VLAN trunking, native vlan and management vlan
Hello all,
In our situation, we have 3 separate vlans: 100 for management vlan and 101 for data and 102 for voice.
We have an uplink which is trunked using .1Q. Our access ports has the data vlan as the native. Based on our design, what should be the native vlan for this uplink trunk? Should it be the management vlan or the data vlan? Thanks for your help.
To answer this question you must remember what the native vlan is. Native is where untagged packets are sent, i.e. packets without a dot1Q tag. It is there mainly for compatibility. On an access port it has no function while normal traffic is not tagged and sent to the vlan that is configured for the port. Traffic for the voice vlan is an exception to this general rule.
Native vlan setting only plays a role on trunk links where most of the traffic carries a tag. As explained, it is then used as the vlan for untagged traffic.
When you do not consider this a security breach, you may configure the data-vlan as native. Use another vlan (why not vlan1?) in the case where you want to isolate this traffic.
I find it good design practice to use the same native vlan throughout the network. This keeps things clear and it's better for anyone who is not completely obsessed with security. The latter kind of people can always find a reason to mess things up, both for themselves and for others;-)
Regards,
Leo
Similar Messages
-
About the Native Vlan and Management Vlan.
I wanted to know that Management vlan and Native vlan can be different vlan id or both should be same vlan id. Why should not be native vlan 1.
The use of a native VLAN is generally frowned upon now as there are some well known security exploits that leverage this untagged VLAN. Cisco often recommends setting the Native VLAN to an unused VLAN in your infrastructure in order to render it useless for attacks.
It is also recommended that you create a separate VLAN for your Management traffic and that this VLAN be tagged (therefore not a Native VLAN).
Native Vlan is the vlan which will be sent untagged even in Trunk links. Consider a Trunk link configured between two switches SWA and SWB, if a system in vlan1 of SWA is sending a frame via SWB, then this frame will be received as untagged by SWB, then switch B decides that the untagged frame is from native vlan 1 and handles accordingly. By default native vlan is 1, this can also be changed as per requirement.
Example: In the below figure if a IP phone and system are connected toa switch port as below, the the Phones will send its frames tagged with vlan 10 where as the frames sent by system will be untagged. So here the the corresponding switch port should be configured as native vlan 20. So that it can recognise and handle the frames from system and IP phone properly.
a
Management vlan is different, it means that this vlan will be used for management purposes like Logging into the switch for management, Monitoring the switch,collecting Syslog ans SNMP traps, etc will be done by management vlan IP. This also by default vlan 1 in cisco. So as Antony said the it is always a Best practice and security measure to not use the default vlan and use custom vlans.
Hope this helps ! -
1300 bridge with native and management vlan in different vlans
Hello,
We are going to set up a wireless bridge between two 1300 accesspoints. In our network the native vlan and the management vlan are different vlan's. Will we be able to manage the ap and switch at the "remote" site? Do we have to set up two ssid's, one for native and one for management?
regards,
RutgerToo answer my own question:
I don't think it is possible. Things work fine by making our management vlan the native vlan on switches and ap's involved. Management IP address on the BVI1 interface and everything works!
Rutger -
Users VLAN and Management VLAN
is it possible to separate two VLANs:
one is running for the users VLAN connects to the clients
one is for management purpose.
Is there a sample code available for access points, bridges, and switches?
I am really appreciated thatHi,
You can configure VLANs on enterprise access points.
What you need to do is configure the access point with its managment IP address, set this as the native vlan and then add the other VLAN or VLANs.
Then on the switch that the access point is connected to you need to configure a trunk port and make sure that the native vlan is the same VLAN you set as native on the access point.
As an example if the Access point has an IP address for managment vlan 20, we set this VLAN as native and then we add the other VLAN or VLANs, and on the switch you configure the port as a trunk port with the same native VLAN 20.
Note, native vlan is the same as untagged vlan. When we confgure a trunk port this will tag all vlans except the native vlan or untagged vlan that needs to be the same between directly connected devices. -
Cisco 3750x DHCP and Management VLAN
We use 3750x switches in the stack, it has management VLAN (IP Address and Gateway configured correctly). I can ssh to switch fine. However we also use this switch as DHCP server for a number of different VLANS. So, I would create a DHCP pool, interface in this VLAN. Now, if I'm in VLAN3 that gets DHCP address on this switch I'm not able to ssh to this switch via Management VLAN IP Address 192.168.5.253 (can ping it fine), but I can ssh into this switch using Interface IP Address from the VLAN that I'm sitting on 192.168.3.253. For example
ip dhcp excluded-address 192.168.3.253 192.168.3.254
ip dhcp excluded-address 192.168.5.253 192.168.5.254
ip dhcp pool VLAN_3
network 192.168.3.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.3.254
ip default-gateway 192.168.5.254
interface Vlan3
description Test
ip address 192.168.3.253 255.255.255.0
interface Vlan5
description Management
ip address 192.168.5.253 255.255.255.0Hi,
can you post "sh run"? -
VLAN trunking to server and security
I have a question concerning interserver security.
I have a cat6513 and the port connected to a w2k3 server (single NIC) is in trunking mode carrying 2 VLANS a "customer" VLAN and "backup" VLAN. We serve multiple customers,each on their own specific VLAN, but all customers use the same generic backup service in a generic backup VLAN. Customers VLANS are separated by a FWSM but with this setup all the servers can connect to other servers on the backup VLAN.
What would be the best way to make sure that on the backup VLAN the servers can only connect to the backupserver and not ervers from oher customers.
We tried private VLAN's (which I think won't work because the port is a trunk)ad access-list but can't get it to work.
Any help or directions on how to solve this in well designed manner would be appreciated.
This is the config of a port in which vlan 11 is the backup vlan and vlan 31 the customer VLAN.
interface GigabitEthernet12/17
description
no ip address
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 11,31
switchport mode trunkHello,
my first thought would be to use protected ports ('switchport protected' interface command), which would prohibit ports configured with that command from talking to each other. The drawback is that this only works for ports on the same switch...
Regards,
GP -
Management VLAN Design and Implementation
Greetings, friends. I'm having trouble getting a clear picture of how a management VLAN ought to look. I just installed a Catalyst 6509-E as my core switch, and as soon as they arrive I'm going to be replacing all of our other (HP) switches with Catalyst 3560X switches. I understand the reasoning behind segregating traffic, not using VLAN1, etc., but I've never actually implemented a management VLAN--I've always just accessed the switches via the IPs assigned to them where all the client traffic flows (not VLAN1, by the way).
Is "management VLAN" simply what we as humans call a VLAN we dedicate to management activities, or is there something official in these switches to designate a "management VLAN?"
Is it best practice to include SNMP, netflow, syslog, and NTP as "management" traffic?
There's a lot of documentation talking -about- management and management VLANs, but unless I'm blind or not looking hard enough I can't seem to find any implementation whitepapers or best practices whitepapers that demonstrate setting one up on a campus LAN. Are you able to point me in the right direction to find such documentation? Is it perhaps buried in a manual somewhere that isn't explicitly labeled "Management VLAN Design and Implementation" or somesuch?
What is the best practice for accessing the management VLAN? Inter-VLAN routing + ACLs? Multi-homed PCs or servers? Additional PCs to be used as access stations?
Thank you for your wisdom, experience, and advice!
Kevin1. Yes, you may want to keep this traffic separate of the other traffic limiting device management access to just this vlan, as this prevents eavesdropping.
2. Indeed all other housekeeping goes via this VLAN altough you could limit it to the interactive or session traffic.
3. On a campus you could think of one big VLAN spanning the campus, one a multi-site environment or where you use L3 to go to you datacenters you probably need multiple management lan's. I've seen implementations where the management traffic was kept separate and even didn't use the routing protocol in use. The whole management lan was statically routed and would work even if OSPF or BGP was down.
4. I feel a situation where the people providing support are connected on the lan giving access to the devices is probably best. A dual homed pc is a good solution I think, other customer feel the management lan should be treated as a DMZ accessible via a firewall, but the hardcore customer insist on a second pc connected to the management lan.
Points to consider are as always,
Find the single point of failure. Any device, L2 L3 firewall that could cut off management from accessing a part of the network.
Find the right balance between security, costs, easy of access for the business your in.
Cheers,
Michel -
VLAN trunking newbie SRW208MP to SRW2008MP
Hello All,
Just need a simple setup - 2 VLANs, a few ports each, on each unit, trunked together (ultimately on SFP module). Tried what seems to be right but (natch) not working. Just need simple guidelines to see where am going wrong. Thanks!OK, well, using that example, as well as another thread here (Cisco SLM224P
VLAN TRUNKING), I reset and redid all the VLAN related settings.
There are 2 subnets in play here -
10.51.0.0/255.255.252.0 - VLAN 1 - Used as the Management VLAN.
10.51.4.0/255.255.255.0 - VLAN 5 - A subnet for Wireless LAN POE connection and management.
And 2 switches -
198 is a SRW208MP, remote unit. will have single WAP and various devices.
199 is a SRW2008MP, at head end near subnet(s) source. Will have up to 4 WAPs and the
connections required to provide for both subnets.
For purposes of discussion, the planned fiber SFP interconnect is being played by a copper trunk.
Setups follow:
198 VLANs-
198 Port Setting-
198 Ports to VLAN 1-
198 Ports to VLAN 5-
198 VLAN to Ports-
Unit 2 - 199
199 VLANs-
199 Port Settings-
199 Ports to VLAN 1-
199 Ports to VLAN 5-
199 VLAN to Ports-
The configuration as posted does not provide the expected results.
I am convinced I am overlooking something simple. Usually is!
The net results are that the Management VLAN (1) is present and accounted for on both switches, but that could even be because they are acting as switches do.
The VLAN 5, however, does not function at either end. The 'Local' switch, 199, shows traffic on the WAP ports but no traffic of any consequence is traversing and the WAPs are nonresponsive.
Ditto Remote switch. Management VLAN yes, 5 VLAN no.
Any suggestions greatly appreciated. -
Hi,
Im configuring a vlan trunk between 2 switches but I'm having a problem somehow.
Switch 1 a Cisco 3750G n
name: alrswcc00
interface GigabitEthernet1/0/28
description Uplink Alrswcc20
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-30
switchport mode trunk
end
Name: Gi1/0/28
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: 1-30
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Switch 2 a Cisco 2960S
name: alrswcc20
interface GigabitEthernet1/0/25
description Uplink Alrswcc00
switchport trunk allowed vlan 1-30
switchport mode trunk
end
Name: Gi1/0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 10 (Inactive)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: 10,20,30,40
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Then lastly on switch 2 I created a port for an Ubiquiti access point with following settings.
interface GigabitEthernet1/0/24
switchport trunk native vlan 10
switchport trunk allowed vlan 10,20,30,40
switchport mode trunk
end
But my AP doesn't seem the get an IP. Where as if I plug it in on Switch 1 it does with the same settings.
So I am assuming there is something wrong with my trunk. What am I doing wrong?
Thank you,
MichaelHere are a couple of observations:
1. The switchport trunk encap dot1q command was not applied on the 2960 because 802.1q trunking is the default. The 2960 series switches do not support ISL encapsulation, as the OP observed. There is, therefore, no need to manually specify the trunking protocol. The show int g1/0/24 switchport command confirmed that trunking is working. I find the show int g1/0/24 trunk command to be more informative in this context. It tells you what VLANs are active and trunking between the connection.
2. You do need to define VLANS 2-30 on your second switch. You can do so manually or you can configure VLAN Trunking Protocol (VTP). VTP is your easiest bet. Example config:
Switch 1
sw1(config)# vtp mode server
sw1(config)# vtp version 2
sw1(config)# vtp domain MY_DOMAIN
sw1(config)# vtp password MySecret
Issue a show vtp status in priv exce mode to very your settings.
Switch 2
sw2# show vtp status
Do this command FIRST and make sure that the configuration revision number is smaller than the revision number of SW1.
VTP Operating Mode : Client
Maximum VLANs supported locally : 255
Number of existing VLANs : 25
Configuration Revision : 174
If config revision on SW2 is greater than config revision of SW1, then issue following command:
SW2(config)# vtp domain bogus
SW2(config)# vtp domain MY_Domain
SW2(config)# do show vtp status
Your config revision should go back to zero.
Now issue the same commands on SW2.
SW2(config)# vtp version 2 (pretty sure that is default, but I issue it anyway)
SW2(config)# vtp mode client (means you cannot define VLANs on this switch. Most admins prefer that only one switch be capable of creating VLANs).
SW2(config)# do sh vtp status
The config revision was important because injecting a switch into your network that has a higher VTP revision can overwrite your existing VLAN database. If that happens, chances are that most of your network traffic will cease to function as all of your access ports will be in a VLAN mismatch mode. -
VLANs - Default, Native and Management
Okay, please help in understanding the concept of VLANs by confirming whether the following is true or not, and based on that please help me to clear my doubts.
Default vlan - Always Vlan 1 on a switch and cannot be changed. It's purpose is to account the interfaces/ports which are not assigned with a vlan explicitly.
Native vlan - By default, it is also vlan 1 in a switch, but can be changed. Frames belonging to the native vlan are sent across the trunk link untagged. It's sole purpose is to provide back ward compatibility to the devices that doesn't understand frame tagging, as per 802.1q.
Management vlan- for managing switches.
Now my doubts ::
1. Can anyone please draw and explain a scenario in which NATIVe vlan comes into use, so that I can understand its purpose completely.
2. Management vlan- how they are created/assigned and is used ?Hello
From a security perspective its best practice to not use vlan1 whatsoever as it well documented that all cisco switches default to this vlan.
Also it is best to define a native vlan that will be not used.
This is due to something I think is called ( double tagging or vlan hopping) - and it when a hacker knowing that vlan 1 is untagged and the default vlan can apply an outer tag to a encapsulated packet and send this into your network, then when this outer tag is stripped away the native vlan1 is seen by the switch which is excepted into your network.and sent on its merry way toward its destination.
So to negate this threat it is best to either tagged ALL vlans or define a unused native vlan and a tagged management vlan and not allow the native vlan to cross any trunks
example:
vlan 1 = shutdown
vlan 10 = management
vlan 11-49 - user vlans
vlan 50 = native
conf t
vlan 2-50
exit
int vlan 1
shut
int vlan 10
ip address x.x.x.x y.y.y.y.y
interface gig x/x
switchport trunk encapsulation dot1q
switchport trunk native vlan 50
switchport trunk allowed vlan 2-49
res
Paul -
VLAN DOT1Q, SWITCHPORT TRUNK NATIVE VLAN, and VLAN1
Hi All,
L2 security documents suggest to avoid using vlan1 and tagging all frames with vlan IDs using the global configuration of vlan dot1q. Other Cisco non-security documents suggest using the switchport trunk native vlan # which removes any vlan tagging. It seems to me that the global vlan dot1q command and the interface switchport trunk native vlan # are contradictory; therefore, both should not be used. Furthermore, my understanding is to avoid using vlan 1 to tighten L2 security. When vlan 1 is removed from all trunked uplinks, user access ports are other than vlan 1, and no spanning-tree vlan 1 operations exists, what is the native vlan 1 actually used for?. The output of show interface gi0/1 trunk shows the native vlan as 1.
Thanks,
HCHi HC,
the command "switchport trunk native vlan" is used to define the native (untagged vlan) on a dot1q link. The default is 1, but you can change it to anyting you like. But it does only change the native vlan, all the others vlan on the trunk are of course tagged (and it only applies to dot1q, as ISL "taggs/encapsulates" all the vlans). The command "vlan dot1q tag native" is mostly used in dot1qindot1q tunnels, where you tunnel a dot1q trunk within a dot1q trunk. Thats something mostly service Providers offer to there customers. There it is important that there is no untagged traffic, as that would not work with dot1qindot1q. This command tagges the native vlan traffic, and drops all traffic which is not tagged.
Whatfor is the native VLAN? Switches send control PDU such as STP,CDP or VTP over the native VLAN.
If you don't happen to be a service Provider for L2 metropolitan Ethernet, you wan't need the "vlan dot1q tag native" command. For my part I'm trying not to use vlan 1 everywhere in my campus, because it gives a huge spanningtree topology and if you ever get a switch to blow a heavy load of traffic into it, you have your whole campus network degradet. I try to keep Vlan's a small as possible and to have as much L3 separaton as possible, that's good for the stability!
Simon -
Autonymouse AP1121 - Management Vlan and SSID Vlan
Hello,
We are using an ACS server to authenticate wireless users to active directory this works fine. The issue occurs when we try to pull an ip and we can't fomr the dhcp. The vlan we have the SSID on is vlan 10 and the management vlan of the AP is vlan 500. The ip-helper info is correct because wired users on vlan 10 get an ip immedialty. We just can't pull one with the AP. Does anyone know the config for this? Here is my current config, the client authenticate through the ACS 4.2 but pull no ip, the only way for me to manage the ap is to have the native vlan command on there, once i remove it i can't telnet. What is the fix for this? Thanks
current switch port config ap is plugged into.
interface FastEthernet1/0/48
switchport trunk encapsulation dot1q
switchport trunk native vlan 500
switchport mode trunkDo you have sub interfaces for vlan 10 being brigged through the radio interface?
Example config below...
interface Dot11Radio0.10
description Secure Wireless access
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled
interface FastEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
no bridge-group 10 source-learning
bridge-group 10 spanning-disabled
Also verify that vlan 10 is allowed on the trunk interface of the switch by typing "show int trunk" -
1200: Native VLAN & Management VLAN
I want to keep the management VLAN and native VLAN seperate. Is this the correct setup when using VLAN 999 as the native VLAN and VLAN 100 for the management VLAN.
Management VLAN 100 (10.100.0.0/24)
### Trunk SW ###
description "AP"
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
### AP ###
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 99 key 1 size 128bit 7 3831CB248113D952741376BEC352 transmit-key
encryption vlan 99 mode wep mandatory
encryption vlan 11 mode ciphers tkip
ssid xoxoxo
vlan 11
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
ssid xxx
vlan 99
authentication network-eap eap_methods
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
rts threshold 2312
station-role root
interface Dot11Radio0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
bridge-group 11 subscriber-loop-control
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
bridge-group 11 spanning-disabled
interface Dot11Radio0.99
encapsulation dot1Q 99
no ip route-cache
bridge-group 99
bridge-group 99 subscriber-loop-control
bridge-group 99 block-unknown-source
no bridge-group 99 source-learning
no bridge-group 99 unicast-flooding
bridge-group 99 spanning-disabled
interface dot11radio 0.999
encapsulation dot1q 999 native
interface dot11radio 0.100
encapsulation dot1q 100
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
ntp broadcast client
interface FastEthernet0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
no bridge-group 11 source-learning
bridge-group 11 spanning-disabled
interface FastEthernet0.99
encapsulation dot1Q 99
no ip route-cache
bridge-group 99
no bridge-group 99 source-learning
bridge-group 99 spanning-disabled
interface fastethernet 0.999
encapsulation dot1q 999 native
interface fastethernet 0.100
encapsulation dot1q 100
interface BVI100
ip address 10.100.0.110 255.255.255.0
no ip route-cache
ip default-gateway 10.100.0.1This looks correct to me. Do you have a non_root bridge on their other side?
Are you able to trunk all 4 VLANS with this config? -
WLC 7.4.110.0 where native vlan and SSID vlan is the same vlan
Hi
We have app. 1500 accespoints in app. 500 locations. WLCs are WiSM2s running 7.4.110.0. The AP are 1131LAPs.In a FlexConnect configuration we use vlan 410 as native vlan and the ssid (LAN) also in vlan 410. This works fine, never had any problems with this.
Now we have started use 1602 APs and the client connection on ssid LAN becomes unstable.
If we configure an different ssid, using vlan 420 and native vlan as 410, everything works fine.
I can't find any recommandations regarding the use of native vlan/ssid vlan
Is there anyone experiencing similar problems? Is this a problem with my configuration or is it a bug wittin 1602 accespoints?
Regards,
Lars ChristianIt is the recomended design to put FlexConnect AP mgt into native vlan & user traffic to a tagged vlan.
From the QoS perspective if you want to enforce WLC QoS profile values, you have to tag SSID traffic to a vlan (other than native vlan) & trust CoS on the switch port connected to FlexConnect AP (usually configured as trunk port)
HTH
Rasika
**** Pls rate all useful responses **** -
Wireless AP Management VLAN and BVIs
Hi All,
I've been looking around and I can't find a solution to what I am trying to achieve and I was hoping the community may have had more luck than I have.
I'm looking to have my management VLAN for my AP setup as a tagged BVI but I'm struggling to get it setup. I can set it up fine using BVI1 and having it just accessed on the native VLAN but I see this as a security flaw, I don't really want direct access into my management network on the switch.
Now there may be a better way of preventing this but I am, at least compared to many, still fairly new to Cisco and this seems to be the best approach. Please see below for my current config, hopefully you can let me know where I am going wrong.
Also, as a note, at the moment I am mainly focusing on the management security of the AP before I check the wifi config, hence the radios still being shutdown so there may also be small errors in this. I have also removed some elements which are not relevant.
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname AP01
no ip source-route
no ip cef
dot11 syslog
dot11 ssid <Guest secure network SSID>
vlan 30
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii <key>
dot11 ssid <Internal Secure SSID>
vlan 10
authentication open
authentication key-management wpa version 2
wpa-psk ascii <key>
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
shutdown
encryption vlan 10 mode ciphers aes-ccm tkip
encryption vlan 30 mode ciphers aes-ccm tkip
ssid <Guest secure network SSID>
ssid <Internal Secure SSID>
antenna gain 0
packet retries 64 drop-packet
channel 2437
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
interface Dot11Radio0.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 spanning-disabled
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
encryption vlan 10 mode ciphers aes-ccm tkip
encryption vlan 30 mode ciphers aes-ccm tkip
ssid <Guest secure network SSID>
ssid <Internal Secure SSID>
antenna gain 0
peakdetect
no dfs band block
packet retries 64 drop-packet
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
interface Dot11Radio1.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 spanning-disabled
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
interface GigabitEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 spanning-disabled
no bridge-group 10 source-learning
interface GigabitEthernet0.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 spanning-disabled
no bridge-group 30 source-learning
interface GigabitEthernet0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
bridge-group 100 spanning-disabled
no bridge-group 100 source-learning
interface GigabitEthernet0.101
encapsulation dot1Q 999 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface BVI1
no ip address
no ip route-cache
shutdown
interface BVI100
mac-address <Actual ethernet address>
ip address 10.33.100.101 255.255.255.0
no ip route-cache
ip default-gateway 10.33.100.254
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
bridge 100 protocol ieee
bridge 100 route ip
line con 0
logging synchronous
line vty 0 4
transport input ssh
end
As you can see I am using BVI100 as the management VLAN for the device and BVI1 is shutdown with vlan 999/int gi0/101 holding bridge group 1.
With this setup I can't get any IP communication, send or receive but I can see the MAC address on the switch in the MAC address table on vlan100. There is also no entries in the ARP table of the AP.
The switch is setup with vlan 999 untagged and vlans 10,30,100 as tagged.
Hope you can help! Thanks for any advice in advanced.
Many thanks,
Martin.Yea that would work and I have set it up like this without issue but I'm trying to limit access to the management VLAN, I don't want someone to be able to plug directly into the switch and be on the same broadcast domain as alll of the other equipment.
There are otherways of achieving this but I felt like I was so close with the above config but I was just missing something.
Maybe you are looking for
-
Need to call Shell script that uses SQL loader in APex4.1/11g
Hi there! I have a requirement, wherein I have to call a shell script that connects to an external server, ftp's a file in and then uses sqlloader to load data into our table. Now we have the ftp script that does this for another program, but is a sc
-
Can I have some open and honest feedback on this site?
Hello everyone, I am posting to get some open / honest feedback on my site. Please feel free to comment, you will not hurt my feelings. I would rather here it from you guys, the pros and enthusiasts who do this for a living (or hobby) and who know
-
I uploaded many cd's to my MacBook Pro years ago and since donated to the local thrift shop. I have a fairly new Mac Air now and am giving the 'pro' to my son. I have tried backing up the music in my iTunes library to an external drive and all that s
-
HT4059 Will there be a built-in Spanish language dictionary in ibooks anytime soon?
I really love reading using ibooks, but I'd like a little help with my Spanish comprehension.. and If there's anything like the built-in English dictionary but in Spanish.. it will be really great. Do you have the least idea if there ever gonna be a
-
Verizon is legally robbing me!!!
This is a long story but basically I went to upgrade at a store location pretty far from my home because a friend used to work at that location an I thought they still had good customer service ( I was wrong). The salesmen sold me on the s4 which is