Vlan name vs interface vlan ip address
Hello,
What is considered for ports to be in the same VLAN subnet: is it the VLAN name, the IP address given to the SVI, or the subnet advertised for that VLAN on a layer 3 switch? For example, say I have 4 layer 3 switches connected, where some ports on each switch are put under vlan 802. The SVI IP address for vlan 802 is different on each switch, and under EIGRP each advertises the vlan 802 SVI with its subnet. Are all those ports under vlan 802 in the same subnet because the vlan name is still 802, even though the SVI for each vlan 802 is a different subnet and just the vlan name is the same? So does that mean I have 4 subnets under vlan 802, or do they all act as one subnet because the vlan name is the same?
Thanks,
It's not really to do with the name or subnet. It really depends on how the switches are connected.
So in general terms for any vlan if all the switches are interconnected with -
1) access port links where each end of the link was in that vlan
or
2) trunk links where that vlan was allowed on that link
or a combination of the above then that vlan would be the same L2 broadcast domain across all your switches.
Usually it is one subnet per vlan but you can if you want use multiple subnets per vlan although if you do this generally you add secondary addressing to the one L3 SVI for that vlan and have a different SVI per switch.
However, if your switches are interconnected with -
1) access port links where the access port is not that vlan
2) trunk links but that vlan is not allowed on that link
3) L3 routed links
then the vlan is a different vlan per switch.
From the sounds of what you are describing each switch has its own vlan with its own subnet and they are not the same vlan across all the switches.
Usually it is a good idea if this is the case not to reuse the same vlan number on multiple switches because it just leads to confusion.
Jon
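The link-type rule in the answer above can be checked mechanically. The following is an added example, not part of the original thread; it generalizes the four-switch case to any mix of access, trunk and routed links, and the switch names, link layouts and SVI addresses are constructed for illustration.

```python
"""Added example: compute the L2 broadcast domains of one VLAN across switches."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Link:
    a: str                                   # switch at one end
    b: str                                   # switch at the other end
    kind: str                                # "access", "trunk" or "routed"
    access_vlans: Tuple[int, int] = (0, 0)   # access VLAN at end a and at end b
    allowed: FrozenSet[int] = frozenset()    # VLANs allowed on a trunk

    def carries(self, vlan: int) -> bool:
        """True if this link extends `vlan` at layer 2 between its two switches."""
        if self.kind == "access":
            # Rule 1 in the answer: both ends of the link must be in the VLAN.
            return self.access_vlans == (vlan, vlan)
        if self.kind == "trunk":
            # Rule 2 in the answer: the VLAN must be allowed on the trunk.
            return vlan in self.allowed
        if self.kind == "routed":
            # L3 routed links never extend a VLAN.
            return False
        raise ValueError(f"unknown link kind: {self.kind}")


def broadcast_domains(switches: List[str], links: List[Link], vlan: int) -> List[List[str]]:
    """Group switches into L2 domains for `vlan` using union-find over the links."""
    parent = {s: s for s in switches}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]    # path halving
            x = parent[x]
        return x

    for link in links:
        if link.carries(vlan):
            parent[find(link.a)] = find(link.b)

    groups: Dict[str, List[str]] = {}
    for s in switches:
        groups.setdefault(find(s), []).append(s)
    return sorted(sorted(g) for g in groups.values())


def subnets_per_domain(domains: List[List[str]], svis: Dict[str, str]) -> List[List[str]]:
    """For each domain, the distinct SVI subnets configured by its member switches."""
    return [
        sorted({str(ipaddress.ip_interface(svis[s]).network) for s in dom if s in svis})
        for dom in domains
    ]


# Constructed sample data: four L3 switches, each with an SVI for VLAN 802.
SWITCHES = ["SW1", "SW2", "SW3", "SW4"]
SVIS = {"SW1": "10.80.1.1/24", "SW2": "10.80.2.1/24",
        "SW3": "10.80.3.1/24", "SW4": "10.80.4.1/24"}

# Case A: switches joined by L3 routed links (what the question appears to describe).
ROUTED = [Link("SW1", "SW2", "routed"), Link("SW2", "SW3", "routed"),
          Link("SW3", "SW4", "routed")]

# Case B: switches joined by trunks that allow VLAN 802.
TRUNKED = [Link("SW1", "SW2", "trunk", allowed=frozenset({802})),
           Link("SW2", "SW3", "trunk", allowed=frozenset({802})),
           Link("SW3", "SW4", "trunk", allowed=frozenset({802}))]

# Case C: a trunk that does not allow 802 splits the VLAN in two.
MIXED = [Link("SW1", "SW2", "trunk", allowed=frozenset({802})),
         Link("SW2", "SW3", "trunk", allowed=frozenset({10})),
         Link("SW3", "SW4", "access", access_vlans=(802, 802))]

if __name__ == "__main__":
    for label, links in (("routed", ROUTED), ("trunked", TRUNKED), ("mixed", MIXED)):
        domains = broadcast_domains(SWITCHES, links, 802)
        print(label, domains, subnets_per_domain(domains, SVIS))
```

In the trunked case the output shows four SVI subnets inside a single broadcast domain, which is the situation where hosts in "different subnets" still share every broadcast and cannot be treated as isolated from each other.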
Similar Messages
-
Unknown interface vlan on fwsm
I've done the following on the MSFC:
firewall module 2 vlan-group 1
firewall vlan-group 1 100,200,300
interface Vlan100
no ip address
interface Vlan200
no ip address
shutdown
interface Vlan300
no ip address
shutdown
BUT WHEN I DO THE FF ON THE FWSM
int vlan 300
I get the following
FWSM# conf t
FWSM(config)# int vlan 300
Unknown interface vlan.
the fwsm is not recognizing my vlan. what is missing?
thanks
Hi
Have you created the vlans at Layer 2 ie. if you do a "sh vlan" on the 6500 do you see your vlans ?
You do not create layer 2 vlans by entering
int vlan300
no ip address
shutdown.
If you want vlan 300 to be firewalled then please
1) remove the "interface vlan 300" from the 6500 ie.
6500(config)# no interface vlan 300
2) Add the vlan at layer 2 on the 6500 ie.
6500(config)# vlan 300
6500(config-vlan)# name vlan300
Do this for all vlans you want to firewall.
Jon -
Interface vlan does not up!
Hi all,
I created a vlan followed by an interface vlan, but the interface vlan does not come up.
I'm using RSP7600 Adv IP Service with ES20 line card. Please help.
Thanks a million!
Hello,
A SVI interface for a VLAN X will be up/up if there is an access port alive in the VLAN X on the switch, or if there is a trunk port alive on the switch on which the VLAN X is allowed. Are these requirements met in your particular case?
Best regards,
Peter -
WLC 5508 , AP client dhcp address different from WLAN interface VLAN subnet?
Hope the title makes sense, here's my situation: I have multiple businesses on 1 WLC 5508, there's a LAG to my core switch with separate interfaces for each, broken up by vlans.
My question is: if I have a WLAN set up to use interface "Company A" which is vlan 10 with an IP of 10.0.1.5 which then points to 10.0.1.10 for DHCP.
Can the WLAN client connecting to the Company A WLAN use an IP in a different IP range (192.168.1.10)? Can the WLC route? From the perspective of the DHCP server, where does the request come from (10.0.1.5)?
Can the DHCP server 10.0.10.10 on vlan 10 respond back with an IP on a different subnet to assign to the client to use and still be fully functioning? Would the default gateway for the client need to be 10.0.1.5? So the client's IP would be 192.168.1.10 /24 with a gateway of 10.0.1.5 (IP address of the vlan 10 interface on the WLC). And if multiple clients on the same subnet wanted to talk to each other, would the WLC know how to route them to each other without passing through the default gateway?
Sorry if this is confusing, I'm having a bit of a hard time explaining it in words; I can try and draw something up if it makes more sense.
thanks
Eric
I think if you want these clients to stick to a WLAN configured on a VLAN that has a different IP addressing you could configure your VLAN with the normal IP addressing then add on the SVI the 2nd IP_Class_default_gateway.
E.G.
Vlan 10
interface vlan 10
ip address 10.0.10.1 255.255.255.0
ip address 192.168.1.1 255.255.255.0 secondary
Clients that receive IP address from 192.168.1.0/24 network will be able to reach 192.168.1.1 and all traffic will pass right. -
Guest VLAN unable to get DHCP IP address from Anchor Controller
Hello everybody,
In our test set up, we have two WLC 5508 Controllers connected via Checkpoint UTM-1 firewall Inside and DMZ Interfaces. Both the WLC controllers are connected to the firewall via Cisco 3750 switch. On the Local (Inside) Controller, guest SSID is enabled and attached to the wireless management Interface. On the remote anchor controller, guest SSID is enabled and attached to the Management Interface as well. The following configs are replicated on both the Controllers.
SSID Name - guest
Interface - Management ( VLAN 10 on Local and VLAN 20 on remote) -
Mobility Group: Same configs at both ends
SSID Anchor : Anchor SSID on local and local SSID on Anchor.
AP: CAPWAP 3502 Management Subnet
SSID Security etc all defaults and matching on both ends
Checkpoint Firewall Rules: Allowed 16666-7, IP 97 etc on the firewall
Checkpoint Inside/DMZ to Outside(Internet) is NAT enabled.
EoIP Tunnel Status: Up, UP - Both ends
Mping - OK
eping - OK
WLC Software Version on Local - 7.0.98.0
WLC Software Version on Local - 7.0.116.0
DHCP Scope: Definitions on Anchor Controller and Guest Anchor SSID points to the Anchor management IP as the Primary DHCP server.
Management IP Subnet on Local: 10.x.x.x
Management IP Subnet on Anchor: 172.x.x.x
The problem definition as follows:
When guest SSID associates to the local AP, the guest SSID never gets a DHCP address assigned from the Anchor Controller and the following debugs are obtained.
1. WLAN ID 1 (for Guest SSID Number) delete message appears in the Controller message logs, but the SSID does not DHCP from the local Management Subnet and i can see DHCP request via the tunnel to the Anchor WLC as follows:
DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 0, port 13, encap 0xec03)
*DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP xid: 0x49c54774 (1237665652), secs: 42, flags: 0
*DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP chaddr: 64:b9:e8:33:2d:13
*DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Feb 24 17:20:46.612: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to EoIP tunnel
2. Similar debugs on the Anchor controller yields the following results;
Cisco Controller) >*DHCP Socket Task: Feb 25 04:30:25.488: 64:b9:e8:33:2d:13 DHCP options end, len 72, actual 64
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP xid: 0x49c54778 (1237665656), secs: 52, flags: 0
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP chaddr: 64:b9:e8:33:2d:13
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 04:36:44.246: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP received op BOOTREQUEST (1) (len 308,vlan 20, port 1, encap 0xec05)
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP processing DHCP DISCOVER (1)
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP xid: 0x49c54778 (1237665656), secs: 61, flags: 0
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP chaddr: 64:b9:e8:33:2d:13
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0
*DHCP Socket Task: Feb 25 04:36:53.208: 64:b9:e8:33:2d:13 DHCP successfully bridged packet to DS
*apfOrphanSocketTask: Feb 25 04:37:49.931: 34:51:c9:59:b1:c7 Invalid MSCB state: ipAddr=169.254.254.148, regType=2, Dhcp required!
Is there anything missing in the wireless configs and/or the firewall rules, as I could not see a DHCP request back from the Anchor Controller? Also, after DHCP is obtained, the web authentication request will be redirected to an Amigopod device for authentication. In this case is the redirect URL configuration to be performed only on the Anchor Controller or is this to be replicated on both the Local and Anchor Controllers?
Thanks and Regards.
The DHCP issue is resolved if external DHCP server is configured on a 3750 switch connected to the WLC and the default gateway for DHCP points to the Firewall, which is in the data path between the Inside and Anchor Controllers. DHCP is essentially bridged (no Proxy setting now) from the EoIP tunnel to the Distribution system network. We will test this solution on pilot production and then consider upgrading to 7.0.116.0, as there are about six offices running 7.0.98.0, which will need to be upgraded.
For L3 security, configuration is set up on both the controllers for external captive portal redirection. I will try this only on the Anchor and revert.
Thanks again very much for all your help. -
Interface Vlan is not installed in routing table
Dear All,
Today I faced a strange problem and I want to share it with you to find what is the problem ?
we have a VRF for one customer and we use interface vlan to define customer's branch.
The customer interface is VLAN 422 and it is defined under customer VRF probably .
PE#sh running-config vrf V3056:RIYADHBANK
Building configuration...
Current configuration : 1321 bytes
ip vrf V3056:RIYADHBANK
rd 65000:3887
maximum routes 1400 80
route-target export 65000:5405
route-target import 65000:5405
route-target import 65000:5406
interface Vlan422
description By *****
ip vrf forwarding V3056:RIYADHBANK
ip address 172.29.12.97 255.255.255.252
service-policy input 2M_IN
PE#sh vlan id 422
VLAN Name Status Ports
422 422 active Gi3/0/11 efp_id 422
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
422 enet 100422 1500 - - - - - 0 0
Remote SPAN VLAN
Disabled
Primary Secondary Type Ports
PE#
we can see the interface vlan is up
PE-L3Agg-Khu-107-2#sh int vlan 422 description
Interface Status Protocol Description
Vl422 up up ****
PE#
and we can see the vlan 422 belongs to the correct VRF
PE#sh vrf V3056:RIYADHBANK
Name Default RD Protocols Interfaces
V3056:RIYADHBANK 65000:3887 ipv4 Vl627
Vl775
Vl422
PE#
when we tried to troubleshoot the customer routing we found :
PE-L3Agg-Khu-107-2#ping vrf V3056:RIYADHBANK 172.29.12.97
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.29.12.97, timeout is 2 seconds:
Success rate is 0 percent (0/5)
PE-#
we could not ping the ip address of interface vlan 422.
PE#sh ip route vrf V3056:RIYADHBANK 172.29.12.97
Routing Table: V3056:RIYADHBANK
% Subnet not in table
PE#
PE#show ip route vrf V3056:RIYADHBANK connected
Routing Table: V3056:RIYADHBANK
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 192.168.111.16 to network 0.0.0.0
172.29.0.0/16 is variably subnetted, 338 subnets, 2 masks
C 172.29.12.44/30 is directly connected, Vlan627
L 172.29.12.45/32 is directly connected, Vlan627
PE-L3Agg-Khu-107-2#
PE-L3Agg-Khu-107-2#
My question is: Why the interface vlan 422 is not installed in VRF Table as it is UP ??
thanks in advance!
Rashed Wardi.
What platform is this? Can you please paste the output of show version and show run?
Also when you tested this was int Gi3/0/11 up/up?
Best Regards,
Bheem -
I am planning wired ISE for large university network where authenticated users will be assigned to a default data vlan by default.
There are a few departments across the university that will require their own vlans, usually in specific locations.
example:
'medical' vlan name is configured on access switches in a medical building, so any users in the medical group will be placed in a medical vlan on successful authentication, so they can access sensitive information.
However, If those users go to other locations, where 'medical' is not configured on the access switches they will get no network access at all.
I would like ISE to offer a 'secondary' option of the 'default data' vlan, so the authenticated user can still access core college resources+www wherever they are, even if they are not able to access specific 'medical' resources.
thanks
Define VLANs Based on Enforcement States
Use the following command lines to define the VLAN names, numbers, and SVIs based on known enforcement states in your network. Create the respective VLAN interfaces to enable routing between networks. This can be especially helpful to handle multiple sources of traffic passing over the same network segments—traffic from both PCs and the IP phone through which the PC is connected to the network, for example.
Note
The first IP helper goes to the DHCP server and the second IP helper sends a copy of the DHCP request to the inline posture node for profiling.
vlan <VLAN_number>
name ACCESS
vlan <VLAN_number>
name VOICE
interface <VLAN_number>
description ACCESS
ip address 10.1.2.3 255.255.255.0
ip helper-address <DHCP_Server_IP_address>
ip helper-address <Cisco_ISE_IP_address>
interface <VLAN_number>
description VOICE
ip address 10.2.3.4 255.255.255.0
ip helper-address <DHCP_Server_IP_address>
ip helper-address <Cisco_ISE_IP_address>
-
Cisco SG 300-10 VLAN and IP Interface Question
Hello,
Please forgive me if you find my question too basic. But, I would really appreciate an answer as I am having a heck of a time getting the VLANs to work. I have several VLANs configured as follows, but, my question is related only two VLANS: VLAN 104 and VLAN 2000. Followings are the screenshots. I have connected cable from Port 6 of the switch to the NIC2 of Windows 8.1 PC. When I use GE6 as access port for VLAN 104, I am able to ping to the NIC2 configured with static IP 10.10.30.30. However, when use GE as Trunk Port for VLAN 104 and 2000, I am not able to ping the NIC2 configured with static IP 10.10.30.30 or static IP 10.10.110.30. I am using the ping utility from the GUI.
If there is a better way to test the trunk port, please let me know.
At this point, I am assuming that something is wrong with my configuration as the NIC2 is unable to receive IP address.
The other assumption is that NICs with Windows 8.1 OS does not accept Traffic from Tagged VLANS.
VLAN Table
VLAN ID  VLAN Name     Originators  VLAN Interface State  Link Status SNMP Traps
1                      Default      Enabled               Enabled
100      Management A  Static       Disabled              Enabled
101      Management B  Static       Disabled              Enabled
102      VXLAN A       Static       Disabled              Enabled
103      VXLAN B       Static       Disabled              Enabled
104      vMotion       Static       Enabled               Enabled
105      IP Storage    Static       Disabled              Enabled
106      HQ Uplink     Static       Disabled              Enabled
107      HQ Access     Static       Disabled              Enabled
1000     Test VLAN     Static       Disabled              Enabled
2000     Test2 VLAN    Static       Enabled               Enabled
Port VLAN Membership Table
Interface  Mode   Administrative VLANs                                 Operational VLANs                                    LAG
GE1        Trunk  1UP                                                  1UP
GE2        Trunk  1UP                                                  1UP
GE3        Trunk  1UP                                                  1UP
GE4        Trunk  1UP                                                  1UP
GE5        Trunk  1UP                                                  1UP
GE6        Trunk  1UP, 104T, 2000T                                     1UP, 104T, 2000T
GE7        Trunk  1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T  1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T
GE8        Trunk  1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T  1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T
GE9        Trunk  1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T  1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T
GE10       Trunk  1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T  1T, 100UP, 101T, 102T, 103T, 104T, 105T, 106T, 107T
IPv4 Interface Table
Interface  IP Address Type  IP Address     Mask           Status
VLAN 105   Static           10.10.20.1     255.255.255.0  Valid
VLAN 104   Static           10.10.30.1     255.255.255.0  Valid
VLAN 2000  Static           10.10.110.1    255.255.255.0  Valid
VLAN 1     Static           192.168.0.39   255.255.255.0  Valid
VLAN 1000  Static           192.168.1.1    255.255.255.0  Valid
VLAN 106   Static           192.168.100.1  255.255.255.0  Valid
VLAN 100   Static           192.168.110.1  255.255.255.0  Valid
VLAN 107   Static           192.168.130.1  255.255.255.0  Valid
VLAN 102   Static           192.168.150.1  255.255.255.0  Valid
VLAN 101   Static           192.168.210.1  255.255.255.0  Valid
VLAN 103   Static           192.168.250.1  255.255.255.0  Valid
Tom and Michal, your response is much appreciated. You are 100% right. The issue was with the Windows recognizing the VLAN tags. I have tested trunking by using the vmxnet3 driver from VMware and it works.
I had another question where I can use your help too. I am not sure how to connect two Cisco SG300 switches - one with L3 mode and the second one with L2 mode. I have configured GVRP for Port 5 of both switches and run a cable connecting to Port 5 of each switch. I have made port 5 of both switches trunk mode (1U, 1000T). I have created VLAN 1000 on both switches. With the L3 switch, I have added an IP Interface (192.168.100.1) to VLAN 1000. My issue is that I am not able to access the management port (192.168.1.238) of the L2 switch. Note that the L2 switch has only one uplink, which is to the L3 switch. Since Port 5 also receives untagged traffic from VLAN1 (192.168.1.1), I am assuming that it would receive the management network from VLAN1. -
[switchport port-security mac ] on [interface VLAN n?]
Hello,
Has anyone tried to use the command [switchport port-security mac-address n?] on [interface VLAN n?] ? (for example in a 2950).
I don't have the material to make that test, and I am not sure if it works or not.
Many thanks!
Hi,
Switchport port-security as the name implies is to be configured on switchport. VLAN interface on the switch is a routed interface and hence, you can't apply any switchport configuration on it and that includes, port security.
HTH
Sundar -
Ip address on created Mangement VLAN shuts down 255 VLAN 1.0 subnet
My predecessor created a VLAN 255 to replace VLAN 1 as the Management VLAN. I noticed some of the switches had their IPs on the Fas0 out-of-band interface. To me it made more sense to put that IP address on an int vlan 255 on all the switches. As I did so on my 4th Core Switch, I added the IP address *.1.24 and it shut down the entire 255 vlan, which affects the .1.0 subnet. I for the life of me can't figure out what is causing the problem. It is not like any other device is using the 1.24 IP address, and even if it was, it should affect access to that device, not all other devices on the 1.0 subnet.
The message in the log (doing the show log command) only shows interface 255 going up and down. The subnet mask is 255.255.255.0 (/24). I just put the IP in the interface again and pinged devices in the 1.0 subnet when I brought the interface back up, yet I could not access any services on the 1.0 subnet from my workstations. I shut the interface again and could access services in that subnet again.
The VLAN is in the trunk. Shouldn't that be enough as far as putting it in the port goes? I already have the interface shut and configured. When I unshut it, the entire .1.0 subnet goes down. To me it's just so illogical.
-
Extending VLANs across routed interfaces
Hello;
I'm trying to create a L3 core network. The core equipment will be Cisco 3750 enhanced. My idea is make each link between core 3750 a routed interface, with /30 IP addresses.
The problem is the customer needs some VLANs extended across the full enterprise. Is there any way to encapsulate the VLAN inside routed interface?
Thanks in advance.
I realize this thread is 5+ years old, but I feel like commenting anyway.
If you want to encapsulate the vlan across that link, you won't be able to use routed interfaces. You will need to use a layer 2 trunk(dot1q). Therefore, I wouldn't bother with the /30 addresses unless you want to monitor that specific link by IP. In that case, use a special VLAN just for those two interfaces and put your /30 addresses on the vlan interfaces.
If you want fast fail over on a layer 2 link, well then, use Rapid STP. The goal should be to get rid of those flat VLANs that span the core and switch to your original plan of routed interfaces using EIGRP or OSPF. -
Inter-VLAN routing, Auto-Voice VLAN and IP Address-Helper
Hope that somebody can help me with the setup in the screenshot.
Planning to use Auto-Voice VLAN and Smartports to configure VOIP
LLDP-MED will be enabled on the switch to detect the IP phones so they will be moved to the Voice VLAN (If not the first 6 signs will be added to the OID table). The Voice VLAN ID will be 2 >> Voice VLAN will be automatically enabled once a device is recognized as an IP phone, right?
Workstations will be connected to the Cisco switch, VLAN data will be untagged and will remain on the native VLAN.
Smartports will be used to configure the ports (Macros) >> Should configure the ports as trunks and assign the correct VLANs, right?
But how do I configure the IP Helper-Address? Do I have to create the Voice VLAN on both switches and then run the command "IP Helper Address" to specify a DHCP server? From what I've been reading it's required, when using Inter-VLAN routing, to configure the VLAN interface with an IP address. But is it going to give problems when both switches are connected to each other and both have the same VLAN configured, including the same IP address assigned to their VLAN interface?
Normal data should pass the ASA firewall, VOIP traffic should go through the Vigor modem to a hosted VOIP provider. The best way, I assume, is to configure 2 separate scopes on the DHCP server?
Still confused on how to set it up, hope that someone can point me in the right direction
If you're sending voice to only the Vigor modem then there is no need for a trunk between the SF-300 and the Vigor modem. You can just set that to an untag packet for the VLAN 2 between that switch and the Vigor modem.
On the 'edge' SF300 where the IP phone/PC is it is obviously going to interoute there and of course the phone port is tagged and PC port is untagged.
For the IP helper, it uses UDP-RELAY and it should be enabled on the port itself and enabled on the global configuration. You may also need option 82. Also keep in mind, depending how your DHCP server works, it may need option 82 configured as well or at least a route to understand the subnets in the layer 3 environment to get traffic across the VLANS. -
Interface vlan - ACL - pinging issues.
I'm trying to understand why an ACL which is applied to an interface vlan is affecting the traffic for a different interface vlan.
Both vlans are configured on the same device and there's a trunk connecting the "access" switch to the "distribution" switch.
so, what we have is:
UD-1 UD-1B
UA
Int vlan are configured in both UDs and the vlan is allowed in the trunk that connects the UD to the UA.
There's an ACL blocking traffic to the int vlan 225 IP that is configured in the UA, but there's no ACL on the vlan 185 (the same IP that I'm trying to ping).
So , why is this happening?
configs:
UD-1A:
interface Vlan185
ip address 10.8.185.3 255.255.255.0
interface Vlan225
ip address 10.18.225.3 255.255.255.0
ip access-group ud1 in
int gi1/1
interface GigabitEthernet1/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 225
switchport trunk allowed vlan 185,225
switchport mode trunk
UD-1B
interface Vlan185
ip address 10.8.185.4 255.255.255.0
interface Vlan225
ip address 10.18.225.4 255.255.255.0
ip access-group al_rpf_sre_ud1_pro in
interface GigabitEthernet4/4
switchport trunk encapsulation dot1q
switchport trunk native vlan 225
switchport trunk allowed vlan 185,225
switchport mode trunk
interface Vlan185
ip address 10.8.185.7 255.255.255.0
ip access-group ro in
interface GigabitEthernet1/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 225
switchport trunk allowed vlan 185,225
switchport mode trunk
interface GigabitEthernet1/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 225
switchport trunk allowed vlan 185,225
switchport mode trunk
so, when I ping 10.8.185.7
I get:
GMT-3: ICMP: dst (10.8.185.7) administratively prohibited unreachable rcv from 10.8.185.4
%SEC-6-IPACCESSLOGDP: list ud1 denied icmp 10.8.185.7 (GigabitEthernet1/1) -> 10.18.232.58 (0/0), 3 packets
anybody?
Hello Paresh,
thanks for replying.
But, actually I don't think this is what is happening.
Because 10.18.232.58 comes from an uplink - core router, which enters from a different interface.
Let me give you the configs:
uplinks:
interface GigabitEthernet3/1
no switchport
ip address 10.18.192.26 255.255.255.252
And the core are doing load-balancing to reach the UA.
So, icmp packets are arriving from these 2 interfaces, the uplink gi3/1 (router port) and from the link that connects the UA switch.
so, pinging from the BC you have 2 ways to get to the UA, from UD1 and UD1-B, when it reaches UD1-B it goes to the vlan (ie. goes down to the UA and up to UD1A).
Not sure if this is helping.
If you need any other info let me know.
this is killing me. -
Route map does not applied on interface vlan
Hi all,
Could you pls tell me why I can't apply a route-map on an interface vlan?
Below is my config:
SWBBO(config-if)#ip policy route-map TEST
^
% Invalid input detected at '^' marker.
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.0(2)SE1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Fri 04-Jan-13 01:38 by prod_rel_team
ROM: Bootstrap program is C3750E boot loader
BOOTLDR: C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)
BBWMASALE01 uptime is 40 weeks, 1 day, 6 minutes
System returned to ROM by power-on
System restarted at 22:12:07 UTC Mon Feb 18 2013
System image file is "flash:/c3750e-universalk9-mz.150-2.SE1.bin"
Best regards,
James
Hi Jon,
Below is the result of sh sdm prefer. So do I need an IP services license to apply the route-map on the interface vlan, or just enter the config "sdm prefer routing" and reboot the switch?
SWBB0#sh sdm prefer
The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 6K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 8K
number of directly-connected IPv4 hosts: 6K
number of indirect IPv4 routes: 2K
number of IPv6 multicast groups: 64
number of directly-connected IPv6 addresses: 74
number of indirect IPv6 unicast routes: 32
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 0.875k
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 0
number of IPv6 security aces: 60 -
Policy-map input on an interface VLAN
Hi there,
I have a problem with a policy-map on an interface VLAN on my Cisco 6509-E.
The switch has the IOS Version 12.2(33)SXI10, RELEASE SOFTWARE (fc2).
I have configured this policy-map:
policy-map PM-10Mbit
class class-default
police cir 10000000 bc 1875000 be 3750000 conform-action transmit exceed-action drop violate-action drop
I bind this map on a physical interface
interface GigabitEthernet2/2
description <removed>
ip vrf forwarding <removed>
ip address <removed>
ip access-group <removed> out
service-policy input PM-10Mbit
service-policy output PM-10Mbit
and get this result:
show policy-map interface
GigabitEthernet2/2
Service-policy input: PM-10Mbit
class-map: class-default (match-any)
Match: any
police :
10000000 bps 1875000 limit 1875000 extended limit
Earl in slot 5 :
6428065284 bytes
5 minute offered rate 14696 bps
aggregate-forwarded 6294160565 bytes action: transmit
exceeded 133904719 bytes action: drop
aggregate-forward 584 bps exceed 0 bps
Service-policy output: PM-10Mbit
class-map: class-default (match-any)
Match: any
police :
10000000 bps 1875000 limit 1875000 extended limit
Earl in slot 4 :
10335145381 bytes
5 minute offered rate 21536 bps
aggregate-forwarded 10142894661 bytes action: transmit
exceeded 192250720 bytes action: drop
aggregate-forward 128 bps exceed 0 bps
Earl in slot 5 :
263335780 bytes
5 minute offered rate 176 bps
aggregate-forwarded 263335780 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 448 bps exceed 0 bps
But when I bind it on an interface VLAN i see no incoming traffic:
show policy-map interface
Vlan1012
Service-policy input: PM-100Mbit
class-map: class-default (match-any)
Match: any
police :
100000000 bps 18750000 limit 18750000 extended limit
Earl in slot 4 :
0 bytes
30 second offered rate 0 bps
aggregate-forwarded 0 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 0 bps exceed 0 bps
Earl in slot 5 :
0 bytes
30 second offered rate 0 bps
aggregate-forwarded 0 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 0 bps exceed 0 bps
Service-policy output: PM-100Mbit
class-map: class-default (match-any)
Match: any
police :
100000000 bps 18750000 limit 18750000 extended limit
Earl in slot 4 :
1005376843668 bytes
30 second offered rate 33016448 bps
aggregate-forwarded 1005362388151 bytes action: transmit
exceeded 14455517 bytes action: drop
aggregate-forward 30943792 bps exceed 0 bps
Earl in slot 5 :
1828318775 bytes
30 second offered rate 1296 bps
aggregate-forwarded 1828318775 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 1272 bps exceed 0 bps
Is this a bug or am I doing something wrong here?
Hello
As I understand it, this command is required in mls qos because an SVI (L3 vlan interface) runs in a vlan-based mode, which differs from normal L3 routed interfaces, which run in interface mode.
As per Cisco: "In VLAN-based mode, the policy map that is attached to the Layer 2 interface is ignored, and QoS is driven by the policy map that is attached to the corresponding VLAN interface."
Lastly regards
Try matching on all traffic incoming on the trunk interface on that switch for it to successfully police incoming traffic:
class-map V102
match input-interface x/x
Policy-map POLICE
class V102
Police xxxx xxxx
res
Paul
I used to run Multivalent from http://multivalent.sourceforge.net/ but am now getting error messages like this: Exception in thread "main" java.lang.NoClassDefFoundError: tools/pdf/Impose This happens even when I'm in the directory containing the jar