Vlans and 802.1q

I would like to understand the flow of frames through a switch when using VLANs.
1. Are the frames tagged with the VLAN ID every time they arrive at the port from the attached end device, before being processed/forwarded by the switch?
Or are the frames only ever tagged if they are to be forwarded to an 802.1Q device, such as a trunk port to another switch or an IP phone?
2. I thought the switch made its forwarding decision based on the destination MAC address. How does the VLAN tag help in a forwarding decision?
Is it only ever used in the case of a broadcast packet?

Hello Paul,
When a switch knows which port MAC address X is reachable through, it will forward a frame with destination MAC address X out of that port.
This doesn't change if the VLAN extends over multiple switches:
the outgoing interface becomes an uplink or trunk port.
A switch knows how to send traffic to a destination that has spoken in the last 300 seconds (the default aging time).
If a frame has an unknown unicast destination Y it is treated like a broadcast: it is sent out all ports in the VLAN.
As soon as that MAC address Y starts to talk again, the association (MAC Y, VLAN ID, port) is made and frames are processed as unicast traffic.
You can recognize a switch uplink because multiple MAC addresses are associated with the port (if the VLAN spans multiple switches).
This MAC filtering capability is one of the greatest advantages of LAN switches over simple signal repeaters like hubs: they save bandwidth by confining each collision domain to a single switch port.
Hope this helps,
Giuseppe
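To make the forwarding decision above concrete, here is a small Python model of a VLAN-aware learning switch. It is an added example, not code from Giuseppe's answer; port names, MAC addresses and timestamps are constructed sample values, and the aging time is the 300 s default quoted above.

```python
"""Model of a VLAN-aware learning switch: an added example written for this
page, not code from the original post. Port names, MAC addresses and the
timestamps in demo() are constructed sample values."""
from dataclasses import dataclass, field

AGING_SECONDS = 300        # default MAC address aging time quoted in the answer
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    vlan: int              # VLAN the frame was classified into on ingress


@dataclass
class Switch:
    ports: dict                                 # port -> set of member VLAN ids
    table: dict = field(default_factory=dict)   # (vlan, mac) -> (port, last_seen)

    def _age_out(self, now):
        """Forget stations that have been silent longer than the aging time."""
        for key in [k for k, (_, seen) in self.table.items() if now - seen > AGING_SECONDS]:
            del self.table[key]

    def _flood(self, in_port, vlan):
        """Unknown unicast and broadcast go to every other port in the VLAN only."""
        return sorted(p for p, vlans in self.ports.items() if vlan in vlans and p != in_port)

    def receive(self, in_port, frame, now):
        """Return the list of ports the frame is sent out of (possibly empty)."""
        if frame.vlan not in self.ports[in_port]:
            return []                           # port is not a member of that VLAN: drop
        self._age_out(now)
        # Learning: the (VLAN, source MAC) pair is bound to the ingress port.
        self.table[(frame.vlan, frame.src)] = (in_port, now)
        if frame.dst == BROADCAST:
            return self._flood(in_port, frame.vlan)
        known = self.table.get((frame.vlan, frame.dst))
        if known is None:
            return self._flood(in_port, frame.vlan)   # unknown unicast
        out_port, _ = known
        return [] if out_port == in_port else [out_port]   # never back out the ingress port

    def macs_on_port(self, port):
        """Several MACs behind one port is the tell-tale sign of an uplink/trunk."""
        return sorted(mac for (_, mac), (p, _) in self.table.items() if p == port)


def demo():
    """Walk through the cases in the answer; returns a dict of forwarding results."""
    sw = Switch(ports={"Fa0/1": {10}, "Fa0/2": {10}, "Fa0/3": {20}, "Gi0/1": {10, 20}})
    A, B = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    C, D = "cc:cc:cc:cc:cc:03", "dd:dd:dd:dd:dd:04"
    out = {}
    # A (Fa0/1) talks to B, which nobody has heard yet: flooded, but only within VLAN 10
    out["unknown_unicast"] = sw.receive("Fa0/1", Frame(A, B, 10), now=0)
    # B answers from behind the uplink; A is already known, so this is plain unicast
    out["reply_to_known"] = sw.receive("Gi0/1", Frame(B, A, 10), now=1)
    # A -> B again: now a unicast out the uplink
    out["learned_unicast"] = sw.receive("Fa0/1", Frame(A, B, 10), now=2)
    # A second station behind Gi0/1 makes that port look like an uplink
    sw.receive("Gi0/1", Frame(C, A, 10), now=3)
    out["uplink_macs"] = sw.macs_on_port("Gi0/1")
    # Broadcast in VLAN 20 never reaches the VLAN 10 access ports
    out["broadcast_vlan20"] = sw.receive("Fa0/3", Frame(D, BROADCAST, 20), now=4)
    # A frame claiming VLAN 20 on a VLAN 10 access port is dropped
    out["wrong_vlan"] = sw.receive("Fa0/1", Frame(A, B, 20), now=5)
    # 300 s of silence from B: its entry ages out and A's next frame is flooded again
    out["after_aging"] = sw.receive("Fa0/1", Frame(A, B, 10), now=400)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} -> {result}")
```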

Similar Messages

  • NEED HELP PLEASE Setting up 2 VLANS and a redundant WAN connection

    I have a remote branch office which is actually a huge bar/lounge. The bar wants to enable patrons to access the Internet with their wireless laptops. I want to prevent those patrons from accessing our private network, and also prevent them from traversing our static VPN tunnel back to HQ.
    The bar processes all credit cards via the T1 connection, and this has caused us to lose money every time the T1 goes down while we're open, since there is no WAN redundancy right now.
    Here is my current hardware configuration:
    1) one PIX 501 50-user 3des.
    2.) two Dell 3024
    3.) one Aironet 1100(g) AP.
    Current LAN Network: 10.35.35.0
    (internal employees only, static VPN tunneled to remote HQ network)
    Current Wireless SSID's:
    SSID1=PRIVATESSID
    SSID2=PUBLICSSID (not currently in use, waiting to figure this out)
    Current WAN: one T1 connection.
    WHAT I WOULD LIKE TO DO AND NEED HELP FIGURING OUT:
    #1a) I want to create two separate VLANs that are able to share the WAN connection, but not be able to "see" each other.
    #1b) These VLANs would be mapped to their respective SSIDs on the AP (PRIVATESSID>10.35.35.0 and PUBLICSSID>192.168.1.0).
    #1c) The 192.168.1.0 network should not be able to traverse the static tunnel between the branch site and HQ.
    #2) I would like to install a backup WAN connection such as a 56k dial-up modem to an ISP or a cable modem to an ISP. In case the primary T1 goes down, I would like the router to automatically dial out over the modem connection and route all Internet-bound traffic over that backup WAN connection, until the primary comes back online.
    Question 1:
    I'm assuming I need a router to do the intervlan routing. Could this router also do the on-demand WAN backup dialing to an ISP via analog modem?
    What IOS version and flavor (IP base, IP+, etc.) would I need? What is the cheapest router I can do all that with (i.e. 2620/2621/1720/3600 series)? What WIC's or NM's would I need?
    Question Two:
    I would like to prioritize PRIVATESSID's traffic over PUBLICSSID's traffic, which I know I can do on the access point. Can I do this on the router so that any 10.35.35.0 traffic takes priority over any 192.168.1.0 traffic?
    Question Three
    If the primary T1 WAN connection goes down, I don't want the router to re-route the 192.168.1.0 traffic over the backup 56k dial-up WAN connection. That traffic can wait until the T1 comes back up.
    Any help you can provide would be very much appreciated.

    Assuming your access points can place SSIDs into separate VLANs and support 802.1q trunks, then I can attempt to answer your questions. There are separate security issues with both SSIDs for protection and VLANs for separation, but in your case it may be minimal.
    q1
    Any Cisco router that will run 802.1q trunking will work. Since you are looking at older routers you will need IP+ to get it. Even 2610's will support 802.1q on their 10M Ethernet at the correct code level, but 10M and 802.1q is sort of nonstandard. Since your backup is only 56k you can use the internal modem port as a dial backup. A WIC-2A/S will also work if you prefer not to use the modem port. You will need some WIC to run your T1 line. If you are planning to leave the T1 on another router it makes the next 2 questions much harder.
    q2
    This is fairly simple and depends on your IOS level. "Priority queuing" is supported on even the older software. I assume you do not control the far end of the T1 line since it sounds as if this goes to an ISP.
    You will need to have them do the QoS since most issues with the Internet are inbound and not outbound. You can only control outbound traffic.
    q3
    If the T1 is on the same router then this is fairly simple. You can just put a floating static default route in that will cause the dialer to come up if the T1 goes down. There is no easy way to protect against the line being up but no traffic passing. This is also why it would be best to have the T1 on the same router. If it's not you will need to get very creative to solve this. You could build a GRE tunnel to a remote location and monitor the tunnel, or run a routing protocol over the tunnel. In the newest software you could use SAA and policy routing to force the traffic over the dialer, but the router must support IOS 12.4.
    3a. You mentioned a cable modem as a backup. That can be much easier sometimes since it is all routing and no dialer interfaces with nasty modem issues. This does not make the issue of the T1 not being on the same router easier.

  • Oracle RAC Interconnect, PowerVM VLANs, and the Limit of 20

    Hello,
    Our company has a requirement to build a multitude of Oracle RAC clusters on AIX using Power VM on 770s and 795 hardware.
    We presently have 802.1q trunking configured on our Virtual I/O Servers, and have currently consumed 12 of 20 allowed VLANs for a virtual ethernet adapter. We have read the Oracle RAC FAQ on Oracle Metalink and it seems to otherwise discourage the use of sharing these interconnect VLANs between different clusters. This puts us in a scalability bind; IBM limits VLANs to 20 and Oracle says there is a one-to-one relationship between VLANs and subnets and RAC clusters. We must assume we have a fixed number of network interfaces available and that we absolutely have to leverage virtualized network hardware in order to build these environments. "add more network adapters to VIO" isn't an acceptable solution for us.
    Does anyone know if Oracle can afford any flexibility which would allow us to host multiple Oracle RAC interconnects on the same 802.1q trunk VLAN? We will independently guarantee the bandwidth, latency, and redundancy requirements are met for proper Oracle RAC performance, however we don't want a design "flaw" to cause us supportability issues in the future.
    We'd like it very much if we could have a bunch of two-node clusters all sharing the same private interconnect. For example:
    Cluster 1, node 1: 192.168.16.2 / 255.255.255.0 / VLAN 16
    Cluster 1, node 2: 192.168.16.3 / 255.255.255.0 / VLAN 16
    Cluster 2, node 1: 192.168.16.4 / 255.255.255.0 / VLAN 16
    Cluster 2, node 2: 192.168.16.5 / 255.255.255.0 / VLAN 16
    Cluster 3, node 1: 192.168.16.6 / 255.255.255.0 / VLAN 16
    Cluster 3, node 2: 192.168.16.7 / 255.255.255.0 / VLAN 16
    Cluster 4, node 1: 192.168.16.8 / 255.255.255.0 / VLAN 16
    Cluster 4, node 2: 192.168.16.9 / 255.255.255.0 / VLAN 16
    etc.
    Whereas the concern is that Oracle Corp will only support us if we do this:
    Cluster 1, node 1: 192.168.16.2 / 255.255.255.0 / VLAN 16
    Cluster 1, node 2: 192.168.16.3 / 255.255.255.0 / VLAN 16
    Cluster 2, node 1: 192.168.17.2 / 255.255.255.0 / VLAN 17
    Cluster 2, node 2: 192.168.17.3 / 255.255.255.0 / VLAN 17
    Cluster 3, node 1: 192.168.18.2 / 255.255.255.0 / VLAN 18
    Cluster 3, node 2: 192.168.18.3 / 255.255.255.0 / VLAN 18
    Cluster 4, node 1: 192.168.19.2 / 255.255.255.0 / VLAN 19
    Cluster 4, node 2: 192.168.19.3 / 255.255.255.0 / VLAN 19
    Which eats one VLAN per RAC cluster.

    Thank you for your answer!!
    I think I roughly understand the argument behind a 2-node RAC and a 3-node or greater RAC. We, unfortunately, were provided with two physical pieces of hardware to virtualize to support production (and two more to support non-production) and as a result we really have no place to host a third RAC node without placing it within the same "failure domain" (I hate that term) as one of the other nodes.
    My role is primarily as a system engineer, and, generally speaking, our main goals are eliminating single points of failure. We may be misusing 2-node RACs to eliminate single points of failure since it seems to violate the real intentions behind RAC, which is used more appropriately to scale wide to many nodes. Unfortunately, we've scaled out to only two nodes, and opted to scale these two nodes up, making them huge with many CPUs and lots of memory.
    Other options, notably the active-passive failover cluster we have in HACMP or PowerHA on the AIX / IBM Power platform is unattractive as the standby node drives no resources yet must consume CPU and memory resources so that it is prepared for a failover of the primary node. We use HACMP / PowerHA with Oracle and it works nice, however Oracle RAC, even in a two-node configuration, drives load on both nodes unlike with an active-passive clustering technology.
    All that aside, I am posing the question to both IBM and our Oracle DBAs (who will ask Oracle Support). Typically the answers we get vary widely depending on the experience and skill level of the support personnel we get on both the Oracle and IBM sides... so on a suggestion from a colleague (Hi Kevin!) I posted here. I'm concerned that the answer from Oracle Support will unthinkingly be "you can't do that, my script says to tell you the absolute most rigid interpretation of the support document" while all the time the same document talks of the use of NFS and/or iSCSI storage (eye roll).
    We have a massive deployment of Oracle EBS and honestly the interconnect doesn't even touch 100mbit speeds even though the configuration has been checked multiple times by Oracle and IBM and with the knowledge that Oracle EBS is supposed to heavily leverage RAC. I haven't met a single person who doesn't look at our environment and suggest jumbo frames. It's a joke at this point... comments like "OMG YOU DON'T HAVE JUMBO FRAMES" and/or "OMG YOU'RE NOT USING INFINIBAND WHATTA NOOB" are commonplace when new DBAs are hired. I maintain that the utilization numbers don't support this.
    I can tell you that we have 8Gb fiber channel storage and 10Gb network connectivity. I would probably assume that there were a bottleneck in the storage infrastructure first. But alas, I digress.
    Mainly I'm looking for a real-world answer to this question. Aside from violating every last recommendation and making Oracle support folk gently weep at the suggestion, are there any issues with sharing interconnects between RAC environments that will prevent its functionality and/or reduce its stability?
    We have rapid spanning tree configured, as far as I know, and our network folks have tuned the timers razor thin. We have Nexus 5k and Nexus 7k network infrastructure. The typical issues you'd find with standard spanning tree really don't affect us because our network people are just that damn good.

  • VLANs and VoIP on the same port

    Hello, we want to move our VoIP system onto its own VLAN. We currently have everything on one big broadcast domain. I have been doing some reading and have heard about voice VLANs and switchport modes. All of our computers are connected to our IP phones so they are on the same physical line. The phones are Aastra 480i and they run on a Sphericall phone system. The phones can tag the phone data with 802.1p/q. If I'm using static port-based VLANs, how would I configure the ports to accept these 2 different VLANs?

    Hi Friends,
    I have tried many times with Avaya IP phones and Cisco switches and it works fine.
    Actually, what I think CDP is used for is inline power negotiation, so if you don't have Cisco switches you have to use an external power supply. Also nowadays switches are coming with internal power supplies which support the IEEE standard, so if we have those switches we can use other vendors' IP phones without an external power supply.
    Another thing: I will always recommend not to configure a trunk, especially because that may result in the PC getting a DHCP IP address later. I have experienced this situation many times. When you configure the switchport voice vlan command on the switch it automatically forms an internal trunk which is not displayed on the switch, but internally it works.
    Right now I was not able to find one Cisco doc which specifically says there is no need for a trunk if you configure the switchport voice vlan command on the switch.
    So just 2 commands:
    switchport voice vlan
    switchport access vlan
    Works perfectly fine.
    HTH
    Ankur

  • Vlan and brdige on debian

    I'm running Qemu-based VMs on top of Debian.
    In my environment the data center gave us two VLANs on one NIC.
    As I build the VMs' NIC on top of a bridge which is built on top of VLANs, when the VLANs become two the network connectivity of the VMs is lost, but with one VLAN it's OK.
    Any help on this issue?
    Here is my interfaces configuration file:
    #network interface settings
    auto lo
    iface lo inet loopback
    iface eth0 inet manual
            address  0.0.0.0
            netmask  0.0.0.0
    auto eth0.972
    iface eth0.972 inet static
            address  0.0.0.0
            netmask  0.0.0.0
    auto eth0.973
    iface eth0.973 inet static
            address  0.0.0.0
            netmask  0.0.0.0
    auto eth0.976
    iface eth0.976 inet static
            address  0.0.0.0
            netmask  0.0.0.0
    auto eth0.977
    iface eth0.977 inet static
            address  0.0.0.0
            netmask  0.0.0.0
    iface vmbr0 inet manual
            bridge_ports eth0.978 eth0.976
            bridge_stp off
            bridge_fd 0

  • Native VLAN and Trunks on Bridges

    I have a need for different Native VLANs on the radio side and the ethernet side. Can this be done on the non-root 1410 bridge?
    The radio native VLAN is to support the management on the 1410 bridges. I also need to attach a single device from another VLAN on the non-root bridge and I do not want to have to put in a switch just to break out that needed VLAN.

    The bridge supports only one SSID. You should assign the SSID to the native VLAN
    1.Create subinterfaces on the radio and Ethernet interfaces.
    2. Enable 802.1q encapsulation on the subinterfaces and assign one subinterface as the native VLAN.
    3. Assign a bridge group to each VLAN.
    4. (Optional) Enable WEP on the native VLAN.
    5. Assign the bridge's SSID to the native VLAN.
    To assign an SSID to a VLAN and how to enable a VLAN on the bridge radio and Ethernet ports
    For further information click this link.
    http://www.cisco.com/en/US/docs/wireless/bridge/1400/12.3_8_JA/configuration/guide/p38vlan.html

  • Cat 3750 with Voice VLAN and Dynamic VLANs

    Morning,
    Has anyone had any success with configuring a Catalyst 3750 with a Voice VLAN (Cisco phones) and 802.1x dynamic VLANs?
    Is a RADIUS server able to provide values to change the native vlan?
    Is there a decent tech note knocking about for configuring 'dynamic VLAN assignment through MAC addresses'?
    Thanks,

    Voice VLANs don't require trunk ports to be configured (unless you are talking about 2900XL/3500XL switches). Cisco added the ability to trunk a single 802.1q VLAN down an access port in addition to the access VLAN - so on a 2950 or above the only config you need is:
    interface FastEthernet0/1
    switchport
    switchport mode access
    switchport access vlan 10
    switchport voice vlan 100
    This is effectively the same as:
    interface FastEthernet0/1
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport trunk native vlan 10
    switchport trunk allowed vlan 10,100
    The only difference is the CDP message with the first config will advertise the Voice VLAN capability and the tag.
    With the older 2900XL/3500XL switches you had to configure the interfaces like the second example (plus adding the command switchport voice vlan xx for CDP to inform the IP Phone of the voice vlan).
    QoS is not detailed anywhere here and that obviously plays an important role with voice.
    In your scenario I am not sure ACS can do what you describe as this will require 802.1x supplicants on the client PC's (I may be wrong here and I do remember someone talking about switches being able to do an 802.1x 'proxy' using the MAC address on behalf of non 802.1x capable devices). This seems to me more of a VMPS application.
    Personally I would reconfigure the network each time and charge the occupants a small fee for network setup.....
    HTH
    Andy
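    As an added example (not code from any of the posts here, and not Cisco's own implementation), the following Python model shows what an 802.1Q tag looks like inside a frame and runs the same frames through the two port configurations Andy gives above; it also answers the first question on this page about when a frame actually carries a tag. It ignores the CDP difference Andy mentions; the port classes, MAC addresses and payload bytes are constructed assumptions.

```python
"""Added example for this page (not code from the original posts): how an
802.1Q tag is inserted into and read from an Ethernet frame, and how the two
Catalyst port configurations quoted in the voice-VLAN answer classify frames.
Port classes, MAC addresses and payload bytes are constructed sample values."""
import struct

TPID_8021Q = 0x8100
BROADCAST = bytes.fromhex("ffffffffffff")      # constructed sample addresses
PHONE_MAC = bytes.fromhex("001122334455")
PC_MAC = bytes.fromhex("66778899aabb")


def tag_frame(frame, vid, pcp=0):
    """Insert the 4-byte 802.1Q tag after the two MAC addresses (offset 12)."""
    if not 0 <= vid <= 4094:
        raise ValueError("VID out of range")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)     # PCP (3 bits), DEI=0, VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def read_tag(frame):
    """Return (vid, pcp, frame_without_tag); vid is None for an untagged frame."""
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != TPID_8021Q:
        return None, None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]


class AccessPort:
    """switchport mode access + switchport access vlan + switchport voice vlan."""
    def __init__(self, access_vlan, voice_vlan=None):
        self.access_vlan, self.voice_vlan = access_vlan, voice_vlan

    def ingress(self, vid):
        if vid is None:
            return self.access_vlan            # untagged PC traffic -> data VLAN
        if vid == self.voice_vlan:
            return self.voice_vlan             # the phone tags its own traffic
        return None                            # any other tag is dropped (model assumption)

    def egress(self, vlan):
        if vlan == self.access_vlan:
            return "untagged"
        if vlan == self.voice_vlan:
            return "tagged"
        return None                            # port is not a member of this VLAN


class TrunkPort:
    """switchport mode trunk + trunk native vlan + trunk allowed vlan."""
    def __init__(self, native_vlan, allowed):
        self.native_vlan, self.allowed = native_vlan, set(allowed)

    def ingress(self, vid):
        if vid is None:
            vid = self.native_vlan             # untagged -> native VLAN
        return vid if vid in self.allowed else None

    def egress(self, vlan):
        if vlan not in self.allowed:
            return None
        return "untagged" if vlan == self.native_vlan else "tagged"


def classify(port, frame):
    """VLAN the switch assigns to an incoming frame on this port, or None if dropped."""
    vid, _, _ = read_tag(frame)
    return port.ingress(vid)


def compare_configs():
    """Run identical frames through both configurations from the answer."""
    access = AccessPort(access_vlan=10, voice_vlan=100)
    trunk = TrunkPort(native_vlan=10, allowed={10, 100})
    pc_frame = BROADCAST + PC_MAC + b"\x08\x00" + b"pc payload"            # untagged
    phone_frame = tag_frame(BROADCAST + PHONE_MAC + b"\x08\x00" + b"rtp", 100, pcp=5)
    stray_frame = tag_frame(pc_frame, 30)      # a VLAN the port was never given
    results = {}
    for name, port in (("access", access), ("trunk", trunk)):
        results[name] = {
            "pc_in": classify(port, pc_frame),
            "phone_in": classify(port, phone_frame),
            "stray_in": classify(port, stray_frame),
            "vlan10_out": port.egress(10),
            "vlan100_out": port.egress(100),
            "vlan30_out": port.egress(30),
        }
    return results


if __name__ == "__main__":
    for name, table in compare_configs().items():
        print(name, table)
```

    On both ports the PC's untagged frame lands in VLAN 10, the phone's tagged frame in VLAN 100, and a frame tagged with a VLAN the port was never given is dropped, which is why the two configurations behave the same on the wire.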

  • What's the easiest way to create a new VLAN and then move all existing devices to it?

    One of our locations was implemented using VLAN1 as the main (native) VLAN. My goal is to create a new sub-interface on the router and then move all the existing switches (all Layer 2) into the new VLAN, without disrupting the network (and remotely). I am trying to determine the best way to proceed. Thanks.

    I wanted to shed a little more light on the situation. The "new" VLAN has actually been in existence since the network was initially set up. The network runs VTP and the new VLAN already has an interface on the router and already shows up on all the switches when you do a "sh vlan" command. We have about 10 VLANs in all. In reality, I am simply trying to migrate about 8 switches from VLAN1 (which they never should have been on) to the new VLAN. I know that I need to create an interface for the new VLAN on each of the switches and then swap the management IP to that interface. If I could connect directly into each switch via the console port, this would be a simple task. However, the switches are in extremely remote locations with special circumstances, thus I have no physical access to them. This fact has me a little reluctant to make the changes, as we can't afford any mistakes that would potentially cause network downtime. I am looking for some guidance on exactly the steps to take to achieve my goal. Let's call the new VLAN VLAN2. During testing, I logged into a local switch that was on VLAN1 (that's where it had its management address). It did have VLAN2-VLAN10 as well, via VTP. I created an interface for VLAN3 on the switch and then accessed it via VLAN3 to swap the main management interface from VLAN1 to VLAN2. The changes took, but I couldn't access it via VLAN2. I am assuming this is because the router still has VLAN1 listed as the native VLAN and the VLAN2 IP address is still assigned to VLAN1 on the router. What would be the best way for me to make the required changes on the 8 switches that need to be swapped, without losing remote access? It wouldn't hurt if the network went down for 5 minutes or less, but we can't have a big outage. Thanks.

  • Cisco Systems vs "CSIRO" 802.11a and 802.11g infringed upon the '069 patent

    Hi,
    any news about Cisco Systems and the "CSIRO" 802.11a and 802.11g infringed upon the '069 patent ?
    http://www.buffalotech.com/products/wireless/
    Dear Customer
    As you may be aware, Commonwealth Scientific and Industrial Research Organisation ("CSIRO") sued Buffalo, Inc. and Buffalo Technology (USA), Inc. ("Buffalo"), for alleged infringement of United States Patent No. 5,487,069 ("the '069 patent"). Subsequently, CSIRO also asserted its patent against the entire wireless LAN industry, including, Microsoft, Intel, Accton, SMC and Netgear.
    In its lawsuit against Buffalo, CSIRO claimed certain Buffalo wireless networking products compliant with IEEE standards 802.11a and 802.11g infringed upon the '069 patent. Buffalo believed at that time and continues to believe that there are no grounds for CSIRO's allegations of infringement. The United States district court, however, found Buffalo to infringe the '069 patent and enjoined the importation and sale of Buffalo's IEEE 802.11a and 802.11g compliant products.
    CSIRO's lawsuits are against the entire wireless LAN industry and could affect the supply of wireless LAN products by any manufacturer, not just Buffalo. The entire industry is resisting CSIRO's attempts to enjoin the sale of wireless LAN products. Recently, Microsoft, 3COM Corporation, SMC Networks, Accton Technology Corporation, Intel, Atheros Communications, Belkin International, Dell, Hewlett-Packard, Nortel Networks, Nvidia Corporation, Oracle Corporation, SAP AG, Yahoo, Nokia, and the Consumer Electronics Association filed briefs in support of Buffalo's position that injunctive relief is inappropriate in this case.
    During the period of time that the injunction is in effect (10/1/2007), Buffalo cannot offer for sale, sell, import, or use its IEEE 802.11a and 802.11g compliant products in the United States. A list of the products covered by the injunction is attached here . The injunction does not prohibit sales of pre-existing inventories of products by Buffalo's customers. In addition, Buffalo has secured CSIRO's agreement to permit the replacement of defective products under warranty. None of Buffalo's other products are currently affected by this injunction.
    While Buffalo believes that it will be successful in reversing the district court's decision and will obtain a stay of the injunction pending a decision on the merits, the Court of Appeals has not yet issued a decision. Should the Court of Appeals issue a decision staying the injunction, you will be promptly notified. After the stay is issued or a favorable decision on the merits is obtained, Buffalo will be able to resume the supply of IEEE 802.11a and 802.11g products
    Please rest assured that Buffalo continues to stand behind their products and will continue to support all of our loyal customers as it relates to product warranties, technical support and the like without interruption.

    I suspect, after reading the patent and the litigation that you mentioned above, that the US District Court decision will be reversed as the patent appears to be very vague in its construction and verbiage. Furthermore, the intent to hold the IEEE hostage on the ratification of 802.11n will not bode well in the court's eyes. If in fact the case is reversed, I believe that the members of CSIRO will be in danger of lost-profits litigation from Buffalo. Stay tuned to this bat channel.

  • What's the difference between using and 802.11a and 5GHz only?

    What's the difference between using "802.11n (802.11a compatible)" and "802.11n only (5GHz)" modes on the Airport Extreme?

    802.11a gives you 802.11g speeds but using 5GHz (54Mbps).
    802.11n gives you 144Mbps (600 peak) at 2.4GHz or 5GHz.

  • Setting Up VLAN and QoS for VOIP on SG200-18

    We recently purchased the SG200-18 smart switch to replace a Netgear unmanaged switch. We're moving our phone service to VOIP through our local ISP as well. 
    I've currently got the VOIP phone plugged into Port 17 on the SG200-18 (it's a Grandstream cordless VOIP phone).
    I want to put the VOIP phone on a separate VLAN from the rest of the network and optimize the QoS settings so that the VOIP phone has exceptional audio quality even during intense network traffic.
    Here are my questions:
    1. Do I need to adjust anything on the type of port for Port 17 (since it looks like some form of Combo port)?
    2. How do I go about isolating the VOIP phone on its own VLAN (I'm seeing VLAN and Voice VLAN settings, not sure which one to use; I tried setting a VLAN and broke Internet connectivity to the phone until I went in and removed it)?
    3. Do I need to adjust any QoS settings on the switch to better optimize the VOIP phone?
    A couple of additional questions about the SG200-18 in general:
    1. Do I need to adjust any of the System Time Settings on the switch? I'm in Central Time.
    2. Do I need to adjust any of the Green Ethernet/Energy Saving settings or should I stick with the defaults?
    Also, a couple of "getting started" side questions to Cisco:
    1. I've registered a My Cisco account. What do I need to do to register my switch with Cisco and associate it with my My Cisco account?
    2. What are the benefits of taking out a Cisco Small Business Support Contract, and about how much would it cost on the SG200-18 (I ordered it from Provantage)? I'm curious to see if it's worth the money.
    Here's my "specs":
    Switch: SG200-18
    VOIP phone: Grandstream DP715 and 710 expandable handsets
    Plugged into: Port 17 on the SG200-18
    ISP: Local ISP (Direclynx)
    Connection type: 3M down/500k up DSL, moving to a wireless connection coming up which will give us faster speeds
    VOIP backend provider: VOIP Innovations
    Router: Apple Airport Extreme AC model (I run all Macs and iOS devices and OS X Server on the network, so using the Apple router makes setup easier, since it doesn't QoS, trying to QoS and VLAN at the switch level)
    Thanks everyone!

    Hello,
    Lots of different questions here so I'll try to make sure I don't miss anything.
    1. Do I need to adjust anything on the type of port for Port 17 (since it looks like some form of Combo port)?
       The way the combo ports work is you can either use the SFP slot for a fiber connection or the copper Ethernet port, but not both at the same time.  Other than that they just function as normal network ports.
    2. How do I go about isolating the VOIP phone on it's own VLAN (I'm seeing VLAN and Voice VLAN settings, not sure which one to use; I tried setting a VLAN and broke Internet connectivity to the phone until I went in and removed it)?
       It sounds like you created the VLAN correctly and assigned the phone, however there wasn't anything doing any routing for that VLAN.  You would need to have a VLAN capable router or a layer 3 switch so that something would act as the default gateway for the voice VLAN and route the traffic for you.  Since there was nothing like this your phone lost its connectivity to the internet when you placed it in the new VLAN.  I don't think the Airport is VLAN capable, but we will come back to that.
    3. Do I need to adjust any QoS settings on the switch to better optimize the VOIP phone?
       Once you have a separate VLAN set up for the phone properly you only have to tell the switch what your Auto Voice VLAN is going to be and it will automatically apply recommended QoS settings for the Voice VLAN and prioritize the voice traffic.  There are ways to do this manually and even with the phone in the same VLAN, however they are considerably more complicated.
    1. Do I need to adjust any of the System Time Settings on the switch? I'm in Central Time.
       The system time isn't always very important.  You can set the correct time zone, however you should know the switch does not have a battery in it to keep track of time, so if/when it reboots or loses power the clock will reset.  If you would like the switch to maintain accurate time you should setup an NTP server so the time is automatically updated from the internet.  The switch will keep your timezone settings once you save them.  Time is mostly important for logging and things like that, so you can configure it if you like but it is not necessary.
    2. Do I need to adjust any of the Green Ethernet/Energy Saving settings or should I stick with the defaults?
       Green ethernet simply reduces the power usage of the switch slightly, so unless you are having odd issues where ports are disconnecting, I would just leave them at the defaults.
    1. I've registered a My Cisco account. What do I need to do to register my switch with Cisco and associate it with my My Cisco account?
       There isn't really a way to associate your Small Business devices with your Cisco account.  If you ever call in for technical support we will use your Cisco account and your serial number to create a support case, but even then they aren't linked together.  If you decide to buy a support contract, that will be linked to your switch's S/N and your Cisco ID, so in a way that would associate them together.  Devices being associated with Cisco accounts is something more common with Enterprise equipment, and mainly has to do with technical support cases.
    2. What are the benefits of taking out a Cisco Small Business Support Contract, and about how much would it cost on the SG200-18 (I ordered it from Provantage)? I'm curious to see if it's worth the money.
       There are a few advantages to a Support Contract.  Your switch comes with a Limited Lifetime warranty that includes 1 year of technical support and return-to-factory hardware.  With a service contract you get 3 years of technical support and next business day Advanced Replacement of the switch if it needs to be replaced.  I just did a quick Google search, and it looks like a contract (part #CON-SBS-SVC2) costs about $50.
    So there are a few other things to consider however.
    As a frame of reference the average VOIP call uses about 64 - 128 kbps max.
    Since you don't have a VLAN capable router or a layer 3 switch, a separate voice VLAN may not be an option.   You also mention that the Apple Airport does not do QoS, meaning we will only be prioritizing the voice traffic while it is on the switch.  When it is passed off to the Airport to be routed out to the internet all of the QoS settings will be lost, and normal network traffic will get the same priority as voice, since that is all up to the Airport.
    With one phone the hassle of getting more equipment and setting up advanced QoS isn't really worth it, especially if the link to the internet isn't going to be participating in QoS.
       One last thing I wanted to mention is you are switching to a wireless internet connection.  I would ask them how their latency and jitter is, as these two network statistics greatly affect voice quality, and usually wireless performs worse when it comes to voice traffic.
    I hope this information helps, if you have any more questions just let me know.
    Thank you for choosing Cisco,
    Christopher Ebert - Network Support Engineer 
    Cisco Small Business Support Center

  • 1242AG Bridge, VLAN and Multiple SSIDs

    I have two buildings that I'm trying to configure a bridge in between them using 2 1242AG APs.
    Building A
    PCOFFICE SSID on VLAN 200 Radio G
    ROOT_1 SSID on Native VLAN 1 Radio A
    Root Bridge
    Building B
    FDAPC SSID on Native VLAN 1 Radio G
    ROOT_1 SSID on Native VLAN 1 Radio A
    We are using directional antennas. I know they are lined up properly because I have them both down and in front of me. I'm getting an error on the Building B AP that says "No SSID with VLAN configured. Dot11Radio1 not started." and I'm unable to get this to work. The bridge was working before I added the VLAN and encryption/WPA information for the PCOFFICE and FDAPC SSIDs.
    Any assistance would be amazing. Thanks! Please see attached files for configurations. I know the switch is configured properly because I had this working before and forgot to save the damn configuration off the devices. I'm now having to do it over from scratch.

    That did not work.
    I've managed to fix the ROOT_1 and FDAPC... now I'm having an issue where I can attempt to connect to the PCOFFICE SSID but I'm unable to get a DHCP address from the server.
    Here is the config for the AP with PCOFFICE on it and the switch.
    SWITCH
    interface GigabitEthernet3/2
    switchport trunk allowed vlan 1,200
    switchport mode trunk
    interface Vlan1
    ip address 192.168.3.4 255.255.255.0
    interface Vlan200
    ip address 192.168.30.2 255.255.255.0
    ip helper-address 192.168.3.98
    ip default-network 192.168.3.0
    ip route 0.0.0.0 0.0.0.0 192.168.3.1
    no ip http server
    ACCESS POINT
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname AP1_ROOT_AP
    enable secret 5 REMOVED
    ip subnet-zero
    no aaa new-model
    dot11 vlan-name VLAN1 vlan 1
    dot11 vlan-name pcCopper vlan 200
    dot11 ssid PCOFFICE
       vlan 200
       authentication open
       authentication key-management wpa
       guest-mode
       wpa-psk ascii 7 REMOVED
    dot11 ssid ROOT_1
       vlan 1
       authentication open
       authentication key-management wpa
       infrastructure-ssid optional
       wpa-psk ascii 7 REMOVED
    dot11 network-map
    dot11 arp-cache optional
    power inline negotiation prestandard source
    username Cisco password 7 REMOVED
    username admin privilege 15 password 7 REMOVED
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption mode ciphers tkip
    encryption vlan 200 mode ciphers tkip
    ssid PCOFFICE
    speed basic-2.0 5.5 11.0 12.0 18.0 24.0 36.0 48.0 54.0
    no power client local
    power client 17
    power local cck 17
    power local ofdm 17
    channel 2462
    station-role root access-point
    antenna receive right
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 port-protected
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Dot11Radio0.200
    encapsulation dot1Q 200
    no ip route-cache
    bridge-group 200
    bridge-group 200 subscriber-loop-control
    bridge-group 200 block-unknown-source
    no bridge-group 200 source-learning
    no bridge-group 200 unicast-flooding
    bridge-group 200 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    encryption mode ciphers tkip
    encryption vlan 1 mode ciphers tkip
    ssid ROOT_1
    dfs band 3 block
    speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
    no power client local
    power client 11
    power local 11
    channel 5180
    station-role root bridge
    antenna receive right
    antenna transmit right
    interface Dot11Radio1.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    hold-queue 160 in
    interface FastEthernet0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface FastEthernet0.200
    encapsulation dot1Q 200
    no ip route-cache
    bridge-group 200
    bridge-group 200 spanning-disabled
    interface BVI1
    ip address 192.168.3.241 255.255.255.0
    no ip route-cache
    ip default-gateway 192.168.3.1
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    control-plane
    bridge 1 route ip
    line con 0
    line vty 0 4
    login local

  • WLC 7.4.110.0 where native vlan and SSID vlan is the same vlan

    Hi
    We have approx. 1500 access points in approx. 500 locations. WLCs are WiSM2s running 7.4.110.0. The APs are 1131 LAPs. In a FlexConnect configuration we use vlan 410 as native vlan and the ssid (LAN) is also in vlan 410. This works fine; we never had any problems with this.
    Now we have started using 1602 APs and the client connection on ssid LAN becomes unstable.
    If we configure a different ssid, using vlan 420 and native vlan 410, everything works fine.
    I can't find any recommendations regarding the use of native vlan/ssid vlan.
    Is there anyone experiencing similar problems? Is this a problem with my configuration or is it a bug within 1602 access points?
    Regards,
    Lars Christian

    It is the recommended design to put FlexConnect AP management into the native vlan and user traffic into a tagged vlan.
    From the QoS perspective, if you want to enforce WLC QoS profile values, you have to tag SSID traffic to a vlan (other than the native vlan) and trust CoS on the switch port connected to the FlexConnect AP (usually configured as a trunk port).
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • How can I deploy MacBooks and 802.1x authentication using PEAP/MSChap version 2

    How can I deploy MacBooks and 802.1x authentication for wireless connectivity using PEAP/MSChap version 2? The cert is generated by a 2008 Windows CA. I am trying to get them to join but the Mac doesn't seem to want to accept the cert. Can I not validate the cert and still have it join the 802.1x wireless network? The wireless network is using a Cisco 5508 wireless controller and Cisco 1142 access points. All works fine with Windows devices.

    Hi Tarik,
    Thanks for your answers,
    I've attached my configured AuthZ rules and AuthZ profile for provisioning,
    I want the process to be the same for iPhone, Android and Windows.
    1) Connect to the SSID
    2) Login using your AD credentials PEAP-MS-CHAP-v2
    3) Redirect to device registration portal (So I can set a limit of 3 devices per employee)
    4) As soon as the client clicks "register", no more redirects and PERMIT-ALL
    I think that I don't need to rely on profiling because in terms of AuthZ policies it should be something like this:
    1) if WIRELESS802.1x and PEAP-MS-CHAPV2 and BYODREGISTRATION=!YES (Unknown or not registered) then "Redirect to device registration (that is NSP, right?)"
    2) if WIRELESS802.1x and PEAP-MS-CHAPV2 then PERMIT-ALL (no redirection)
    3) everything else = DENY-ALL
    But the NSP looks for Client Provisioning policies, so if I don't configure any policy it should Allow Network Access (see attachment photo3.png), but as I said in the post it shows that it cannot retrieve the MAC address, so the client can't register his device and doesn't have access to the network. (To grant access I've configured provisioning policies; that way the clients can register their devices, but they are redirected to Google Play or are forced to install the profile on iOS, and this is what I don't want because it is not necessary.)
    What screenshot do you need after the registration? The Auth report?
    Thank you very much for your time!

  • Port security and 802.1x (ISE)

    Hi everyone,
    I'm implementing ISE in a network with Port Security enabled.
    According to the book Cisco ISE for BYOD and Secure Unified Access, Port-security is not compatible with 802.1x.
    I want to know what the effect is of having Port-security and 802.1x enabled on the same switch port.
    Someone?
    Thanks!

    Hi Neno,
    Thanks for the reply. As we checked, the port is going into error-disable with the phone MAC address, where the phone is connected 24/7 and the machine connects through the phone.
    Please find the logs from the switch below:
    Oct  1 09:21:11: %AUTHMGR-5-START: Starting 'dot1x' for client (e804.62eb.b435) on Interface Gi5/30 AuditSessionID AC1232470000E906E5392F07 ======Phone MAC
    Oct  1 09:21:12: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E907E53931BF ======Laptop MAC
    Oct  1 09:21:12: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B
    Oct  1 09:21:12: %DOT1X-5-SUCCESS: Authentication successful for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B
    Oct  1 09:21:12: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B
    Oct  1 09:21:12: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPEDOT1X| EVENT APPLY
    Oct  1 09:21:12: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPE DOT1X| EVENT IP-WAIT
    Oct  1 09:21:13: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet5/30, new MAC address (e804.62eb.b435) is seen.AuditSessionID  Unassigned
    Oct  1 09:21:13: %PM-4-ERR_DISABLE: security-violation error detected on Gi5/30, putting Gi5/30 in err-disable state
    Oct  1 09:21:13: %AUTHMGR-5-START: Starting 'dot1x' for client (e804.62eb.b435) on Interface Gi5/30 AuditSessionID AC1232470000E909E53935F3
    Oct  1 09:21:13: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0026.b9eb.28ec| AuditSessionID AC1232470000E908E539329B| AUTHTYPEDOT1X| EVENT REMOVE
    Oct  1 09:21:13: %PM-4-ERR_DISABLE: STANDBY:security-violation error detected on Gi5/30, putting Gi5/30 in err-disable state
    Can you guide us on how to fix this one?
    Regards
    Pranav
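    A triage script for the switch log above, added here as an example and not part of the thread: it parses the quoted IOS syslog lines (the MAC and interface spellings are taken from the log; the regexes and the finding structure are my own assumptions) and reports, for each port-security violation, whether the "new" MAC had already started 802.1x on that port and which other MACs the port had seen, which is the phone-plus-PC situation Pranav describes.

```python
import re
from collections import defaultdict

# Constructed sample built from the switch syslog lines quoted in the thread above.
LOG = """\
Oct  1 09:21:11: %AUTHMGR-5-START: Starting 'dot1x' for client (e804.62eb.b435) on Interface Gi5/30 AuditSessionID AC1232470000E906E5392F07
Oct  1 09:21:12: %AUTHMGR-5-START: Starting 'dot1x' for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E907E53931BF
Oct  1 09:21:12: %DOT1X-5-SUCCESS: Authentication successful for client (0026.b9eb.28ec) on Interface Gi5/30 AuditSessionID AC1232470000E908E539329B
Oct  1 09:21:13: %AUTHMGR-5-SECURITY_VIOLATION: Security violation on the interface GigabitEthernet5/30, new MAC address (e804.62eb.b435) is seen.AuditSessionID  Unassigned
Oct  1 09:21:13: %PM-4-ERR_DISABLE: security-violation error detected on Gi5/30, putting Gi5/30 in err-disable state
"""

# IOS syslog shape: "<timestamp>: %FACILITY-SEVERITY-MNEMONIC: <text>"
MSG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d): %(?P<fac>[A-Z0-9_]+)-\d-(?P<mnem>[A-Z_]+): (?P<text>.*)$")
MAC_RE = re.compile(r"\(([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\)")
IF_RE = re.compile(r"(?:[Ii]nterface|detected on) (\S+?)[,\s]")

def norm(ifname):
    """Fold the long and short IOS interface spellings onto one key."""
    return re.sub(r"^GigabitEthernet", "Gi", ifname)

def analyse(log):
    """One finding per port-security violation: was the 'new' MAC really new?"""
    seen = defaultdict(dict)      # iface -> {mac: first timestamp seen in dot1x}
    findings = []
    for line in log.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        im, mm = IF_RE.search(m["text"]), MAC_RE.search(m["text"])
        iface = norm(im.group(1)) if im else None
        if iface is None:
            continue
        if m["mnem"] in ("START", "SUCCESS") and mm:
            seen[iface].setdefault(mm.group(1), m["ts"])
        elif m["mnem"] == "SECURITY_VIOLATION" and mm:
            mac = mm.group(1)
            findings.append({"ts": m["ts"], "iface": iface, "mac": mac,
                             "previously_seen": mac in seen[iface],
                             "other_macs": sorted(set(seen[iface]) - {mac})})
        elif m["mnem"] == "ERR_DISABLE":
            for f in findings:            # tie the shutdown to its violation
                if f["iface"] == iface and "err_disabled" not in f:
                    f["err_disabled"] = m["ts"]
    return findings

if __name__ == "__main__":
    for f in analyse(LOG):
        print(f)
```

    A violation whose MAC was already seen on the port, alongside a second authenticated MAC, points at the port's MAC limit or host mode rather than at a rogue device.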
