WLAN - subnet size
I'm wondering if there's a best practice regarding the subnet size of the dynamic interface.
Is, for example, a /16 recommended, knowing that broadcast/multicast to the clients is disabled?
I have a setup where, via AAA override, the users are placed in their corresponding VLAN: admin (WLAN I), staff
(WLAN II), guest (WLAN III). There's only a WLC on the central site, so all wireless traffic from all sites (connected via fiber) is passing through the WLC.
I'm wondering if there's a difference (performance, other?, ...) between a solution with three VLANs (one for each SSID, but large enough) versus
1) an AP group solution with dedicated VLANs
2) assigning a VLAN via AAA override based on 'location' and function (admin, ...)
(staff from site 1 = staff from site 2)
So what are you thinking?
Pros/cons of a big subnet in this situation and in general deployment
Davy,
I chuckle when people ask this question. I say this because we are all used to small subnets, because of the broadcast/multicast drama that happens on the wired side. As you pointed out, the WLC proxies this for the clients so it's never sent over the wireless.
I've designed many WLANs. I normally lead with a /21 or /22, which in most environments works well.
If there are specific location needs, perhaps NATing or special security segmentation, one could venture to use AP groups. This would allow the peace of mind of knowing each location is defined by an AP group. A good example would be something like PCI. This could also aid in management as well.
So if you find yourself needing more control in the future, AP groups will give that ability.
Similar Messages
-
I understand that a voice over wireless deployment needs its own VLAN, but the question is: what is the best practice size of the single voice VLAN? Once exceeded, what is the best practice subnet size for AP groups?
William,
You will get many different answers here :) So in my experience, a /24 is good; you keep the broadcast domain small. I have also had clients with a /16 and no issues, but not with voice, since that would be a lot of wireless phones in general. I think the largest subnet I had for wireless voice, my client was using a /23 subnet.
AP groups would be the same in a way: you need to define how large a subnet you need. With 7.0.116.0, they added a new feature called interface groups that allows you to bundle interfaces together. So you can bundle 2+ /24s if you wanted to.
Thanks,
Scott Fella
Sent from my iPhone -
Subnet size for service VLAN and AP-Manager in WiSM
Hi guys,
Is there any recommendation about the size of the subnets used to communicate between the Supervisor 720 and the WiSM?
I think I will waste addresses, for example, if I use two /24 subnets for the service VLAN and AP-Manager.
Thanks in advance,
Andre Lomonaco
Your subnet should be big enough to accommodate all the hosts which will need addresses. A /28 or /29 is probably plenty big for your service VLAN.
On the other hand, RFC 1918 gives you close to 18 million addresses worth of private space to work with, so it's unlikely you're going to run out in most deployments. -
We have two buildings with separate subnets that are about 100 yards apart. We have two APs in each location and the coverage is very good. The issue we are having is when someone goes from one building to the other, the wireless holds onto the IP address which is on the wrong subnet, so we have to have the users disconnect and reconnect to the wireless network. Besides making a campus and expanding the subnet location, is there any other way we can force laptops to reconnect when accessing the other subnet or APs?
Any information would be greatly appreciated.
I'm assuming you have an autonomous setup? 100 yards apart is pretty far, and interesting that a device can still stay connected even though they walk into the other building. The only thing you can do is disable some of the lower data rates on your AP. I would disable everything below 11 Mbps and keep 11 Mbps as mandatory and the rest supported. Give that a try. You might also maybe lower the TX power down to 50 mW, but play with the data rates first.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered" -
ASA 5505 9.1(2) NAT/return traffic problems
As part of an office move we upgraded our ASA to 9.1(2) and have been having what seem to be NAT problems with some services ever since. These problems manifest themselves with return traffic. For example, network time sync (NTP, port 123) works fine from the ASA, but hosts on the inside network cannot access external NTP servers (ntpq -pe shows all servers stuck in .INIT. status), creating problems with drifting clocks. Services like XBox Live also do not work; the XBox device can contact the internet, but return traffic from the service never gets back to the device.
For NTP specifically, I've tried allowing NTP 123 through the firewall, but it doesn't help. Conceptually, this should not be required since an inside host is initiating the connection and the NAT rules "should" allow the return packets. To further muddy the waters around NTP, a Linux VM CAN get NTP if its network adapter is in NAT mode (so it's NATing through the host workstation, then through the Cisco) but CAN NOT get NTP if the adapter is running in bridged mode (so the VM is talking directly to the ASA as if it were just another machine on the inside network).
I've stripped down the ASA config to the basic level, but still can't get this resolved. The main symptom of the problem is that if I disable the access-list rules around ICMP, I'll see lots of ICMP warnings in the ASA logs, which seems to indicate that there are traffic problems communicating with the inside hosts. I've narrowed the problem down to the ASA since replacing the device with a simple Netgear consumer-grade "firewall" lets all this traffic flow just fine.
Network is extremely basic:
DHCP ASSIGNED IP from ISP <----------> ASA <-----------------> inside (192.168.50.X)
^
|----------------------- guest vlan (10.0.1.X)
show running-config:
Result of the command: "show running-config"
: Saved
ASA Version 9.1(2)
hostname border
domain-name mydomain.com
enable password aaa encrypted
passwd bbb encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport trunk allowed vlan 1,3
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif Guest-VLAN
security-level 10
ip address 10.0.1.1 255.255.255.0
boot system disk0:/asa912-k8.bin
boot system disk0:/asa911-k8.bin
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.104.2.36
domain-name domain
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 255.255.255.0
object network Guest-WLAN
subnet 0.0.0.0 255.255.255.0
description Interent access for guest Wireless
object network xbox-nat-tcp3074
host 192.168.50.54
object network xbox-nat-udp3074
host 192.168.50.54
object network xbox-nat-udp88
host 192.168.50.54
object service xbox-live-88
service udp destination eq 88
object network xbox
host 192.168.50.54
object network obj-inside
subnet 192.168.50.0 255.255.255.0
object network obj-xbox
host 192.168.50.54
object network plex-server
host 192.168.50.5
object network ubuntu-server
host 192.168.50.5
description Ubuntu Linux Server
object network ntp
host 192.168.50.5
object network plex
host 192.168.50.5
object network INTERNET
subnet 0.0.0.0 0.0.0.0
object-group service xbox-live-3074 tcp-udp
port-object eq 3074
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service plex-server-32400 tcp
description Plex Media Server
port-object eq 32400
access-list outside_access_in extended permit object-group TCPUDP any object xbox object-group xbox-live-3074 log alerts
access-list outside_access_in extended permit object xbox-live-88 any object xbox log alerts
access-list outside_access_in extended permit tcp any any eq echo
access-list outside_access_in remark Plex Live access
access-list outside_access_in extended permit tcp any object plex-server object-group plex-server-32400
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest-VLAN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network xbox-nat-tcp3074
nat (inside,outside) static interface service tcp 3074 3074
object network xbox-nat-udp3074
nat (inside,outside) static interface service udp 3074 3074
object network xbox-nat-udp88
nat (inside,outside) static interface service udp 88 88
object network plex
nat (inside,outside) static interface service tcp 32400 32400
object network INTERNET
nat (inside,outside) dynamic interface
nat (Guest-VLAN,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=border
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca xxxx
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate xxxx
quit
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh 192.168.50.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign local reuse-delay 60
dhcp-client client-id interface outside
dhcpd auto_config outside
dhcpd address 192.168.50.5-192.168.50.132 inside
dhcpd address 10.0.1.50-10.0.1.100 Guest-VLAN
dhcpd dns 208.104.244.45 208.104.2.36 interface Guest-VLAN
dhcpd lease 86400 interface Guest-VLAN
dhcpd enable Guest-VLAN
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.50.0 255.255.255.0
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 152.19.240.5 source outside prefer
ssl trust-point ASDM_TrustPoint0 outside
username xxx password xxx/ encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous
call-home
contact-email-addr [email protected]
profile CiscoTAC-1
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:xxx
: end
Hi,
Configuration seems fine.
With regards to the ICMP, you could also add this
class inspection_default
inspect icmp error
I would probably start by trying out some other software level on the ASA.
Maybe some 8.4(x) software or 9.0(x) software. See if it is some bug perhaps.
One option is of course to capture traffic directly on the ASA or on the hosts behind the ASA, and go through the information with Wireshark.
- Jouni -
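A quick static sanity check of a config dump like the one above is often faster than swapping software trains. The following Python script is an added example (not from the post or from Cisco) that reads an ASA running-config excerpt and flags four things visible in the posted configuration: the 1024-bit dh-group1-sha1 SSH key exchange, a permit tcp any any on the inbound ACL (TCP echo, port 7), network objects written as 0.0.0.0 with a non-zero mask, and static NAT targets that sit inside the dhcpd address range. The excerpt embedded in the script is a constructed, trimmed copy of the posted config; the script does not explain the NTP symptom, it only catches settings a reviewer would want fixed regardless.

```python
import ipaddress
import re

# Constructed excerpt of the posted ASA 9.1(2) running-config (sample input for this
# example; names and addresses are those shown in the post, trimmed to what the checks use).
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.50.1 255.255.255.0
object network obj_any
 subnet 0.0.0.0 255.255.255.0
object network Guest-WLAN
 subnet 0.0.0.0 255.255.255.0
object network xbox-nat-tcp3074
 host 192.168.50.54
object network plex
 host 192.168.50.5
object network INTERNET
 subnet 0.0.0.0 0.0.0.0
access-list outside_access_in extended permit tcp any any eq echo
access-list outside_access_in extended permit icmp any any echo-reply
object network xbox-nat-tcp3074
 nat (inside,outside) static interface service tcp 3074 3074
object network plex
 nat (inside,outside) static interface service tcp 32400 32400
object network INTERNET
 nat (inside,outside) dynamic interface
ssh 192.168.50.0 255.255.255.0 inside
ssh key-exchange group dh-group1-sha1
dhcpd address 192.168.50.5-192.168.50.132 inside
"""

OBJ_CHILD = ("host ", "subnet ", "nat ", "description ")


def parse_objects(lines):
    """Return ({object name: ('host', addr) | ('subnet', net)}, {names carrying a static NAT})."""
    objects, static_nat, current = {}, set(), None
    for line in lines:
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            objects.setdefault(current, None)
            continue
        if current is None or not line.startswith(OBJ_CHILD):
            current = None          # any other top-level command ends the object block
            continue
        m = re.match(r"host (\S+)$", line)
        if m:
            objects[current] = ("host", ipaddress.ip_address(m.group(1)))
        m = re.match(r"subnet (\S+) (\S+)$", line)
        if m:
            objects[current] = ("subnet", ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        if line.startswith("nat ") and " static " in line:
            static_nat.add(current)
    return objects, static_nat


def lint_asa_config(text):
    """Return a list of (check, detail) findings for the configuration text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    objects, static_nat = parse_objects(lines)
    findings = []
    pools = []  # DHCP ranges the ASA hands out itself: (low, high, interface)
    for line in lines:
        m = re.match(r"dhcpd address (\S+)-(\S+) (\S+)$", line)
        if m:
            pools.append((ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)), m.group(3)))
        # DH group 1 (1024-bit) for the SSH key exchange is weak; the ASA also offers dh-group14-sha1
        if line == "ssh key-exchange group dh-group1-sha1":
            findings.append(("weak-ssh-kex", line))
        # A permit tcp/udp/ip any any on an inbound ACL opens more than a port forward needs
        if re.match(r"access-list \S+ extended permit (tcp|udp|ip) any any", line):
            findings.append(("inbound-permit-any-any", line))
    # 0.0.0.0 with a non-zero mask is almost certainly a mistyped "any" object
    for name, val in objects.items():
        if (val and val[0] == "subnet" and val[1].network_address == ipaddress.ip_address("0.0.0.0")
                and val[1].prefixlen != 0):
            findings.append(("suspicious-zero-network", f"{name} {val[1]}"))
    # A static NAT target inside a dynamic DHCP range can be handed to some other host
    for name in sorted(static_nat):
        val = objects.get(name)
        if val and val[0] == "host":
            for lo, hi, ifname in pools:
                if lo <= val[1] <= hi:
                    findings.append(("static-nat-host-in-dhcp-pool", f"{name} {val[1]} in {lo}-{hi} ({ifname})"))
    return findings


if __name__ == "__main__":
    for check, detail in lint_asa_config(ASA_CONFIG):
        print(f"{check:30} {detail}")
```

Run it as-is to print the findings, or feed it the full show running-config output to audit the real device. The DHCP-overlap check matters here because 192.168.50.5 and 192.168.50.54 receive static port forwards yet fall inside the range the ASA hands out dynamically, so a lease collision would silently break those forwards.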
One SSID to multiple VLANs without H-REAP / FlexConnect
Hi, my name is Ivan.
I have a question about a wireless solution.
I have one Cisco WLC 2112 with IOS 7.0.230.0 with a license to support 12 access points. My access points are nine (9) LAP1231AG and one (1) LAP1310.
I just have one WLAN (SSID). My deployment scenario is layer 3. I have one management and one AP-manager interface in the WLC. All my access points
have different IP addresses than the WLC. I need to configure a unique SSID to associate with my six (6) dynamic interfaces (each dynamic interface with a different VLAN subnet).
Each WLAN profile (SSID) should have the same security in phase 2 (WPA2/PSK). My Cisco access points don't support H-REAP. My WLC supports only four (4)
interfaces in an interface group, and I need six (6) dynamic interfaces.
Is it possible to configure this scenario?
I have researched it, and I found this link:
https://supportforums.cisco.com/thread/2180009
They mention there that I need H-REAP, but my APs don't support it.
How can I do it?
Regards
1° It doesn't matter that my buildings are connected between layer 3 links, having my WLC in a different VLAN/subnet.
Correct. The APs do not have any requirement of being L2 adjacent to the WLC. If your APs are already joined, they will know how to find the WLC once you move them to their new network. I would suggest making sure you have High Availability configured, specifying the APs' primary WLC. Regardless, if joined already, the AP "knows" the controller it wants to join. If you have "new" APs that are installed at a different L3 network, you just want to make sure you have discovery methods for these new APs to find the WLC (option 43, DNS, etc.)
2° It doesn't matter what interface is associated to the WLAN in the WLAN profile.
That depends on your design. "IF" you have "all" your APs placed in to respective custom AP groups, then no it doesn't matter as the group interface assignment will override the WLAN interface assignment. "IF" you still have APs in the "default group" that are not being placed in a new AP group, then these APs will inherit the WLAN configuration so the interface should be assigned accordingly. In some cases, customers may choose to build a dummy/blackhole interface that the WLAN is bound to in the event an AP winds up in the default group. Just make sure any dummy interfaces you create are non-routable on your network.
3° It is not necessary to create an interface group.
No. An interface group will bundle multiple dynamic interfaces into a single group that can be assigned. For instance, if you bundle all these into a group and then assign, via an AP group, a WLAN to use the new interface "group", then clients will be placed on the respective dynamic interfaces within that group in a round-robin fashion (or whatever algorithm is in use depending on code release), therefore clients at site A may end up on any of the 6 interfaces. The interface group is traditionally used when customers are running out of usable space and would like to expand through the use of additional network segments, rather than increasing a subnet size through a mask reduction. -
Hi guys,
This is my VLAN background:
VLANs are used to segment the network and break up the broadcast domains in order to reduce congestion and isolate network problems as well as providing scalability, performance improvement, security and making network additions, moves, and changes easier and more manageable.
And this is my wireless VLAN background with the controllers:
Host A is a wireless LAN client communicating with the wired device, Host B. At the access point, the access point adds an LWAPP Header to the frame and send it to the controller. After processing the 802.11 MAC Header by WLC, it extracts the payload (the IP packet), encapsulates it into an Ethernet frame, and then forwards the frame onto the appropriate wired network, typically adding an 802.1Q VLAN tag.
According to Cisco's "Fundamentals of Wireless Controllers" video (starting at 2:53), the 5508 controller allows you to use much larger subnets and less wireless VLANs. So with a 5508 controller in a completely wireless infrastructure (no wired hosts),
1. I don't need to break up broadcast domains and have multiple subnets and I'm free to use a giant flat network?
2. If I'm allowed to use large subnets, as far as the broadcast traffic (other than ARP and DHCP, which are specially handled by the WLC) is concerned, how does the controller handle that? I think I still will need multiple VLANs to control them according to my following WLC broadcast handling background:
"All traffic including broadcast sent to any destination by a wireless client gets forwarded to the WLC from its connected AP. The WLC places the broadcast message onto that VLAN; both wired and wireless clients that are part of that VLAN interface will get this broadcast message. Now, the receiving wireless clients on that VLAN can be associated to any/different APs, APs mapped to different AP groups, even APs using different L3 addresses from one or multiple WLCs. The WLC intelligently identifies the mapped VLAN interfaces and their respective APs through the AP group and forwards (encapsulates) the broadcast as a multicast packet to those specific AP groups. Once the APs receive the multicast (broadcast), they place it on the respective radio's BSSID (where the WLAN/SSID is mapped) of the AP to reach the right wireless client. The AP radio's BSSID to SSID/WLAN to interface mapping is pushed to the AP by the WLC at AP join. Also, wired PCs will receive the broadcast on their VLAN as tagged (if tagged, otherwise untagged) from the WLC's interface, as do the other WLCs that span this VLAN interface."
Regards,
Saman
You should still follow your best practice for your subnet size. Remember that wireless is half duplex and only one device can talk at a given time. Also... The AP can be in a different VLAN, AP group, etc., but the clients are still on the same VLAN. So it means that the clients need to be on the same VLAN, but the APs can be on a different subnet since this doesn't matter.
Sent from Cisco Technical Support iPhone App -
Adaptiva Software Distribution not working with Cisco APs in Local Mode
A worldwide customer would like to use a new software distribution system called Adaptiva to replace SCCM within the Windows environment. As far as I understand, Adaptiva is designed to work like a snowball system. A single PC at a remote site can be "infected" with new software and will distribute the package to other PCs within the same IP subnet, saving WAN bandwidth.
First tests are showing that it is working well with Cisco WLAN solution as long as we are using Flexconnect WLAN APs.
Customer locations with Local WLAN AP design create problems for this new software distribution method.
The WLAN PCs can be reached from outside, but the establishment of the client/server model between the WLAN clients is not working. The port used by this software for communication between clients in each WLAN subnet is UDP port 34329.
Our WLCs are running 7.4.130.0. The problem appears independently of AP multicast settings or broadcast forwarding. Enabling broadcast forwarding without a reboot did not improve the situation.
Global multicast mode and IGMP snooping are also of no influence.
P2P blocking action is "Disabled" within the WLAN setup.
Who has any idea what might cause this communication problem between WLAN clients in local mode of APs?
Thank you for answers
Wini
I can think of two solutions. You could 1: turn the "auto-lock" to never, so that your phone never sleeps. Or, you could 2: jailbreak your iPhone and install "insomnia". I wish we had the Cisco Mobile app. I usually use wifi/insomnia and turn data off at work since we have wireless pretty much everywhere...
Sent from Cisco Technical Support iPad App -
I have a question about how wireless data traffic flows between 2 wireless clients that are associated with the same AP/WLAN/subnet. It doesn't have to go through the WLC, does it?
Is this documented some where on Cisco website that I can find?
Thanks
Binh Dinh
When the access point (AP) joins a Wireless LAN (WLAN) controller, a Lightweight Access Point Protocol (LWAPP) tunnel is formed between the two devices. All traffic is sent through the LWAPP tunnel, which includes all client traffic. The only exception to this is when an AP is in REAP mode. When the AP is in Remote-Edge Access Point (REAP) mode, the control traffic is still tunneled to the controller but the data traffic is bridged locally on the local LAN.
Here is the link info:
http://supportwiki.cisco.com/ViewWiki/index.php/In_LWAPP_network,_does_all_the_network_traffic_both_from_and_to_the_WLAN_client_tunneled_through_a_4400_series_WLAN_controller_that_runs_firmware_version_3.2,_once_a_connection_is_established -
Clients not receiving addresses from DHCP
I have a Cisco 2811 router and have configured it to be a DHCP server at a remote site. It seems like it should be pretty straight forward to configure DHCP. Apparently I'm missing something because I can't get clients to receive an address. Below are the applicable parts of the config. I also have tried associating the DHCP pool with the Claims vrf and that did not work either.
ip dhcp excluded-address 10.10.30.0 10.10.30.99
ip dhcp excluded-address 10.10.30.201 10.10.30.255
ip dhcp pool Claims_Office
network 10.10.30.0 255.255.255.0
domain-name fmi.com
default-router 10.10.30.253
dns-server 10.10.10.191
lease 7
interface FastEthernet0/0
description Claims Office
vrf forwarding Claims
ip address 10.10.30.253 255.255.255.0
duplex auto
speed auto
no mop enabled
interface FastEthernet0/0/0.1205
description Claims Office
vrf forwarding Claims
encapsulation dot1Q 1205
ip address 192.168.103.2 255.255.255.252
Unfortunately that didn't work. Here is the output before:
Pool Claims_Office :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 0
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
10.10.30.1 10.10.30.1 - 10.10.30.254 0
And after:
Pool Claims_Office :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 0
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
10.10.30.1 10.10.30.1 - 10.10.30.254 0
What I want is for it to assign addresses from 10.10.30.100-199 -
Creating "guest" VLAN on WLC 4400, created interface not selectable
Presently have an internal network WLAN (HREAP) setup and running. I'm trying to create a guest Internet-only WLAN referencing this link http://www.cisco.rw/en/US/tech/tk722/tk809/technologies_configuration_example09186a008070ba8f.shtml
Created dynamic interface "corp-26" and verified it was enabled. When I create the Internet-only WLAN... under Interface Name, only "management" appears in the drop down list; "corp-26" doesn't appear.
How do I assign "corp-26" to my Internet-only WLAN?
The management & AP-manager are for the APs themselves. You will want a separate VLAN/WLAN/subnet for your guest SSIDs altogether.
You can provide dhcp from the controller or from a dedicated server.
if you select override for dhcp under the wlan settings, provide a dhcp server address, otherwise add the dhcp server entries under the interface settings.
What is really cool is that 1.1.1.1 appears as the dhcp server (unless you changed it on the controller to something else.) It has caused some confusion at times -
We are migrating from WLSM (yes, so old) to the WLC infrastructure. We have around 400 APs scattered all around the campus (it is a university campus). I would like to get some details on how we should proceed with the implementation of the WLC 5500.
We have around 40 buildings, and currently we have more than 1500 wireless users; they are expected to increase rapidly.
My question is regarding the networking operations (not WLC configuration per se). Here are the questions:
1- How many VLAN interfaces should we create in our networking infrastructure to cater for the SSIDs? Since any SSID will be bound to one interface in the WLC, which in turn will connect to a VLAN interface in the switch.
2- How big can the user subnet be?
In our previous setup we had two SSIDs, Secure WPA2 (internet+intranet) and Unsecure (Internet only). What I want is to have these 2 SSIDs, plus one special SSID to be broadcast when needed (Guest/event).
For implementation ease, I thought that three VLANs would do the job, and I would keep their subnets big, say /20 or /19.
Please do recommend.
I think you really would need to dig into this deeper. The reason I ask is that you can either keep what you have now and migrate to that using local mode APs where the WLC is located, and then you can take advantage of FlexConnect for your remote buildings. FlexConnect is almost the same design as you would have with an autonomous AP. The FlexConnect AP would put the users local to that subnet and not tunnel traffic back. So if you already had two VLANs for your existing two, and the subnet size was fine, then you would just map the SSID to that VLAN again and then place your APs in the VLAN the APs are still in if you want. All you would need to do is add a third SSID and a third VLAN to your buildings. I'm guessing that you are doing layer 3 to each building.
So in short, if you have a LAP in local mode, all traffic is tunneled back to the WLC, so your VLANs would reside where the WLC is connected. In FlexConnect, you have a choice to tunnel traffic back or place traffic locally.
If you search the forum, you will see various recommendations for subnet size. Some have used /16 with no issues. -
Configure DHCP on router and switch
Good afternoon,
I'm trying to configure DHCP using CLI on a 2610 router and 2950 switch. With my present config, the host at the end of the switch (configured to receive ip via DHCP) is not getting anything assigned. Here are some shows:
Router:
Router_1#show ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.10.1 YES manual up up (leading to switch)
Serial0/0 unassigned YES unset administratively down down
Serial0/1 unassigned YES unset administratively down down
Ethernet1/0 unassigned YES unset administratively down down
Ethernet1/1 unassigned YES unset administratively down down
Ethernet1/2 unassigned YES unset administratively down down
Ethernet1/3 unassigned YES unset administratively down down
Router_1#show ip dhcp pool
Pool acer_pool :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 0
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
192.168.10.1 192.168.10.1 - 192.168.10.254 0
Switch:
Switch_1#show ip int br
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM up up
FastEthernet0/1 unassigned YES unset up up (leading to router)
FastEthernet0/2 unassigned YES unset down down
FastEthernet0/3 unassigned YES unset down down
FastEthernet0/4 unassigned YES unset down down
FastEthernet0/5 unassigned YES unset down down
FastEthernet0/6 unassigned YES unset down down
FastEthernet0/7 unassigned YES unset down down
FastEthernet0/8 unassigned YES unset down down
FastEthernet0/9 unassigned YES unset down down
FastEthernet0/10 unassigned YES unset down down
FastEthernet0/11 unassigned YES unset down down
FastEthernet0/12 unassigned YES unset down down
FastEthernet0/13 unassigned YES unset down down
FastEthernet0/14 unassigned YES unset down down
FastEthernet0/15 unassigned YES unset down down
FastEthernet0/16 unassigned YES unset down down
FastEthernet0/17 unassigned YES unset down down
FastEthernet0/18 unassigned YES unset down down
FastEthernet0/19 unassigned YES unset down down
FastEthernet0/20 unassigned YES unset down down
FastEthernet0/21 unassigned YES unset down down
FastEthernet0/22 unassigned YES unset up up
FastEthernet0/23 unassigned YES unset down down
FastEthernet0/24 unassigned YES unset down down
What other info can I supply to resolve this?
Thanks.
Hi Moh,
First, thanks for pointing out that I'm in the wrong section of the forums. My bad. I'll pay closer attention next time.
Second, I tried your suggestion but it failed to work. I cleared the configs of the router so I could start with a clean slate and followed your commands to the letter. The host can't seem to get an IP assigned and the here's what I get with a Show IP DHCP Pool:
Router_1#show ip dhcp pool
Pool vlan1 :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 0
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
192.168.10.1 192.168.10.1 - 192.168.10.254 0
Am I missing something? -
IPv4 private addressing tradeoff: small footprint vs even VLSM length?
Is minimising one's use of the private address space to avoid unnecessary potential overlap worth the hassle of having uneven VLSM lengths?
I am designing my first non-trivial IPv4 addressing scheme in the 10.0.0.0/8 range. Just two small branch offices, but on the access-layer, I'm putting servers, printers, desktops and phones onto separate VLANs. (In fact, when doing L3 at the access-layer, you can quickly end up with multiple VLANs).
Now, few of these VLANs are so big that they'll need a /24 all to themselves. In fact, a /27 for phones and printers will be fine. I'll give a /24 to desktops because 255.255.255.0 is the only mask which semi-technical users understand. Maybe a /25 for servers, which gives a bit of room for further subnetting and putting VMs onto their own VLANs.
I'll summarise each site over DMVPN as a /21 subnet. Neat.
But at each site the routing tables look messy, with the router sporting addresses like 10.9.13.129/27 and there isn't any real pattern between the L3 address and the VLAN number.
Why don't I just dole out /24s to each VLAN? After all, I'm hardly going to minimise conflict with private IP addresses chosen by prospective partners by using /20s instead of /21s for each site (right?), and even if they do conflict, NAT can handle all these situations elegantly (right?).
What about you, would you minimise your footprint in the address space and deal with 'unevenness' in subnet sizes? Or would you be easier on your eyes now and simply bite the bullet if you had to NAT one day?
thanks!
David.
Message was edited by: David Bullock - tries to get the crux of the question closer to the top of text.
I chose Alessio's as the 'correct' answer, since it mentioned route summarisation. But both answers were correct in the sense that they were quite reasonable.
In the end, I decided to go with my varying-length VLSM approach, to keep the address sprawl at each site confined to a /21 subnet. I don't find the varying-length VLSM to be much of a nuisance in practice. I miss out on being able to make the 3rd octet 'line up' with the VLAN, but I feel that's a pretty delicate affair anyhow. Some person just has to give VLAN100 as a 'best practice' for the voice VLAN, for example, and you either start working with a /17 at each site (minimally), or abandon your numbering scheme. You'd really have to go with a /16 for each site to ensure you can number 254 VLANs in this fashion. And that means for each site that you chose, there's a 1-in-256 chance you'll pick the same second octet as someone else. With my scheme, there is a 1 in 8192 chance that I'll pick the same address range, so I've decreased the likelihood of a conflict by a factor of 32.
At the end of the day though, so long as route summarisation works, all other considerations seem to be a matter of taste. -
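The VLSM carve-out David describes, written out as an added example (not his code or config) with Python's ipaddress module: one /21 per site split into a /24, a /25 and two /27s, the check that it still summarises to a single route, and the arithmetic behind the 1-in-8192 versus 1-in-256 collision odds. The site block 10.9.8.0/21 and the allocation order are my assumptions; the per-VLAN sizes are the ones from the post.

```python
import ipaddress

# Per-VLAN prefix lengths are the ones the post settles on; the VLAN order
# and the site block used below are assumptions for this example.
VLAN_PLAN = [("desktops", 24), ("servers", 25), ("phones", 27), ("printers", 27)]

def carve_site(site_block, plan=VLAN_PLAN):
    """VLSM allocation: hand each VLAN the first free block of its size,
    largest prefixes first, keeping the leftover space for future VLANs."""
    free = [ipaddress.ip_network(site_block)]
    alloc = {}
    for name, plen in sorted(plan, key=lambda p: p[1]):
        for i, blk in enumerate(free):
            if blk.prefixlen <= plen:
                chosen = next(blk.subnets(new_prefix=plen))
                alloc[name] = chosen
                # address_exclude returns the remainder as a minimal set of prefixes
                free[i:i + 1] = sorted(blk.address_exclude(chosen))
                break
        else:
            raise ValueError(f"no room for {name} (/{plen}) in {site_block}")
    return alloc, free

def summary_route(alloc, free):
    """Everything allocated plus the leftovers must collapse back to the one
    prefix the site advertises over DMVPN, otherwise the plan leaks routes."""
    routes = list(ipaddress.collapse_addresses(list(alloc.values()) + free))
    if len(routes) != 1:
        raise ValueError(f"site does not summarise cleanly: {routes}")
    return str(routes[0])

def blocks_in_10_slash_8(prefixlen):
    """Number of distinct blocks of this size inside 10.0.0.0/8. Two parties
    each picking one at random collide with probability 1/N, so a /21 per
    site (8192 blocks) is 32 times less likely to clash than a /16 (256)."""
    return 2 ** (prefixlen - 8)

if __name__ == "__main__":
    alloc, free = carve_site("10.9.8.0/21")
    for name, net in alloc.items():
        print(f"{name:9s} {net}")
    print("spare:", [str(n) for n in free])
    print("summary:", summary_route(alloc, free))
    print("clash odds: 1 in", blocks_in_10_slash_8(21))
```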
DHCP issue on Cisco IOS router
Hi experts,
I recently got complaints that some clients can't get an IP address through the DHCP server configured on a Cisco IOS router. I turned on debugging on DHCP events and packets and I see the following logs.
Mar 22 15:33:41: DHCPD: DHCPREQUEST received from client 0100.1b63.f246.8c.
Mar 22 15:33:41: DHCPD: Finding a relay for client 0100.1b63.f246.8c on interface FastEthernet1/0.10.
Mar 22 15:33:41: DHCPD: Seeing if there is an internally specified pool class:
Mar 22 15:33:41: DHCPD: htype 1 chaddr 001b.63f2.468c
Mar 22 15:33:41: DHCPD: remote id 020a0000cf6050011000000a
Mar 22 15:33:41: DHCPD: circuit id 00000000
Mar 22 15:34:02: DHCPD: DHCPREQUEST received from client 0100.1b63.f246.8c.
Mar 22 15:34:02: DHCPD: Finding a relay for client 0100.1b63.f246.8c on interface FastEthernet1/0.10.
Mar 22 15:34:02: DHCPD: Seeing if there is an internally specified pool class:
Mar 22 15:34:02: DHCPD: htype 1 chaddr 001b.63f2.468c
Mar 22 15:34:02: DHCPD: remote id 020a0000cf6050011000000a
Mar 22 15:34:02: DHCPD: circuit id 00000000
Then it will repeat and repeat for this MAC. Any reason why the router is not assigning an IP to it? It actually happens to some other MACs as well... They are from different vendors and located on different switches... I can't really find a pattern for this problem... The DHCP pool hasn't run out and it still has available IPs in it.
Thanks
Hi Alain, thanks for the quick reply. The following contains the output that you required. I hid the prefix of the IP with a.b.c. Thanks!
interface FastEthernet1/0.10
description : DHCP for EXHIBITION VLAN
encapsulation dot1Q 10
ip address a.b.c.1 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
end
r#sh ip dhcp pool
Pool EXHIBIT :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 126
Leased addresses : 47
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
a.b.c.118 a.b.c.1 - a.b.c.126 47
#sh run | in/be dhcp
no ip dhcp use vrf connected
ip dhcp excluded-address a.b.c.1 a.b.c.11
ip dhcp excluded-address a.b.c.126
ip dhcp excluded-address a.b.c.100 a.b.c.101
ip dhcp excluded-address a.b.c.51
ip dhcp pool EXHIBIT
network a.b.c.0 255.255.255.128
default-router a.b.c.1
dns-server 207.172.3.8 207.172.3.9
domain-name xyz.com
#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
a.b.c.19 0168.7f74.6260.9b Mar 23 2011 01:56 PM Automatic
a.b.c.52 0100.4854.897d.17 Mar 23 2011 12:53 PM Automatic
a.b.c.56 0100.4063.e7b5.b2 Mar 23 2011 03:33 PM Automatic
a.b.c.57 0100.1b63.f246.8c Mar 23 2011 03:34 PM Automatic
a.b.c.68 015c.5948.0b97.d6 Mar 22 2011 05:59 PM Automatic
a.b.c.69 0168.7f74.626d.67 Mar 23 2011 07:07 AM Automatic
a.b.c.70 0198.fc11.5027.1d Mar 22 2011 07:04 PM Automatic
a.b.c.71 01dc.2b61.04ba.af Mar 22 2011 10:26 PM Automatic
a.b.c.72 017c.c537.58e6.64 Mar 22 2011 08:37 PM Automatic
a.b.c.73 017c.6d62.3303.57 Mar 23 2011 03:54 AM Automatic
a.b.c.74 0124.ab81.cda4.68 Mar 23 2011 05:01 AM Automatic
a.b.c.75 0100.1e52.8f11.a5 Mar 23 2011 02:47 PM Automatic
a.b.c.76 0100.264a.5fc8.e3 Mar 23 2011 07:13 AM Automatic
a.b.c.77 017c.6d62.38cd.40 Mar 23 2011 02:06 PM Automatic
a.b.c.78 0100.1d4f.f647.79 Mar 23 2011 02:37 PM Automatic
a.b.c.79 0100.26b0.8637.3d Mar 23 2011 01:16 PM Automatic
a.b.c.81 0130.694b.e9de.82 Mar 23 2011 03:19 PM Automatic
a.b.c.82 0100.21e9.6864.80 Mar 23 2011 12:04 PM Automatic
a.b.c.83 0124.ab81.63e6.b5 Mar 23 2011 09:38 AM Automatic
a.b.c.84 0100.16b6.0455.c2 Mar 23 2011 09:42 AM Automatic
a.b.c.85 0100.1302.4c96.9e Mar 23 2011 09:49 AM Automatic
a.b.c.86 0140.a6d9.741c.e0 Mar 23 2011 12:12 PM Automatic
a.b.c.87 0100.264a.b8e9.50 Mar 23 2011 10:16 AM Automatic
a.b.c.88 0140.a6d9.4911.67 Mar 23 2011 03:19 PM Automatic
a.b.c.89 013c.7437.1e32.96 Mar 23 2011 10:27 AM Automatic
a.b.c.90 01d8.3062.689c.4b Mar 23 2011 11:55 AM Automatic
a.b.c.91 0158.946b.4df8.bc Mar 23 2011 10:49 AM Automatic
a.b.c.92 0100.2215.7368.26 Mar 23 2011 10:23 AM Automatic
a.b.c.93 0100.23df.76ea.90 Mar 23 2011 02:33 PM Automatic
a.b.c.94 0124.ab81.708d.83 Mar 23 2011 03:58 PM Automatic
a.b.c.95 0100.1cb3.163d.5a Mar 23 2011 03:13 PM Automatic
a.b.c.96 01cc.08e0.2aeb.96 Mar 23 2011 01:27 PM Automatic
a.b.c.97 0188.c663.d0d0.55 Mar 23 2011 01:57 PM Automatic
a.b.c.98 0100.1b77.08bb.89 Mar 23 2011 01:15 PM Automatic
a.b.c.99 0100.1ec2.47d7.19 Mar 23 2011 12:43 PM Automatic
a.b.c.102 0100.1310.8e74.78 Mar 23 2011 12:41 PM Automatic
a.b.c.103 0100.24d6.58b0.82 Mar 23 2011 01:44 PM Automatic
a.b.c.104 0100.2608.7df2.68 Mar 23 2011 03:23 PM Automatic
a.b.c.106 01c8.bcc8.1a86.41 Mar 23 2011 03:56 PM Automatic
a.b.c.107 01a4.6706.1e54.94 Mar 23 2011 04:08 PM Automatic
a.b.c.108 017c.c537.46ac.0e Mar 23 2011 02:41 PM Automatic
a.b.c.111 0100.037f.0ea2.19 Mar 23 2011 02:47 PM Automatic
a.b.c.112 01d8.3062.75c5.9c Mar 23 2011 03:33 PM Automatic
a.b.c.113 0021.9116.449e Mar 23 2011 03:36 PM Automatic
a.b.c.114 0100.1ff3.46d9.a9 Mar 23 2011 03:40 PM Automatic
a.b.c.116 0104.1e64.4a0d.a3 Mar 23 2011 04:21 PM Automatic
a.b.c.117 0190.27e4.4ae8.94 Mar 23 2011 04:24 PM Automatic
Thanks!
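A small triage helper, added here as an example (it is not from the thread and not a Cisco tool): it parses debug lines and `show ip dhcp binding` rows in the format shown above, lists clients that keep sending DHCPREQUEST while already holding a lease, and counts the addresses actually free once the excluded-address ranges are taken out of the 126 hosts. The sample lines are constructed from the post, with 192.0.2 (TEST-NET-1) standing in for the masked a.b.c prefix.

```python
import re
import ipaddress

# Constructed sample modelled on the post's output. The poster masked the
# prefix as "a.b.c"; 192.0.2 (TEST-NET-1) stands in for it here.
DEBUG_LOG = """\
Mar 22 15:33:41: DHCPD: DHCPREQUEST received from client 0100.1b63.f246.8c.
Mar 22 15:33:41: DHCPD: Finding a relay for client 0100.1b63.f246.8c on interface FastEthernet1/0.10.
Mar 22 15:34:02: DHCPD: DHCPREQUEST received from client 0100.1b63.f246.8c.
Mar 22 15:35:10: DHCPD: DHCPDISCOVER received from client 01aa.bbcc.ddee.ff on interface FastEthernet1/0.10.
"""
BINDINGS = """\
192.0.2.19      0168.7f74.6260.9b       Mar 23 2011 01:56 PM    Automatic
192.0.2.57      0100.1b63.f246.8c       Mar 23 2011 03:34 PM    Automatic
"""
POOL = ipaddress.ip_network("192.0.2.0/25")          # network a.b.c.0 255.255.255.128
EXCLUDED = ["192.0.2.1 192.0.2.11", "192.0.2.126",   # the ip dhcp excluded-address lines
            "192.0.2.100 192.0.2.101", "192.0.2.51"]

MSG_RE = re.compile(r"DHCPD: (DHCP[A-Z]+) received from client ((?:[0-9a-f]{1,4}\.)+[0-9a-f]{1,4})")
BIND_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f.]+)\s")

def parse_bindings(text):
    """Map client-id -> leased address from 'show ip dhcp binding' rows."""
    return {m.group(2): ipaddress.ip_address(m.group(1))
            for m in map(BIND_RE.match, text.splitlines()) if m}

def excluded_addresses(ranges):
    """Expand 'ip dhcp excluded-address lo [hi]' ranges into a set of addresses."""
    out = set()
    for r in ranges:
        lo, *hi = (ipaddress.ip_address(a) for a in r.split())
        hi = hi[0] if hi else lo
        out.update(ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1))
    return out

def free_addresses(pool, excluded, bindings):
    """Addresses the pool can still hand out: hosts minus exclusions minus leases.
    'Total addresses : 126' in the post counts hosts only, not the exclusions."""
    return sorted(set(pool.hosts()) - excluded - set(bindings.values()))

def requesters_holding_lease(log, bindings):
    """Client-ids that keep sending DHCPREQUEST and already have a binding: the
    first thing to check when a client loops without ever being acknowledged."""
    kinds = {}
    for m in filter(None, map(MSG_RE.search, log.splitlines())):
        kinds.setdefault(m.group(2), set()).add(m.group(1))
    return {cid: bindings[cid] for cid, k in kinds.items()
            if "DHCPREQUEST" in k and cid in bindings}

if __name__ == "__main__":
    b = parse_bindings(BINDINGS)
    print("looping clients with a lease:", requesters_holding_lease(DEBUG_LOG, b))
    print("free addresses:", len(free_addresses(POOL, excluded_addresses(EXCLUDED), b)))
```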