VLANs with L3 Switch (SG-500)

Similar Messages

• VLAN with 2 switch ESW - 520

  For test I used 2 Switch that name "ESW X" and "ESW Y"
  I have 2 network that I named "Network A" and "Network B"
  I build 2 VLAN for each network that named Vlan 2 for Network A and Vlan 3 for Network B, I don't use Vlan 1 because it's the default Vlan
  Configuration ESW X:
  port e1 : ACCESS PORT on UNTTAGGED Vlan 2
  port e2 : ACCESS PORT on UNTTAGGED Vlan 2
  port e3 : ACCESS PORT on UNTTAGGED Vlan 3
  port e4 : ACCESS PORT on UNTTAGGED Vlan 3
  port g3 : TRUNK PORT with UNTTAGGED Vlan 1(default) and TAGGED Vlan 2 and Vlan 3
  Configuration ESW Y:
  port e1 : ACCESS PORT on UNTTAGGED Vlan 2
  port e2 : ACCESS PORT on UNTTAGGED Vlan 2
  port e3 : ACCESS PORT on UNTTAGGED Vlan 3
  port e4 : ACCESS PORT on UNTTAGGED Vlan 3
  port g3 : TRUNK PORT with UNTTAGGED Vlan 1(default) and TAGGED Vlan 2 and Vlan 3
  I Use for test 2 computer with the same IP class adress.
  Test Result :
  Communication between ESW X e1 and ESW x e2 =>OK
  Communication between ESW X e3 and ESW x e4 =>OK
  Communication between ESW Y e1 and ESW Y e2 =>OK
  Communication between ESW Y e3 and ESW Y e4 =>OK
  Communication between ESW X e1 and ESW Y e1 or e2 =>NOK
  Communication between ESW X e2 and ESW Y e1 or e2 =>NOK
  Communication between ESW X e3 and ESW Y e3 or e4 =>NOK
  Communication between ESW X e4 and ESW Y e3 or e4 =>NOK
  Each Vlan can't communicate between the two switch, I think they're a problem in my vlan/port configuration, can you help me.

  Hi Thibaud,
  Thank you for the purchase of the ESW switches.
  Just out of interest, are you using the latest  firmware on your ESW switch version 2.1.19 
  But you sure sound like you have a great understanding of Tagged and untagged VLANs  from you posting description..great stuff.
  I just tried your configuration, I can communicate between ESW540-24P switch and a SF300-48P switch.
  Sorry,  I don't have two ESW switches handy. But it should not matter. Standards based  Ethernet is hopefully just standards based ethernet
  My vlan configuration below for my ESW540-24P,  and it's working just fine.
  I  just connected switch ports 24 between the two switches together, that's why port 24 is tagged in each of the screen shots below.
  I would really really doubt you would have a problem, unless there is something fundimental or basic you have done such as not saving the running configuration to the startup configuration.  Obviously not backing up tjhe configuration before a power down will kill the configuration.
  ( saved your configuration within each switch)
  Here is a copy of a section of my switch running  configuration, that resulted from me playing with the ESW configuration utility.
  (note that my switch has all Gigabit ethernet ports;)
  interface range ethernet g(1-2)
  switchport trunk native vlan 2
  exit
  interface ethernet g24
  switchport trunk allowed vlan add 2
  exit
  interface range ethernet g(3-4)
  switchport trunk native vlan 3
  exit
  interface ethernet g24
  switchport trunk allowed vlan add 3
  exit
  If you are still having issue, here is the contact URL  for the Small Business Support Center, maybe a fresh set of eyes can spot the issue;
  http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
  regards Dave

• Intervlan Routing with 6500 switch

  I am designing an upgrade to our current network that will contain a 6500 switch and i wanted to setup vlans with the switch. I know that this switch has the ability to perform routing on its own so i do not need an external router to route between the vlans but if that is the case what default gateway do i give each vlan? Do i give the vlan ip address as the default gateway for the end devices or do i use an IP address in the switch somehow as the default gateway?
  Thanks.
  Pete

  Hi,
  Think of the MSFC as a router with many different interfaces. Your router itself would only have one default gateway for all those interfaces. For the clients, they will sit in each VLAN that you create. The clients default gateway will be the VLAN IP address (or HSRP address) on the 6500 that they sit. So, if you create vlan100 and put an IP address of 10.10.10.1 on the vlan100 interface..the 10.10.10.1 address would be the gateway for the clients in vlan 100. If you create a vlan200 and put an IP address of 10.11.11.1 on that interface..all the clients that are in vlan200 would have the gateway address of 10.11.11.1.
  Hope that helps.

• Help with inline VLAN Pair and switch configuration

  Hello,
  I'm new to IPS and IDS in general, but I have an IPS-4255 and a couple of Catalyst 2900 switches to experiment with. I'm currently trying to enable an Inline VLAN Pair configuration on the IPS and have a simple setup.
  SW1 and SW2 have vlans 100 and 200 configured. PC1 and PC2 are on the same IP range (no routing). PC1 on vlan 100 connects to Sw1. PC2 on vlan 200 connects to SW2. The IPS connects to a SW2 trunking port, and SW1 and SW2 are connected together on another trunking port.
  I know that my trunking is working because PC1 and PC2 can ping each other whenever they are on the same vlan of either switch. But, they can't ping when on the separate vlans.
  From what I've read, the IPS with an Inline VLAN Pair acts as a bridge between the two vlans and should forward the traffic if it passes inspection. However, the IPS does not appear to see any traffic at all.
  My IPS is configured with inline VLAN pair 100->200 and associated to vs0.
  Have I missed something in my config somewhere? Or am I misunderstanding how inline VLAN Pairs are supposed to work?
  Below are my configs for the switches and the IPS.
  Any help would be appreciated. Thank you!
  IPS Config
  service interface
  physical-interfaces GigabitEthernet0/0
  no description
  admin-state enabled
  duplex auto
  speed auto
  alt-tcp-reset-interface interface-name GigabitEthernet0/3
  subinterface-type inline-vlan-pair
  subinterface 1
  description test
  vlan1 100
  vlan2 200
  exit
  exit
  service analysis-engine
  virtual-sensor vs0
  physical-interface GigabitEthernet0/0 subinterface-number 1
  inline-TCP-session-tracking-mode vlan-only
  exit
  exit
  SW1 and SW2 config
  interface FastEthernet0/1
  switchport access vlan 100
  interface FastEthernet0/9
  switchport access vlan 200
  interface FastEthernet0/18
  switchport trunk encapsulation dot1q
  switchport mode trunk
  interface FastEthernet0/24 (Sw 2 only)
  description IPS port
  switchport trunk encapsulation dot1q
  switchport mode trunk

  It has been awhile since I've dealt with a 2900 switch to I am just trying to guess at what may be wrong with your setup.
  I noticed that neither of your trunk port configuration are specifically stating which vlans are allowed on the trunks.
  It is possible that for the trunk between the 2 switches there may be some protocol negotiation so the switches can determine which vlans to trunk, BUT no such negotiation will happen with the sensor. If I remember right you will need to specifically state which vlans the trunk to the sensor should carry. If I remember right the commmand would be something like:
  switchport trunk allowed-vlan 100,200
  You will want to find the show command on your switch that will show you which vlans are actually being trunked by the port. It might be something like "show switchport trunk"
  And you will want to verify that the switch is actually trunking vlans 100 and 200 to your sensor.
  On your sensor you will want to execute "show interfaces" and look at the statistics for Gig0/0 to see if it is receiving packets on vlan 100 and 200.
  You can also run "packet display GigabitEthernet0/0" to see if any packets are making it to your sensor.
  You will also want to check Link status and make sure your sensor is linking up properly with your switch. A common mistake is to connect the wrong ports, as some sensors do not have the port numbers clearly marked.
  NOTE: If the above doesn't help, then take the additional step of eliminating the second switch. Attach both pcs to the same SW2 switch (1 in each vlan). The second switch isn't necessary to test the inline vlan pair functionality. Connecting both PCs to the same switch will help eliminate any possibility of misconfiguration between the 2 switches.

• Two VLANs on one switch port?

  Currently we have the following
  Cat 4003 with VLAN trunking turned on to multiple switches. Each port in those exterior switches is assigned to a vlan(we have about 60 different vlans).
  What I would like to do is on those exterior switches have two vlans assigned to it.
  We'd like to create a single IP Phone VLAN(let's call it 999) that can span our entire enterprise and would have dhcp deployed on it.
  Each port is connected to an IP phone which has a 2 port switch in them. One port to the wall, one to the pc.
  The switch ports on those phones support vlan tagging
  How would setup an exterior switch to access 2 vlans that connect to 2 port switch on an IP phone?

  To facilitate ease of deployment, use VTP so that you can centrally create the vlans and propagate to each exterior switch. Now I believe you already do have a layer 3 engine or router that does routing between all these vlans. What switches are used on teh exterior ? This is to find out if voice vlan support is available.
  In cat switches, voice vlan is created using command,
  set port auxiliaryvlan vlan
  In IOS based switches,
  int fa0/1
  switchport mode trunk
  switchport trunk encap dot1q
  switchport trunk native vlan
  switchport voice vlan
  switchport priority cos extend 0
  or
  int fa0/1
  switchport mode access
  switchport access vlan
  switchport voice vlan
  I am not sure about support of voice/aux vlan in 4003. We will have check your other switch models/ software versions to determine support for this command.

• How do I add a Subnet and vlan with a catalyst 3550 and RV120

  Hello Friends.
  I have a scenario that i'm hoping i can get some help with. I'll be as detailed and descriptive as i can.
  This is for a business with 100 employees nodes and 100 camera nodes all needing IP internet through private addressing and public gateway.
  I have a business class gateway with a private range of 12 public addresses. Ther modem does nothing but act as a gateway since i have disabled the firewall and DHCP.
  In place of the firewall and DCHP from the modem i have installed a RV120 Firewall with VPN. When installing i replicated the IP scheme of the modem as to not disturb and distrup the devices assigned addresses from that scheme from the modem. I did this because the owner could not have any down time or any disruption to the business operations.
  The RV120 now acts as firewall , DHCP , and VPN. I'll address the subnet first. I's using 10.0.0.0/24 subnet range.
  DHCP is assigning 10.1.10.50 - 10.1.10.100 the rest are static and i plan to use static DHCP with the IP and MAC assigned to each static DHCP address.
  There are 100 cameras with static IP addresses in the range of 10.1.10.11 - 10.1.10.40, and 10.1.0.1.101 - 10.1.10.170.
  VPN uses PPTP assigned address 10.1.10.6 - 10.1.10.10.
  There are no layer 3 switches that i know of. Just a layer two that is the primary swith and ports have run out, and various out of the box switches and wireless access points connected to the primary switch.
  I want to implement subnets into the network and VLANS as well on a new Layer 3 switche from cisco. Thinking 3550 from Cisco or one of the older layer 2 switches with layer three capabilities.
  I also want to introduce a 192.168.0.0/24 IP range for the existing wireless network and segment the traffic from the rest of the traffic on other ranges.
  I want to replace the 10.0.0.0/24 DHCP alltogether and the static addresses for end user nodes on the same network, but keep that range just for camera nodes segmented.
  I want to implement a NEW end user IP range and VLAN for employee/guest networks using the 172.16.0.0/24 range.
  Iv'e thought of replacing all the wireless nodes with RV120's and use VLAN. Dont know if that strategy works. Need to think it through.
  I want the 192.168.0.0/24 IP range comunicate to with the 172.16.0.0/24 and possibly the 10.0.0.0/24 range.
  Any advice on how to do this?
  As a side note the next step after this is to install a server domain controller as all the computers are all stand alones in their own workgroups. It's a simultaneous project that will introdue a DCHP, WINS, DNS server.

  Hi Omid, it sounds like you're proposing the 3550 switch but you're not decided yet. The 3550 switch is a pretty old device and needs enhanced multilayer image. It may be more prudent to use a more current switch such as small business SG300 or SG500 as the feature set is more rich and it supports around 480 LAN connections.
  To answer the inquiry, the RV120W, when you create a VLAN it will automatically create an IP interface. From this you may assign subnet as you like along with 'enable or disable' for inter vlan routing. Since the RV120W has this feature, a layer 3 switch is not required unless you are looking to keep the routing load smaller by routing locally with the switch.
  With Catalyst or a small business switch you would need to create a VLAN. After creating the VLAN, on a Catalyst you can simply issue "switchport trunk encapsulation dot1q" on the desired interface and all VLAN will passage without issue. For a port connecting a user "switchport mode access" "native vlan xx" This will assign the port as untag member of the desired VLAN.
  If using a small business switch, it is slightly different, you still create the VLAN but the command issue is a bit different  "switchport trunk allowed vlan add xx" for the link to the router, where xx = the VLAN ID to tag to the router. For access client it remains the same as Catalyst.

• Not Working-central web-authentication with a switch and Identity Service Engine

  on the followup the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, i'm asking for your help...
  I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
  The interface configuration looks like this:
  interface FastEthernet0/24
  switchport access vlan 6
  switchport mode access
  switchport voice vlan 20
  ip access-group webauth in
  authentication event fail action next-method
  authentication event server dead action authorize
  authentication event server alive action reinitialize
  authentication order mab
  authentication priority mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  authentication violation restrict
  mab
  spanning-tree portfast
  end
  The ACL's
  Extended IP access list webauth
      10 permit ip any any
  Extended IP access list redirect
      10 deny ip any host 172.22.2.38
      20 permit tcp any any eq www
      30 permit tcp any any eq 443
  The ISE side configuration I follow it step by step...
  When I conect the XP client, e see the following Autenthication session...
  swlx0x0x#show authentication sessions interface fastEthernet 0/24
             Interface:  FastEthernet0/24
            MAC Address:  0015.c549.5c99
             IP Address:  172.22.3.184
              User-Name:  00-15-C5-49-5C-99
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  single-host
       Oper control dir:  both
          Authorized By:  Authentication Server
             Vlan Group:  N/A
       URL Redirect ACL:  redirect
           URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC16011F000000490AC1A9E2
        Acct Session ID:  0x00000077
                 Handle:  0xB7000049
  Runnable methods list:
         Method   State
         mab      Authc Success
  But there is no redirection, and I get the the following message on switch console:
  756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
  756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
  I have to mention I'm using an http proxy on port 8080...
  Any Ideas on what is going wrong?
  Regards
  Nuno

  OK, so I upgraded the IOS to version
  SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
  I tweak with ACL's to the following:
  Extended IP access list redirect
      10 permit ip any any (13 matches)
  and created a DACL that is downloaded along with the authentication
  Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
      10 permit ip any any
  I can see the epm session
  swlx0x0x#show epm session ip 172.22.3.74
       Admission feature:  DOT1X
       ACS ACL:  xACSACLx-IP-redirect-4f743d58
       URL Redirect ACL:  redirect
       URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
  And authentication
  swlx0x0x#show authentication sessions interface fastEthernet 0/24
       Interface:  FastEthernet0/24
       MAC Address:  0015.c549.5c99
       IP Address:  172.22.3.74
       User-Name:  00-15-C5-49-5C-99
       Status:  Authz Success
       Domain:  DATA
       Oper host mode:  multi-auth
       Oper control dir:  both
       Authorized By:  Authentication Server
       Vlan Group:  N/A
       ACS ACL:  xACSACLx-IP-redirect-4f743d58
       URL Redirect ACL:  redirect
       URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
       Session timeout:  N/A
       Idle timeout:  N/A
       Common Session ID:  AC16011F000000160042BD98
       Acct Session ID:  0x0000001B
       Handle:  0x90000016
       Runnable methods list:
       Method   State
       mab      Authc Success
  on the logging, I get the following messages...
  017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
  017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
  017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
  017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
  017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
  017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
  017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
  What I'm I missing?

• Multiple vLans with Multiple Gateways

  HI.
  Got a SF500 in layer3 mode, operating 5 vlans all with their own subnet.
  Vlan 10 = 192.168.10.0/24
  Vlan 100 = 192.168.100.0/24
  Vlan 200 = 192.168.200.0/24
  Vlan 201 = 192.168.201.0/24
  Vlan 202 = 192.168.202.0/24
  We have a gateway on Vlan 10 (192.168.10.1), which all vlans can see & access (because of intervlan routing), and this at present allows vlan 10 to access the internet.
  I want vlan 100 to be able to access the internet through this gateway as well, although the other vlans (200,201,202), will use a different gateway located on vlan 200 subnet.
  Of course, the gateway has to exist in the subnet.  I cannot assign the default gateway of a machine on vlan 100, an ip address of the gateway on vlan 10.  
  If I point the default gateway to the virtual interface in its subnet (e.g. 192.168.100.254), it equally does not know how to get out to the internet, even though it can see the gateway (I can access a web page it hosts).
  So the question is this:
  Can vlan 100 traffic be routed on the SF500 to use the gateway on vlan 10? (outside of the default gateway of the switch).
  If this is not possible with the SF500, what would I need to make it work?
  Many thanks.

  Hi Andrew,
  I don't have more information about your network so I will try to much your configuration from your post
  let's say we have this configuration :
  1. Create Vlan 10 and assign on SVI IP address 192.168.10.254 /24
  2. Create Vlan 100 and assign on SVI ip address 192.168.100.254/24
  3. Create Vlan 200 and assign on SVI ip address 192.168.200.254/24
  4. Create Vlan 201 and assign on SVI IP address 192.168.201.254/24
  5. Create Vlan 202 and assign on SVI IP address 192.168.202.254/24
  and the gateway (Router) is on Vlan 10 with IP address 192.168.10.1
  6. we assign at least one port to each vlan and the switch port from where is connected to the router should be trunk (10U,100T,200T,201T,202T) it means All the traffic from Vlan 100,200,201,202 is Tagged and transmitting through Untagged Vlan 10
  7. Under IP Cofiguration --> IPv4 Management and Interface --> IPv4 Route
  8. add the deafult static route to the gateway : 
  Destination  : 0.0.0.0
  SubnetMask   : 0.0.0.0
  Remote IP GW :192.168.10.1
  Now from the router expectation : router need to NAT all the source IP address (200.0/24 , 100.0/24 ...)
  I don't know what the router you have but there is a router where NAT all the source coming to him to go to Internet, but there is other router which need to configure NAT for the unknown address for the router side --> Here is up to the Router 
  after that connect PC to port on Vlan 100 setup static IP for example 192.168.100.100/24 with Gw 192.168.100.254 should access to the internet via the trunk port on the switch and router should NAT this subnet to go outside
  Hope I was clear 
  Please rate this post or marked as answered to help other Cisco Routers
  Greetings 
  Mehdi

• IBook 12 Dual USB Inverter Cable with Reed Switch

  I apologise if this should go on an older thread. The last time I was trying to access what was called the angle of death thread it took so long to load I gave up.
  My question is: my G3 iBook 12" 500 is working perfectly as a backup for surfing and using Word, with a fairly new replacement hard drive in it. But it has started the backlight blanking out when the screen is moved through 90 degrees. From a recent post I noticed yesterday that must have been moved, I now understood that the problem was usually, or often, to do with the need to replace the Inverter Cable with Reed Switch. I live in the UK and cannot get this done locally, but an online UK firm agrees this is usually the problem and he can fit the part and do the repair which with labour costs and postage will be not far off £100.
  Is it fairly safe now to assume that this part is the root of this problem?
  thanks
  Tom Older
  Mac Mini G4 1.25 iBook G3 500   Mac OS X (10.4.8)  

  Thanks for the reply clarifying the matter. In fact it's now been explained to me that with postage plus vat it goes from £31 plus tax for the part, then £75 plus tax for the labour, then £15 plus tax for the postage, which comes to £142 total.
  I think I'll try to keep working at 89 degrees for a bit yet then if I have to I'll buy the part and see if I can get a cheaper way to get it installed. Don't trust myself with such a job.
  Mac Mini G4 1.25 ibook G3 500 Mac OS X (10.4.8)

• How to create wrielesss vlan with diffrence configuration

  how to create wireless vlans with different configuration in network?
  device use only :
  laptop = 30
  desktop = 40
  linksys wirelesss router = 1
  switch 2960 = 1
  router 1841 = 1
  vlan 10 = lecturer(1 desktop & 1 laptop)
  vlan 20 = student(29 laptop & 39 desktop)
  Posted by WebUser ???? ?????????? from Cisco Support Community App

  in this case we don't have enough budget t get WLC device....mybe use the autonomous ap....i use the linksys wireless routes as AP that connect to switch and create the VLANs 10 and VLANs 20 in the switch 2960, the switch connect to router 1841 that will ensure vlan connect each other.
  Posted by WebUser ???? ?????????? from Cisco Support Community App

• Adding subnet IP range to VLAN in SGE2000P switch

  hi,
  I am unable to add subnet IP range to VLAN in SGE2000P switch. Can anyone help me to configure same. Thanks in advance
  I want to configure 3 VLAN in my SGE2000P switch. as a router I am using my Fortigate firewall 50b. I have done all required configuration in switch but till I am unable to assign subnet range to switch. 

  i am using ios version v1.2.7.7 (latest)
  i tried the following CLI commands
  switch(config)# vlan 2
  switch(config)# interface vlan 2
  switch(config-if)# name project2
  switch(config-if)# ip address 192.168.10.2 255.255.255.0
  so as and when i press ENTER on the ip address line , the switch stopes responding. i tried changing vlan number and name but no luck.
  it already has vlan 1 , with default ip address 192.168.1.254 , i cannot ping this IP after this.
  pls suggest...

• How to route two vlans on two switches that are connected only on one router?

  Suppose that any of the trunk links fails or if you want, suppose that there is no link between SW1 (G0/1) and SW2 (G0/1). How can you make computers in Vlan 10 to see computers in Vlan 20 and viceversa?. I tried creating a bridge group on the router for G0/0.10-G1/0.10 and another for G0/0.20-G1/0.20. Then define interface BVI10 and BVI20. Interfaces came up but you can not configure dot1q on them and switches can not see them. Anyways with one interface on the bridge group going down the BVI interface goes down as well so that's not an option. Router should be 10.10.10.1 and 20.20.20.1 and each computer have that as gateway respectively.

  Jody thanks very much!
  Indeed the encapsulation was done in the sub-interfaces, as posted in the OP you can not [encap dot1q X] on the BVI interface. Even though, the switches didn't established the trunk with the BVI. Anyways using bridge groups is not an acceptable solution because with the failure of any interface of the trunk links in the router, the BVI interface goes down as well.
  You said "if I want to handle it at layer 2" How will you do it at layer 3? I though something like HSRP or VRRP but that doesn't apply since it is only one router. Remember, the router must be able to route between vlan10 and vlan20 for computers on both switches in case of one of the trunk link failure.
  This is for learning purposes so I started with Packet Tracer but PT doesn't support bridge groups. Then I tried GNS3. I will try with the router in GNS3 with a switch module but I'm not clear. that will be like having a 3rd switch, right?  What I mean is that I will not be using routed interfaces between the router and the switches, right?

• How to search/Scan Vlan of cisco switch ports

  Can any one tell me how i can scan/search vlans of cisco switch port through any monitoring tool (orion/solarwinds).
  Consider this scenario as i have no access to switch and i want to know below things:
  1-Vlans created on switch?
  2-which switch port belongs to which vlan id?
  Thanks

  Hi,
  You can do it only with hub in between and also please note that when sniffing with Wireshark on Windows the OS would remove VLAN tag so you may need to use Linux machine.
  Regards,
  Aleksandra

• 1142N NON_CISCO-NO_CDP_RECEIVED with 3560 switch

  I thought the 3560 switches, the 8 port and 24 port are 802.3af standard switches?  When I connect 1142N radios to them I get the no cdp error and the radios are disabled. I have 17 of these that I converted to LAP, and I got the issue both before and after upgrading to LAP from AP.  It's not like I disabled CDP on the switches.

  I may have found the problem. I thought I had initially connected to a switchport that was just setup as a switchport access vlan, with no other configurations on it, and after looking at the port found it was a trunk port, which should work, and does for the other AP's I worked with, but not the 1142N.
  I took one of the other AP's that is connected to the test switch I am using to setup the WLC and AP's and connected that to one of the unconfigured ports, with default settings and the radios both powered up and I saw CDP neighbor detail,
  I removed spanning-tree portfast from the trunk port, and reconnected the AP to that port, I saw it negotiated full power, but I dont see neighbor information. I had to console in and do a no shut on dot11radio 0 for it to come up on all 3 of them.
  I went back and pulled that new one out of the box and reconnected to the interface I used before after removing portfast, still had the same problem, then removed the trunk configuration, and rebooted. Now I see
  *Mar  1 00:14:19.266: %CDP_PD-2-POWER_LOW: All radios disabled - NEGOTIATED WS-C3560-8PC
  Fa0/6     auto   on         14.5    AIR-LAP1142N-A-K9   3     15.4
  I took one of the other AP's that I boxed up and connected it to the same port, this was a converted AP to LAP.
  Fa0/6     auto   on         15.4    AIR-LAP1142N-A-K9   3     15.4
  Futher puzzlement, plugged that last AP into the test switch which is setup to mimic a remote location with trunk ports for FlexConnect, and after the radio powered up, and joined the controller, saw this.
  wmmAC status is FALSE
  *May 30 08:15:02.896: Starting Ethernet promiscuous mode
  *May 30 08:15:03.150: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
  *May 30 08:15:03.222: %LWAPP-3-CLIENTEVENTLOG: OfficeExtend Localssid saved in AP flash
  *May 30 08:15:03.629: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC-2504
  *May 30 08:15:03.677: %LWAPP-3-CLIENTEVENTLOG: SSID wlcman added to the slot[0]
  *May 30 08:15:03.710: %LWAPP-3-CLIENTEVENTLOG: SSID internal added to the slot[0]
  *May 30 08:15:04.137: %LWAPP-3-CLIENTEVENTLOG: SSID guest added to the slot[0]
  *May 30 08:15:04.269: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
  *May 30 08:15:04.461: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to down
  *May 30 08:15:04.462: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
  *May 30 08:15:04.552: %LWAPP-3-CLIENTEVENTLOG: SSID wlcman added to the slot[1]
  *May 30 08:15:04.553: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
  *May 30 08:15:04.575: %LWAPP-3-CLIENTEVENTLOG: SSID internal added to the slot[1]
  *May 30 08:15:05.010: %LWAPP-3-CLIENTEVENTLOG: SSID guest added to the slot[1]
  *May 30 08:15:05.866: %DOT11-6-DFS_SCAN_START: DFS: Scanning frequency 5300 MHz for 60 seconds.
  *May 30 08:15:06.055: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
  *May 30 08:15:06.351: %WIDS-6-ENABLED: IDS Signature is loaded and enabled
  *May 30 08:15:07.187: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
  *May 30 08:15:07.215: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to down
  *May 30 08:15:07.216: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
  *May 30 08:15:08.223: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
  *May 30 08:15:08.237: %DOT11-6-DFS_SCAN_START: DFS: Scanning frequency 5300 MHz for 60 seconds.
  *May 30 08:15:08.237: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
  *May 30 08:15:09.245: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
  Why would radio 0 be admin down? It is enabled on the WLC.  I went into the AP and did a no shut on it too.  Not sure what is going on with this, never ran into this sort of issue before.

• Guest VLAN with SG-200

  I'd like to use the SG-200 to create an isolated guest VLAN that cannot access the secure LAN, except of course for the router. This post discusses the necessary ACE's to use with an SG-300, but it's not clear that this level of access control exists on the SG-200. Is it possible to isolate a guest VLAN with the SG-200? My network is a roaming (bridged) network that looks like this:
  [Modem] — [AE Router] — [Switch] — [Roaming Wifi]

  Thank you very much for the pointers. I found a way to use the router as my VLAN, keeping the SG-200 as a simple switch. This turns out to be the best option because my router doesn't support ACL's or multiple VLANs that would be used for isolating VLANs on my level 2 switch.
  This router-based solution involved resolving a simple DNS issue. My router gets DNS from the server, which the router's VLAN guests cannot see. Configuring DNS by hand on guest clients (e.g. Google DNS 8.8.8.8, 4.4.4.4) provides guest internet access, isolated from the LAN, all with roaming. And I'm using one less piece of hardware by using the router's VLAN. Thanks again.