again, but it seems to just sit there with the wrong ip!!
Any Views would be welcomed
thanks

Jason thanks for your reponse, we know that we have an issue with the radius timing out which is being looked into as a seperate issue , i'll try to expain the setup a little better
The guestVlan as i have called it is really our old network Vlan and is basicly for legacy pc's.We are currently rolling out a new infrastructure and pc's so 801.1x is being used to authenticate the MAC addresses of the new pc's basicaly creating a auto switching system between the old and new Vlans, as a large amount of users have notebooks this saves on port config tasks
the system is not wireless and runs on cat6500 switches.
so you can see when the users connect thier new pc or notebooks they often get serviced by the Legacy DHCP Server because of the radius taking time to authenticate causing the notebook to be placed on the legacy Vlan until the authentication is recieved.
this would not be a problem if we could get the notebook to start DHCP discovery again to obtain the correct ip once the 802.1x authentication has taken place and the pc is on the correct VLAN.
it would be good to know how the NIC of the PC sees the switch between vlans, as it seems to be transparent which is why it mantains a DHCP lease obtained before the switch over which is essentially our problem.

School me on Vlans and subnets

I am in the process of planning the design for a voip rollout. Here is the scenario. We have 1 3560-e series at our core and 2 4506-e series switches in our wiring closets(we are a small school). When I installed them a couple years ago I did not create vlans and everything is running off of the native vlan 1. What I want to do is create 1 new vlan for voice. We are small enough that I don't think it warrants going much farther than that with vlans. The problem I am running into is understanding the IP scheme.
Currently our network is 172.16.x.x with a subnet of 255.255.0.0
What I want is our data to be 172.16.2.1-172.16.3.254
and our voice to be 172.16.5.1-172.16.5.100
Can both of these be on the same subnet mask or not?

Hi Dan,
Both can have the same subnet mask but that doesn't matter in your case. Subnet mask has more to do with the size of networks or segments and obviously the system depends on how many hosts will be in each subnet, not forgetting to take in account future when sizing.
Back to your scenario, it seems you were having a flat design up to know. Know that you want to integrate voice in your lan you have to better the design by taking the following actions.
     1)Create a new VLAN for Data, give it a number name it "DATA" or whatever suits you. If your data subnet range is 172.16.2.1-172.16.3.254 (or 172.16.2.0/23) then a mask of 255.255.254.0 encompassing 172.16.2.0/24 and 172.16.3.0 will do, but that implies all your host are in the same broadcast domain. That will work but it is not a good design practice to have too many host in the same broadcast domain.
     2) Create another VLAN for Voice, name it VOICE if you want.
     3) Configure your lan swithches access ports as follows:
          3.a: access vlan = "Data vlan number"
          3.b: voice vlan = "Voice vlan number"
     Once that configuration is done, both vlans can operate simultaneously on any access port with no probl, but routing betwen the vlan has to be configured.
        For smooth ip addressing of IP Phones, you will the set up DHCP for the voice network with the appropriate required details and make sure CDP (IP Telephony systems CDP for communication) is active on your LAN switches
Good luck
HTH!

VLANs and VoIP on the same port

Hello, we want to move our VoIP system on its own vlan. We currently have everything on one big broadcast domain. I have been doing some reading and have head about Voice Vlans and switchport modes. All of our computers are connected to our ip phones so they are on the same physical line. The phones are Aastra 480i and they run on a sphericall phone system. The phones can tag the phone data with 802.1p/q. If im using static port based vlans how would i configure the ports to accepts these 2 diffrent vlans?

Hi Friends,
I have tried many a times with Avaya Ip phones and Cisco swiches and it works fine.
Actually what I think CDP is used for inline power negotation so if you dont have Cisco switches you have to use external power supply. Also now a days switches are coming which internal power supply which supoprt IEEE standard so if we have those switches we can use other vendors ip phones without external power supply.
Anoher thing I will always recommend not to configure trunk especially cause tht may result in pc getting DHCP ip adress later. I have experienced many a times this situation. When you configure switchport voice vlan command on the switch it automatically forms an internal trunk which is not displayed on the switch but internally it works.
Right now I was not able to find one cisoc doc which especially says no need for trunk if you configure switchport voice vlan command on switch.
So just 2 commands
switchport voice vlan
switchport access vlan
Works perfectly fine.
HTH
Ankur

How to synchronize between DHCP binding table and DHCP snooping table ?

I clear DHCP snooping table with command "clear ip dhcp snooping binding " , and PC can't communicate with other any more. So how to synchronize between DHCP binding table and DHCP snooping table ?
dhcp-test#sh ip dhcp bind
IP address Client-ID/ Lease expiration Type
Hardware address
99.1.65.32 0100.1125.353c.25 Mar 02 1993 01:05 AM Automatic
99.1.65.33 0100.1438.059f.85 Mar 02 1993 12:01 AM Automatic
dhcp-test#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
Total number of bindings: 0
thanks!

ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface-id expiry seconds
Add binding entries to the DHCP snooping binding database. The vlan-id range is from 1 to 4904. The seconds range is from 1 to 4294967295.
Enter the above command for each entry that you add
To delete the database agent or binding file, use the no ip dhcp snooping database interface configuration command. To reset the timeout or delay values, use the ip dhcp snooping database timeout seconds or the ip dhcp snooping database write-delay seconds global configuration command.To renew the database, use the renew ip dhcp snooping database privileged EXEC command.

IPoE BNG and DHCP on the ASR9K

Hi,
can some one tell me if this is possible.
I have a bundle Interface -using ambiguous VLANS:
interface Bundle-Ether100.1
vrf customers_1
ipv4 unnumbered lo2
ipv4 point-to-point
arp learning disable
service-policy type control subscriber UFB_DHCP
ipsubscriber ipv4 l2-connected
initiator dhcp
encapsulation ambiguous dot1q any second-dot1q any
I have two loopback interfaces:
interface lo2
vrf customers_1
ipv4 address 100.64.0.1 255.255.128.0
interface lo3
vrf customers_1
ipv4 address 200.200.200.1 255.255.254.0
I am authenticating users using option82 remote-id, and DHCP for address allocation. I want to use RADIUS to send back attributes, to set the users template, and, somehow set the dhcp giaddr so that the user gets an address from the correct pool.
ie. put the user into this template:
dynamic-template
type ipsubscriber CUSTOMER
vrf customers_1
ipv4 unnumbered Loopback3
and have them then given an address in the lo3 (200.200.200.0) range. No matter what i do the dhcp giadd remains the address of the Bundle Interface.
I have tried all sorts of radius attributes:
Cisco-AVPair = 'subscriber:service-name=CUSTOMER'
Cisco-AVPair = 'subscriber:command=activate-service'
I have tried:
Cisco-AVPair= 'ipv4:ip-unnumbers=Loopback3'
Cisco-AVPair= 'subscriber:classname=lo192' - and creating a dhcp class to set giaddr
I get a "aaa_type invalid attribute, flags 0x21"
I am at a bit of loss, and am not sure if what I am wanting to do is even possible.
though if set the template statically via an onboard policy things seem to work, and my user gets an address from the correct loopback.
any help would be appreciated.
ta.

Alexander,
thanks for your reply,
If I use
Cisco-AVPair = 'subscriber:sa=UFB_CUSTOMER' -> sets dynamic template
Cisco-AVPair += 'ipv4:ipv4-unnumbered=Loopback3' -> sets ipv4 loopback
I get the following form the RADIUS debug (showing template, and loopback understood by RADIUS)
RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]: Radius packet decryption complete with rc = 0
RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]: RADIUS: Received from id 195 202.74.33.109:1812, Access-Accept, len 121
RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]: RADIUS:   Vendor-Specific    [26]    34
RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]: RADIUS: authenticator F2 4D D3 E7 B1 E8 90 D3 - F8 77 F1 1C 28 36 E9 6C
RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]: RADIUS:   Vendor-Specific    [26]    41
RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]: RADIUS: Reply-Message       [18]    26      User authenticated - UBA
RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: pack_length = 121 radius_len = 121
RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: rad_nas_reply_to_client: Received response from id : 195,packet type 2
RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Total len = 121, Radius len = 121
RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: filter not found
RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Decoding the attribute: Vendor-Specific, aaa_type invalid attribute, flags 0x21
RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Decoding the attribute: Vendor-Specific, aaa_type invalid attribute, flags 0x21
RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: This is sub-string of the Loopback interface name
RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Loopback attribute value: Loopback3
RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Decoding the attribute: Reply-Message, aaa_type reply-message, flags 0x100
RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: Reply-Message fragments, 24
RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: , total 24 bytes
RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: RADIUS: parsing sevice 'UFB_CUSTOMER' (len 12)
RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: (rad_nas_reply_to_client) Successfully decoded the response No error: PASS
RP/0/RSP0/CPU0:Nov 28 13:33:11.479 : radiusd[1120]: (rad_nas_reply_to_client) Successfully stored the preferred server info
RP/0/RSP0/CPU0:Nov 28 13:33:11.478 : radiusd[1120]: Freeing server group transaction_id (B1000047)
output from show subscriber running:
Subscriber Label: 0xff
% No such configuration item(s)
dynamic-template
type ipsubscriber UFB_CUSTOMER
vrf customers_1
The subscriber shows up as a session:
RP/0/RSP0/CPU0:tpisp-cr02-h#show subscriber session all
Thu Nov 28 13:38:05.389 UTC
Codes: IN - Initialize, CN - Connecting, CD - Connected, AC - Activated,
       ID - Idle, DN - Disconnecting, ED - End
Type         Interface                State     Subscriber IP Addr / Prefix
                                                LNS Address (Vrf)
IP:DHCP      BE100.1.ip71             AC        100.64.0.98 (customers_1)
However..
the ip address range is from the loopback 2 address, (this is the loopback bound to the unbundled BNG interface)
My understanding is that the giaddr address should have been changed to the ip address of lo3, which is the loopback specified in the RADIUS attribute.
dhcp debug: (this is the dhcp debug that follows directly after the RADIUS debug)
RP/0/RSP0/CPU0:Nov 28 13:33:11.484 : dhcpd[1080]: DHCPD PACKET: TP1225: Process packet event, client mode: PROXY
RP/0/RSP0/CPU0:Nov 28 13:33:11.484 : dhcpd[1080]: DHCPD PROXY: TP1955: FSM called for chaddr 000c.4270.6e7c with event DPM_SUCCESS state INIT_DPM_WAIT
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD PROXY: TP1917: Process client request called for chaddr 000c.4270.6e7c
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD PACKET: TP1883: Giaddr not present, Set giaddr 100.64.0.1, chaddr 000c.4270.6e7c
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD PACKET: TP571: L3 packet TX unicast to dest 202.74.33.108, port 67, source 100.64.0.1, vrf 0x60000003 (1610612739), tbl 0xe0000012 (3758096402)
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: ---------- IPv4 DHCPD --- dhcpd_iox_l3_unicast_packet -------
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: VRF name (id): customers_1 (0x60000003)
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: L3 src: 100.64.0.1
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: L3 dst: 202.74.33.108
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: L3 dst port: 67
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: L3 input Intf: Bundle-Ether100.1
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Output Intf: Null
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: FROM: L3
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: NETWORK_ORDER
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan Info
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan EtherType 1: 0x8100
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan Priority 1: 0 (0x0)
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan Format 1: 0 (0x0)
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan ID 1: 101 (0x65)
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan EtherType 2: 0x8100
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan Priority 2: 0 (0x0)
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan Format 2: 0 (0x0)
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: metadata: Vlan ID 2: 23 (0x17)
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666:
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: op:     BOOTREQUEST
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: chaddr: 000c.4270.6e7c
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: xid:    0x303751ed
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: flags: 0x8000 (broadcast)
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: ciaddr: 0.0.0.0
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: yiaddr: 0.0.0.0
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: siaddr: 0.0.0.0
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: giaddr: 100.64.0.1
RP/0/RSP0/CPU0:Nov 28 13:33:11.485 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: cookie: 0x63825363
RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: MESSAGE_TYPE: DISCOVER
RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: PARAMETER_REQUEST data: "0x01-79-03-21-06-2a"
RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: CLIENT_IDENTIFIER data: "0x01-00-0c-42-70-6e-7c"
RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: HOST_NAME data: "MikroTik"
RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: RELAY_INFORMATION
RP/0/RSP0/CPU0:Nov 28 13:33:11.486 : dhcpd[1080]: DHCPD_PACKET: pktTx id 666: option: RELAY_INFORMATION: CIRCUIT_ID: 0x01-0f-43-48-4f-52-55-53-31-30-30-30-30-30-34-35-33
I tried changing the dynamic template to service rather than ipsubscriber, this did not make a difference. You make a reference to DHCP classname. I have defined a DHCP class, however do not know how to match or force the use of a particular class by using a RADIUS attribute.
Thanks,
Mike

Help config vlan and inter routing vlan on 2 switches SF300-24 ???

Dear Cisco!
now we have 2 switches: SF300-24
on one SF300-24 we config it at layer 3 mode with VLAN configuration same as following
VLAN ID 2 (ports: 2 -6) have ip interface 192.168.2.254/24
VLAN ID 3 (ports: 7 - 10) have ip interface 192.168.3.254/24
VLAN ID 4 (ports 11- 15 ) have ip interface 192.168.4.254/24
and VLAN 1 default have IP address: 192.168.1.200
DHCP relay - DHCP server 192.168.3.1
- DHCP relay: VLAN2; VLAN3; VLAN4
ip route: 0.0.0.0 0.0.0.0 192.168.3.1
all ports of VLAN2, VLAN3, VLAN4 set access mode.
and another SF300-24
was configed at layer 2. We config VLAN ID 2 ̣̣̣have ports 2 -6; VLAN ID 3 ports 7 -10; VLAN ID 4 port 11-15 ,too.
And we use port 26 on 2 switches SF300-24 is trunk mode then we connect both SF300-24 switches.
But on SF300-24 layer 2 cann't inderstand VLAN from Sf300-24 layer 3!!!
Could you please help me check this situation?
How to config VLAN on 2 switches SF300-24 Layer 3 and SF300-24 layer 2?
Thanks!
See you soon!

Son Nquyen,
First i would upgrade to 1.1.8 since the 1.0.0.27 was beta code.
Next when when connecting both switches together each port will need set via Trunk mode with proper native vlan and tagged vlan traffic. What's the configuration of your trunk ports on each switch?
Thanks,
Jasbryan.

VLAN and DHCP

Similar Messages

Maybe you are looking for