WLC Per VLAN STP

Hello,
I was looking quickly into spanning tree integration of the 440x with wired switches but have not set up a test yet. Maybe you already know whether what they coded is a per-VLAN STP or a port-based spanning tree. Have you got any experience in the operation of the STP? Thanks in advance for your feedback.
Best,
Michal

Hello Eric,
Thank you for your feedback regarding STP in 440x switches. Indeed the feature is not critical, but I checked it again by mirroring the ports and it is not 'talking' with the per-VLAN STP of the 3560 or 3750. From the integration point of view you're right and we'll usually have LAG in place. Thanks for your input.
Michal

Similar Messages

  • SF200 vs C3560-X and per-VLAN RSTP: Turn off STP on SF200s?

    I have a network with pairs of 3560-X switches servicing nearly 150 access switches (44 access switches per pair) and several hundred clients. The access switches are a mixture of SF100-D (unmanaged) and SF200 (managed). I have an odd business requirement that no more than 100 clients can reside in a LAN, so I have VLANs set up on the 3560-X pairs. They're doing load balancing between the VLANs using per-VLAN rapid spanning-tree protocol, and for the SF100-D endpoints this load balancing is working out as I planned. Failover works as intended whether that be a cable failure or a 3560-X failure.
    With the SF200s, that load balancing is not working, instead sending all traffic to one 3560-X for all VLANs, and it's because the SF200s do not support per-VLAN RSTP. So I thought, why not just turn STP off on the SF200s? That would take them out of the spanning tree process and make them behave like SF100-Ds.
    When I try that, I can observe ports on the 3560-Xs forwarding or blocking VLANs as I intended; even if I accept traffic on alternating VLANs on the SF200, the 3560-Xs show me it's blocking or forwarding each VLAN on those ports as I wanted them to. Multicast filtering still works, as does other SF200 functionality.
    But is this a good idea? MSTP isn't an option for me since the SF200 doesn't support MSTP either, and the sheer volume of access switches makes the 200s a better bargain than 300s. I found an example here that explains how to do it with MSTP and SG300s but I don't like the idea of access switches being STP root, and there would be too many of them to manage that.
    (As an aside, the 3560-X pairs do IP routing up to our cores, so any STP traffic remains isolated to that pair and any access switch that speaks STP. This way, I don't affect the cores with any STP or cabling mistakes caused to a given pair.)

    Thanks for confirming what I found. I'll keep the setup like this, then.
    As for port security, the access switches are in locked cabinets at their locations, and the distribution switches are in locked and ventilated closets. Getting to either of those requires signing keys out, someone watching behind whoever's working in there, audit trails, and so on.
    And even with all of that, endpoint devices get changed so often that port security would be a big, big support headache. So I think we're good.
    (I practice port security in other locations that are more accessible, and that has caught some users thinking they can cheat the system.)

  • One logical network per VLAN?

    I am not using network virtualization and am currently using traditional VLANs. What I have done currently is set up one logical network and one network site, and that network site contains all my VLANs (23 right now).
    What I noticed is that when I create a cloud I can't choose the network... I can only choose the logical switch, which will give that cloud complete access to all VLANs, right?
    So in my situation would it be better to just create a logical switch for each VLAN we have? Keep in mind this is a multi-tenant environment, so that is why there are so many VLANs.
    Most of the videos I find go into Network Virtualization which is not what I'm trying to do :-(

    Hi se
    This is how I do it (I don't have WLSE):
    - Create a ssid per vlan in the AP.
    - Configure switch to AP connection as a trunk.
    - If needed, configure helper addresses in switch.
    If you need routing between VLANs, you will need a router, afaik AP cannot do it.
    HTH

  • 4500 Aggregate policers and Per-Port Per-VLAN QoS

    Hello,
    I want to limit the aggregate traffic of multiple VLANs on a trunk using an aggregate policer. I also need Per-Port Per-VLAN QoS for other VLANs on the same trunk.
    To cut a long story short, will the example config below work?
    qos aggregate-policer pol_aggr_10Mbit 10m 12.5k conform-action transmit exceed-action drop
    policy-map Aggr_10Mbit
     class class-default
      police aggregate pol_aggr_10Mbit
    policy-map Limit_10M
     class class-default
      police 10m 12.5k conform-action transmit exceed-action drop
    interface GigabitEthernetx/y
     switchport trunk encapsulation dot1q
     switchport mode trunk
     ! Aggregate 10Mbit VLANs
     vlan-range 208,316,909
      service-policy output Aggr_10Mbit
     ! 10 Mbit VLANs
     vlan-range 20,50-100
      service-policy output Limit_10M
    Regards, Jan

    Your config looks good. Actually, per-port per-VLAN QoS (PVQoS) offers differentiated quality of service to individual VLANs on a trunk port. It enables service providers to rate limit individual VLAN-based services on each trunk port to a business or a residence. In an enterprise Voice-over-IP environment, it can be used to rate limit the voice VLAN even if an attacker impersonates an IP phone. A per-port per-VLAN service policy can be separately applied to either ingress or egress traffic.

  • RV220W Max DHCP Users (Max Connections) per Vlan

    We assign (reserve by MAC actually) static IPs to all of our devices.  Over time we have gotten rid of some devices but haven't begun (or finished really) re-using the old IPs.  On our WRVS4400N v2 routers we are able to set the max number of DHCP users per Vlan.  This prevents unauthorized devices trying to connect to our LAN.
    For example.  I set the range from 192.168.1.100 - 192.168.1.103.  IPs 100, 101, and 103 are in use (reserved via MAC address).  We set max number of DHCP users to 3.  This prevents someone from gaining access to 192.168.1.102.  Does this make sense?  Or at least this was the initial goal and it tested out successfully back when we implemented it.
    How can I do the same with the RV220W?  I can set the range, assign static IPs (reserve IPs by MAC address), but can't keep others from gaining access to our LAN via the unused IPs (not assigned a static IP).
    My initial thought was to create static IPs (for the unused IPs) using dummy MAC addresses.  I'm sure there is a much better way of accomplishing what I am trying to do.

    I still want to use the DHCP server because we don't configure the IPs in the devices.  I shouldn't have mentioned static IPs.  That was bad word choice on my part.  We reserve IPs by MAC address in the router, then usually set the maximum number of DHCP users in the router.  The RV220W seems to only allow start and end IP addresses.

  • WLC 5508, vlan select, reserved address in external DHCP server

    Hi guys,
    I have a deployment with a WLC 5508 running version 7.0.116.0, APs in local mode, and the VLAN select feature enabled. The issue is that the reserved IP address in the external DHCP server does not work. The DHCP server contains a reserved IP address associated with a MAC address, but the IP assignment does not match the policies in DHCP. All other services operate normally.
    This reserved assignment worked before the WLAN was modified to use the VLAN select feature. Please help me improve this situation.
    Thanks.
    Best regards

    Hello Abhishek, thanks for your quick answer....
    The link was a document used for the deployment, but it does not specify anything about the reserved IP address for a particular host. In other words, the reserved IP address (through MAC address) in the external DHCP server does not work when "vlan select" is enabled.

  • WLC- dynamic Vlan assignment with Radius

    Hello, we would like to use this feature in our company and because of that I am now testing it. But I found one problem.
    I created one testing SSID and two VLANs on the WLC. On ACS I use the IETF attributes (064, 065, 081) for my account and I am changing the VLAN ID (081) during testing.
    It works with LEAP but when I use PEAP-GTC (which we use commonly in our company) the ip address is not assigned properly (ip which was assigned before remains).
    Could you please help me?

    There is a good document which explains how to configure Dynamic VLAN Assignment with a RADIUS Server and Wireless LAN Controller. This will help you. You will find the document at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

  • Number of APs per VLAN

    I know that it is a best practice not to put more than 20 access points in the same VLAN where the management interface of the controller is. But I would like to know the recommendation about other VLANs.
    I have serious problems when I put more than 20 APs in the same VLAN: I lose connectivity with the other APs and I have to disconnect the 21st AP in order to recover communication with all the APs.
    I'm using WLC-4404, AP 1522 and Enterasys switches. What could be the reason for this problem?

    You can have up to 60 APs on a subnet other than the subnet the WLC is on. This is Cisco's recommendation. The reason why is the amount of broadcast generated by the APs.

  • Max. number of WLCs per WCS

    Hi,
    I know this is a fairly basic question but I can't find answer in WCS Q&A's etc.
    I'm looking at a deployment where there will be many small sites with only 5 or 6 APs and a 2106 WLC. Each site will be in a different mobility group.
    I know WCS licensing counts APs, but is there a max. number of WLCs?
    Thanks, MH

    Hi Mark,
    The supported number of WLCs per WCS is based on the WCS Platform used :)
    Minimum server requirements
    Cisco WCS High-End Server
    • 3000 lightweight access points, 1250 standalone access points, 750 wireless LAN controllers
    • Two Intel® Xeon Dual Core CPU's; 3.0 GHz, 8 GB RAM, 200 GB HDD
    Cisco WCS Standard Server
    • 2000 lightweight access points, 1000 standalone access points, 150 wireless LAN controllers
    • Intel® Dual Core CPU; 3.2 GHz, 4 GB RAM, 80 GB HDD
    Cisco WCS Low-End Server
    • 500 lightweight access points, 200 standalone access points, 50 wireless LAN controllers
    • Intel® CPU; 3.06 GHz, 2 GB RAM, 30 GB HDD
    CiscoWorks WLSE Models 1130-19 or 1133 running Cisco WCS
    • 1500 lightweight access points, 100 wireless LAN controllers
    • Intel Pentium 4 CPU; 3 GHz, 3 GB RAM, 38 GB HDD
    http://www.cisco.com/en/US/prod/collateral/wireless/ps5755/ps6301/ps6305/product_data_sheet0900aecd802570d0.html
    Hope this helps!
    Rob

  • 2106 wlc different vlan accessibility

    I have one 2106 WLC and six 1131AG LAPs that are going to be placed in three VLANs. All three VLANs are created and configured on a 3550G switch.
    I created two additional virtual interfaces on the WLC, tagged it with appropriate vlan number and connected the port with untagged vlan identifier to a dot1q enabled trunk port on the 3550 switch. That is,
    man int - untagged, port 1
    vlan2, tagged -2, port 2,3
    vlan3, tagged -3, port 4,5
    vlan4, tagged - 3, port 6
    and port 1 is connected to a trunk port on the 3550G switch with dot1q.
    I am not able to reach the created VLAN interfaces on the WLC!?
    Kindly help?

    jeff.velten, wouldn't that break the very use of the WLC? The documents I referred to from Cisco recommend connecting the WLC to a trunked port. Like here: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00805e7a24.shtml
    So how are the vlan tags from the wlc not passed on to the trunk port? Is there something I missed, somewhere?

  • WLC DHCP & VLAN issue

    Hello,
    I configured a new interface and VLAN on my WLC 5508. The WLC acts as DHCP proxy.
    I also enabled Flex Connect local switching. Then I removed the IP helper under the VLAN settings on my switch because, as far as I know, the WLC acts as IP helper.
    What is still not clear to me is where I have to insert the DHCP server address on my WLC controller. Must I insert the DHCP server IP under my management interface, or where do I have to enter the DHCP server IP?
    I tested this with the new VLAN interface and added the DHCP server IP, but without success.
    Thanks for help.
    Regards

    Hi,
    I added an IP helper under the L3 configuration without success. Same result: WLAN clients don't get an IP.
    I configured the following:
    Added a new VLAN to the switch with layer 3 and added an IP helper on the L3 switch.
    Added the VLAN to the WLC controller with a new SSID and interface for this VLAN.
    Enabled Flex Connect under the SSID.
    Did a test with a wired client directly on a switch without problems.
    If I try to connect over the WLAN then the client doesn't get an IP.
    Regards

  • CSS11800 mac table per switch or per VLAN

    Hello
    I have a scenario where the CSS11800 is seeing the same MAC address from multiple interfaces on an Extreme switch, as this is the way the Extreme works.
    Does the CSS11800 have a separate MAC database for each VLAN configured, or does it have 1 per switch?
    If it is per switch then I have a problem where the packets are being forwarded to the wrong interface sometimes.
    Is there any way to resolve this on the Arrowpoint side as it cannot change on the extreme side.
    Thanks
    Micheal

    Often times complex troubleshooting issues are best addressed in an interactive session with one of our trained technical assistance engineers. While other forum users may be able to help, it’s often difficult to do so for this type of issue.
    To utilize the resources at our Technical Assistance Center, please visit http://www.cisco.com/tac and to open a case with one of our TAC engineers, visit http://www.cisco.com/tac/caseopen
    If anyone else in the forum has some advice, please reply to this thread.
    Thank you for posting.

  • WLC & Switch vlan-int communication issues

    Hello,
    I have a Cisco switch configured with 3 VLANs (1, 3 & 6). I'm using VLAN 1 as the management VLAN for communication between the WLC and the switch.
    I have 1 management interface and 2 dynamic interfaces created on the WLC. The management interface is using an untagged VLAN, and from the Cisco switch I can ping the WLC management interface IP. But I cannot ping the other WLC dynamic interfaces, although all the subnet IPs are configured properly. Also, Wi-Fi clients cannot connect through the SSIDs of those dynamic interfaces.
    Can anyone help, please? Here are some config outputs from my WLC:
    (Cisco Controller) >show wlan summary
    Number of WLANs.................................. 3
    WLAN ID  WLAN Profile Name / SSID               Status    Interface Name
    1        FMFB-WIFI-MGT / FMFB-WIFI-MGT          Enabled   management
    2        FMFB-HO-LAN / FMFB-HO                  Enabled   vlan-3
    3        FMFB HO Guest / FMFB-Guest             Enabled   vlan-6
    (Cisco Controller) >show interface summary
    Number of Interfaces.......................... 4
    Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
    management                       1    untagged 192.168.2.239   Static  Yes    No
    virtual                          N/A  N/A      1.1.1.1         Static  No     No
    vlan-3                           1    3        192.168.100.239 Dynamic No     No
    vlan-6                           1    6        192.168.110.239 Dynamic No     No
    (Cisco Controller) >
    (Cisco Controller) >show interface detailed management
    Interface Name................................... management
    MAC Address...................................... 50:06:04:ca:97:20
    IP Address....................................... 192.168.2.239
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 192.168.2.250
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. untagged
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1
    Primary Physical Port............................ 1
    Backup Physical Port............................. Unconfigured
    DHCP Proxy Mode.................................. Global
    Primary DHCP Server.............................. 192.168.2.250
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    mDNS Profile Name................................ Unconfigured
    AP Manager....................................... Yes
    Guest Interface.................................. No
    L2 Multicast..................................... Disabled
    --More-- or (q)uit
    (Cisco Controller) >
    (Cisco Controller) >show interface detailed vlan-3
    Interface Name................................... vlan-3
    MAC Address...................................... 50:06:04:ca:97:24
    IP Address....................................... 192.168.100.239
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 192.168.100.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 3
    Quarantine-vlan.................................. 0
    NAS-Identifier................................... HO_WLC
    Active Physical Port............................. 1
    Primary Physical Port............................ 1
    Backup Physical Port............................. Unconfigured
    DHCP Proxy Mode.................................. Global
    Primary DHCP Server.............................. Unconfigured
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    mDNS Profile Name................................ Unconfigured
    AP Manager....................................... No
    Guest Interface.................................. No
    --More-- or (q)uit
    L2 Multicast..................................... Enabled

    This is my switch port config:
    interface FastEthernet0/23
     description  connected-to-ap
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1,3,6
     switchport mode access
     no ip address
    interface FastEthernet0/24
     description  connected-to-WLC
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1,3,6
     switchport mode access
     no ip address
    I also enabled LAG, but still with no result.
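
Added example, not part of the original post: a Python check that compares the WLC interface table with the switch port stanza quoted in the post and lists WLC interfaces whose VLAN tag the port cannot carry. The function names are hypothetical, the input is copied from the post, and only the `switchport` forms shown there plus `trunk native vlan` are parsed.

```python
import re

# Input copied from the post above: rows of the WLC "show interface summary"
# output and the switch port that faces the WLC.
WLC_SUMMARY = """\
management                       1    untagged 192.168.2.239   Static  Yes    No
virtual                          N/A  N/A      1.1.1.1         Static  No     No
vlan-3                           1    3        192.168.100.239 Dynamic No     No
vlan-6                           1    6        192.168.110.239 Dynamic No     No
"""
SWITCH_PORT = """\
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,3,6
 switchport mode access
"""

# name, physical port (number or LAG), VLAN (untagged or id), IPv4 address
ROW = re.compile(r"^(\S+)\s+(\d+|LAG)\s+(untagged|\d+)\s+\d+\.\d+\.\d+\.\d+")


def parse_wlc_summary(text):
    """Return [(name, port, vlan)]; vlan is None for an untagged interface."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header lines and the portless virtual interface do not match
            vlan = None if m.group(3) == "untagged" else int(m.group(3))
            rows.append((m.group(1), m.group(2), vlan))
    return rows


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '20,50-100' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_switchport(text):
    """Extract mode, allowed VLANs (None = all) and native VLAN (default 1)."""
    port = {"mode": None, "allowed": None, "native": 1}
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"switchport mode (\S+)", line):
            port["mode"] = m.group(1)
        elif m := re.match(r"switchport trunk allowed vlan ([\d,\- ]+)$", line):
            port["allowed"] = expand_vlans(m.group(1))
        elif m := re.match(r"switchport trunk native vlan (\d+)", line):
            port["native"] = int(m.group(1))
    return port


def check(wlc_rows, port):
    """Return one finding per WLC interface the switch port cannot serve."""
    findings = []
    allowed, native = port["allowed"], port["native"]
    for name, _, vlan in wlc_rows:
        if port["mode"] != "trunk":
            # An access port carries one untagged VLAN, so a WLC interface
            # that tags its frames is not reachable through it.
            if vlan is not None:
                findings.append(f"{name}: tagged VLAN {vlan}, but port mode is {port['mode']}")
        elif vlan is None:
            if allowed is not None and native not in allowed:
                findings.append(f"{name}: untagged, but native VLAN {native} is not allowed")
        elif allowed is not None and vlan not in allowed:
            findings.append(f"{name}: VLAN {vlan} is not in the allowed list")
        elif vlan == native:
            findings.append(f"{name}: VLAN {vlan} is tagged on the WLC but native on the switch")
    return findings


if __name__ == "__main__":
    for finding in check(parse_wlc_summary(WLC_SUMMARY), parse_switchport(SWITCH_PORT)):
        print(finding)
```
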

  • WLC 4402 vlan questions

    I am trying to implement a Cisco Wireless solution. I have some Cisco knowledge, but it is limited. I did successfully configure the WLC 4402 with 1200 series APs. Created two WLANs, each with its own SSID. SSID "guest" uses WEP, and gets addresses via the internal DHCP server. The DHCP range I chose exists within our current network, something I need to change according to the documentation I have read. This network should not see our network, but can browse the internet. SSID "secure" uses WPA with MAC authentication. I can connect to either SSID and access all network resources. However this only works with two caveats.
    1) I have to use the management interface
    2) The DHCP range for the guest network needs to fall within our network
    Trying to implement any kind of security for the "guest" network has not gone so well. I have problems just about at every point. After reading some documents, I decided I needed to add 2 interfaces for the 2 WLANs. My interface info is below.
    Interface Name   Port  Vlan Id   IP Address     Type     Ap Mgr
    ap-manager       LAG   untagged  10.1.104.154   Static   Yes
    guest            LAG   10        192.168.10.10  Dynamic  No
    management       LAG   untagged  10.1.104.153   Static   No
    production       LAG   20        192.168.20.20  Dynamic  No
    service-port     N/A   N/A       192.168.1.1    Static   No
    virtual          N/A   N/A       1.1.1.1        Static   No
    My intention was to apply an access list to the guest VLAN so as to limit its traffic. If I apply the guest interface - VLAN 10 (instead of the management-VLAN 0) it doesn't work. I found a doc that addresses this so I added trunking to the interface the WLC is attached to on our 6509 (CatOS) switch.
    MySwitch (enable) set trunk 2/6 on dot1q
    Trunking is enabled, but no dice. I thought this might be a routing issue between my switch and my gateway. So I changed the VLAN on the management interface. I thought this would at the very least allow me to ping the switch, but I was wrong. I changed that back and added this entry into our gateway
    interface Vlan10
     ip address 192.168.20.1 255.255.255.0
    I thought that way the wireless controller would be able to see the IP address on the router, but it didn't work.
    Also I cannot use the new DHCP range I chose (192.168.10.x), I assume because it is not 10.1.x.x, so it can't find it.
    I would really appreciate some help from someone who has done this. I am very confused.

    Hi
    Okay number of things here.
    Firstly you are correct about needing a trunk interface between the WLC and your switch. Make sure that all the vlans you have created are allowed on the trunk link.
    On the 6509 run
    "sh int trunk" and confirm that the status is up.
    You will need to create vlan interfaces for each of your WLC vlans on the 6500. You say you have created vlan 10 interface on the 6500.
    What is the default gateway on the WLC set to ?
    For DHCP addressing to work you will need to use the "ip helper-address <DHCP IP address>" command under the VLAN interface, e.g.
    interface Vlan10
     ip address 192.168.20.1 255.255.255.0
     ip helper-address <DHCP server address>
    You need to do this for all vlan interfaces you want to pick IP addresses up for clients.
    HTH
    Jon

  • QoS roles on WLC, Per user or per conection?

    Hi guys.
    This morning I was talking with my colleagues about QoS roles on the WLC and their behaviour, and a question came up, because I know that when I apply a QoS role or QoS profile it is a per-user role. OK, said my colleague, but what is the behaviour when several devices are using the same user with a QoS role applied?
    Good question. I always assumed that this QoS role applies to every different connection, managing it like a new user connection; that is, every new connection with the same user (if the QoS role is, for example, 256k for this user) will have a bandwidth of 256k. But now I'm not sure whether the WLC manages every connection this way or divides the bandwidth defined for that user into as many parts as there are connections with this user (for ten connections, for example, 25,6k).
    Can anyone tell me what the behaviour of the WLC is in this scenario?
    Thanks in advance.
    Best Regards.

    My2c.
    If you apply the values on QoS profile instead of User profile then it is applicable to users connected to that WLAN mapped QoS profile. This way total no. of users will divide the available bandwidth. However, user with p2p application might consume all available bandwidth.
