Wireless AP Management VLAN and BVIs
Hi All,
I've been looking around and I can't find a solution to what I am trying to achieve and I was hoping the community may have had more luck than I have.
I'm looking to have my management VLAN for my AP set up as a tagged BVI but I'm struggling to get it set up. I can set it up fine using BVI1 and having it just accessed on the native VLAN but I see this as a security flaw; I don't really want direct access into my management network on the switch.
Now there may be a better way of preventing this but I am, at least compared to many, still fairly new to Cisco and this seems to be the best approach. Please see below for my current config, hopefully you can let me know where I am going wrong.
Also, as a note, at the moment I am mainly focusing on the management security of the AP before I check the wifi config, hence the radios still being shut down, so there may also be small errors in this. I have also removed some elements which are not relevant.
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname AP01
no ip source-route
no ip cef
dot11 syslog
dot11 ssid <Guest secure network SSID>
vlan 30
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii <key>
dot11 ssid <Internal Secure SSID>
vlan 10
authentication open
authentication key-management wpa version 2
wpa-psk ascii <key>
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
shutdown
encryption vlan 10 mode ciphers aes-ccm tkip
encryption vlan 30 mode ciphers aes-ccm tkip
ssid <Guest secure network SSID>
ssid <Internal Secure SSID>
antenna gain 0
packet retries 64 drop-packet
channel 2437
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
interface Dot11Radio0.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 spanning-disabled
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
encryption vlan 10 mode ciphers aes-ccm tkip
encryption vlan 30 mode ciphers aes-ccm tkip
ssid <Guest secure network SSID>
ssid <Internal Secure SSID>
antenna gain 0
peakdetect
no dfs band block
packet retries 64 drop-packet
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
interface Dot11Radio1.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 spanning-disabled
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
interface GigabitEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 spanning-disabled
no bridge-group 10 source-learning
interface GigabitEthernet0.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 spanning-disabled
no bridge-group 30 source-learning
interface GigabitEthernet0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
bridge-group 100 spanning-disabled
no bridge-group 100 source-learning
interface GigabitEthernet0.101
encapsulation dot1Q 999 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface BVI1
no ip address
no ip route-cache
shutdown
interface BVI100
mac-address <Actual ethernet address>
ip address 10.33.100.101 255.255.255.0
no ip route-cache
ip default-gateway 10.33.100.254
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
bridge 100 protocol ieee
bridge 100 route ip
line con 0
logging synchronous
line vty 0 4
transport input ssh
end
As you can see I am using BVI100 as the management VLAN for the device and BVI1 is shutdown with vlan 999/int gi0/101 holding bridge group 1.
With this setup I can't get any IP communication, send or receive, but I can see the MAC address on the switch in the MAC address table on VLAN 100. There are also no entries in the ARP table of the AP.
The switch is setup with vlan 999 untagged and vlans 10,30,100 as tagged.
Hope you can help! Thanks for any advice in advance.
Many thanks,
Martin.
Yea that would work and I have set it up like this without issue, but I'm trying to limit access to the management VLAN; I don't want someone to be able to plug directly into the switch and be on the same broadcast domain as all of the other equipment.
There are other ways of achieving this, but I felt like I was so close with the above config; I was just missing something.
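An added config audit (Python, not code from this thread or from Cisco) that checks an autonomous AP running-config for the conditions the posts on this page describe: a management IP on a BVI other than BVI1 (the arrangement the threads report as not reachable, while BVI1 works), a management VLAN that is also the untagged native VLAN, a native VLAN that also carries an SSID, and clear-text management (HTTP without HTTPS, vty not limited to SSH). The two embedded configs are constructed, shortened versions of the ones posted here, the finding codes are my own, and the parser ignores indentation so that flattened pastes like the ones above still parse.

```python
import re
from dataclasses import dataclass, field

# Constructed, shortened versions of the two configs posted above (not their exact text).
OP_STYLE = """\
dot11 ssid GuestSSID
 vlan 30
interface GigabitEthernet0.100
 encapsulation dot1Q 100
 bridge-group 100
interface GigabitEthernet0.101
 encapsulation dot1Q 999 native
 bridge-group 1
interface BVI100
 ip address 10.33.100.101 255.255.255.0
ip http server
no ip http secure-server
bridge 1 route ip
bridge 100 route ip
line vty 0 4
 transport input ssh
"""
NATIVE_MGMT = """\
interface GigabitEthernet0.100
 encapsulation dot1Q 100 native
 bridge-group 1
interface BVI1
 ip address 192.168.1.100 255.255.255.0
bridge 1 route ip
line vty 0 4
 transport input all
"""

@dataclass
class ApConfig:
    encap: dict = field(default_factory=dict)         # sub-interface -> (vlan, is_native)
    bridge_group: dict = field(default_factory=dict)  # sub-interface -> bridge-group number
    bvi_ip: dict = field(default_factory=dict)        # BVI number -> configured IP address
    route_ip: set = field(default_factory=set)        # bridge groups with 'bridge N route ip'
    ssid_vlans: set = field(default_factory=set)      # VLANs bound to a dot11 ssid
    http_server: bool = False
    http_secure: bool = False
    vty_transport: str = ""

def parse(text):
    """Extract VLAN/bridge/BVI facts; indentation is ignored, so flattened pastes still parse."""
    cfg, section = ApConfig(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface\s+(\S+)", line, re.I):
            section = m.group(1)
        elif line.startswith("dot11 ssid"):
            section = "ssid"
        elif line.startswith("line vty"):
            section = "vty"
        elif m := re.match(r"encapsulation dot1q (\d+)( native)?", line, re.I):
            cfg.encap[section] = (int(m.group(1)), bool(m.group(2)))
        elif m := re.match(r"bridge-group (\d+)$", line):
            cfg.bridge_group[section] = int(m.group(1))
        elif (m := re.match(r"ip address (\S+) \S+", line)) and str(section).lower().startswith("bvi"):
            cfg.bvi_ip[int(section[3:])] = m.group(1)
        elif m := re.match(r"bridge (\d+) route ip", line):
            cfg.route_ip.add(int(m.group(1)))
        elif (m := re.match(r"vlan (\d+)$", line)) and section == "ssid":
            cfg.ssid_vlans.add(int(m.group(1)))
        elif line == "ip http server":
            cfg.http_server = True
        elif line == "ip http secure-server":
            cfg.http_secure = True
        elif section == "vty" and line.startswith("transport input"):
            cfg.vty_transport = line.split()[-1]
    return cfg

def audit(cfg):
    """Return findings as 'CODE: explanation' strings; an empty list means nothing was flagged."""
    wired = {n: v for n, v in cfg.encap.items()
             if str(n).lower().startswith(("gigabitethernet", "fastethernet"))}
    native_vlan = next((vlan for vlan, is_native in wired.values() if is_native), None)
    mgmt = [(n, ip) for n, ip in cfg.bvi_ip.items() if ip]
    if not mgmt:
        return ["NO_MGMT_IP: no BVI carries an IP address"]
    bvi, ip = mgmt[0]
    # Wired VLANs bridged into the management BVI's bridge group
    mgmt_vlans = [wired[n][0] for n, bg in cfg.bridge_group.items() if bg == bvi and n in wired]
    checks = [
        (bvi != 1, f"MGMT_NOT_BVI1: {ip} is on BVI{bvi}; the thread reports management only works on BVI1 / bridge group 1"),
        (bvi not in cfg.route_ip, f"NO_ROUTE_IP: 'bridge {bvi} route ip' is missing"),
        (not mgmt_vlans, f"MGMT_NOT_BRIDGED: no wired sub-interface is in bridge-group {bvi}"),
        (native_vlan in mgmt_vlans, f"MGMT_IS_NATIVE: management VLAN {native_vlan} is the untagged native VLAN"),
        (native_vlan in cfg.ssid_vlans, f"NATIVE_IN_USE: native VLAN {native_vlan} also carries an SSID; use an unused VLAN"),
        (cfg.http_server and not cfg.http_secure, "HTTP_PLAIN: 'ip http server' without 'ip http secure-server'"),
        (cfg.vty_transport not in ("", "ssh"), f"VTY_TRANSPORT: vty accepts 'transport input {cfg.vty_transport}', not ssh only"),
    ]
    return [msg for cond, msg in checks if cond]

if __name__ == "__main__":
    for text in (OP_STYLE, NATIVE_MGMT):
        print("\n".join(audit(parse(text))) or "no findings", end="\n\n")
```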
Similar Messages
Autonomous AP1121 - Management Vlan and SSID Vlan
Hello,
We are using an ACS server to authenticate wireless users to Active Directory; this works fine. The issue occurs when we try to pull an IP and we can't from the DHCP. The VLAN we have the SSID on is VLAN 10 and the management VLAN of the AP is VLAN 500. The ip-helper info is correct because wired users on VLAN 10 get an IP immediately. We just can't pull one with the AP. Does anyone know the config for this? Here is my current config; the clients authenticate through the ACS 4.2 but pull no IP. The only way for me to manage the AP is to have the native vlan command on there; once I remove it I can't telnet. What is the fix for this? Thanks
Current switch port config the AP is plugged into:
interface FastEthernet1/0/48
switchport trunk encapsulation dot1q
switchport trunk native vlan 500
switchport mode trunk
Do you have sub-interfaces for VLAN 10 being bridged through the radio interface?
Example config below...
interface Dot11Radio0.10
description Secure Wireless access
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled
interface FastEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
no bridge-group 10 source-learning
bridge-group 10 spanning-disabled
Also verify that vlan 10 is allowed on the trunk interface of the switch by typing "show int trunk"
Wireless AP native vlan and switch trunk
Hi,
I am unable to ping my AP. I think it is due to the multiple VLAN issues; can you provide some advice? My config for the AP and switch is as below.
AP Config
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname hostname
logging rate-limit console 9
enable secret 5 $1$ZxN/$eYOf/ngj7vVixlj.wjG2G0
no aaa new-model
ip cef
dot11 syslog
dot11 ssid Personal
vlan 2
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 7 070E26451F5A17113741595D
crypto pki token default removal timeout 0
username Cisco password 7 1531021F0725
bridge irb
interface Dot11Radio0
no ip address
encryption vlan 2 mode ciphers aes-ccm tkip
ssid Personal
antenna gain 0
stbc
beamform ofdm
station-role root
no dot11 extension aironet
interface Dot11Radio0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio0.100
encapsulation dot1Q 100 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1
no ip address
encryption vlan 2 mode ciphers aes-ccm tkip
ssid Personal
antenna gain 0
no dfs band block
stbc
beamform ofdm
channel dfs
station-role root
interface Dot11Radio1.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio1.100
encapsulation dot1Q 100 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface GigabitEthernet0
no ip address
duplex auto
speed auto
interface GigabitEthernet0.2
encapsulation dot1Q 2
bridge-group 2
bridge-group 2 spanning-disabled
no bridge-group 2 source-learning
interface GigabitEthernet0.100
encapsulation dot1Q 100 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface BVI1
ip address 192.168.1.100 255.255.255.0
ip default-gateway 192.168.1.1
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
line con 0
line vty 0 4
password 7 01181101521F
login
transport input all
end
Switch Port config
interface FastEthernet1/0/10
switchport trunk native vlan 100
switchport mode trunk
I will re-check the routing again, but could it be some bridging issues?
interface GigabitEthernet0
no ip address
duplex auto
speed auto
**** unable to put up this command on the giga port
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
I tried to put this command on the GigabitEthernet port but it does not allow me; could this be the bridging issue?
IPM problem with shadow router management vlan and services vlan
Hi everybody!
I'm trying to configure a shadow router that has 2 VLAN interfaces: one is for management and the other for services.
Cisco Works server only sees the management interface of this shadow router.
On the other end I have a Cisco device with rtr responder enabled on the services VLAN, so the shadow router and this device see each other on this VLAN.
In the shadow router I know I can configure the source address.
Is there a way I can configure the end device as a target that has rtr responder enabled even if I can't reach it from the Cisco Works Server?
Thanks in advance.
Thanks for the reply - yes I did save it. All the other ports have the command. But when the phone boots up - it ends up disappearing after the above occurs:
When the phone boots up - it seems to encounter a broadcast storm (???) the port goes from this:
interface gigabitethernet36
switchport trunk allowed vlan add 10
to this:
interface gigabitethernet36
storm-control broadcast enable
storm-control broadcast level 10
storm-control include-multicast
port security max 10
port security mode max-addresses
port security discard trap 60
spanning-tree portfast
switchport trunk allowed vlan add 10
macro description ip_phone
!next command is internal.
macro auto smartport dynamic_type ip_phone
Then in a minute or two I'm no longer able to ping the voicelan - and when I do a show run - gi36 isn't even visible. However, the PC that is also on gi36 works fine.
If I then reissue the 'switchport trunk allowed vlan add 10' to gi36 - the phone is pingable - and works continuously until the phone is rebooted.
So I'm not really sure what happens during the bootup that causes this to happen, or a way to try and prevent it from occurring.
VLAN trunking, native vlan and management vlan
Hello all,
In our situation, we have 3 separate vlans: 100 for management vlan and 101 for data and 102 for voice.
We have an uplink which is trunked using .1Q. Our access ports have the data VLAN as the native. Based on our design, what should be the native VLAN for this uplink trunk? Should it be the management VLAN or the data VLAN? Thanks for your help.
To answer this question you must remember what the native VLAN is. Native is where untagged packets are sent, i.e. packets without a dot1Q tag. It is there mainly for compatibility. On an access port it has no function, while normal traffic is not tagged and is sent to the VLAN that is configured for the port. Traffic for the voice VLAN is an exception to this general rule.
Native vlan setting only plays a role on trunk links where most of the traffic carries a tag. As explained, it is then used as the vlan for untagged traffic.
When you do not consider this a security breach, you may configure the data-vlan as native. Use another vlan (why not vlan1?) in the case where you want to isolate this traffic.
I find it good design practice to use the same native vlan throughout the network. This keeps things clear and it's better for anyone who is not completely obsessed with security. The latter kind of people can always find a reason to mess things up, both for themselves and for others;-)
Regards,
Leo
About the Native Vlan and Management Vlan.
I wanted to know whether the management VLAN and native VLAN can be different VLAN IDs or both should be the same VLAN ID. Why should the native VLAN not be VLAN 1?
The use of a native VLAN is generally frowned upon now as there are some well known security exploits that leverage this untagged VLAN. Cisco often recommends setting the Native VLAN to an unused VLAN in your infrastructure in order to render it useless for attacks.
It is also recommended that you create a separate VLAN for your Management traffic and that this VLAN be tagged (therefore not a Native VLAN).
Native Vlan is the vlan which will be sent untagged even in Trunk links. Consider a Trunk link configured between two switches SWA and SWB, if a system in vlan1 of SWA is sending a frame via SWB, then this frame will be received as untagged by SWB, then switch B decides that the untagged frame is from native vlan 1 and handles accordingly. By default native vlan is 1, this can also be changed as per requirement.
Example: In the figure below, if an IP phone and a system are connected to a switch port as shown, the phone will send its frames tagged with VLAN 10 whereas the frames sent by the system will be untagged. So here the corresponding switch port should be configured with native VLAN 20, so that it can recognise and handle the frames from the system and the IP phone properly.
[figure not captured]
The management VLAN is different: it means that this VLAN will be used for management purposes like logging into the switch for management, monitoring the switch, collecting syslog and SNMP traps, etc., which will be done via the management VLAN IP. This is also by default VLAN 1 in Cisco. So, as Antony said, it is always a best practice and security measure not to use the default VLAN and to use custom VLANs.
Hope this helps!
I am trying to configure my Aironet 1121G access points with several VLANs. I got the VLANs all working fine with wired devices, but the wireless devices don't get DHCP.
Basically, I have the BVI on my management VLAN and two other VLANs that pass through, trying to have the public WiFi on 1 VLAN and two corporate VLANs with separate WiFi. I can't get IPs on any of them though.
VLANs are routed by a Catalyst 3550 with helper addresses configured on all the VLAN interfaces.
DHCP comes from 2 Windows Server 2003 boxes on a further VLAN.
Any ideas?
Vinod,
Here is the AP config, I'm confused, so any help would be useful, got to get a wireless course under my belt.
Cheers,
Peter
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname IT_AP1121G_01
no logging console
enable secret
ip subnet-zero
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 vlan-name Corporate vlan 3
dot11 vlan-name Default vlan 1
dot11 vlan-name Managment vlan 2
dot11 ssid stosWIFI
vlan 1
authentication open
guest-mode
mbssid guest-mode
infrastructure-ssid optional
mobility network-id 1
dot11 ssid stoswaldsWIFI
vlan 3
authentication open eap eap_methods
mobility network-id 3
username admin privilege 15 secret 5 $1$.dBF$jstGCUjGPaD6OQ/JVmZEY1
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
shutdown
encryption key 1 size 128bit 7 0D1A262E215F252C7E5A2D6A6498 transmit-key
encryption mode wep mandatory
encryption vlan 1 key 1 size 128bit 7 DA303E012047F6068707FC131B4A transmit-key
encryption vlan 1 mode wep mandatory
encryption vlan 3 mode wep mandatory
ssid stosWIFI
ssid stoswaldsWIFI
mbssid
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
channel 2412
station-role root
world-mode dot11d country GB both
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 254
bridge-group 254 subscriber-loop-control
bridge-group 254 block-unknown-source
no bridge-group 254 source-learning
no bridge-group 254 unicast-flooding
bridge-group 254 spanning-disabled
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
bridge-group 3 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
interface FastEthernet0.1
encapsulation dot1Q 1
no ip route-cache
bridge-group 254
no bridge-group 254 source-learning
bridge-group 254 spanning-disabled
interface FastEthernet0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
no bridge-group 3 source-learning
bridge-group 3
interface FastEthernet0.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 192.168.2.33 255.255.255.0
no ip route-cache
ip default-gateway 192.168.2.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
logging trap notifications
logging
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
control-plane
bridge 1 route ip
line con 0
password
line vty 0 4
password
line vty 5 15
end
I'm implementing a large WLAN for a hospital. They will be using Cisco VPN and RSA OTP to provide authentication and data confidentiality/integrity. They also desire a Wireless LAN Solution Engine.
I wish to create a "user" VLAN-SSID mapping, and a "wireless network management" VLAN-SSID mapping, so I can require users to use VPN to get off their local segment, but also use WLSE & HPOV to manage the WAPs via a management interface.
To trunk the mgmt VLAN, I think I need to map it to an SSID on the WAP. However, I do not want the mgmt VLAN/SSID to accept client associations. I basically only want the mgmt VLAN to exist on the wire and at the AP, not on the RF.
How would I accomplish this?
It is a little bit of a kludge to do this, but:
On the VLAN SSID page set the max allowed associations to 1 (0 will mean the max number of associations will be 2047). This will allow only one client to associate; now you can block this one by creating a MAC address filter on that VLAN that has no MAC address in it and the default action for both multicast and unicast is discard.
You could do just the filter, but if the filter is ever turned off then you have the added bonus of only one client getting through.
David
Question in regard to management VLAN for each Context in ACE module
Dear Pros,
I know this will be a simple questions to answer, and I have searched the forum, but I am not able to find the answer I need.
1) Does the ACE module require a management IP address for each context? Should the same VLAN be applied to each context, with a larger subnet to supply host addresses?
2) If it does require that, what IP address should I use for the default route in each context?
I will be utilizing "Bridge Mode" for my application to transition the current network from Foundry to ACE. I will later on apply the "Routed Mode" model.
Each ACE module will have 3 separate contexts, for a total of 4 including the Admin.
Any suggestions, or if you can point me to a location, as always will be greatly appreciated.
Thanks and best regards.
Raman Azizian
Hi,
you have several options to choose from.
1. Use Admin context for management
You can use the Admin context for management. Give it an IP address in your management VLAN, a default route to the upstream router, and log in and change to contexts from there.
+ Easy and straightforward
- snmp and syslog are using the ip from each individual context and not the management IP
2. Use a Large subnet and assign an IP address in each context for management.
You can configure 1 management VLAN and assign an IP address to each context in this subnet. Create static routes to the management stations that need to access this management address.
+ each context has its own management address
- static routes need to be added
3. Use your client-side ip address (or BVI) as management address.
You management traffic will be inline and use the same path as your data. Default route is already configured and also valid for the management.
+ no static routes needed
- inline management
Personally, I choose option 1. That is, if the people that need to manage the ACE is the same team.
If other teams (server team for context 1, another server team for context 2) need to manage the ACE, then I would choose option 3.
HTH,
Dario
Management VLAN on a WAP371.
Hello,
When I try and configure the WAP371 to use my management VLAN, I lose control of the WAP. I am connecting it to my 3750-X stack, and I have the port it is connected to configured as an 802.1Q trunk, and the 3750-X shows the port up as an 802.1Q trunk. I have configured VLAN 501 as the management VLAN and when I configure the management VLAN on the WAP371 to use VLAN 501, and I set an appropriate static IP for this VLAN, and an appropriate default gateway, I can no longer communicate with the WAP371. I do know it is properly using VLAN tags, as the other SSIDs are communicating with hosts on the respective VLANs associated with each SSID. I have tried leaving the untagged VLAN support on, I have turned it off. I am out of ideas on what else to try. If anyone else has successfully configured the WAP371 to use a tagged VLAN I would love to hear about what was needed.
Thx
Bryan
My name is Eric Moyers. I am an Engineer in the Small Business Support Center.
I am sorry to hear that you are experiencing this issue.
What is the management VLAN that is used on the other parts of your network? I would suggest calling in to open a case with one of our phone engineers so that we can work with you.
Eric Moyers
.:|:.:|:. CISCO | Eric Moyers | Cisco Technical Support |
Wireless and Surveillance Subject Matter Expert
Please rate helpful posts and let others know when your question has been answered.
Configuring Management VLAN for standalone Nexus 5k
Hi All,
The architecture in the attachment doesn't require redundancy and hence has a single N5k with N2k as FEX. The setup is working fine except for the management VLAN and mgmt 0 interface being down.
As of now, the mgmt0 interface has no link connected to it. The VLAN for Nexus management is also down as mgmt0 can't be assigned to VLANs. Configuring a management IP on a Loopback interface also doesn't allow adding it to the management VLAN.
Is mgmt0 an RJ45 compatible port with N5596? and is there a way I can have out of band management for Nexus 5596? Is there a way I can assign a management IP to the FEX?
Thanks for the inputs.
Thanks,
Bala S
Hello Balachandhar,
Mgmt interface on N5K exists to provide out of band management to the device.
Mgmt interface belongs to management vrf. You can reach the N5K on mgmt interface once you configure IP to mgmt interface and connect it to upstream switch port belonging to mgmt vlan.
The FEX cannot be separately managed. You need to connect to the parent N5K device and manage it.
HTH
Padma
1200: Native VLAN & Management VLAN
I want to keep the management VLAN and native VLAN separate. Is this the correct setup when using VLAN 999 as the native VLAN and VLAN 100 for the management VLAN?
Management VLAN 100 (10.100.0.0/24)
### Trunk SW ###
description "AP"
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
### AP ###
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 99 key 1 size 128bit 7 3831CB248113D952741376BEC352 transmit-key
encryption vlan 99 mode wep mandatory
encryption vlan 11 mode ciphers tkip
ssid xoxoxo
vlan 11
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
ssid xxx
vlan 99
authentication network-eap eap_methods
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
rts threshold 2312
station-role root
interface Dot11Radio0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
bridge-group 11 subscriber-loop-control
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
bridge-group 11 spanning-disabled
interface Dot11Radio0.99
encapsulation dot1Q 99
no ip route-cache
bridge-group 99
bridge-group 99 subscriber-loop-control
bridge-group 99 block-unknown-source
no bridge-group 99 source-learning
no bridge-group 99 unicast-flooding
bridge-group 99 spanning-disabled
interface dot11radio 0.999
encapsulation dot1q 999 native
interface dot11radio 0.100
encapsulation dot1q 100
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
ntp broadcast client
interface FastEthernet0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
no bridge-group 11 source-learning
bridge-group 11 spanning-disabled
interface FastEthernet0.99
encapsulation dot1Q 99
no ip route-cache
bridge-group 99
no bridge-group 99 source-learning
bridge-group 99 spanning-disabled
interface fastethernet 0.999
encapsulation dot1q 999 native
interface fastethernet 0.100
encapsulation dot1q 100
interface BVI100
ip address 10.100.0.110 255.255.255.0
no ip route-cache
ip default-gateway 10.100.0.1
This looks correct to me. Do you have a non-root bridge on the other side?
Are you able to trunk all 4 VLANs with this config?
Hello,
Designing a configuration for a Wireless solution. Have a 2951 with SRE-WLC and 4 port switch module. The documentation at
http://www.cisco.com/en/US/docs/wireless/controller/controller_modules/sre/installation/guide/wlcsreinst.html#wp1072942 raised a couple of questions. The exact part of the diagram from the documentation is attached.
The question is that VLANs configured on SRE-WLC and ones configured on local switched belong to different subnets. Why? For example on SRE-WLC VLAN 20 - 55.20.0.0/24, but on switch - VLAN 20 - 20.1.1.0/24. Why?
Thanks!
Hi George,
Today i tried implementing APs on different VLAN than MGMT. Here is what I got:
1. New out-of-box APs didn't join the WLC once placed directly in the APs VLAN. However they were able to join the WLC once I put them back in the MGMT VLAN. They upgraded their IOS from the WLC and joined completely. After that I moved them back to the APs VLAN and they started to join. So, here is the procedure - open a new AP from the box, connect it to the MGMT VLAN, wait for it to join the WLC and then move it to the APs VLAN. This is a little bit strange. Also I noticed that they were unable to join the WLC even on the MGMT VLAN if the MGMT VLAN is tagged on the WLC and that tagged VLAN is allowed on the trunk. I have WLC on SRE, MGF trunk, VLANs and DHCP pools with option 43 configured. Will continue to investigate tomorrow.
2. What was the most difficult and problematic issue is that the LED was disabled on all APs after joining the WLC. I have been thinking that there is an error but only then found that APs by default turned off LED after joining the WLC. Issuing config ap led-status enable all on wlc solved the problem.
3. Also I regularly have been receiving
%PARSER-4-BADCFG: Unexpected end of configuration file.
during the AP joining to the WLC. Don't know why. My APs are LAP1041n.
Anyway, will continue digging tomorrow; hopefully I will find a stable solution. My ideal solution will be:
1. WLC Management is on MGMT VLAN - tagged vlan 20, static IP assignments.
2. APs on separate AP VLAN - tagged vlan 15 - dynamic IP assignments from DHCP pool on ISR with option 43.
3. Clients are on separate USERS VLAN - tagged vlan 10
The native VLAN will be another VLAN - VLAN 25.
1300 bridge with native and management vlan in different vlans
Hello,
We are going to set up a wireless bridge between two 1300 access points. In our network the native VLAN and the management VLAN are different VLANs. Will we be able to manage the AP and switch at the "remote" site? Do we have to set up two SSIDs, one for native and one for management?
regards,
Rutger
To answer my own question:
I don't think it is possible. Things work fine by making our management vlan the native vlan on switches and ap's involved. Management IP address on the BVI1 interface and everything works!
Rutger
Management VLAN Design and Implementation
Greetings, friends. I'm having trouble getting a clear picture of how a management VLAN ought to look. I just installed a Catalyst 6509-E as my core switch, and as soon as they arrive I'm going to be replacing all of our other (HP) switches with Catalyst 3560X switches. I understand the reasoning behind segregating traffic, not using VLAN1, etc., but I've never actually implemented a management VLAN--I've always just accessed the switches via the IPs assigned to them where all the client traffic flows (not VLAN1, by the way).
Is "management VLAN" simply what we as humans call a VLAN we dedicate to management activities, or is there something official in these switches to designate a "management VLAN?"
Is it best practice to include SNMP, netflow, syslog, and NTP as "management" traffic?
There's a lot of documentation talking -about- management and management VLANs, but unless I'm blind or not looking hard enough I can't seem to find any implementation whitepapers or best practices whitepapers that demonstrate setting one up on a campus LAN. Are you able to point me in the right direction to find such documentation? Is it perhaps buried in a manual somewhere that isn't explicitly labeled "Management VLAN Design and Implementation" or somesuch?
What is the best practice for accessing the management VLAN? Inter-VLAN routing + ACLs? Multi-homed PCs or servers? Additional PCs to be used as access stations?
Thank you for your wisdom, experience, and advice!
Kevin
1. Yes, you may want to keep this traffic separate from the other traffic, limiting device management access to just this VLAN, as this prevents eavesdropping.
2. Indeed all other housekeeping goes via this VLAN, although you could limit it to the interactive or session traffic.
3. On a campus you could think of one big VLAN spanning the campus; in a multi-site environment or where you use L3 to go to your datacenters you probably need multiple management LANs. I've seen implementations where the management traffic was kept separate and even didn't use the routing protocol in use. The whole management LAN was statically routed and would work even if OSPF or BGP was down.
4. I feel a situation where the people providing support are connected on the LAN giving access to the devices is probably best. A dual-homed PC is a good solution I think; other customers feel the management LAN should be treated as a DMZ accessible via a firewall, but the hardcore customers insist on a second PC connected to the management LAN.
Points to consider are as always,
Find the single point of failure. Any device, L2 L3 firewall that could cut off management from accessing a part of the network.
Find the right balance between security, costs, and ease of access for the business you're in.
Cheers,
Michel