Vlan IP address

Similar Messages

• CIPC Doesnt take voice vlan Ip Address

  ia have my pc (windows) connected to a 3com switch and its takes the ip address from an active directory. but to apply Voice QoS, i need that the CIPC takes an ip address from the voice vlan. placing a 7911 or 7941 in the network plug they take the voice vlan ip address. how i configure the CIPC to takes the voice vlan ip address?

  CIPC is a SW running on a PC and uses the IP address of the PC.
  You just have to configure the the IP address of the TFTP server (Callmanager running the TFTP service).
  Therefore there is no need for the phone to get a IP address from the Voice VLAN.
  Pierre.

• SF300 VLAN IP Address Issues

  I have purchased 3 SF300-48 switches to work with my Aironet AP1131AG wireless APs. I have now switched from 1 VLAN for everything to having a Guest_Wireless VLAN 200 as well as the default VLAN 1 for my Corporate_Network. The issue that I am having is that any client on my default VLAN is receiving an IP address from the Windows DHCP server without issue, but when you connect to the Guest VLAN you cannot get an IP address.
  So, I also have a Cisco 3560G Router (Default Gateway) that has the same Aironet AP1131AG AP connected to it with the same config files as the other APs and it is working perfectly. I can connect to either wireless SSID (Corp Vlan1 or Guest Vlan 200) and get the proper IP address from the DHCP server.
  I attached the diagram of the network below and was looking for help in configuring the SF300 to allow the IP address to be obtained on the Vlan 200 subnet. I also tried connecting my laptop directly into the SF300 and setting the port to access Vlan 200 and I can still not get an IP address.
  Any help would be appreciated...
  Aaron                 

  Thank you for taking the time to help me Tom, yes the 3560G has its trunks set to dot11q encap and native valn of 1. The native vlan on the SF300 is set to vlan 1 but I didn't tag vlan 200 to the trunk. I was thinking that if not listed it would pass any vlan info across a trunk and when you tagged it would only limit passing vlan info of the vlans that you specified only.
  I will definately give this a try and update this thread.
  Thanks,
  Aaron

• WLC - 4402/4 - Vlan Interface Addressing

  I currently have 7 WLCs with the same Vlan interfaces defined across all 7 controllers. Does anyone know the best practice for addressing these interfaces on each of the WLCs. I currently have each unique Vlan interface assigned with the same IP address across all 7 WLCs. This is working. Should I leave it this way or should I assign each controller with a different address for the Vlan interface?

  The controllers, assuming you have it configured as such, act as dhcp relay agents. Presumably, if the router got the wrong mac address in its arp entry, the dhcp message would be lost.
  Clients could have taken a while before getting a dhcp addr (race condition for router arp entry) and not been able to work if dhcp was required.
  That said, I've seen the controllers work with the dhcp server set to 255.255.255.255 so the ip helper addresses on the routers would pick up the requests.

• VLAN network address issue

  we are having 6500 series switch.we are able to telnet the switch with network address as well as with interface address...several vlan are created in this switch.
  now my question is that how can we telnet it with network address...
  help me out plz as soon as possible

  you cannot telnet to a network address. for example, i'm guessing you have 24 bit subnetMask which would make your network address: 192.168.16.0.
  you cannot telnet to 192.168.16.0 BECAUSE it is a network address and not a host able to respond to a telnet request.
  your detail still seems a little fuzzy though...didn't you say:
  "network address is 192.168.16.32...."
  "now i can telnet the switch with 192.168.16.32...."
  and then say:
  "how can i telnet with network address???"

• Vlan name vs interface vlan ip address

  Hello,
  What is consider for ports to be in the same Vlan subnet, is it Vlan name or the ip address given to the SVI or the subnet advertise for that vlan on a layer 3 switch.  Like for example say have 4  layer 3 switches connected where some ports on each switch are put under vlan 802. The SVI ip address for vlan 802 is different on each switch and under eigrp advertises 802 vlan svi with there subnet. Are all those ports under 802 vlan in the same subnet because the vlan name is still 802 but the svi for each 802 vlan is different subnet just the vlan name is the same.  So that mean I have 4 subnets under vlan 802 or there all act as one subnet because the vlan name is the same?
  Thanks,

  It's not really to do with the name or subnet. It really depends on how the switches are connected.
  So in general terms for any vlan if all the switches are interconnected with -
  1) access port links where each end of the link was in that vlan
  or
  2) trunk links where that vlan was allowed on that link
  or a combination of the above then that vlan would be the same L2 broadcast domain across all your switches.
  Usually it is one subnet per vlan but you can if you want use multiple subnets per vlan although if you do this generally you add secondary addressing to the one L3 SVI for that vlan and have a different SVI per switch.
  However, if your switches are interconnected with - 
  1) access port links where the access port is not that vlan
  2) trunk links but that vlan is not allowed on that link
  3) L3 routed links
  then the vlan is a different vlan per switch.
  From the sounds of what you are describing each switch has it's own vlan with it's own subnet and they are not the same vlan across all the switches.
  Usually it is a good idea if this is the case not to reuse the same vlan number on multiple switches because it just leads to confusion.
  Jon

• Vlan dhcp addresses

  Can anyone tell me how I can get my router to give out ip addresses to a particular vlan only and nothing else on my network ?

  Hi Carl,
  You need to configure your router as DHCP server and in "network" command only include the subnet address which you want for that particular vlan
  Something like this
  service dhcp
  ip dhcp pool
  network x.x.x.x x.x.x.x
  default-router x.x.x.x
  ip dhcp excluded-address
  Now make sure you include only that subnet in network command which you want for that specific vlan also make sure to exlude the address for default gateway which you have configured in default-router command.
  I hope you will comtinue to rate the post like you did in last month.
  HTH, if yes please rate the post.
  Ankur

• 4500 VLAN MAC address issue

  We are facing an issue with our 4500 switch. It is using the same MAC address for all VLAN interfaces, which is causing a problem with our service provider.
  Is there a way to disable this?
  Thanks,
  Fabián

  Fabián,
  I'm afraid that's not possible on a 4500:
  Supported Platforms for Unique MAC Address Configuration on VLAN or L3 Interfaces for Catalyst Switches
  Best regards
  Rolf

• Issues with CWLMS 3.2 RME 4.3.1 cannot fetch vlan.dat off a VSS and 4510.

  Hi,
  I am having a major headache with RME collecting the vlan.dat from a VSS and 4510, the device and credentials work fine, however when archiving the config i get partial success due to vlan failing. You can see in the IC_Services log that it attempts to TFTP the .dat file off which it fails with, i believe vlan fetch is only supported by SSH or telnet
  when you do a CDA test both devices pass on everything..

  managed to log on and please see below, tftp on one device works fine but from the 4510 or vss still fails
  GRA_CHUB_CR_01#copy cat4000_flash: tftp:
  Source filename []? vlan.dat
  Address or name of remote host []? 172.20.220.10
  Destination filename [vlan.dat]?
  %Error opening tftp://172.20.220.10/vlan.dat (Timed out)
  GRA_CHUB_CR_01#
  DAR_R002_AS_01#
  DAR_R002_AS_01#copy flash:vlan.dat tftp:
  Address or name of remote host []? 172.20.220.10
  Destination filename [vlan.dat]?
  616 bytes copied in 0.009 secs (68444 bytes/sec)
  DAR_R002_AS_01#

• SG300-10 VLAN Questions

  My apologies if this has been asked before, but I have some questions regarding the setup of my new switch and network. I have never worked with switches before, so this is quite a learning experience. The picture above describes the current layout of my network. Here is how I have tried to set it up, so far.
  VLAN 1 [Ports 1-4, Untagged, Trunk] (172.16.1.1/24)
  Workstation A (Wired)
  172.16.1.2/24
  Server B (Wired)
  172.16.1.3/24
  VLAN 2 [Ports 5-8, Untagged, Trunk] (172.16.2.1/24)
  Server C (Wired)
  172.16.2.2/24
  Server D (Wired)
  172.16.2.3/24
  Server E (Wired)
  172.16.2.4/24
  Server F (Wired)
  172.16.2.5/24
  VLAN 3 [Ports 9-10, Untagged, Trunk] (192.168.1.1/24)
  Laptop G (Wireless)
  DHCP via Router
  Laptop H (Wireless)
  DHCP via Router
  Laptop I (Wireless)
  DHCP via Router
  Wireless Router
  192.168.1.254/24
  Now, my goal is to have all 3 VLANs be able to talk to each other but also have VLAN 1 access the internet, through the wireless router. In the future I would also like Server B to be able to expose services (http & ssh) to the outside. VLAN 2 shouldn't have internet access at all. I know I can add static routes to the wireless router, if need be. All three laptops, can access the internet through the wireless router, without any problems.
  So my questions are:
  1) Is there anything inherently wrong with the design of this network? If so, what could be changed?
  2) Is VLAN 3 really necessary?
  3) What would I need to do, to get the 3 VLANs communicating with each other?
  4) What should the gateway be, to get VLAN 1 internet access?
  5) What would I need to do, to expose Server B services to the outside?
  6) What static routes do I need to add?
  Thanks in advance!
     Jer

  Hello Jeremy,
  Thank you for your interest and patience.
  You are on the right track here. However, several important changes must be made. Consider the following concepts:
  The concept of a native VLAN. The link between the router and the switch must be part of VLAN 1. Otherwise, information from the router will not be distributed correctly on the switch due to the current PVID of 3.
  The VLAN IP Interface (VLAN IP Address) identifies the subnet for the VLAN. Therefore, thinking of the switch as a router, you are correct that the default gateway for each client should be the respective VLAN interface on the switch. The switch will automatically route between directly connected IP Interfaces and their subnets.
  However, in order for your clients to get to network that the switch doesn't know about, (the internet), there must be a default route to the router.
  Additionally, in order for the router to forward information from the internet back to the VLANs on the switch, the router must know how to reach the different VLANs.
  The folloing linked figure (Fig. 1) describes an appropriate sample setup. See here.
  In this scenario, a SG300-10 is configured with 3 VLANs:
  VLAN 1 - Default VLAN, used for management - 192.168.1.x/24 - Ports 9-10 - 1U - Trunk Mode
  VLAN 2 - Servers - 192.168.2.x/24 - Ports 5-8 - 2U - Trunk Mode
  VLAN 3 - Workstations - 192.168.3.x/24 - Ports 1-4 - 3U - Trunk Mode
  VLAN 1 is used to communicate to the router. Therefore, the following default route must be added to the switch's configuration:
  ip route      0.0.0.0      0.0.0.0      192.168.1.1
  The switch will automatically build the routes between the VLANs local to the switch. Visualize Server C going togoogle.com. Its IP address is 192.168.2.2. Its default gateway should be the VLAN 2 IP Interface on the switch (192.168.2.254 in this example). Because the default route is configured, the switch will forward the internet request to the router. The router will then forward the request to your ISP out the WAN where it will eventually reach Google.
  However, when the request comes back into the router, the router must know to route it to the 192.168.2.x subnet. So, in order for this to work, routes that accomplish the following must be configured on your router:
  Subnet IP               Mask                    Gateway                                              Interface
  192.168.2.1             255.255.255.0        192.168.1.254 (SG-300 IP Interface)         LAN
  192.168.3.1             255.255.255.0        192.168.1.254 (SG-300 IP Interface)         LAN
  As you have already discovered, there are several limitation to using a router that does not support 802.1Q tagging. Chiefly, your clients will not receive either DHCP or DNS automatically from the router. To mitigate this, you can do either of the following:
  Run a DHCP server with multiple DHCP scopes on a device connected to your switch. You can then use Option 82 on the switch to route DHCP requests and DNS info between VLANs on the switch.
  Statically configure IP and DNS information. You could enter Open DNS Servers or Google's DNS servers on your clients.
  Ideally, you would want to use a router that supports 802.1Q tagging. In this figure here (Fig. 2), you can see the VLANconfiguration page for a Cisco RV180W, a very capable and affordable small business router that I highly recommend. Port 1 on the RV180W is configured as a trunk port and carries VLANs 1-3 to the switch. The clients automatically receive IP addresses and DNS information from the correct DHCP pool on the router.
  Do not hesitate to contact us. We are always happy to help.
  All the best,
  -David Aguilar
  Cisco Small Business Support Center
  1-866-606-1866

• VLAN problems with SG200-8P and Cisco ASA 5505 (Sec Plus license)

  Hi,  I've been pulling my hair out trying to get simple vlan trunking working between these devices.
  Basically, no clients on VLAN 99 (guest) will receive DHCP ip addresses when plugged into the SG200.  I have the SG200<>ASA VLAN trunk configured correctly, as I know it, and I've tried numerous variations (set trunk as general tag/untagged, etc., set the ap port to general tag/untag, etc).   Both AP's work properly when connected to the ASA e0/3 port but either will only pull the "inside" VLAN dhcp address when connected to the SG200 switch
  VLAN 1 - inside (has separate dhcp scope assigned by ASA)
  VLAN 99 - guest (has separate dhcp scope assigned by ASA)
  SG200
  purpose
  ASA 5505 (Sec Plus license)
  purpose
  g2
  Trunk 1UP,99T
  Ubiquiti AP (VLAN 1 works, VLAN 99 does not
  g3
  Access port 99T
  vlan 99 does not work
  g8
  Trunk 1UP, 99T
  < Trunk between switch and ASA >
  Int e0/2
  switchport trunk allowed vlan 1,99
   switchport trunk native vlan 1
   switchport mode trunk
  Int e0/3
  switchport trunk allowed vlan 1,99
   switchport trunk native vlan 1
   switchport mode trunk
  Second ubiquiti AP
  Both VLAN 1 and VLAN 99 clients work properly

  Frustrated - yes.  Confused - maybe not as much, but I could have put some more effort into the overall picture.
  There are two VLANs (1 - native) and (99 - guest).   There is a trunk port between the SG200 and the ASA configured as 1-untagged 99 - tagged.    
  No clients connected to the SG200 on VLAN 99  are able to access the ASA VLAN 99 using either a static VLAN IP address or DHCP.   The problem occurs whether I configure the SG200 with an access port 99-tagged or Trunk port 1UP, 99T or general port 1U, 99UP or any combination thereof.
  Anything connected to the SG200 on the native VLAN works properly.
  Anything connected to the ASA VLANs (1 or 99) works properly
  I have not yet tried to see what the switch is doing with the VLAN tags but I suspect I have some mismatch with the Linksys/Cisco SG200 way of setting up a VLAN and how traditional Cisco switches work.
  I was hoping someone with a working SG200 - Cisco ASA setup could share their port/trunk/VLAN settings or perhaps point me in the right direction.
  SG200 g2 - trunk port (1UP, 99T) -- Access Point
  SG200 g2 - access port (99U)
  SG200 g8 - trunk port (1UP, 99T)  connected to ASA5505  e0/3  
  ASA5505 e0/3  (switchport trunk allowed vlan 1,99,  switchport trunk native vlan 1,  switchport mode trunk)
  Thanks,

• 6509E with Sup720 - Show mac address

  I have seen very strange behavior. The following two commands show different outputs...
  core2#sho mac address-table dynamic | in cc04
       7  0009.0fbb.cc04   dynamic  Yes        150   Po10
  core2#sho mac address-table address 0009.0fbb.cc04
  Legend: * - primary entry
          age - seconds since last seen
          n/a - not available
    vlan   mac address     type    learn     age              ports
  ------+----------------+--------+-----+----------+--------------------------
  No entries present.
  Po10 is etherchannel to core1. The MAC address is on the core2 and should never be learned on core1. Core1 doesn't learn this MAC address at all.
  The commands are run at the same time. I repeated many times and it is the same... Any idea why?
  Thanks!
  Difan

  Hi Jon,
  Correct, I am not using VSS. However it is not standard set up. The vlan 7 is extended to many other switches. The root is actually not core1 or core2. It also passes some provider to different location as well. However like you said, all the correct ports are blocked. Please trust me on this.. If there is a loop, we will have much more serious problem... At least our CPU will hike and link will congested, right?
  I know your concern that the same packet could be somehow loopped back through core1, which makes core2 to learn the MAC on the port-channel interface to core1. However when this happens, core1 doesn't learn the MAC anywhere and on core2 some command show the MAC but not the other command...
  Also something interesting, even that MAC in the command will eventually disappear. Please note the aging time. The aging time configured on the vlan is 480 seconds. At last the MAC address is pointing to another interface like G1/1. That interface doesn't even have vlan 7 allowed on the trunk link.
  core2#sho mac address-table address 0009.0fbb.cc04
  Legend: * - primary entry
          age - seconds since last seen
          n/a - not available
    vlan   mac address     type    learn     age              ports
  ------+----------------+--------+-----+----------+--------------------------
  No entries present.
  core2#
  core2#show mac address-table | in 0009.0fbb.cc04
       7  0009.0fbb.cc04   dynamic  Yes        285   Po10
  core2#show mac address-table | in 0009.0fbb.cc04
       7  0009.0fbb.cc04   dynamic  Yes        290   Po10
  core2#show mac address-table | in 0009.0fbb.cc04
       7  0009.0fbb.cc04   dynamic  Yes        300   Po10
  core2#show mac address-table | in 0009.0fbb.cc04
       7  0009.0fbb.cc04   dynamic  Yes        305   Po10
  core2#show mac address-table | in 0009.0fbb.cc04
       7  0009.0fbb.cc04   dynamic  Yes        315   Po10
  core2#show mac address-table | in 0009.0fbb.cc04
       7  0009.0fbb.cc04   dynamic  Yes        320   Po10
  core2#show mac address-table | in 0009.0fbb.cc04
       7  0009.0fbb.cc04   dynamic  Yes        320   Po10
  core2#show mac address-table | in 0009.0fbb.cc04
       7  0009.0fbb.cc04   dynamic  Yes        330   Po10
  core2#show mac address-table | in 0009.0fbb.cc04
       7  0009.0fbb.cc04   dynamic  Yes        335   Po10
  core2#show mac address-table | in 0009.0fbb.cc04
       7  0009.0fbb.cc04   dynamic  Yes        340   Po10
  core2#show mac address-table | in 0009.0fbb.cc04
       7  0009.0fbb.cc04   dynamic  Yes        375   Po10
  core2#show mac address-table | in 0009.0fbb.cc04
       7  0009.0fbb.cc04   dynamic  Yes        405   Po10
  core2#show mac address-table | in 0009.0fbb.cc04
       7  0009.0fbb.cc04   dynamic  Yes        425   Po10
  core2#show mac address-table | in 0009.0fbb.cc04
       7  0009.0fbb.cc04   dynamic  Yes        465   Gi1/1
  core2#show mac address-table | in 0009.0fbb.cc04
       7  0009.0fbb.cc04   dynamic  Yes        480   Gi1/1
  core2#show mac address-table | in 0009.0fbb.cc04
       7  0009.0fbb.cc04   dynamic  Yes        480   Gi1/1
  core2#show mac address-table | in 0009.0fbb.cc04
  core2#show mac address-table | in 0009.0fbb.cc04
  core2#sho mac address-table address 0009.0fbb.cc04
  Legend: * - primary entry
          age - seconds since last seen
          n/a - not available
    vlan   mac address     type    learn     age              ports
  ------+----------------+--------+-----+----------+--------------------------
  No entries present.
  core2#sh int g1/1 trunk
  Port                Mode         Encapsulation  Status        Native vlan
  Gi1/1               on           802.1q         trunking      1
  Port                Vlans allowed on trunk
  Gi1/1               64,72,156,214-216,300,600
  Port                Vlans allowed and active in management domain
  Gi1/1               64,72,156,214-216,300,600
  Port                Vlans in spanning tree forwarding state and not pruned
  Gi1/1               64,72,156,214-216,300,600
  Is it a bug?
  Thanks!

• Using GRE to build site to site VLANs. my config comments

  Site A and Site B have hosts belong to the same vlan.
  I am trying t build a GRE tunnel to get these host communicate.
  So far here is what I have in mind.
  See below. IS there anything I am mixing up.
  Comments or suggestions will be highly apreciated.
  I translate Site A VLAN IP Addresses to another subnet of IP addresses which does not exist in Site B and similarly Site B IP addresses to a subnet which does not exist in Site A.I have hurriedly configured this with a very basic setup and below are the configs.
  Router R0 is connected to R1 through Serial 1/0 interfaces and the fastethernet 0/0 on both routers connects to the Local LAN. The config bits are -:
  hostname R0
  interface Tunnel0
  ip address 1.1.1.1 255.255.255.0
  ip nat outside
  tunnel source Serial1/0
  tunnel destination 192.168.1.2
  interface FastEthernet0/0
  ip address 10.1.1.2 255.255.255.0
  ip nat inside
  duplex full
  interface Serial1/0
  ip address 192.168.1.1 255.255.255.0
  ip nat inside source static 10.1.1.2 192.168.100.2 extendable
  ip route 172.16.1.0 255.255.255.0 Tunnel0
  Router R1
  hostname R1
  interface Tunnel0
  ip address 1.1.1.2 255.255.255.0
  ip nat outside
  tunnel source Serial1/0
  tunnel destination 192.168.1.1
  interface FastEthernet0/0
  ip address 10.1.1.1 255.255.255.0
  ip nat inside
  interface Serial1/0
  ip address 192.168.1.2 255.255.255.0
  ip nat inside source static 10.1.1.1 172.16.1.1 extendable
  ip route 192.168.100.0 255.255.255.0 Tunnel0
  it is clear to me that if I am on R0 and do
  R0#ping 172.16.1.1 it should be successful.
  Now what about a host behind R0 that want to reach a host behind R1 on the same vlan.
  For example if host A behind R0 and host B behind R1 are on VLAN 1 and want to communicate.
  Host A address is 10.1.1.3 and Host B address is 10.1.1.4
  If sitting at A I do ping 10.1.1.4, how will R0 know that 10.1.1.4 belongs to a host behind R1 ? Remember the NAT at R1 is changing 10.1.1.4 to another address say 172.16.1.4.
  So I am thinking a default route of
  ip 0.0.0.0 0.0.0.0 tunnel0 will be a solution
  Is there something I am mixing up or what will the disadvantage of using a static route?

  Sorry about the lack of information on sugestion 3, I was called to do some urgent work. For this I would suggest something like:-
  For R0
  ip nat inside source static network 10.1.1.0 192.168.100.0 /24 extendable
  For R1
  ip nat inside source static network 10.1.1.0 172.16.1.0 /24 extendable
  This way from site a = R0 is, you want to connect from 10.1.1.3(A) to 10.1.1.4(B) from 10.1.1.3 you would initiate a connection to 172.16.1.4. R0 would translate your source from 10.1.1.3 to 192.168.200.3 and pass the destination of 172.16.1.4 onto R1. R1 would see a destination of 172.16.1.4 and translate that source to 10.1.1.4 and your source would remain 192.168.200.3. 10.1.1.4 would respond to 192.168.200.3! This process would work the other way around also!
  HTH.

• How to verify VPLS mac-address forwarding

  I think VPLS know how to forward by mac-address. but how to verify it ?
  for example I show mac-address vlan 100. But I can not find a command to verify How mac-address is forwarding ?
  at 6509:
  PA_C76_1>sh mpls l2transport vc
  Local intf Local circuit Dest address VC ID Status
  VFI PA-LA-test VFI 203.160.227.88 100 UP
  VFI PA-LA-test VFI 203.160.227.95 100 UP
  PA_C76_1>show mac-address-table vlan 100
  Legend: * - primary entry
  age - seconds since last seen
  n/a - not available
  vlan mac address type learn age ports
  ------+----------------+--------+-----+----------+--------------------------
  * 100 000b.45b6.bc40 dynamic Yes 95 Router
  * 100 0012.d946.59c1 dynamic Yes 10 Gi4/1

  Hi,
  VPLS provides the medium to for a E-LAN, and in Cisco implementations, the MAC learning is not actually done by a VPLS instance.
  This can be best explained by an example.
  PE(SW)-A ---- PE(SW)-B
  PE(SW)-C
  Now these three PE nodes under VPLS, are only provided the medium to connect to each other using P2P PW forming a full mesh.
  For simplicity you can assume they are three switches connected in the above manner using copper. So this copper connecitivity is provided by VPLS.
  And at the end of the day the end nodes learn mac addresses using the conventional method of flooding and learning. So you wont find any VPLS specific commands to see what mac address is the VPLS instance flooding. As its only providing a medium for connectivty. And the flooding is done by the end nodes. as they treat the VPLS VC as one of the outgoing port.
  HTH-Cheers,
  Swaroop

• Query vlan in cisco ACE

  I've configured query vlan FT internface as follow:
  class-map type management match-any query_VLAN
    2 match protocol icmp any
  policy-map type management first-match query_VLAN_MGT
    class query_VLAN
      permit
  interface vlan 11
    description ##query vlan##
    ip address 192.30.3.196 255.255.255.252
    peer ip address 192.30.3.195 255.255.255.252
    access-group input ANY-ANY
    service-policy input query_VLAN_MGT
    no shutdown
  ft interface vlan 10
    ip address 192.30.3.192 255.255.255.252
    peer ip address 192.30.3.191 255.255.255.252
    no shutdown
  ft peer 1
    heartbeat interval 300
    heartbeat count 10
    ft-interface vlan 10
    query-interface vlan 11
  and when I do "sh ft peer sum" I see following:
  sh ft peer sum
  Peer Id                      : 1
  State                        : FSM_PEER_STATE_COMPATIBLE
  Maintenance mode             : MAINT_MODE_OFF
  FT Vlan                      : 10
  FT Vlan IF State             : UP
  My IP Addr                   : 192.30.3.191
  Peer IP Addr                 : 192.30.3.192
  Query Vlan                   : 11
  Query Vlan IF State          : UP, Manual validation - please ping peer
  Peer Query IP Addr           : 192.30.3.196
  Heartbeat Interval           : 300
  Heartbeat Count              : 10
  SRG Compatibility            : COMPATIBLE
  License Compatibility        : COMPATIBLE
  FT Groups                    : 5
  would you please advise why "Query Vlan IF State " is showing "Manual validation - please ping peer" do I need to configure anything else?
  Thanks....

  You don't need to configure anything further. Your config looks good.
  The query interface thing can be a bit misleading.  The ACE does not use the query interface until the FT vlan goes down. This is the reason why we added a etxt to request users to manually verify query interface is functioning properly as below :
  "Manual validation - please ping peer"
  So if you need to check if the query vlan is up, then manually ping the peer ip address. That's what the message means.
  - Andrew