VLAN config issue

I am configuring VLANS on 2960x switches by building. We have about 15 buildings and would like to have each building be in its own VLAN. This issue I am having is that we have some devices that are static IP's and when those devices are pluged in, they do not work. Cannot ping them. For example, our maintenance department has some energy management devices that are addressed 10.20.1.x and printers are address 10.10.101.x. So when i configure vlan 55, ip address 10.55.1.2, set the switch ports to switchports access vlan 55 and plug any device with a static ip in to that switch, it doesnt work. It is possible to have these devices on the same vlan as everthing else in thier building without changing their IP address?

The 2960 is set up with all ports in vlan 55 and the link back to the 4506 is a trunk port. The 4506 port is set up the same.
4506
interface Vlan55
ip address 10.55.1.1 255.255.255.0
Port to 2960
interface GigabitEthernet2/10
switchport access vlan 55
switchport mode trunk
2960
interface Vlan55
ip address 10.55.1.3 255.255.255.0
ip helper-address 10.10.1.41 -- DHCP server
ip helper-address 10.10.11.2 -- wireless controller
port to 4506
interface GigabitEthernet1/0/52
switchport access vlan 55
switchport mode trunk
ip route 0.0.0.0 0.0.0.0 10.55.1.1
When i plug in a device with a static ip, for example, 10.20.1.250, SM 255.255.0.0, DG 10.20.1.1 it does not work. These are not PC''s . They are allen bradly controllers that are installed on equipment like air compressors and heaters so our maintenanse department can monitor everything. Theses devices will not be in every switch and have been installed way before i started working here. I set up a pc using a address in the 10.20 range and cant even ping the switch that is plugged into.

Similar Messages

Vlan config issues

I have a 6509 with a vlan 105 configure. I have also added a vlan 100. vlan 100 and 105 work for internal routing. vlan 105 workstation can get to the internet. however any vlan 100 workstation can not access the internet. A tracert from a workstation on vlan 100 stops at the 6509. attached is the 6509 config, i have included IP just because they already have changed.
any ideas? Does the port connecting to my firewall have to allow all vlan traffic? if so how do i do this.
thanks,

Hi,
Please provide more information on setup( other devices, connectivity diagram) to have a clear idea, so that we can help you.
From the config provided, i could see the following default route
ip route 0.0.0.0 0.0.0.0 10.175.105.3
What is 10.175.105.3 ? Is this your firewall / WAN router??
Also what is the need for this static route.?
ip route 10.175.100.0 255.255.255.0 10.175.105.3
10.175.100.0/24 is the subnet for vlan 100, which a directly connected network on this switch. Hence you dont need that route. Remove that route.
Finally whatever device is 10.175.105.3, please add a route in that device for vlan 100 so that traffic can reach vlan 100.
The route that you should add in 10.175.105.3 is
ip route 10.175.100.0 255.255.255.0 10.175.105.1.
Hope this helps.
-VJ

Config view for VLAN config is not supported

Hi folks,
I have the following error when I try to view the VLAN config from RME->ConfigManagement->Version Tree.
"Config view for VLAN config is not supported"
I didn't found any information over the RME and Campus documentation.
Anybody know what kind of error I'm issuing
Thanks and Regards.
Leonardo

Hi Pablo,
The VLAN.dat file cannot be used to be deployed via CiscoWorks, but it can be done manually:
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_resource_manager_essentials/4.3/user/guide/config.html#wp1311740
The problem with viewing the VLAN.dat contents in the config viewer or change audit reports is also mentioned in the link below:
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_resource_manager_essentials/4.3/user/guide/chgaud.html#wp1060886
Look for the "Details" row and there you will see the following:
VLAN configurations cannot be compared because they are in binary format. In this case, the Details link will not be available and will be shown as NA.
Hope this helps!

1250AP VLAN config

I am trying to configure VLANs on my 1250 autonomous AP. I have the sub-interfaces setup but still cannot connect to the LAN. I use 432 for my native vlan and then want to assign clients to vlan 543. Being a security guy, I do not use vlan 1, nor do I trunk vlan 1. Here's a snippet of my config, so tell me what I am missing. All interfaces are showing up-up.
Thanks.
int d0
no ip add
int d0.432
encap dot1q 432 native
bridge-group 1
int d0.543
encap dot1q 543
bridge-group 2
int g0
no ip add
int g0.432
encap dot1q 432 native
bridge-group 1
int g0.543
encap dot1q 543
bridge-group 2

I'd prefer to not post the entire config as it would take a lot of editing. :-)
Both statements are there, and there is no issue with the SSID config. I'm just trying to get a connection to my RADIUS server, which the AP cannot connect to. I am not able to ping the server from the AP, so it has something to do with the vlan config, but I don't know where. The switch where the AP is connected is trunking and allows all vlans (at this point) except for 1.
This is a head scratcher. :-)

Vlan database vs vlan config, rpr-plus...

We have Catalysts 6500's that we are migrating to native ios mode, and have noticed in the docs (http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_configuration_guide_chapter09186a00800da705.html#wp1095579) that vlan configurations made from the vlan database mode are NOT replicated throught rpr-plus.
While configuration of vlans through the global config mode isn't really a problem for future configs, we haven't found a way to easiliy convert vlan database configs to vlan-config...
Is there such a way besides clearing vlan.dat and starting over?
Also, after doing a clean config of vlans through vlan-config, there doesn't seem to be much (any?) diffrence either in the global config or the presence of the vlan.dat. Is the config supposed to look any diffrent when issued as vlan-config?
TIA

check out the following link on configuring vlans :
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008007e711.html#wp1020848

New VLAN config on Cisco router

We are in the process of rolling out VOIP with new Cisco router
configurations. When the VLAN config is changed on the router it can no
longer ping the server. The router config is setup with secondary IP info
so that we don't have to go thru the process of changing IP config on the
NW 6.5 SP 6 servers.
Has anyone seen this issue? Do I need to bind new VLAN ti IP NICs? Any
other thoughts?
Thanks for any help received,
Todd W Carter

On 6/5/2007 Todd W Carter wrote:
> We are in the process of rolling out VOIP with new Cisco router
> configurations. When the VLAN config is changed on the router it can no
> longer ping the server. The router config is setup with secondary IP info so
> that we don't have to go thru the process of changing IP config on the NW 6.5
> SP 6 servers.
>
> Has anyone seen this issue? Do I need to bind new VLAN ti IP NICs? Any other
> thoughts?
When pinging from the router, the packets will be source from its primary
ip address. If the server's subnet is part of the secondary IP address on the
router, you must use an extended ping in the router for it to work.
However, I recommend implementing router-in-a-stick instead of secondary IP
addressing when creating multiple VLANs.
On the router, you can create sub-interfaces under the LAN interface and deploy
dot1q trunking. At the switch-port, configure dot1q trunking as well and the
router
will route between VLANs while providing a better design.
This is outside of the scope of this forum so I recommend posting in the Cisco
forums at http://forum.cisco.com/eforum/servlet/NetProf?page=main
Thanks !
Edison Ortiz
(Routing & Switching, CCIE # 17943)

LMS 4: VLAN config fetch failing for all devices

LMS 4.0.1, standalone on W2K8 R2, new install
Vlan config fetch is failing for all devices. If I attempt to put a vlan.dat file in tftpboot and then manually copy a vlan.dat file from a device, the following is returned:
TFTP: error code 2 received - 16739
%Error opening tftp://server_name/vlan.dat (Permission denied)
The Windows application logs ont the server log this:
Log Name:      Application
Source:        CRMtftp
Date:          6/15/2011 2:07:49 PM
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      server_name
Description:
GetEffectiveRightsFromAcl failed: Overlapped I/O operation is in progress.
(997)
I tried restarting crmtftp, but no luck. Any ideas what may be causing this?
-Jeff

I have the same issue with a freshly installed 4.2 version now:
Log Name:      Application
Source:        CRMtftp
Date:          2/24/2012 12:30:50 PM
Event ID:      3
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      srvwienlms.nts.local
Description:
GetNamedSecurityInfo failed failed: The operation completed successfully.
(0)
I will also open a TAC case, lets see if we still have to stick with a3.x TFTP binary...
br.herwig

Solaris 10 X2100 VLAN config

What are my options for configuring a virtual interface on an x2100 server with Sol10 Because the interface shows up as the type " nge0" I am assuming
that the hardware does not support it per the info below. Is there another alternative or a software workaround ?
-john
The Solaris OS now supports VLANs on the following interface types:
ce
bge
xge
e1000g

Looks like I just had the wrong VLAN config syntax.. and miss read the documentation. this works !
bash-3.00# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
nge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 128.111.207.230 netmask ffffff00 broadcast 128.111.207.255
ether 0:e0:81:5c:d3:6
nge829000: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 4
inet 10.0.0.62 netmask ffffff00 broadcast 10.0.0.255
ether 0:e0:81:5c:d3:6

I can sync bookmarks on my Firfox for android, but folders aren't sync, i can only get bookmarks from bookmarks main folder. Is a bug or a config issue?

I can sync bookmarks in firefox for android, but only the ones that are on Bookmarks main folder, the folders create below the main folder are not synchronized. Is this a bug or a config issue?
Thanks

Thanks Barney, I tried that but all that comes up in Spotlight are the log files that show the file paths! I don't know how Steam works. Are all the files held by Steam on their server perhaps?

Cisco 5760 - Anchor config issue

Hi,
I am having an issue where the 5760 Anchor WLC has 4 Subnets but half of the VLANS need to go to a seperate gateway and the other half to another gateway.
Below image is what the network looks like:
The router (Content Filtering) is the Gateway for 4 x SSID’s/VLANs
The Firewall is the Gateway for the Management VLAN
The issue here is that we have 2 separate Gateways and there is no way to define separate gateways for each VLAN on the 5760 WLC
We have an default IP route 0.0.0.0 0.0.0.0 10.1.1.254 which is pointing to the Firewall. The firewall is not the gateway for the other 4 x SSID/VLANs that exist on the Anchor so we do not want all traffic going to the Firewall, only management traffic.
Is there a way to set different gateways for different subnets/VLANs on the 5760 WLC? Keeping in mind that there is an default route pointing to the Firewall.
Also does the 5760 WLC acts as a Layer 3 device?
Thanks

All types of deployments listed below for the Anchor configuration.
Case solution :
Wireless WebAuth and Guest Anchor Solutions
The following sections show a WebAuthentication (WebAuth) configuration and Guest Anchor examples on the CT5760.
Note For a complete webauth configuration, please download the webauth bundle from the following URL: http://software.cisco.com/download/release.html?mdfid=284397235&softwareid=282791507&
release=3.2.2&relind=AVAILABLE&rellifecycle=&reltype=latest .The readme file has all the GUI and CLI configuration for webauth.
Configure Parameter-Map Section in Global Configuration
The parameter map connection configuration mode commands allow you to define a connection- type parameter map. After you create the connection parameter map, you can configure TCP, IP, and other settings for the map.
! First section is to define our global values and the internal Virtual Address.
! This should be common across all WCM nodes.
PARAMETER-MAP TYPE WEBAUTH GLOBAL?
VIRTUAL-IP IPV4 192.0.2.1
PARAMETER-MAP TYPE WEBAUTH WEBPARALOCAL?
TYPE WEBAUTH?
BANNER TEXT ^C WEBAUTHX^C
REDIRECT ON-SUCCESS HTTP://9.12.128.50/WEBAUTH/LOGINSUCCESS.HTML
REDIRECT PORTAL IPV4 9.12.128.50
Configure Customized WebAuth Tar Packages
Transfer each file to flash:
copy tftp://10.1.10.100/WebAuth/webauth/ webauth_consent.html flash:webauth_consent.html
copy tftp://10.1.10.100/WebAuth/ webauth_success.html flash: webauth_success.html
copy tftp://10.1.10.100/WebAuth/ webauth_failure.html flash: webauth_failure.html
copy tftp://10.1.10.100/WebAuth/ webauth_expired.html flash: webauth_expired.html
Configure Parameter Pap with Custom Pages
parameter-map type webauth webparalocal
type webauth
custom-page login device flash:webauth_consent.html
custom-page success device flash:webauth_success.html
custom-page failure device flash: webauth_failure.html
custom-page login expired device flash:webauth_expired.html
Configure Parameter Map with Type Consent and Email Options
parameter-map type webauth webparalocal
type consent
consent email
custom-page login device flash:webauth_consent.html
custom-page success device flash:webauth_success.html
custom-page failure device flash:webauth_failure.html
custom-page login expired device flash:webauth_expired.html
Configure Local WebAuth Authentication
username guest password guest123
aaa new model
dot1x system-auth-control
aaa authentication login EXT_AUTH local
aaa authorization network EXT_AUTH local
aaa authorization network default local
or
aaa authentication login default local
aaa authorization network default local
Configure External Radius for WebAuth
aaa new model
dot1x system-auth-control
aaa server radius dynamic-author ?
client 10.10.200.60 server-key cisco ?server-key cisco ?
auth-type any
radius server cisco
address ipv4 10.10.200.60 auth-port 1812 acct-port 1813
key cisco
aaa group server radius cisco server name cisco
aaa authentication login EXT_AUTH group cisco
or
aaa authentication login default group cisco
Configure WLAN with WebAuth
wlan Guest-WbAuth 3 Guest-WbAuth
client vlan 100
mobility anchor 192.168.5.1
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security web-auth
security web-auth authentication-list EXT_AUTH
security web-auth parameter-map webparalocal
no shutdown
Configure HTTP Server in Global Configuration
!--- These are needed to enable Web Services in the Cisco IOS® software.
ip http server
ip http secure-server
ip http active-session-modules none
Other Configurations to be Checked or Enabled
!--- These are some global housekeeping Cisco IOS® software commands:
ip device tracking
ip dhcp snooping
SNMP Configuration
From the CT5760 console, configure the SNMP strings.
snmp---s er v er co mmuni t y p ub l i c r o
snmp---s er v er co mmuni t y p r i v a t e r w
IPv6 Configuration
IPv6 is supported on the data path. Wireless clients will be able to get an IPv6 address.
Enable IPv6 Snooping - CT5760
There are slight differences in configurations on a CT5760 when configuring IPv6. To enable IPv6 on a CT5760, the following step must be completed.
ipv6 nd raguard attach-policy testgaurd
Trusted-port
Device-role router
interface TenGigabitEthernet1/0/1
description Uplink to Core Switch
switchport trunk native vlan 200
switchport mode trunk
ipv6 nd raguard attach-policy testgaurd
ip dhcp snooping trust
Enable IPv6 on Interface - CT5760
Based on interfaces that need IPv6 configurations and the type of address needed, respective configurations are enabled as follows. IPv6 configurations are enabled on VLAN200.
vlan configuration 100 200
ipv6 nd suppress
ipv6 snooping
interface Vlan100
description Client VLAN
ip address 10.10.100.5 255.255.255.0
ip helper-address 10.10.100.1 2001:DB8:0:10::1/64
ipv6 address FEC0:20:21::1/64
ipv6 enable

Private Vlan config

I have a question regarding private Vlan config. I have a DMZ switch where I need to be able for a particuilar server to communicate to the reset of the servers on port 8686 and deny the rest of the communications between them. I have this server on a poremiscuios mode and the other servers on isolated ports.For security reason how can apply this access list? on which vlan? I am running IOS on the switch connecting these servers. Thanks for your help

the port is that the server(10.3.1.50. 255.255.0.0) that need to talk to all server is attached to:
interface GigabitEthernet1/0/18
description DZ1WEBSD001
switchport private-vlan host-association 50 51
switchport mode private-vlan promiscuous
speed 100
duplex full
no mdix auto
The subnet is 10.3.1.0 255.255.0.0
Basically the 10.3.1.50 need to talk to all servers on this subnet on port 8686 and deny evrything else
Thanks

851 Router Config Issue

Hi all,
Hopefully this will be a nice easy one for you all.
I have recently configured and installed an 851 router successfully :) I now only have one issue, the damn thing switches itself off after a period of inactivity!
If I want to use it again I have to issue a reset command then a boot command.
This takes me to the:
router>
prompt. I then have to issue a copy start run command. And then a no shut on each of my interfaces.
Obviously I would just like the router to stay up and running. But I cant work out how to do it. Im sure that this is just a simple config issue and I would dearly love for you all to solve it!
If any of you know the answer can you please provide clear an accurate commands as I will copy it parrott fashion into the router.
Thank you all in advance.
Stuart

Hello,
as spremkumar already pointed out the config register usually is set to 0x2102. You can reconfigure the register by:
Router#configute terminal
Router(config)#config-register 0x2102
Router(config)#end
Then perform a reload and check whether the config is present after the router finished booting.
Hope this helps! Please rate all posts.
Regards, Martin

When/how does VTP issue vlan config changes?

Hi,
On my VTP server switch I renamed a vlan. Does this change automatically get sent out after a set period of time or am I supposed to enter a command myself?
Thanks

According to:
http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094c52.shtml
Subset Advertisements
When you add, delete, or change a VLAN in a Catalyst, the server Catalyst where the changes were made increments the configuration revision and issues a summary advertisement, followed by one or several subset advertisements. A subset advertisement contains a list of VLAN information. If there are several VLANs, more than one subset advertisement may be required to advertise them all.

Config Issues

Hi guys,
I am having some trouble with this config. All i am looking to do is a simple reverse proxy to this one host. When the page comes up it prompts me to download a bin file.... Probe succeeds and it says its working. I would also like to redirect to /spend What am i missing?
PA-ACE-4700-SLB/Spend-Support# show run
Generating configuration....
crypto chaingroup SPEND-CHAINGROUP
cert AddTrustExternalCARoot.crt
cert COMODOHigh-AssuranceSecureServerCA.crt
access-list allow line 8 extended permit ip any any
probe tcp HTTPS_PROBE
port 443
interval 5
passdetect interval 5
receive 3
connection term forced
open 2
probe tcp TCP8005_PROBE
port 8005
interval 5
passdetect interval 5
receive 3
connection term forced
open 2
rserver host Spend
ip address 10.0.10.22
inservice
serverfarm host SPEND
probe HTTPS_PROBE
rserver Spend 443
    inservice
ssl-proxy service SPEND-SSLPROXY
key ProdKEYPAIR.PEM
cert WWW-PROD-CERT.crt
chaingroup SPEND-CHAINGROUP
class-map type http loadbalance match-any L5
2 match http url /.*
class-map match-all SPEND-CLASS
2 match virtual-address 10.0.1.110 tcp eq https
policy-map type loadbalance first-match HTTPS
class L5
    serverfarm SPEND
policy-map multi-match SPEND-SLB
class SPEND-CLASS
    loadbalance vip inservice
    loadbalance policy HTTPS
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 1000
    ssl-proxy server SPEND-SSLPROXY
interface vlan 1000
ip address 10.0.1.109 255.255.255.0
access-group input allow
nat-pool 1 10.0.1.110 10.0.1.110 netmask 255.255.255.255 pat
service-policy input SPEND-SLB
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.1.8
Thanks!
-Andy

Hey Andy what´s up?
Ok, Could you explain a little bit what seems to be the issue which you got or what you want to accomplish here?
You said, you are typing: https://10.0.1.110 and it should show the content of 10.0.10.22 but it is not or you are typing
https://10.0.1.110/spend and you expect the ACE magicly know what to do?
Could you specify a little bit?
If you are trying to do the following:
https://10.0.1.110/spend
then you may try something like:
class-map type http loadbalance match-any spend
2 match http url /spend
policy-map type loadbalance first-match HTTPS
class spend
    serverfarm SPEND
class L5
    serverfarm serverfarm-for-others
Please specify what you are looking for.
Jorge

Ip phone and pc VLAN security issue - ISE 1.0

Hello there.
We are about to implement IP phones to our current network and during testing I have found 2 issues.
1- ip phone connects to a protected port using ISE mab authentication for the data network.
The voice VLAN is set up static on the port. The pc VLAN is given by ISE profiling.
Then the issue is that once the pc connects to the VLAN it belongs to from the ip phone it leaves open that vlan on that port which means that if I connect another pc it will get the original VLAN the port had open up the connection with. This is a big security issue as computers that should not be allowed on specific VLAN can access them this way.
2- once the connection is up and running on the port for both the phone and the pc, there is re-authentication Happening every minute to ISE. The Authentication logs are getting so many messages for just one port. So once we convert from 2 ip phones to 500, that is definitely going to generate a lot of unnecessary traffic.
Let me know your thoughts...thanks
Port config info....below
interface GigabitEthernet0/2
description Extra port by Camilos Desk
switchport mode access
switchport voice vlan 220
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event fail action next-method
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
mls qos trust cos
snmp trap mac-notification change added
auto qos trust
spanning-tree portfast
end

On # 1
You have the make sure that
"authentication host-mode multi-domain" command is under each port
This will allow one voice vlan and only one PC vlan at any given time. If you disconnect a PC and connect onother PC mac address to it, the phone will reinitialize to accept or reject the new mac based on its profile.
On #2
I have not found a solution. But what I have found after deployment is that it has happend only on 2 VOIP phones, out of 70 that we have as of now. So it might to be related to ISE.
On the other hand we are not using Cisco phones but mitel. So this might be a whole issueon itself.
Hope this helps.

VLAN config issue

Similar Messages

Maybe you are looking for