VLAN and Networking

Similar Messages

• VLAN and Networking and Virtual NIC

  HI,
  I have installed Oracle VM 3.2.2, the problem we are getting is when we change the VLAN network for the VM guest OS (OEL 5.5) from Oracle VM Server. the changes doesn't effect. I have shutdown the guest OS and remove the virtual network interface and need to add a new NIC with different MAC to modify the VLAN.
  e.g.
  there are two VLAN (segment 10 and 20) 192.168.10.0/24 and 192.168.20.0/24. defined in Oracle VM Server and assigned to all physical hosts.
  if I assign segment 10 initially to the guest OS it works fine, but If we want to modify the segment it needs to remove the virtual NIC and have to add a different NIC with different MAC address to fix the issue.
  Need to change the vlan segment without removing the NIC/MAC.

  I don't think you can do this in rc.conf because you can't have colons (:) in bash variable names I don't believe...
  You can just add it to rc.local like:
  ip a a x.x.x.x/yy dev eth0
  Replace x.x.x.x/yy with the appropriate IP address and CIDR mask.

• Deploying vlan and limiting traffic from not reaching network core

  Folks:
  I am reading CCNP Switch 642-813 official Certification Guide (isbn=978-1-58720-243-8) and I’m a little confused as to the following on page.71 –
  “You should not allow VLANs to extend beyond the Layer 2 domain of the distribution switch. In other words, the VLAN should not reach across the network’s core and into another switch block. The idea again is to keep broadcasts and unnecessary traffic movement out of the core block”.
  Can anyone offer a different way of stating this or offer a picture or a diagram? I am having a hard time visualizing what this is trying to say – is this refereeing to two different switch blocks/stacks on either side of a switch core if I were to the draw the topology flat?
  Thanks
  JJ

  JJ
  This is referring to the 3 tier design where you have a separate access layer/distribution layer and core layer.
  So imagine a campus where you have multiple buildings and a main site. All the other buildings connect to the main site and to get from one building to another they go via the main site.
  The main site would have a pair of core switches and a pair of distribution switches + access layer switches. The other buildings would have a distribution pair of switches and access layer switches. Each buildings distribution switches would connect back to the core switches usually with L3 links. In the past you used L2 links but with L3 switching you now generally route, or more precisely, L3 switch through the core.
  What that extract from your book is saying is that each building has it's own vlans and they are routed on the distribution switches in each building. Only traffic destined for a vlan or more specifically a subnet that is not within the building should be sent to the core switches which then route them to the correct place.
  What you shouldn't do is have a vlan in a building that also extends to the core and possibly to other buildings. This is because a vlan is a broadcast domain so a broadcast in a vlan would be sent to all hosts in that vlan. So if you allow a vlan to extend through the core you are allowing broadcasts from one building to go through the core to other buildings.
  The core switches should be left to L3 switch traffic between buildings and pretty much nothing else.
  There is usually no need to extend vlans to or across the core  ie. each set of vlans is terminated on the distribution switches so broadcasts are contained within each building or again more specifically within each vlan within the building.
  One other thing to note is that if you have a single building with maybe just a WAN connection the 3 tier design is not necessarily the best way to go and a common solution is a collapsed core where the core and dsitribution switches are the same physical switches. It saves on cost and within a single building there is often very little need for a high speed core.
  I have used the terms route and L3 switch interchangeabley here but technically all L3 capable switches route in hardware so to be precise it is L3 switching.
  Finally the above about a single building setup does not refer to a DC where the rules are somewhat different.
  Hope that helps and i haven't confused you more.
  Feel free to ask further if needed.
  Jon

• What's the easiest way to create a new VLAN and then move all existing devices to it?

  One of our locations was implemented using VLAN1 as the main (native) VLAN. My goal is to create a new sub-interface on the router and then move all the existing switches (all Layer 2) into the new VLAN, without disrupting the network (and remotely). I am trying to determine the best way to proceed. Thanks.

  I wanted to shed a little more light on the situation. The "new" VLAN has actually been in existence since the network was initially setup. The network runs VTP and the new VLAN already has an interface on the router and already shows up on all the switches when you do a "sh vlan" command. We have about 10 VLANs in all. In reality, I am simply trying to migrate about 8 switches from VLAN1 (which they never should have been on) to the new VLAN. I know that I need to create an interface for the new VLAN on each of the switches and then swap the management IP to that interface. If I could connectly directly into each switch via the console port, this would be a simple task. However, the switches are in extremely remote locations with special circumstances, thus I have no physical access to them. This fact has me a little reluctant to making the changes, as we can't afford any mistakes that would potentially cause network downtime. I am looking for some guidance on exactly the steps to take to achieve my goal. Let's call the new vlan, VLAN2. During testing, I logged into a local switch that was on VLAN1 (that's where it had it's management address). It did have VLAN2-VLAN10 as well, via VTP. I created an interface for VLAN3 on the switch and then accessed it via VLAN3 to swap the main management interface from VLAN1 to VLAN2. The changes took, but I couldn't access it via VLAN2. I am assuming this is because the router still has VLAN1 listed as the native vlan and the VLAN2 IP address is still assigned to VLAN1 on the router. What would be the best way for me to make the required changes on the 8 switches that need swapped, without losing remote access? It wouldn't hurt if the network went down for 5 minutes or less, but we can't have a big outage. Thanks.

• NEED HELP PLEASE Setting up 2 VLANS and a redundant WAN connection

  I have a remote branch office which is actually a huge bar/lounge. The bar wants to enable patrons to access the Internet with their wireless laptops. I want to prevent those patrons from accessing our private network, and also prevent them from traversing our static VPN tunnel back to HQ.
  The bar processes all credit cards via the T1 connection, and this has caused us to lose money every time the T1 goes down while we're open, since there is no WAN redundancy right now.
  Here is my current hardware configuration:
  1) one PIX 501 50-user 3des.
  2.) two Dell 3024
  3.) one Aironet 1100(g) AP.
  Current LAN Network: 10.35.35.0
  (internal employees only, static VPN tunneled to remote HQ network)
  Current Wireless SSID's:
  SSID1=PRIVATESSID
  SSID2=PUBLICSSID (not currently in use, waiting to figure this out)
  Current WAN: one T1 connection.
  WHAT I WOULD LIKE TO DO AND NEED HELP FIGURING OUT:
  #1a) I want to create two separate VLAN's that are able to share the WAN connection, but not be able to "see" each other.
  #1b) These VLAN's would be mapped to their respective SSID's on the AP (PRIVATESSID>10.35.35.0 and PUBLICSSID>192.168.1.0).
  #1c) The 192.168.1.0 network should not be able to traverse the static tunnel between the branch site and HQ.
  #2) I would like to install a backup WAN connection such as a modem 56k dial-up to an ISP or a cable modem to an ISP. In case the primary T1 goes down, I would like the router to automatically dial out over the modem conection and route all Internet bound traffic over that backup WAN connection, until the primary comes back online.
  Question 1:
  I'm assuming I need a router to do the intervlan routing. Could this router also do the on-demand WAN backup dialing to an ISP via analog modem?
  What IOS version and flavor (IP base, IP+, etc.) would I need? What is the cheapest router I can do all that with (i.e. 2620/2621/1720/3600 series)? What WIC's or NM's would I need?
  Question Two:
  I would like to prioritize PRIVATESSID's traffic over PUBLICSSID's traffic, which I know I can do on the access point. Can I do this on the router so that any 10.35.35.0 traffic takes priority over any 192.168.1.0 traffic?
  Question Three
  If the primary T1 WAN connection goes down, I don't want the router to re-route the 192.168.1.0 traffic over the backup 56k dial-up WAN connection. That traffic can wait until the T1 comes back up.
  Any help you can provide would be very much appreciated.

  Assuming your access points can place SSID into separate vlans and support 802.1q trunks then I can attempt to answer your questions. There are seperate secuity issues with both SSID for protection and VLANs for seperation but in your case in may be minimal.
  q1
  Any cisco router that will run 802.1q trunking will work. Since you are looking at older routers you will need IP+ to get it. Even 2610's will support 802.1q on their 10m ethernet at the correct code level but 10m and 802.1q is sorta nonstandard. Since your backup is only 56k you can use the internal modem port as a dial backup. A wic-2a/s will also work if you prefer not to use the modem port. You will need some wic to run your t1 line. If you are planning to leave the t1 on another router it makes the next 2 questions much harder.
  q2
  This is fairly simple and depends on your ios level. "priority queing" is supported on even the older software. I assume you do not control the far end of the t1 line since it sounds as if this goes to a ISP.
  You will need to have them do the QoS since most issues with the internet are inbound and not outbound. You can only control outbound traffic.
  q3
  If the T1 is on the same router then this is fairly simple. You can just put a floating static default route in that will cause the dialer to come up if the the t1 goes down. There is no easy way to protect against the line being up but no traffic passing. This is also why it would be best to have the t1 on the same router. If its not you will need to get very creative to solve this. You could build a GRE tunnel to a remote location and montior the tunnel or run a routing protcol over the tunnel. In the newest software you could use SAA and policy routing to force the traffic over the dialer but the router must support ios 12.4.
  3a. You mentioned a cable modem as a backup. That can be much easier sometimes since it is all routing and no dialer interfaces with nasty modem issues. This does not make the issue of the t1 not on the same router easier.

• Setting Up VLAN and QoS for VOIP on SG200-18

  We recently purchased the SG200-18 smart switch to replace a Netgear unmanaged switch. We're moving our phone service to VOIP through our local ISP as well. 
  I've currently got the VOIP phone plugged into Port 17 on the SG200-18 (it's a Grandstream cordless VOIP phone).
  I want to put the VOIP phone on a separate VLAN from the rest of the network and optimize the QoS settings so that the VOIP phone has exceptional audio quality even during intense network traffic.
  Here's my questions:
  1. Do I need to adjust anything on the type of port for Port 17 (since it looks like some form of Combo port)?
  2. How do I go about isolating the VOIP phone on it's own VLAN (I'm seeing VLAN and Voice VLAN settings, not sure which one to use; I tried setting a VLAN and broke Internet connectivity to the phone until I went in and removed it)?
  3. Do I need to adjust any QoS settings on the switch to better optimize the VOIP phone?
  A couple of additional questions about the GS200-18 in general:
  1. Do I need to adjust any of the System Time Settings on the switch? I'm in Central Time.
  2. Do I need to adjust any of the Green Ethernet/Energy Saving settings or should I stick with the defaults?
  Also, a couple of "getting started" side questions to Cisco:
  1. I've registered a My Cisco account. What do I need to do to register my switch with Cisco and associate it with my My Cisco account?
  2. What are the benefits of taking out a Cisco Small Business Support Contract, and about how much would it cost on the SG200-18 (I ordered it from Provantage)? I'm curious to see if it's worth the money.
  Here's my "specs":
  Switch: SG200-18
  VOIP phone: Grandstream DP715 and 710 expandable handsets
  Plugged into: Port 17 on the SG200-18
  ISP: Local ISP (Direclynx)
  Connection type: 3M down/500k up DSL, moving to a wireless connection coming up which will give us faster speeds
  VOIP backend provider: VOIP Innovations
  Router: Apple Airport Extreme AC model (I run all Macs and iOS devices and OS X Server on the network, so using the Apple router makes setup easier, since it doesn't QoS, trying to QoS and VLAN at the switch level)
  Thanks everyone!

  Hello,
  Lots of different questions here so I'll try to make sure I don't miss anything.
  1. Do I need to adjust anything on the type of port for Port 17 (since it looks like some form of Combo port)?
     The way the combo ports work is you can either use the SFP slot for a fiber connection or the copper ethernet port, but not both at the same time.  Other then that they just function as normal network ports.
  2. How do I go about isolating the VOIP phone on it's own VLAN (I'm seeing VLAN and Voice VLAN settings, not sure which one to use; I tried setting a VLAN and broke Internet connectivity to the phone until I went in and removed it)?
     It sounds like you created the VLAN correctly and assigned the phone, however there wasn't anything doing any routing for that VLAN.  You would need to have a VLAN capable router or a layer 3 switch so that something would act as the default gateway for the voice VLAN and route the traffic for you.  Since there was nothing like this your phone lost it's connectivity to the internet when you placed it in the new VLAN.  I don't think the Airport is VLAN capable, but we will come back to that.
  3. Do I need to adjust any QoS settings on the switch to better optimize the VOIP phone?
     Once you have a seperate VLAN setup for the phone properly you only have to tell the switch what your Auto Voice VLAN is going to be and it will automatically apply recommended QoS settings for the Voice VLAN and prioritize the voice traffic.  There are ways to do this manually and even with the phone in the same VLAN however the are considerably more complicated.
  1. Do I need to adjust any of the System Time Settings on the switch? I'm in Central Time.
     The system time isn't always very important.  You can set the correct time zone, however you should know the switch does not have a battery in it to keep track of time, so if/when it reboots or loses power the clock will reset.  If you would like the switch to maintain accurate time you should setup an NTP server so the time is automatically updated from the internet.  The switch will keep your timezone settings once you save them.  Time is mostly important for logging and things like that, so you can configure it if you like but it is not necessary.
  2. Do I need to adjust any of the Green Ethernet/Energy Saving settings or should I stick with the defaults?
     Green ethernet simply reduces the power usage of the switch slightly, so unless you are having odd issues where ports are disconnecting, I would just leave them at the defaults.
  1. I've registered a My Cisco account. What do I need to do to register my switch with Cisco and associate it with my My Cisco account?
     There isn't really a way to associate your Small Business devices with your Cisco account.  If you ever call in for technical support we will use your Cisco account and your serial number to create a support case, but even then they aren't linked together.  If you decide to buy a support contract, that will be linked to your switch's S/N and your Cisco ID, so in a way that would associate them together.  Devices being associated with Cisco accounts is something more common with Enterprise equipment, and mainly has to do with technical support cases.
  2. What are the benefits of taking out a Cisco Small Business Support Contract, and about how much would it cost on the SG200-18 (I ordered it from Provantage)? I'm curious to see if it's worth the money.
     There are a few advantages to a Support Contact.  Your switch comes with a Limited Lifetime warranty that includes 1 year of technical support and return to factory hardware.  With a service contract you get 3 years of technical support and next business day Advanced Replacement of the switch if it need to be replaced.  I just did a quick google search, and it looks like a contract (part #CON-SBS-SVC2) costs about $50.
  So there are a few other things to consider however.
  As a frame of reference the average VOIP call uses about 64 - 128 kbps max.
  Since you don't have a VLAN capable router or a layer 3 switch, a separate voice VLAN may not be an option.   You also mention that the Apple Airport does not do QoS, meaning we will only be prioritizing the voice traffic while it is on the switch.  When it is passed off to the Airport to be routed out to the internet all of the QoS settings will be lost, and normal network traffic will get the same priority as voice, since that is all up to the Airport.
  With one phone the hassle of getting more equipment and setting up advanced QoS isn't really worth it, especially if the link to the internet isn't going to be participating in QoS.
  One last thing I wanted to mention is you are switching to a wireless internet connection.  I would ask them how their latency and jitter is, as these two network statistics greatly effect voice quality, and usually wireless performs worse when it comes to voice traffic.
  I hope this information helps, if you have any more questions just let me know.
  Thank you for choosing Cisco,
  Christopher Ebert - Network Support Engineer 
  Cisco Small Business Support Center

• Oracle RAC Interconnect, PowerVM VLANs, and the Limit of 20

  Hello,
  Our company has a requirement to build a multitude of Oracle RAC clusters on AIX using Power VM on 770s and 795 hardware.
  We presently have 802.1q trunking configured on our Virtual I/O Servers, and have currently consumed 12 of 20 allowed VLANs for a virtual ethernet adapter. We have read the Oracle RAC FAQ on Oracle Metalink and it seems to otherwise discourage the use of sharing these interconnect VLANs between different clusters. This puts us in a scalability bind; IBM limits VLANs to 20 and Oracle says there is a one-to-one relationship between VLANs and subnets and RAC clusters. We must assume we have a fixed number of network interfaces available and that we absolutely have to leverage virtualized network hardware in order to build these environments. "add more network adapters to VIO" isn't an acceptable solution for us.
  Does anyone know if Oracle can afford any flexibility which would allow us to host multiple Oracle RAC interconnects on the same 802.1q trunk VLAN? We will independently guarantee the bandwidth, latency, and redundancy requirements are met for proper Oracle RAC performance, however we don't want a design "flaw" to cause us supportability issues in the future.
  We'd like it very much if we could have a bunch of two-node clusters all sharing the same private interconnect. For example:
  Cluster 1, node 1: 192.168.16.2 / 255.255.255.0 / VLAN 16
  Cluster 1, node 2: 192.168.16.3 / 255.255.255.0 / VLAN 16
  Cluster 2, node 1: 192.168.16.4 / 255.255.255.0 / VLAN 16
  Cluster 2, node 2: 192.168.16.5 / 255.255.255.0 / VLAN 16
  Cluster 3, node 1: 192.168.16.6 / 255.255.255.0 / VLAN 16
  Cluster 3, node 2: 192.168.16.7 / 255.255.255.0 / VLAN 16
  Cluster 4, node 1: 192.168.16.8 / 255.255.255.0 / VLAN 16
  Cluster 4, node 2: 192.168.16.9 / 255.255.255.0 / VLAN 16
  etc.
  Whereas the concern is that Oracle Corp will only support us if we do this:
  Cluster 1, node 1: 192.168.16.2 / 255.255.255.0 / VLAN 16
  Cluster 1, node 2: 192.168.16.3 / 255.255.255.0 / VLAN 16
  Cluster 2, node 1: 192.168.17.2 / 255.255.255.0 / VLAN 17
  Cluster 2, node 2: 192.168.17.3 / 255.255.255.0 / VLAN 17
  Cluster 3, node 1: 192.168.18.2 / 255.255.255.0 / VLAN 18
  Cluster 3, node 2: 192.168.18.3 / 255.255.255.0 / VLAN 18
  Cluster 4, node 1: 192.168.19.2 / 255.255.255.0 / VLAN 19
  Cluster 4, node 2: 192.168.19.3 / 255.255.255.0 / VLAN 19
  Which eats one VLAN per RAC cluster.

  Thank you for your answer!!
  I think I roughly understand the argument behind a 2-node RAC and a 3-node or greater RAC. We, unfortunately, were provided with two physical pieces of hardware to virtualize to support production (and two more to support non-production) and as a result we really have no place to host a third RAC node without placing it within the same "failure domain" (I hate that term) as one of the other nodes.
  My role is primarily as a system engineer, and, generally speaking, our main goals are eliminating single points of failure. We may be misusing 2-node RACs to eliminate single points of failure since it seems to violate the real intentions behind RAC, which is used more appropriately to scale wide to many nodes. Unfortunately, we've scaled out to only two nodes, and opted to scale these two nodes up, making them huge with many CPUs and lots of memory.
  Other options, notably the active-passive failover cluster we have in HACMP or PowerHA on the AIX / IBM Power platform is unattractive as the standby node drives no resources yet must consume CPU and memory resources so that it is prepared for a failover of the primary node. We use HACMP / PowerHA with Oracle and it works nice, however Oracle RAC, even in a two-node configuration, drives load on both nodes unlike with an active-passive clustering technology.
  All that aside, I am posing the question to both IBM, our Oracle DBAs (whom will ask Oracle Support). Typically the answers we get vary widely depending on the experience and skill level of the support personnel we get on both the Oracle and IBM sides... so on a suggestion from a colleague (Hi Kevin!) I posted here. I'm concerned that the answer from Oracle Support will unthinkingly be "you can't do that, my script says to tell you the absolute most rigid interpretation of the support document" while all the time the same document talks of the use of NFS and/or iSCSI storage eye roll
  We have a massive deployment of Oracle EBS and honestly the interconnect doesn't even touch 100mbit speeds even though the configuration has been checked multiple times by Oracle and IBM and with the knowledge that Oracle EBS is supposed to heavily leverage RAC. I haven't met a single person who doesn't look at our environment and suggest jumbo frames. It's a joke at this point... comments like "OMG YOU DON'T HAVE JUMBO FRAMES" and/or "OMG YOU'RE NOT USING INFINIBAND WHATTA NOOB" are commonplace when new DBAs are hired. I maintain that the utilization numbers don't support this.
  I can tell you that we have 8Gb fiber channel storage and 10Gb network connectivity. I would probably assume that there were a bottleneck in the storage infrastructure first. But alas, I digress.
  Mainly I'm looking for a real-world answer to this question. Aside from violating every last recommendation and making oracle support folk gently weep at the suggestion, are there any issues with sharing interconnects between RAC environments that will prevent it's functionality and/or reduce it's stability?
  We have rapid spanning tree configured, as far as I know, and our network folks have tuned the timers razor thin. We have Nexus 5k and Nexus 7k network infrastructure. The typical issues you'd fine with standard spanning tree really don't affect us because our network people are just that damn good.

• Oracle VM 3.1.1, Oracle VM Server, PeopleSoft Templates and networking

  I have installed Oracle VM Manager on an Oracle Linux x86_64 system, all freshly installed, and two Oracle VM Server 6 systems also freshly installed. These three servers are each connected to two networks. One is a 192.168.15.0/24 ("net-A"), and the other is 10.8.15.0/24 ("net-B"). net-B also has the fileserver for the repositories et al directly attached. "net-A" is connected to the outside world. This is all working great; all servers can intercommunicate, can be reached from other devices on each network, et cetera. I can ssh from any machine on the network to these machines, and vice versa. All servers correctly use the internal and the external DNS, and can communicate with Google, et cetera. Excellent!
  Now, I have downloaded the templates for PeopleSoft HCM9.1, and PeopleSoft PeopleTools 8.52, and have successfully created Virtual Machines from these. The VMs start up and run successfully, and I have gone through the startup configuration prompts using the Oracle VM "Launch Console" feature.
  My problem is that I have not yet figured out how Oracle VM Networking is supposed to work, and so I cannot get these machines to talk to each other nor to the outside world. And I cannot ping them from other devices on the network, either. Obviously, there's no advantage to having a PeopleSoft server running when one cannot attach to it. I've read through the documentation numerous times, and I've pored through http://itnewscast.com/chapter-7-oracle-vm-networking-8021q document over and over, but I get lost in the virtual-upon-virtual-upon-virtual world. Maybe (probably) it's me, but I am not getting how this fits together, and where/how the virtual-ness of the network ends. Plus, all of the configurations in that itnewscast.com Chapter 7 article involve at least one switch (virtual maybe? not clear!) between the VMM and the VMS, and I don't have a switch invoved in this network... it's flat, with everything on the same wire.
  My Oracle VM network is super simple at present: There is exactly one network ("ps-net"), and it runs all five network channels (server management, live migrate, storage, etc.). Both servers are on this network, and the NIC used is the "net-B" NIC. There is no VLAN, and the IP addresses are set by DHCP. Bonding, the configuration display says, is Not applicable. Since these devices are on the same NIC as "net-B," I provided the 10.8.15.x network information when prompted, and assigned them fixed IP addresses on that network. For "gateway," I specified the address of the VMM, not knowing what else to use. And, as I said, these VM don't talk to anything, not even to each other.
  My needs are very simple. The shame is I've built all this up for the express purpose of running those two templates, and it's been a battle, to say the least, to get this far. Who can point me to the error of my ways, or a better way to accomplish this end?
  Thanks for your time, and for reading this far!

  OK. Out of desire to resolve this, I have completely removed the 192.* network from this configuration, by disconnecting the eth0 networks, and changing the ifcfg-eth0 to ONBOOT=no (yes, I know either action should suffice).
  So there is exactly one network involved now. (Greg King said that's OK, if scalability is not an issue, and if he said it, I believe it. I'll complicate it later, after I get simple working.) And one VMS is out of the configuration for now. So I have ora-vmm at 10.8.15.49 ora-vms1 at 10.8.15.47, and the fileserver at 10.8.15.50. ora-vms2 is at 10.8.15.48, but is down for now. The server pool address is set to 10.8.15.1. The network looks like this:
  ID: 10.8.15.0
  Name: ps-net1
  Channels: all
  Servers: ora-vms1, ora-vms2
  Selected paths: ora-vms1 Port (2) (eth1), ora-vms2 Port (2) (eth1)
  VLAN Group: None
  VLAN Segment: None
  Configure IP Address: ora-vms1 Port (2) (eth1) Use DHCP 10.8.15.47 255.255.255.0 Bonding: N/A
  Configure IP Address: ora-vms2 Port (2) (eth1) Use DHCP 10.8.15.48 255.255.255.0 Bonding: N/A
  ifconfig from ora-vmm
  eth1 Link encap:Ethernet HWaddr 00:0C:29:38:92:7E
  inet addr:10.8.15.49 Bcast:10.8.15.255 Mask:255.255.255.0
  inet6 addr: fe80::20c:29ff:fe38:927e/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
  RX packets:3516 errors:0 dropped:0 overruns:0 frame:0
  TX packets:3186 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:1520847 (1.4 MiB) TX bytes:383384 (374.3 KiB)
  eth2 Link encap:Ethernet HWaddr 00:0C:29:38:92:88
  inet addr:10.8.16.1 Bcast:10.8.16.255 Mask:255.255.255.0
  inet6 addr: fe80::20c:29ff:fe38:9288/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:0 (0.0 b) TX bytes:830 (830.0 b)
  lo Link encap:Local Loopback
  inet addr:127.0.0.1 Mask:255.0.0.0
  inet6 addr: ::1/128 Scope:Host
  UP LOOPBACK RUNNING MTU:16436 Metric:1
  RX packets:136683 errors:0 dropped:0 overruns:0 frame:0
  TX packets:136683 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:30853824 (29.4 MiB) TX bytes:30853824 (29.4 MiB)
  ifconfig from ora-vms1
  10.8.15.0 Link encap:Ethernet HWaddr 00:0C:29:D5:97:F1
  inet addr:10.8.15.47 Bcast:10.8.15.255 Mask:255.255.255.0
  UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
  RX packets:21463 errors:0 dropped:1 overruns:0 frame:0
  TX packets:23017 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:10033833 (9.5 MiB) TX bytes:12175262 (11.6 MiB)
  10.8.15.0:0 Link encap:Ethernet HWaddr 00:0C:29:D5:97:F1
  inet addr:10.8.15.1 Bcast:10.8.15.255 Mask:255.255.255.0
  UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
  eth1 Link encap:Ethernet HWaddr 00:0C:29:D5:97:F1
  UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
  RX packets:47343 errors:0 dropped:0 overruns:0 frame:0
  TX packets:48885 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:23261224 (22.1 MiB) TX bytes:22212168 (21.1 MiB)
  lo Link encap:Local Loopback
  inet addr:127.0.0.1 Mask:255.0.0.0
  UP LOOPBACK RUNNING MTU:16436 Metric:1
  RX packets:5858 errors:0 dropped:0 overruns:0 frame:0
  TX packets:5858 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:2749072 (2.6 MiB) TX bytes:2749072 (2.6 MiB)
  I don't understand why, but the VMM has placed this entry into each server's /etc/sysconfig/network-scripts directory:
  ifcfg-10.8.15.0
  Contents are:
  #This file was dynamically created by OVM manager. Please Do not edit
  DEVICE=10.8.15.0
  TYPE=Bridge
  BOOTPROTO=dhcp
  ONBOOT=yes
  DELAY=0
  I am able to start the guest with no issue. It has been configured with IP address 10.8.15.101, netmask 255.255.255.0. Its gateway is 10.8.15.50, the same network configuration as all the other servers.
  The important parts of ifconfig output from the guest (which I must manually type since Launch Console provides no copy/paste functionality) are:
  eth0 Ethernet, HW Addr: 00:21:f6:00:00:11
  inet addr: 10.8.15.101 Bcast: 10.8.15.255 Mask: 255.255.255.0
  inet6 ...
  UP BROADCAST RUNNING MULTICAST ...
  RX Packets: 11 errors:0 dropped:0 overruns:0 frame:0
  TX Packets: 101 errors:0 dropped:0 overruns:0 carrier:0
  RX bytes:620 (620.0 b) TX bytes:10592 (10.3 KiB)
  Interrupt:14
  Ping to 10.8.15.47 (the server on which this guest is running) is successful
  All other ping attempts fail.
  This is where I am, and why I'm confused. Can anyone help me understand why this guest can only talk to its "host?"
  Thank you.

• 1242AG Bridge, VLAN and Multiple SSIDs

  I have two buildings that I'm trying to configure a bridge in between them using 2 1242AG APs.
  Building A
  PCOFFICE SSID on VLAN 200 Radio G
  ROOT_1 SSID on Native VLAN 1 Radio A
  Root Bridge
  Building B
  FDAPC SSID on Native VLAN 1 Radio G
  ROOT_1 SSID on Native VLAN 1 Radio A
  We are using directional antenna.  I know they are lined up properly because I have them both down and in front of me.  I'm getting an error on the Building B AP that says "
  No SSID with VLAN configured. Dot11Radio1 not started." and I'm unable to get this to work.  The bridge was working before I added the VLAN and encryption/WPA information for the PCOFFICE and FDAPC SSIDs
  Any assistance would be amazing.  Thanks!  Please see attached files for configurations.  I know the switch is configured properly because I had this working before and forgot to save the damn configuration off the devices.  I'm not having to do it over from scratch.

  That did not work.
  I've managed to fix the ROOT_1 and FDAPC... now I'm having an issue where I can attempt to connect to the PCOFFICE SSID but I'm unable to get a DHCP address from the server.
  Here is the config for the AP with PCOFFICE on it and the switch.
  SWITCH
  interface GigabitEthernet3/2
  switchport trunk allowed vlan 1,200
  switchport mode trunk
  interface Vlan1
  ip address 192.168.3.4 255.255.255.0
  interface Vlan200
  ip address 192.168.30.2 255.255.255.0
  ip helper-address 192.168.3.98
  ip default-network 192.168.3.0
  ip route 0.0.0.0 0.0.0.0 192.168.3.1
  no ip http server
  ACCESS POINT
  version 12.3
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname AP1_ROOT_AP
  enable secret 5 REMOVED
  ip subnet-zero
  no aaa new-model
  dot11 vlan-name VLAN1 vlan 1
  dot11 vlan-name pcCopper vlan 200
  dot11 ssid PCOFFICE
     vlan 200
     authentication open
     authentication key-management wpa
     guest-mode
     wpa-psk ascii 7 REMOVED
  dot11 ssid ROOT_1
     vlan 1
     authentication open
     authentication key-management wpa
     infrastructure-ssid optional
     wpa-psk ascii 7 REMOVED
  dot11 network-map
  dot11 arp-cache optional
  power inline negotiation prestandard source
  username Cisco password 7 REMOVED
  username admin privilege 15 password 7 REMOVED
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption mode ciphers tkip
  encryption vlan 200 mode ciphers tkip
  ssid PCOFFICE
  speed basic-2.0 5.5 11.0 12.0 18.0 24.0 36.0 48.0 54.0
  no power client local
  power client 17
  power local cck 17
  power local ofdm 17
  channel 2462
  station-role root access-point
  antenna receive right
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 port-protected
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  interface Dot11Radio0.200
  encapsulation dot1Q 200
  no ip route-cache
  bridge-group 200
  bridge-group 200 subscriber-loop-control
  bridge-group 200 block-unknown-source
  no bridge-group 200 source-learning
  no bridge-group 200 unicast-flooding
  bridge-group 200 spanning-disabled
  interface Dot11Radio1
  no ip address
  no ip route-cache
  encryption mode ciphers tkip
  encryption vlan 1 mode ciphers tkip
  ssid ROOT_1
  dfs band 3 block
  speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
  no power client local
  power client 11
  power local 11
  channel 5180
  station-role root bridge
  antenna receive right
  antenna transmit right
  interface Dot11Radio1.1
  encapsulation dot1Q 1 native
  no ip route-cache
  bridge-group 1
  bridge-group 1 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  hold-queue 160 in
  interface FastEthernet0.1
  encapsulation dot1Q 1 native
  no ip route-cache
  bridge-group 1
  bridge-group 1 spanning-disabled
  interface FastEthernet0.200
  encapsulation dot1Q 200
  no ip route-cache
  bridge-group 200
  bridge-group 200 spanning-disabled
  interface BVI1
  ip address 192.168.3.241 255.255.255.0
  no ip route-cache
  ip default-gateway 192.168.3.1
  ip http server
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  control-plane
  bridge 1 route ip
  line con 0
  line vty 0 4
  login local

• How to setup vlans and routing between them

  Hey guys
  I am onboard a vessel where I have a Cisco 1921 router with intergrated 8-port dwitch. I have no experince what so ever with Cisco, onlye knowledge about netwrok in general.
  What I need to do is to create 3 VLANs wit different networks and thier own gateways internally( no external routers, no external switches), and I want client in all networks to be able to communicate qith each other:
  Vlan 2:
  192.168.0.0
  Default Gateway: 192.168.0.1
  Network Mask: 255.255.255.0
  Vlan 3:
  192.168.1.0
  Default Gateway: 192.168.1.1
  Network Mask: 255.255.255.0
  Vlan 4:
  192.168.2.0
  Default Gateway: 192.168.2.1
  Network Mask: 255.255.255.0
  As mentioned abode, I need clients from each VLAN to be able to communicate with each other. Se drawing

  Disclaimer
  The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.
  Liability Disclaimer
  In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.
  Posting
  It might be as simple as defining VLAN interfaces for your 3 VLANs, and they assigning the ports to one of the 3 VLANs.

• School me on Vlans and subnets

  I am in the process of planning the design for a voip rollout.  Here is the scenario.  We have 1 3560-e series at our core and 2 4506-e series switches in our wiring closets(we are a small school).  When I installed them a couple years ago I did not create vlans and everything is running off of the native vlan 1.  What I want to do is create 1 new vlan for voice.  We are small enough that I don't think it warrants going much farther than that with vlans.  The problem I am running into is understanding the IP scheme.
  Currently our network is 172.16.x.x with a subnet of 255.255.0.0
  What I want is our data to be 172.16.2.1-172.16.3.254
  and our voice to be 172.16.5.1-172.16.5.100
  Can both of these be on the same subnet mask or not?

  Hi Dan,
  Both can have the same subnet mask but that doesn't matter in your case. Subnet mask has more to do with the size of networks or segments and obviously the system depends on how many hosts will be in each subnet, not forgetting to take in account future when sizing.
  Back to your scenario, it seems you were having a flat design up to know. Know that you want to integrate voice in your lan you have to better the design by taking the following actions.
       1)Create a  new VLAN for Data, give it a number name it "DATA" or whatever suits you. If your data subnet range is 172.16.2.1-172.16.3.254 (or 172.16.2.0/23) then a mask of 255.255.254.0 encompassing 172.16.2.0/24 and 172.16.3.0 will do, but that implies all your host are in the same broadcast domain. That will work but it is not a good design practice to have too many host in the same broadcast domain.
       2) Create another VLAN for Voice, name it VOICE if you want.
       3) Configure your lan swithches access ports as follows:
            3.a: access vlan =  "Data vlan number"
            3.b: voice vlan =  "Voice vlan number"
       Once that configuration is done, both vlans can operate simultaneously on any access port with no probl, but routing betwen the vlan has to be configured.
          For smooth ip addressing of IP Phones, you will the set up DHCP for the voice network with the appropriate required details and make sure CDP (IP Telephony systems CDP for communication) is active on your LAN switches
  Good luck
  HTH!

• Video conferencing, voice, VLAN and Catalyst 2950, 3500 and 6500 switches

  We have a Cat6500 with MSFC in the COre/Distribution, mix of 2950 and 3524XL in the closets in the HQ. Every closet will be on one VLAN. There are 5 remote sites on a Frame with 768 CIR. There will be one Polycom VC station in the HQ per closet, one Polycom per remote site. Additionally, every PC everywhere will be using desktop NetMeeting for VC. CallManager and IP Phones will be everywhere. My questions are:
  1. should I put the Polycom on the same VLAN as the PC's with COS set to 4 at layer 2 and IP Precedence set to 4 at layer3? IP Phones are already on a seperate voice VLAN .
  2. Should I put Polycom on it's own VLAN and seperate from the PC VLANs? If I do it this way should I set COS and IP precedence for the PC's with NetMeeting?
  3. any sample config. for the Catalyst switches?
  Thanks!
  Chris

  Chris,
  Check out this IP telephony design guide. Hope it is of some help to you:
  http://www.cisco.com/univercd/cc/td/doc/product/voice/ip_tele/network/

• Vlans and trunks etc

  Can someone please tell me the main reason for having a vlan and server/clients setup, why do we need this setup, Please give simple explanation.
  thanks
  Carl

  The main reasons to break networks down into VLAN's is Security and to minimise broadcasts. With Security I mean the ability to block or restrict access between networks with the use of ACL's, firewalls etc. The general rule of thumb when deploying networks is /23 subnets (500 or so hosts) for IP-only networks and /24 subnets (250 hosts) when using multiprotocol. This way you reduce the broadcast domain and so can contain the amount of broadcasts within the each VLAN.
  The general practise now is also to deploy 2 unique VLAN's per access switch (1 Voice & 1 Data). This prevents the need to span VLAN's across multiple Access Layer switches and minimises the STP sizes and subsequently any STP issues from spanning network-wide. Designing your network this way also makes troubleshooting and understanding issues easier as you generally have very strict data paths between hosts; no trying to overlay your STP network over your Layer-3 network to see the logical & physical paths.
  I would also disagree with the previous post regarding VTP. Yes it does simply the creation of VLAN's in a large Layer-2 campus environment, but the Layer-2 environment is what we are trying to move away from. Using VTP Transparent or disabling VTP promotes better practise amongst your IT staff and prevents any VTP mishaps that are always network-wide.
  HTH
  Andy

• Setting up wireless Cisco Access Points independently and network layout

  Hello,
  I am technician in a school. I have been asked to upgrade wireless system in school. Currently I am using VDSL2 30Mbps line. I am using E4200 Router, which is providing internet services. The school has 3 floors. On one floor I have this router which is further attached with 16 port gigabit unmanageable switch. The same router is providing wireless service on the same floor using Class C ip address. From the switch I have extended a cable and took it on to another (second floor), where I have got one more gigabit switch. From that switch I have connected one router using different subnet and further i have attached two access points for the entire floor, which is working ok. From the same switch I have extended one more cable up to third floor where I have connected one more access point. So, 3 access points on three floors, 2 switches and two router. This is the current network layout.
  Now school have decided to go over to fiber. ISP is going to put Juniper router and going to create vlan and will configure access restrictions. School will have 100Mbps unlimited up and download speed. Its because of increase in number of students. School is still waiting for the router and configuration to be done.
  I have got 4 cisco 1602i access points (AIR-SAP1602I-Z-K9). These access points are POE supported. I have got one 8 port POE switch also. When I got these 4 cisco I didnt get power adapters with them. First I want to ask, is this normal. Don't they usually come with power adapter. I know they are POE, but cisco doesn't send them with power adapters.
  Second I want to ask, if these access points can work independent without WLAN controller. Or do i have to have WLAN controller.
  As fiber is not up yet so, for the time being I have connected these access points with POE switch using Cat5E cable and then further connected the POE switch with normal gigabit switch, which is further conneted with router at this point.
  Please tell me if I am doing it correctely. I will also be needing help with the configuration.
  Can anyone tell me how to setup these access points independently for current situation to provide internet access. How to set them on different channels etc......
  Also want to know if there is any software that can detect access points and can help me manage these access points.
  I shall be thankful.
  Sarab

  DUPLICATE POST
  Sent from Cisco Technical Support iPhone App

• Auth VLAN and Access vlan

  When the interface comes up, the CAM puts the user in the AUTH vlan as expected via the set command (vlan 210)
  03:09:09: SNMP: Packet received via UDP from 172.31.200.200 on Vlan220
  03:09:09: SNMP: Set request, reqid 2144479366, errstat 0, erridx 0
  vmVlan.1 = 210
  that works OK
  Fa0/21, Fa0/22, Fa0/23
  210 VLAN0210 active Fa0/1
  211 VLAN0211 active
  So SNMP RW works OK,
  After the user logs in to the network the user should be put back into vlan 220 (according to the port profile settings) but nothig happens, no set command send, no SNMP traffic at all. The user remains in AUTH vlan and the agent loops
  I have tried all the settings, role based, initial VLAN as well, to no avail.
  Any ideas? What to check for?
  Rafal

  Have you double checked your settings for mapping ports with the VG setup guide?
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_addSrvr.html#wp1089247
  Also make sure your OOB port profile is correct and that it switches from auth to access vlan after authentication
  http://www.exio.com/en/US/docs/security/nac/appliance/configuration_guide/411/cam/m_oob.html#wp1083087