WiSM - Interface Vlan Overlapping within AP Group
Hi there,
I need help with this. The WiSM deployed on our network has an issue with interface VLAN overlapping. I configured the VLAN interface and assigned it to a group. The group has been defined on specific LWAPP APs. However, a user who manages to associate with a particular AP uses a different group that is not specified for that AP. It uses the group that has been specified for other APs located at a different location.
Any ideas on this? Is this an internal bug? I have checked the bugs listed for Cisco software, but this is not mentioned. FYI, we are running software version 4.1.171.0, and we operate almost 80 APs under 40 interface VLANs assigned to the groups.
Could you provide the details of the wism configuration?
Similar Messages
-
WiSM interface vlan requirement
Can anyone tell me why the AP-Manager and Management interfaces have to be on the same VLAN? I'm probably missing something about WiSM operations, but I'd appreciate the input.
thanks
js
That is the only supported way. Any other way will not work. This goes for any WLC configuration and not just the WiSM. The management interface is so you can manage the WLC; it is also the default interface used when an AP first joins the WLC, and then the ap-manager is used for the LWAPP tunnel. If you have the management and ap-manager interfaces on a different subnet, then you will see a VLAN mismatch on the switch. Also, it is important to note that both these interfaces need to be native VLAN on the trunk port.
-
Hello
I am having trouble upgrading our Catalyst 6509 from s72033-ipservicesk9-mz.122-33.SXH4.bin to 72033-ipservicesk9-mz.122-33.SXJ1.bin. I am upgrading because of the installation of a WISM2 controller.
The Catalyst configuration is:
1 10 WiSM WLAN Service Module WS-SVC-WISM-1-K9
2 10 WiSM WLAN Service Module WS-SVC-WISM-1-K9
3 10 WiSM WLAN Service Module WS-SVC-WISM-1-K9
4 6 Firewall Module WS-SVC-FWM-1
5 2 Supervisor Engine 720 (Active) WS-SUP720-BASE
7 24 CEF720 24 port 1000mb SFP WS-X6724-SFP
The problem is with our WISM controllers when rebooting with the new IOS 122.33.SXJ.
The interface configuration in startup-config is erased completely for all WISM interfaces.
interface GigabitEthernet1/1
description WISM A
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 4060
switchport trunk allowed vlan 780-788
switchport mode trunk
no snmp trap link-status
no cdp enable
channel-group 8 mode on
The only way to keep the interface configuration is with IOS s72033-ipservicesk9-mz.122-33.SXH4.bin.
Regards
Johan
Johan,
We introduced the auto-configuration wism commands starting in 12.2(18)SXF5, and in the SXI code and later (SXJ included) it is now the only way to configure the WISM modules.
If you were previously using the manual port configuration, you will need to migrate to the new set of wism commands:
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a00808330a9.shtml#config
wism module controller <1/2> native-vlan x
wism module controller <1/2> allowed-vlan x,y,z...
-Patrick Croak
Wireless TAC -
Can multi-interfaces share the same hsrp group id on the c6500?
case:
c6509A+msfc2 and C6509B+msfc3
configuring HSRP...
question:
MSFC2 supports a total of 16 HSRP group IDs, however MSFC3 supports 256. How can the HSRP groups be configured? How can VLANs be configured inside the same group ID?
Hi,
MSFC2 supports only 16 HSRP groups due to the limitation on PFC2. The new MSFC3 supports 256 HSRP groups, as you mentioned above.
The workaround to get over this problem is to assign multiple VLAN interfaces to a single HSRP group, like
Vlan1,3,5,7 in HSRP group 1
Vlan 2,4,6,8 in HSRP group 2.
It works perfectly as already pointed out by Glen.
HTH,
-amit singh -
How do you select individual items from within a group?
Hi, All.
New poster. Forgive me if I miss any forum etiquette.
Currently using InDesign CS6 on Mac OS X 10.7.4
I'm a relatively recent convert to Indesign from Quark, and one thing I seem to have continual problems with is selecting individual items from within a group.
For example I will have a grouped item, such as price marker that is comprised of several individual items, some text boxes, some rectangles.
I find there is no way to select a rectangle that is currently placed behind a transparent text box without ungrouping the entire item - which isn't really an option.
The select options (select next item below, etc.) just don't work.
For any Quark users out there, the equivalent command I'm looking for is the cmd+opt+shift click through, which just worked absolutely perfectly.
I have scoured the internet and forums looking for an answer for this, as I assumed it must be my own lack of knowledge, but I can't find an answer.
Any help much appreciated.
Thanks
Hi, winterm.
Thanks for the super quick response. Unfortunately that hasn't seemed to have helped me.
That works fine as long as the grouped items are overlapping or apart, but not when items are entirely behind another item (ie, no part protruding from the group)
The problem is that if I double click to try and get through a text box to an item that is entirely behind it, then it just switches into text edit mode for the top text box.
If it helps, could you imagine a transparent text box that is 20x20 with a red rectangle centred beneath it that is 10x10. If the 2 items are grouped, I can't find any way to select through to the red rectangle without first ungrouping the two.
Am I going mad? -
VLAN Overlapping - Don't Get it
Ok, I have a 1700 Switch with the FastEthernet 0/0 set as 10.10.10.1
If I create various VLANs, they give me the "hey buddy, it overlaps with Fastethernet 0/0" error if they are in the same 10.10.10.X range.
Naturally, I could define each of the VLANs and FastEthernet ports as 10.10.11.X and 10.10.12.X nets, but isn't there some way to have one or two of the FastEthernet ports in my basic 10.10.10.X networking scheme on this thing?
Clearly, I need some very basic knowledge here, but I don't understand why the additional VLANs couldn't be defined as unique 10.10.10.X addresses.
fa0/0 is a layer 3 port (router's built in port) and it cannot be tied to any vlan. Only fa0/1 through fa0/4 can be assigned to a vlan or made a layer 3 port by using the command "no switchport".
int fa0/0
ip add 10.10.10.1 255.255.255.0
int fa0/1
ip add 10.10.20.1 255.255.255.0
no switchport
int fa0/2
switchport access vlan 3
int fa0/3
switchport access vlan 3
int fa0/4
switchport access vlan 3
int vlan 3
ip add 10.10.30.1 255.255.255.0
Now you have three subnets 10.10.10.0, 10.10.20.0 and 10.10.30.0.
The first subnet is tied to fa0/0 (router's built in port)
The second subnet is tied to fa0/1 (the port fa0/1 has been made a layer 3 port using "no switchport" command)
The third subnet is tied to fa0/2,3 and 4 using a Layer 3 SVI interface (Vlan 3).
You should be able to route between these interface as long as PCs or other devices in each subnet are set with the right default gateway.
HTH -
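What the overlap error in the question is checking, as an added example that is not part of the thread: IOS refuses an address whose subnet overlaps one already configured on another interface, and the code below reproduces that check for a config snippet. The function names are hypothetical, WORKING is the reply's config (shortened), and ATTEMPTED is constructed to match the question.

```python
import ipaddress
import re
from itertools import combinations

# "int"/"interface" and "ip add"/"ip address" are both accepted, as in the post.
IFACE = re.compile(r"^\s*int\w*\s+(\S.*?)\s*$", re.IGNORECASE)
IP_ADDR = re.compile(
    r"^\s*ip\s+add\w*\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)",
    re.IGNORECASE,
)


def interface_subnets(config_text):
    """Return [(interface name, IPv4Network)] for every addressed interface."""
    subnets = []
    current = None
    for line in config_text.splitlines():
        m = IFACE.match(line)
        if m:
            current = m.group(1)
            continue
        m = IP_ADDR.match(line)
        if m and current is not None:
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            subnets.append((current, iface.network))
    return subnets


def find_overlaps(config_text):
    """Return every pair of interfaces whose connected subnets overlap."""
    return [
        (a_name, b_name, str(a_net), str(b_net))
        for (a_name, a_net), (b_name, b_net)
        in combinations(interface_subnets(config_text), 2)
        if a_net.overlaps(b_net)
    ]


# The reply's layout: one subnet per layer 3 interface.
WORKING = """
int fa0/0
 ip add 10.10.10.1 255.255.255.0
int fa0/1
 ip add 10.10.20.1 255.255.255.0
 no switchport
int fa0/2
 switchport access vlan 3
int vlan 3
 ip add 10.10.30.1 255.255.255.0
"""

# Constructed: what the question describes, plus a /25 carved out of the
# same /24, which overlaps just the same.
ATTEMPTED = """
int fa0/0
 ip add 10.10.10.1 255.255.255.0
int vlan 2
 ip add 10.10.10.2 255.255.255.0
int vlan 3
 ip add 10.10.10.129 255.255.255.128
int vlan 4
 ip add 10.10.30.1 255.255.255.0
"""

if __name__ == "__main__":
    for name, cfg in (("WORKING", WORKING), ("ATTEMPTED", ATTEMPTED)):
        print(name)
        for a, b, a_net, b_net in find_overlaps(cfg) or [("none", "", "", "")]:
            print(f"  {a} {a_net} overlaps {b} {b_net}".rstrip())
```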
Interface vlan - ACL - pinging issues.
I'm trying to understand why an ACL which is applied to an interface vlan is affecting the traffic for a different interface vlan.
Both vlans are configured on the same device and there's a trunk connecting the "access" switch to the "distribution" switch.
so, what we have is:
UD-1 UD-1B
UA
Int vlan are configured in both UDs and the vlan is allowed in the trunk that connects the UD to the UA.
There's an ACL blocking traffic to the int vlan 225 IP that is configured in the UA, but there's no ACL on the vlan 185 (the same IP that I'm trying to ping).
So, why is this happening?
configs:
UD-1A:
interface Vlan185
ip address 10.8.185.3 255.255.255.0
interface Vlan225
ip address 10.18.225.3 255.255.255.0
ip access-group ud1 in
int gi1/1
interface GigabitEthernet1/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 225
switchport trunk allowed vlan 185,225
switchport mode trunk
UD-1B
interface Vlan185
ip address 10.8.185.4 255.255.255.0
interface Vlan225
ip address 10.18.225.4 255.255.255.0
ip access-group al_rpf_sre_ud1_pro in
interface GigabitEthernet4/4
switchport trunk encapsulation dot1q
switchport trunk native vlan 225
switchport trunk allowed vlan 185,225
switchport mode trunk
interface Vlan185
ip address 10.8.185.7 255.255.255.0
ip access-group ro in
interface GigabitEthernet1/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 225
switchport trunk allowed vlan 185,225
switchport mode trunk
interface GigabitEthernet1/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 225
switchport trunk allowed vlan 185,225
switchport mode trunk
so, when I ping 10.8.185.7
I get:
GMT-3: ICMP: dst (10.8.185.7) administratively prohibited unreachable rcv from 10.8.185.4
%SEC-6-IPACCESSLOGDP: list ud1 denied icmp 10.8.185.7 (GigabitEthernet1/1) -> 10.18.232.58 (0/0), 3 packets
anybody?
Hello Paresh,
thanks for replying.
But, actually, I don't think this is what is happening.
Because 10.18.232.58 comes from an uplink - core router, which enters from a different interface.
Let me give you the configs:
uplinks:
interface GigabitEthernet3/1
no switchport
ip address 10.18.192.26 255.255.255.252
And the core are doing load-balancing to reach the UA.
So, icmp packets are arriving from these 2 interfaces, the uplink gi3/1 (router port) and from the link that connects the UA switch.
so, pinging from the BC you have 2 ways to get to the UA, from UD1 and UD1-B, when it reaches UD1-B it goes to the vlan (ie. goes down to the UA and up to UD1A).
Not sure if this is helping.
If you need any other info let me know.
this is killing me. -
Disabling ''igmp snooping'' in a VLAN (no interface VLAN) on Catalyst 6500
Can someone please help?
On 4948 or 3560 I can disable igmp snooping in a specific VLAN:
sw4948(config)#no ip igmp snooping vlan ?
<1-1001> Vlan number
<1006-4094> Vlan number
sw4948(config)#no ip igmp snooping vlan 10 ?
explicit-tracking Enable IGMP explicit host tracking
immediate-leave Enable IGMPv2 immediate leave processing
last-member-query-interval Last member query interval
mrouter Configure an L2 port as a multicast router port
static Configure an L2 port as a member of a group
<cr>
BUT, in 6509-E this command is not enabled:
sw6509(config-if)#no ip igmp snooping ?
access-group IGMP group access group
limit IGMP limit
I have just found on my 6509 that I can disable igmp snooping in a SVI interface (Interface VLAN)
sw6509(config)#int vlan 20
sw6509(config-if)#no ip igmp snooping ?
access-group IGMP group access group
fast-leave Enable IGMP fast leave processing
last-member-query-interval Configure IGMP leave query timeout
limit IGMP limit
minimum-version Minimum IGMP version
mrouter Configure an L2 port as a multicast router port
querier Enable IGMP querier processing
report-suppression Force a report suppression
ssm-safe-reporting Enable SSM Safe Reporting
static Configure an L2 port as a member of a group
<cr>
My current 6509-E IOS version is:
System image file is "sup-bootdisk:s72033-advipservicesk9_wan-mz.122-33.SXH8b.bin"
Do I need to upgrade my IOS version?... or how can I disable ''igmp snooping'' per specific VLAN (no Interface VLAN)?
Any help would be appreciated!
Regards
guruiz
Hi Guruiz,
So, to disable igmp snooping in some VLANs in the 6509, do I need to disable it globally?
Would it be the only way?
That appears to be the only way. If you have an SVI for the vlan you want to run Multicast in, then simply enable PIM and not worry about IGMP snooping. I think, the reason you don't see this command under the layer-2 vlan is because most of the time the 6500 is used as layer-2/layer-3 and not just layer-2.
How could "no ip igmp snooping" applied globally impact my 6509 switch?
It will impact only the vlans that are running Multicast. In general, ip IGMP snooping is used when you have a flat vlan and no SVI. If you have multiple vlans and are running Multicast between them, then you can just enable PIM.
HTH -
Route map does not applied on interface vlan
Hi all,
could you pls tell me why I can't apply a route-map on an interface vlan?
Below is my config:
SWBBO(config-if)#ip policy route-map TEST
^
% Invalid input detected at '^' marker.
Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 15.0(2)SE1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Fri 04-Jan-13 01:38 by prod_rel_team
ROM: Bootstrap program is C3750E boot loader
BOOTLDR: C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)
BBWMASALE01 uptime is 40 weeks, 1 day, 6 minutes
System returned to ROM by power-on
System restarted at 22:12:07 UTC Mon Feb 18 2013
System image file is "flash:/c3750e-universalk9-mz.150-2.SE1.bin"
Best regards,
James
Hi jon,
Below is the result of sh sdm prefer. So do I need an IP services licence to apply the route-map on the interface vlan, or just enter the config "sdm prefer routing" and reboot the switch?
SWBB0#sh sdm prefer
The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 6K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 8K
number of directly-connected IPv4 hosts: 6K
number of indirect IPv4 routes: 2K
number of IPv6 multicast groups: 64
number of directly-connected IPv6 addresses: 74
number of indirect IPv6 unicast routes: 32
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 0.875k
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 0
number of IPv6 security aces: 60 -
Policy-map input on an interface VLAN
Hi there,
I have a problem with a policy-map on an interface VLAN on my Cisco 6509-E.
The switch has the IOS Version 12.2(33)SXI10, RELEASE SOFTWARE (fc2).
I have configured this policy-map:
policy-map PM-10Mbit
class class-default
police cir 10000000 bc 1875000 be 3750000 conform-action transmit exceed-action drop violate-action drop
I bind this map on a physical interface
interface GigabitEthernet2/2
description <removed>
ip vrf forwarding <removed>
ip address <removed>
ip access-group <removed> out
service-policy input PM-10Mbit
service-policy output PM-10Mbit
and get this result:
show policy-map interface
GigabitEthernet2/2
Service-policy input: PM-10Mbit
class-map: class-default (match-any)
Match: any
police :
10000000 bps 1875000 limit 1875000 extended limit
Earl in slot 5 :
6428065284 bytes
5 minute offered rate 14696 bps
aggregate-forwarded 6294160565 bytes action: transmit
exceeded 133904719 bytes action: drop
aggregate-forward 584 bps exceed 0 bps
Service-policy output: PM-10Mbit
class-map: class-default (match-any)
Match: any
police :
10000000 bps 1875000 limit 1875000 extended limit
Earl in slot 4 :
10335145381 bytes
5 minute offered rate 21536 bps
aggregate-forwarded 10142894661 bytes action: transmit
exceeded 192250720 bytes action: drop
aggregate-forward 128 bps exceed 0 bps
Earl in slot 5 :
263335780 bytes
5 minute offered rate 176 bps
aggregate-forwarded 263335780 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 448 bps exceed 0 bps
But when I bind it on an interface VLAN i see no incoming traffic:
show policy-map interface
Vlan1012
Service-policy input: PM-100Mbit
class-map: class-default (match-any)
Match: any
police :
100000000 bps 18750000 limit 18750000 extended limit
Earl in slot 4 :
0 bytes
30 second offered rate 0 bps
aggregate-forwarded 0 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 0 bps exceed 0 bps
Earl in slot 5 :
0 bytes
30 second offered rate 0 bps
aggregate-forwarded 0 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 0 bps exceed 0 bps
Service-policy output: PM-100Mbit
class-map: class-default (match-any)
Match: any
police :
100000000 bps 18750000 limit 18750000 extended limit
Earl in slot 4 :
1005376843668 bytes
30 second offered rate 33016448 bps
aggregate-forwarded 1005362388151 bytes action: transmit
exceeded 14455517 bytes action: drop
aggregate-forward 30943792 bps exceed 0 bps
Earl in slot 5 :
1828318775 bytes
30 second offered rate 1296 bps
aggregate-forwarded 1828318775 bytes action: transmit
exceeded 0 bytes action: drop
aggregate-forward 1272 bps exceed 0 bps
Is this a bug or am I doing something wrong here?
Hello
As I understand it, this command is required in mls qos because an SVI (L3 VLAN interface) runs in a VLAN-based mode, which differs from normal L3 routed interfaces, which run in interface mode.
As per Cisco: "In VLAN-based mode, the policy map that is attached to the Layer 2 interface is ignored, and QoS is driven by the policy map that is attached to the corresponding VLAN interface."
Lastly regards
Try matching on all traffic incoming on the trunk interface on that switch for it to successfully police incoming traffic:
class-map V102
match input-interface x/x
Policy-map POLICE
class V102
Police xxxx xxxx
res
Paul -
Hi guys,
I am trying to share two VLANs in two different contexts, but when I try to add the same VLAN in the second context I receive this message: “Interface Vlan15 cannot be allocated to context. Interface is allocated to another context in a different failover group”. I have seen an example where you can share the same VLANs, so I don’t know where my mistake is.
http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/exampl_f.html#wp1029314
thanks.
It sounds like what you're asking is about the concept of switched virtual interfaces - "interface vlan 10", for instance, is a switched virtual interface. This is different than a VLAN in that a VLAN is a logical network segment, a broadcast domain, whereas an SVI is a logical interface.
If SW2 is a layer 3 switch, you don't HAVE to have the SVI configured there. You could operate both SW1 and SW2 entirely as layer 2 devices, configure an interface on R1 to handle the inter-VLAN traffic, and configure the links from SW1-SW2 and SW2-R1 as trunks.
But that wastes the l3 capability of the switch. The idea is that you don't need to involve a router. When you have a vlan (layer 2), it has no way to communicate with other vlans (layer 2). That's where an SVI on a layer 3 switch, or an interface on a router (router-on-a-stick) using dot1q encapsulation comes in. It gives your devices in that VLAN something to point to as a gateway, something for routable traffic to address. So, think of a VLAN as a self contained network, and an SVI as the door that allows it to talk to everything else.
Also, in practice, assigning each discrete switch an IP address for management traffic makes things much easier - how else can you telnet/SSH into it? Beats having to use the console all the time!
HTH -
Hi,
is it possible to setup the service-policy on the server side vlan interface and still have it available for clients with a client subnet ip?
What I'm currently trying to do is reach the other side through the ACE and ping the interface VLANs in a context. But I don't get any answer.
I am trying to reach the interface vlan address 2.1.1.1 from a host in vlan1, but with no success. I can ping the interface vlan 1 though, and can route through the module also.
Setup is simple as that:
access-list anyone line 18 extended permit ip any any
interface vlan 1
desc client vlan
ip address 1.1.1.1 255.255.255.0
alias 1.1.1.2 255.255.255.0
access-group input anyone
service-policy input remote-mgmt
no shutdown
interface vlan 2
desc server vlan
ip address 2.1.1.1 255.255.255.0
alias 2.1.1.2 255.255.255.0
access-group input anyone
service-policy input remote-mgmt
no shutdown
Greetings,
Frank
Hi Frank,
Service-policies need to be applied to the incoming/ingress interface, hence the 'input' keyword when applying them. As for ping, by design, the ACE will not allow you to ping a remote interface on the ACE. In other words, a host on VLAN 1 will be able to ping IP 1.1.1.1, but not 2.1.1.1. A host on VLAN 2 will be able to ping 2.1.1.1, but not 1.1.1.1.
Hope this helps,
Sean -
Unknown interface vlan on fwsm
I've done the ff. on the msfc
firewall module 2 vlan-group 1
firewall vlan-group 1 100,200,300
interface Vlan100
no ip address
interface Vlan200
no ip address
shutdown
interface Vlan300
no ip address
shutdown
BUT WHEN I DO THE FF ON THE FWSM
int vlan 300
I get the following
FWSM# conf t
FWSM(config)# int vlan 300
Unknown interface vlan.
the fwsm is not recognizing my vlan. what is missing?
thanks
Hi
Have you created the vlans at Layer 2 ie. if you do a "sh vlan" on the 6500 do you see your vlans ?
You do not create layer 2 vlans by entering
int vlan300
no ip address
shutdown.
If you want vlan 300 to be firewalled then please
1) remove the "interface vlan 300" from the 6500 ie.
6500(config)# no interface vlan 300
2) Add the vlan at layer 2 on the 6500 ie.
6500(config)# vlan 300
6500(config-vlan)# name vlan300
Do this for all vlans you want to firewall.
Jon -
Interface VLAN inbound ACL?
Hi, I may be overthinking this, but I have an ACL that is applied inbound on an interface vlan. I have a line to permit udp any any log, which is temporary. I see hits, but the source IP is off network, with the interface vlan IP address as destination. I expect to see source IP addresses only in the 192.168.1.128/25 IP range. What do you think? Thanks
Interface vlan 100
ip address 192.168.1.132 255.255.255.128
ip access-group ACL_IN in
ACL Hit
%SEC-SW1-6-IPACCESSLOGP: list ACL_IN permitted udp 192.168.6.100(137) -> 192.168.1.132 (137), 1 packet
Hi,
It does seem strange, though I have to admit that I rarely nowadays configure ACLs in any other devices than actual firewalls and there the behaviour and logging is a bit different.
Cisco firewalls have a decent documentation about all the different log messages and their description but I am not sure about the switch/router side. Can't seem to find those.
What also seems strange is the port seen in the log messages and why would it be targeted to the actual Vlan interface IP address.
The ACL you have should only really control the traffic that is coming inbound towards the Vlan interface.
- Jouni -
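The comparison the original poster is making by eye, as an added example that is not from either post: parse the ACL log messages and flag every hit whose source address lies outside the subnet configured on the SVI the ACL is bound to. The function names are hypothetical; the first sample line is the one quoted in the question and the others are constructed.

```python
import ipaddress
import re

# IOS ACL log message for TCP/UDP hits. The mnemonic may carry a hostname
# (%SEC-SW1-6-IPACCESSLOGP), as it does in the question.
ACL_LOG = re.compile(
    r"%SEC-(?:[\w.-]+-)?6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)\s*->\s*"
    r"(?P<dst>[\d.]+)\s*\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(line):
    """Return the fields of one IPACCESSLOGP message, or None if no match."""
    m = ACL_LOG.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def off_subnet_hits(lines, svi_address, svi_netmask, acl_name):
    """Return hits on acl_name whose source is outside the SVI's subnet."""
    iface = ipaddress.ip_interface(f"{svi_address}/{svi_netmask}")
    flagged = []
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["acl"] != acl_name:
            continue
        if rec["src"] not in iface.network:
            # Note whether the packet was addressed to the SVI itself.
            rec["to_svi_itself"] = rec["dst"] == iface.ip
            flagged.append(rec)
    return flagged


SAMPLE_LOG = [
    # Quoted in the question.
    "%SEC-SW1-6-IPACCESSLOGP: list ACL_IN permitted udp "
    "192.168.6.100(137) -> 192.168.1.132 (137), 1 packet",
    # Constructed: source inside 192.168.1.128/25, so not flagged.
    "%SEC-SW1-6-IPACCESSLOGP: list ACL_IN permitted udp "
    "192.168.1.200(53124) -> 10.0.0.53(53), 4 packets",
    # Constructed: 192.168.1.20 is in the lower /25, outside the SVI's subnet.
    "%SEC-SW1-6-IPACCESSLOGP: list ACL_IN denied tcp "
    "192.168.1.20(40000) -> 192.168.1.132(22), 2 packets",
    # Constructed: a different ACL, ignored.
    "%SEC-SW1-6-IPACCESSLOGP: list OTHER_ACL permitted udp "
    "172.16.0.9(137) -> 172.16.0.1(137), 1 packet",
]

if __name__ == "__main__":
    # Interface vlan 100 from the question: 192.168.1.132 255.255.255.128
    hits = off_subnet_hits(SAMPLE_LOG, "192.168.1.132", "255.255.255.128", "ACL_IN")
    for h in hits:
        target = "SVI address" if h["to_svi_itself"] else "other host"
        print(f'{h["action"]} {h["proto"]} {h["src"]}:{h["sport"]} -> '
              f'{h["dst"]}:{h["dport"]} ({target}), {h["count"]} packet(s)')
```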
Page break within a group(s)
I have a report that uses a group that contains three parts, a details part, a blank lines part, and a totals part.
What I am attempting to achieve, is to produce the report so that there are page breaks within this group. The page breaks should happen after each part.
I have been able to achieve the desired look by adding a group for each part, with an additional 'blank' group to provide a page break between the Details Part and the remaining 2 parts.
This, however has left me with 3 issues;
Throughout the report, there will be pages with only the heading and no details.
There are pages that show 2 headings (one for the ending detail group and the other is for successive detail group)
How to remove the headings for the blank lines part and totals part (which is now on their own separate pages)
The major pain point for me is issue #3. Anyone able to offer suggestions with the amount of information provided?
Hello,
Based on your description, you have three parts in one group. You have added a page break between each part. You have mentioned that the heading will repeat on each page. You have set the tablix to repeat headers on each page, right?
Since you have a blank line part in the group, when we add a page break between each part, we will get a blank line page. When we have set the heading to repeat on each page, we would also have a repeated page header on the blank page.
Now, your requirement is to not get the repeated header on the blank page and total page, right? Please refer to the following steps below:
Cancel the headers repeat in each page configuration.
Add a total row before of the detail group. Change these text box values with headers values.
Please refer to the screenshot below:
If there is any misunderstanding, please feel free to let me know.
Regards,
Alisa Tang