VLAN Mapping and Inline Probe

Similar Messages

• AP-Specific WLAN-VLAN Mapping audit

  Is there anyway to audit the access points in FC mode to determine the WLAN-VLAN mapping and if it is AP or WLAN specific?
  or
  Is there a script that I can run to make the WLAN-VLAN mappings on all FC mode APs AP-Specific?

  Thanks for the fast reply.
  Here are the screen shots:
  Settings "Flexconnect group"
  Settings "Access Point"
  Error message

• Vlan mapping cisco catalyst 3560

  Hello
  which Cisco switches support vlan mapping ?
  and did Cisco catalyst 3560 support vlan mapping or not ??
  thank u

  Thank u pdanekul
  I know 3750 support vlan mapping but with 3560 i can not see vlan mapping config
  switchport vlan mapping
  and also i can not see it in cisco Catalyst 3560 Software Configuration Guide, Release 12.2(52)SE
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swtunnel.html

• Filter Traffic using ISDM-2 Inline Mode and Inline VLAN Pairs

  Hi Everyone,
  I have a new ISDM-2 Module (Version 6.0(1)E1) and I?m thinking use Inline VLAN Pairs to bridge two vlans, in my case vlan 100 and vlan 101. Vlan 100 is the vlan used by MSFC and Vlan 101 is the vlan used by the outside of my FWSM . In this way, I think I can monitor all the traffic into and from Internet. My question is: can I choose what traffic I will analyze using this configuration ? Maybye with VACL or another way.
  Thanks in Advanced
  Andre Lomonaco

  If I understand your question correctly, I do not think you have the ability to selectively inspect the traffic with only a single pair of vlans. The IPS module is going to bridge your vlans together and you would want all traffic to go through that bridge...I don't know what mechanism you'd use to selectively direct traffic through some other bridge/route function.
  Within the IPS software you can turn off (disable AND retire) signatures that inspect traffic that you wish to ignore, the IPS will just forward the traffic through, but you don't have a fine level of granularity there.
  Scott

• Help with inline VLAN Pair and switch configuration

  Hello,
  I'm new to IPS and IDS in general, but I have an IPS-4255 and a couple of Catalyst 2900 switches to experiment with. I'm currently trying to enable an Inline VLAN Pair configuration on the IPS and have a simple setup.
  SW1 and SW2 have vlans 100 and 200 configured. PC1 and PC2 are on the same IP range (no routing). PC1 on vlan 100 connects to Sw1. PC2 on vlan 200 connects to SW2. The IPS connects to a SW2 trunking port, and SW1 and SW2 are connected together on another trunking port.
  I know that my trunking is working because PC1 and PC2 can ping each other whenever they are on the same vlan of either switch. But, they can't ping when on the separate vlans.
  From what I've read, the IPS with an Inline VLAN Pair acts as a bridge between the two vlans and should forward the traffic if it passes inspection. However, the IPS does not appear to see any traffic at all.
  My IPS is configured with inline VLAN pair 100->200 and associated to vs0.
  Have I missed something in my config somewhere? Or am I misunderstanding how inline VLAN Pairs are supposed to work?
  Below are my configs for the switches and the IPS.
  Any help would be appreciated. Thank you!
  IPS Config
  service interface
  physical-interfaces GigabitEthernet0/0
  no description
  admin-state enabled
  duplex auto
  speed auto
  alt-tcp-reset-interface interface-name GigabitEthernet0/3
  subinterface-type inline-vlan-pair
  subinterface 1
  description test
  vlan1 100
  vlan2 200
  exit
  exit
  service analysis-engine
  virtual-sensor vs0
  physical-interface GigabitEthernet0/0 subinterface-number 1
  inline-TCP-session-tracking-mode vlan-only
  exit
  exit
  SW1 and SW2 config
  interface FastEthernet0/1
  switchport access vlan 100
  interface FastEthernet0/9
  switchport access vlan 200
  interface FastEthernet0/18
  switchport trunk encapsulation dot1q
  switchport mode trunk
  interface FastEthernet0/24 (Sw 2 only)
  description IPS port
  switchport trunk encapsulation dot1q
  switchport mode trunk

  It has been awhile since I've dealt with a 2900 switch to I am just trying to guess at what may be wrong with your setup.
  I noticed that neither of your trunk port configuration are specifically stating which vlans are allowed on the trunks.
  It is possible that for the trunk between the 2 switches there may be some protocol negotiation so the switches can determine which vlans to trunk, BUT no such negotiation will happen with the sensor. If I remember right you will need to specifically state which vlans the trunk to the sensor should carry. If I remember right the commmand would be something like:
  switchport trunk allowed-vlan 100,200
  You will want to find the show command on your switch that will show you which vlans are actually being trunked by the port. It might be something like "show switchport trunk"
  And you will want to verify that the switch is actually trunking vlans 100 and 200 to your sensor.
  On your sensor you will want to execute "show interfaces" and look at the statistics for Gig0/0 to see if it is receiving packets on vlan 100 and 200.
  You can also run "packet display GigabitEthernet0/0" to see if any packets are making it to your sensor.
  You will also want to check Link status and make sure your sensor is linking up properly with your switch. A common mistake is to connect the wrong ports, as some sensors do not have the port numbers clearly marked.
  NOTE: If the above doesn't help, then take the additional step of eliminating the second switch. Attach both pcs to the same SW2 switch (1 in each vlan). The second switch isn't necessary to test the inline vlan pair functionality. Connecting both PCs to the same switch will help eliminate any possibility of misconfiguration between the 2 switches.

• CDP nei results and Flex Connect AP vlan mapping behavior

  Hi all,
      We're running controller code 7.4.100.108 and PRIME version 1.3.
      Occassionally, usually as the result of some networking event that causes flex connect AP's to lose connectivity to their controller, the flex connect AP's lose their vlan mapping configuration when they reconnect to their home controller.
      We "think" we have noticed that the cdp nei results are different for AP's that have proper vlan mappings from those that have lost their mappings.  For example, in the below example, only AP's 8213 and 8219 have lost their vlan mapping configs (all the AP's below are flex connect):
  8107   Gig 1/0/45        177           R T      AIR-LAP11 Gig 0
  8106   Gig 1/0/44        163           R T      AIR-LAP11 Gig 0
  8216   Gig 1/0/47        136           R T      AIR-LAP11 Gig 0
  8213   Gig 1/0/48        135           R T      AIR-LAP11 Gig 0.2
  8219   Gig 1/0/46        159           R T      AIR-LAP11 Gig 0.2
  8109   Gig 2/0/48        153           R T      AIR-LAP11 Gig 0
  ...and when the vlan mapping is fixed:
  8107   Gig 1/0/45        177           R T      AIR-LAP11 Gig 0
  8106   Gig 1/0/44        163           R T      AIR-LAP11 Gig 0
  8216   Gig 1/0/47        149           R T      AIR-LAP11 Gig 0
  8213   Gig 1/0/48        149           R T      AIR-LAP11 Gig 0
  8219   Gig 1/0/46        152           R T      AIR-LAP11 Gig 0
  8109   Gig 2/0/48        153           R T      AIR-LAP11 Gig 0
       I've done some reading to try to understand the details of the "Port ID" field of cdp neighbor with AP's but haven't found my answer.  I want to know what the significance of the difference between "Gig 0" and "Gig 0.2" is.
       I'm going to lab up an AP and see if I can replicate the behavior and confirm that it is related to the vlan mapping, but haven't gotten to it yet.   If anyone can point me to the nuts/bolts behind that sublte change in "Port ID" it'll help.
       By the way, I'm interested in this problem so that I can quickly identify which of my hundreds of flex connect AP's have lost their vlan mappings after a network disruptive event.  I can't find an interesting report in PRIME that will let me see it quickly.  So if a scriptable cdp nei command could identify the problem as well, that would be interesting.
       Thanks in advance for the help.

  I also have created WCS/NCS/PI templates to push the WLAN to vlan changes in the early morning just I'm case. When users start complaining, it's faster to just push out the commands to all than trying to find what AP lost its vlan setting.
  Sent from Cisco Technical Support iPhone App

• VLAN Map issue

  I have an issue with a VLAN map I am attempting to use to filter traffic. It is a flat Layer 2 LAN so all hosts are in VLAN 1. I have a number of test machines that I want to deny access to live database servers. To do this I tried the following:
  ip access-list extended testboxes
  permit ip host x.x.x.x host x.x.x.x
  vlan access-map denytest 10
  match ip address testboxes
  action drop
  vlan filter denytest vlan-list 1
  Once I apply the VLAN map I lose all connectivity to the switch. Is there something I am missing here?
  Thanks
  Ian

  Unlike regular IOS standard or extended ACLs that are configured on router interfaces only and are applied on routed packets only, VACLs apply to all packets and can be applied to any VLAN. If a VACL is configured for a certain traffic and that traffic does not match the VACL, the default action is deny. Additionally, VACLs have an implicit deny at the end of the map; a packet is denied if it does not match any ACL entry, and at least one ACL is configured for the packet type. Add an additional permit statement allowing telnet/ssh/or web traffic to the switch:
  permit tcp host X.X.X.X host X.X.X.X eq telnet
  Best Regards
  Francisco

• Problem switching from AP-specific to Group-specific VLAN mapping

  Hello.
  Some days ago, I updated our 5508 WLC to software version 7.5.102.0.
  With that version, it should be possible to have a VLAN mapping specific for a Flexconnect group that is set within Flexconnect Group settings.
  I did that for all my Flexconnect groups and it works fine with new access point.
  For existing access point, which already have an AP-specific VLAN mapping, it is not possible to switch to Group-specific.
  When I mark the WLAN in Flexconnect setting of the AP and select "Remove AP specific", I get the error message "Request failed: Vlan is not enabled on this flexconnect".
  I wonder what the problem could be, because for newly installed access points, it works fine. Did I miss some settings?
  Regards,
  Sven Lindeke

  Thanks for the fast reply.
  Here are the screen shots:
  Settings "Flexconnect group"
  Settings "Access Point"
  Error message

• Does WCCP support traffic from different VLANs(mapped to VRFs)?

  Hello,
  I have the following scenario from the WAN to the Data Center and from the WAN to the Branch:
  1. Router 2800/7200 with three (3) MPLS VRFs (VRF Lite)
  2. Switch 3750 with three (3) WAN VLANs (one for each VRF) and three (3) LAN User Traffic VLANs (one for each ASA Context) and one WAE VLAN
  3. WAE with WCCP enabled for one VLAN in the switch
  4. ASA with three (3) Contexts
  5. Three (3) Internal LANs (one for each Context)
  In summary, there are three flows of traffic which are separated along the way from Branch to Data Center. WAEs are working for one VLAN(VRF1) and WCCP is enabled at the 3750 Switch to do the redirection (not in the router). The question is: does WCCP support traffic from different VLANs (similar to inline 802.1Q) and handle all three flows separate? If so, what should the configuration be at the switch and the WAE?
  Thanks.

  The VRF awareness for 12.4(T) is still probably 8-12 months out. VRF aware WCCP features are definitely in the pipeline, but nothing has been publically published on availability timelines.
  It's now publically available on the forum... but , I've only found it on the 3750 and 3550 documentation.
  at the 3750 you will need to place the redirect statement on each of the VLANs, ip wccp 61 redirect in
  Kindly find here GRE Tunnel with VRF Configuration Example:
  http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml
  I have gotten as far as the WAE registering the router:
  "WCCP configuration for TCP Promiscuous service 61 and 62 succeeded.
  WCCP configuration for TCP Promiscuous succeeded.Please remember to
  configure WCCP service 61 and 62 on the corresponding router."
  wae01#sh wccp router
  Router Information for Service: TCP Promiscuous 61
  Routers Configured and Seeing this Wide Area Engine(1)
  Router Id Sent To Recv ID
  0.0.0.0 209.1.1.1 0000022F
  The router registers the WAE as a WCCP client:
  router04#
  "*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 61 acquired on WCCP
  client 209.1.1.2"
  "*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 62 acquired on WCCP
  client 209.1.1.2"
  The router however cannot figure out what its ID is and does not see
  itself as a WCCP group router.
  router04#sh ip wccp
  Global WCCP information:
  Router information:
  Router Identifier: -not yet determined-
  Protocol Version: 2.0
  Service Identifier: 61
  Number of Service Group Clients: 1
  Number of Service Group Routers: 0
  Total Packets s/w Redirected: 0
  Process: 0
  Fast: 0
  CEF: 0
  Redirect access-list: ACCELERATED-TRAFFIC
  Total Packets Denied Redirect: 0
  Total Packets Unassigned: 25957
  Group access-list: -none-
  Total Messages Denied to Group: 0
  Total Authentication failures: 0
  Total Bypassed Packets Received: 0
  This is a short summary of important commands for working with VRF's.
  View the VRF instances and the associated interfaces.
  ml-mr-c6-gs#show ip vrf
  Name Default RD Interfaces
  blurvrf 100:2 Vlan215
  Vlan326
  tgvrf 100:1 Vlan132
  Vlan325
  TenGigabitEthernet1/1
  ml-mr-c6-gs#
  Show the routing table for a specific VRF.
  ml-mr-c6-gs#show ip route vrf tgvrf
  Routing Table: tgvrf
  Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
  D - EIGRP, EX - EIGRP external,
  ---More--
  Gateway of last resort is 128.117.243.57 to network 0.0.0.0
  O E2 192.52.106.0/24 [110/1] via 128.117.243.57, 1d19h, Vlan325
  O E2 192.168.150.0/24 [110/160] via 128.117.243.57, 1d19h, Vlan325
  172.17.0.0/29 is subnetted, 3 subnets
  O E2 172.17.1.16 [110/0] via 128.117.243.57, 1d19h, Vlan325
  O E2 172.17.1.8 [110/1] via 128.117.243.57, 1d19h, Vlan325
  O E2 172.17.1.0 [110/1] via 128.117.243.57, 1d19h, Vlan325
  --More--
  Debugging should otherwise be similar to a regular switch or router.
  Final Teragrid VRF Design and Diagrams
  http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/final.shtml
  Teragrid Testbed Design
  http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/testbed.shtml
  Cisco 4500 Series Switch Cisco IOS s/w config guide 12.1(20)EW
  Configuring VRF-Lite
  http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/vrf.html
  sachin garg

• Flex Connect Groups - WLAN to VLAN mapping

  I have a question about configuring WLAN to VLAN mapping on FlexConnect Groups.
  Do the mappings that are configured in the FC Group get inherited by the APs when they are placed in the group?
  It seems like they do not.
  I am playing around in a lab with a virtual WLC running 7.5 and an old 1131 AP.
  If I configure the WLAN to VLAN mapping on the individual AP, it works as expected.
  If I configure the WLAN to VLAN mapping within the FC group and add the AP to the group, it does not.
  The AP does not inherit the settings from the Group.
  I am wondering how you would deploy a lot of APs without having to configure each AP individually.
  Thanks

  Yes, you are correct. It is not like normal AP groups where it will map WLAN to AP belong to that AP group.
  Anyway since you have to convert each AP manually to FlexConnect mode, you should do the WLAN mapping at that point as additional step.
  FlexConnect Group is mainly to give fast roaming feature for FC APs in brach deployment solution (typically not so many APs). Also keep in mind you can have maximum  25 APs in FlexConnect AP group for WiSM2 or 5508 & you can go upto 100 in 7500 WLC. (see table 7.3 in below link)
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob73dg/ch7_HREA.html#wp1108090
  HTH
  Rasika
  **** Pls rate all useful responses *****

• VLAN Map

  Does anyone know if VLAN Maps are supported in CAT OS? I have found that they are supported in the 3550, 4500, and 6509 running IOS but would like to know ALL of the devices they are supported in.
  Thanks for the help,
  Brian

  I don't think vlan maps are availble on Catalyst OS Switches. On Catalyst IOS Switches, the vlan access-map global configuration command is used on the switch stack or on a standalone switch to create or modify a VLAN map entry for VLAN packet filtering. This entry changes the mode to the VLAN access-map configuration. The vlan filter interface configuration command is used to apply a VLAN map to one or more VLANs.
  on Catalyst OS Switches, the set vlan mapping command is used to map 802.1Q VLANs to ISL VLANs.

• HREAP VLAN Mapping

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin-top:0cm;
  mso-para-margin-right:0cm;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0cm;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;
  mso-fareast-language:EN-US;}
  Hi,
  I've searched around to see if someone else has experienced the same issue regarding HREAP AP's losing their VLAN mappings; however I could not find any related topics.
  Scenario
  I've got a 5508 WLC running ver 7.0 with local VLANs assigned as follow:
  VLAN 241 - Data Users
  VLAN 253 - Voice Users
  The HREAP AP's (Cisco 1242AG) running at the remote branches is mapped to the following:
  VLAN 2 - Data Users
  VLAN 253 - Voice
  The Problem...
  HREAP works perfect; users get the local DHCP addresses at the branch office and have no issues with connectivity. Once and a while some of the HREAP AP's will lose the VLAN mapping I've assigned to them. In this case I've mapped VLAN 2 to the SSID for the Data Users, I will get complaints that users can't connect to the network when I go check the HREAP AP's VLAN mapping it defaulted back to VLAN 241 (the same VLAN the local AP's at head office use for the same SSID). Of course with the Voice SSID I don't have this problem as it's using the same VLAN ID as head office.
  Once I've corrected the mapping everything works perfect.
  Why...
  I just want to know why this happens, I've rebooted the AP's to see if they retain the mappings and they did. I've seen in the HREAP design deployment that it is preferred to use the same VLAN ID's of the head office where the WLC is located as for the same to the branch offices where the HREAP AP's are located.
  I can see why as this will resolve my problem, however this network was designed without the knowledge of HREAP being deployed to the remote sites and I would like to minimize change from a LAN perspective.
  Will this be my only solution by standardizing the branch office VLAN ID's the same as the head office network or should I be able to use different VLAN ID's for the branch offices?
  Thanks for your time reading this and for your input. If you know any discussion regarding this, please add the url.
  Regards
  Jurgens

  Hi,
  I'm having the same problem. And I have two WLCs (WISM) with 7.0.220 version.
  I think because of this BUG: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtw92394&from=summary
  Anyone knows how can I solve this problem?
  I Have 42 HREAP APs, and when I have some link problem on the remote Branch and the AP lose for a few seconds Connectivity to the 1º Controller its loses the VLAN Mappings (all turned to the Native VLAN).

• Hreap vlan mapping issues

  wlc 5508 code 7.0.220.0
  AIR-CAP3502E-N-K9
  ap mode: hreap
  vlan mapping native 30
  vlan ssid  x 310.
  each time that for what ever reason my access point goes down(not that my access point resets by itself, if i have to move it), the setting in the vlan mapping  resets to  whatever my native vlan is, in this case 30
  that is native vlan 30
  ssid x vlan 30
  any idea.

  it could be
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtw92394&from=summary
  but it is marked Unreproduceable.  You might try upgrading to the latest 7.2 code if you don't have 'legacy' AP.
  HTH,
  Steve
  Please remember to rate useful posts, and mark questions as answered

• IDSM-2 and inline mode

  Hello
  I have a question about IDSM-2 (in catalyst 6500) and ips 6.0.3 and inline mode. I wanted to create vlan groups, so i could have inline ips with many virtual sensors for subinterfaces (vlans range).
  I tied to:
  set trunk 5/7 1-4095 (on swith)
  set trunk 5/8 1-4095 (on swith)
  and in IDSM-2 in CLI:
  i created inline interface (using 5/7 and 5/8 ports), but after that i could not create in physical interface vlan groups. Why ?
  How can i make my IDSM-2 card working inline with many virtual sensors (policies) per different vlans ?

  i found my answer in idsm-2 document "You can mix sensing modes on IDSM-2. For example, you can configure one data port for promiscuous mode and the other data port for inline VLAN pair mode. But because IDSM-2 only has two data ports and inline mode requires the use of both data ports as a pair, you cannot mix inline mode with either of the other two modes." but something else,for doing such thing suppos that i have sig 2004 configured for inline traffic to deny attacker inline then this action doesnt make any sense for some data in passive mode and suppos that for that kind of traffic which idsm-2 is operating in passive mode i want to just send an alert. so can i use deferent VS for doing this? thanks.

• Vlan mapping lost when fail to secondary WLC

  Hello
  I have two WLCs,The primary WLC mode 5508 ,running code is 7.4.100.60, The secondary WLC mode 4402,running code is 7.0.230.0.
  When ap working on 5508 wlc,it use flexconnect mode, when ap working on 4402, it will h-reap mode
  ap mode:1242、1142.
  question:
  When ap fail to secondary WLC(4402),some ap will lost their vlan mapping information.not all of ap.  during fail over, ap will doanloading firmware.
  is there any way to solve? thanks!

  I understand. Two controllers, two different code levels. 4400 is locked in at 7.0 code and you need 7.4 for the 2600 ap.
  In your orginal post you state when aps fail over from one controller to the other you lose vlans and aps code upgrade/down grade. This is not a support deisgn. You cant properly failover betwen different code versions.
  If you want them to stop failing over and clients dont roam from aps on controler to 1 to aps on controller 2, simple remove the controllers from the shared mobility group and put the controllers in their own group.
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."