WRVS4400N VLANs/SSID/DHCP issue
Hi all,
It would be great if someone could help me with my problem.
The problem is our WRVS4400N Wi-Fi router configuration.
Network description: we need 2 separate Wi-Fi networks, one for guests and one for internal access. I configured them on the router, and also configured each of them on a different VLAN: guests on VLAN 200 and internal use on the default VLAN 1.
VLAN 1 is configured as DHCP relay and it is working pretty well.
VLAN 200 is configured as DHCP, and the problem begins here.
Somehow on VLAN 200 I get DHCP from our external DHCP server.
The WRVS4400N is connected as follows: LAN port 1/VLAN 200 is connected to a firewall port (configured as VLAN 200), and LAN port 4/VLAN 1 is connected to our main switch, which is also connected to the firewall.
I guess that my knowledge of networking is not so good...
How can I prevent our internal DHCP from communicating with VLAN 200?
Any help will be very much appreciated.
Hi Rich,
You cannot have different L3 VLANs sharing the same subnet.
Each VLAN must have its own subnet, and then you have a routing device routing between both VLANs.
You should also have a DHCP pool for VLAN 111 configured on the DHCP server.
Even if you have an ip helper address configured (and this should be done on the VLAN 111 interface of the switch), you still need a DHCP pool for VLAN 111, because the DHCP discovery is coming in on VLAN 111.
Please take a look at this document:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml
It explains how to configure 2 SSIDs on 2 VLANs and a DHCP pool (on the switch itself) for each VLAN.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
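The symptom in the question above (a guest VLAN receiving leases from the internal DHCP server) is usually found by looking at who answers DHCP on each VLAN. The following is an added example, not code from the thread or from Cisco: it parses raw DHCP OFFER/ACK payloads, pulls out the server identifier (option 54), and flags any offer whose server is not the one expected for that VLAN. The allowlist, MAC addresses, server addresses and the captured payloads are all constructed for the demonstration.

```python
"""
Added example (not from the original thread): parse DHCP OFFER/ACK messages
seen on a VLAN and flag any whose server identifier (option 54) is not the
DHCP server expected for that VLAN. Allowlist and packets are constructed.
"""
import struct
from ipaddress import IPv4Address

# Hypothetical allowlist: the only DHCP server allowed to answer on each VLAN.
EXPECTED_SERVER = {
    1: IPv4Address("192.0.2.10"),     # internal DHCP, reached via relay
    200: IPv4Address("192.0.2.200"),  # guest DHCP
}

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the TLV options of one DHCP message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops = struct.unpack("!BBBB", payload[:4])
    xid = struct.unpack("!I", payload[4:8])[0]
    yiaddr = IPv4Address(payload[16:20])      # address being offered
    chaddr = payload[28:28 + hlen]            # client hardware address
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad option, single byte
            i += 1
            continue
        if code == 255:        # end option
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg = {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr.hex(":"),
           "type": MSG_TYPES.get(options.get(53, b"\x00")[0], "UNKNOWN")}
    if 54 in options:
        msg["server_id"] = IPv4Address(options[54])
    return msg


def classify_offer(vlan: int, payload: bytes) -> str:
    """Return 'ok', 'rogue' or 'ignore' for one server-originated message on a VLAN."""
    msg = parse_dhcp(payload)
    if msg["op"] != 2 or msg["type"] not in ("OFFER", "ACK"):
        return "ignore"
    expected = EXPECTED_SERVER.get(vlan)
    if expected is None or msg.get("server_id") != expected:
        return "rogue"
    return "ok"


def build_offer(xid: int, yiaddr: str, chaddr: bytes, server_id: str, msg_type: int = 2) -> bytes:
    """Construct a minimal DHCP OFFER/ACK payload (test data, not a capture)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)   # op=BOOTREPLY, htype=1, hlen=6
    hdr += bytes(4)                              # ciaddr
    hdr += IPv4Address(yiaddr).packed            # yiaddr
    hdr += IPv4Address(server_id).packed         # siaddr
    hdr += bytes(4)                              # giaddr
    hdr += chaddr.ljust(16, b"\x00")             # chaddr (16 bytes)
    hdr += bytes(192)                            # sname (64) + file (128)
    opts = bytes([53, 1, msg_type]) + bytes([54, 4]) + IPv4Address(server_id).packed + b"\xff"
    return hdr + DHCP_MAGIC + opts


def audit(captures) -> list:
    """Summarise (vlan, payload) tuples as (vlan, verdict, server_id, offered_ip)."""
    report = []
    for vlan, payload in captures:
        msg = parse_dhcp(payload)
        report.append((vlan, classify_offer(vlan, payload),
                       str(msg.get("server_id", "-")), str(msg["yiaddr"])))
    return report


# Constructed sample: the guest VLAN sees a legitimate guest offer and, right
# after it, an offer from the internal server, which is the symptom above.
SAMPLE = [
    (200, build_offer(0x1234, "10.200.0.50", bytes.fromhex("020000000001"), "192.0.2.200")),
    (200, build_offer(0x1234, "10.1.0.77", bytes.fromhex("020000000001"), "192.0.2.10")),
    (1, build_offer(0x5678, "10.1.0.78", bytes.fromhex("020000000002"), "192.0.2.10")),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

In practice the `(vlan, payload)` tuples would come from a capture on the trunk or on the guest port, with the VLAN taken from the 802.1Q tag; a "rogue" verdict with the internal server's identifier on the guest VLAN points at a leak between the two VLANs (a port carrying both, or the relay listening where it should not) rather than at the DHCP server itself.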
Similar Messages
-
802.1X dynamic VLAN assignment DHCP issue (Vista client)
I am labbing dynamic VLAN assignment and have run into a small problem. The switchport is successfully changing to the new VLAN, but my test PC seems to get an IP address in the native data VLAN before being moved to the newly assigned dynamic VLAN. So when the switch changes the VLAN, the PC keeps its old IP address and nothing talks any more.
Is this a Vista issue? I thought all of these problems were just issues in XP? Do I need to tweak any interface dot1x timers?
(Cat3750 with 12.2.55 / ACS5.1. Everything else is running fine by the way.)
If I do a show run on the switchport the config hasn't changed, but I don't expect it to, as it's not a permanent config change that you would want to be saved by a different admin user saving the config. You can see in the debug report that it is changing the VLAN:
Apr 19 09:22:56.263: %AUTHMGR-5-START: Starting 'dot1x' for client (0014.c209.896f) on Interface Gi1/0/19 AuditSessionID C0A8FE250000000900291476
Apr 19 09:22:58.604: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/19, changed state to up
Apr 19 09:22:59.560: %DOT1X-5-SUCCESS: Authentication successful for client (0014.c209.896f) on Interface Gi1/0/19 AuditSessionID
Apr 19 09:22:59.568: %AUTHMGR-5-VLANASSIGN: VLAN 12 assigned to Interface Gi1/0/19 AuditSessionID C0A8FE250000000900291476
Apr 19 09:22:59.585: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan12, changed state to up
Apr 19 09:23:00.307: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/19, changed state to up
Apr 19 09:23:00.315: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0014.c209.896f) on Interface Gi1/0/19 AuditSessionID C0A8FE250000000900291476
as well as checking with the show int switchport command, and it is in VLAN 12, which is the dynamically assigned VLAN.
The DHCP server is the Cat3750 for all local VLANs.
-
Hi all,
I have a CISCO RV042 in a network with 2 subnets, 192.168.1.x and 192.168.2.x, and I want multiple DHCP on both subnets. How can I do that?
If I use a second router for the second subnet (192.168.2.x) to use its DHCP, will the bandwidth management work? Do I need port VLANs?
The network is like this:
The RV042 is the main router; through it we access the internet. It also supplies DHCP for 192.168.1.x, and I enabled multiple subnets for 192.168.2.x.
The reason I want 2 subnets is because I have 2 access points for wireless clients, and I want to use rate control on WAN with bandwidth management from the RV042 to give wired clients more bandwidth than wireless clients.
I know that the RV042 doesn't supply multiple DHCP like the RV180, but I needed dual WAN.
Thank you
Hi,
Thank you for the answer, but my issue remains; below I tried to write a little bit more.
If I make the configuration like this:
On CISCO RV042:
Port based VLANs:
VLAN 1 on LAN 1
VLAN 2 on LAN 2
On AT-FS750/24 switch:
Port-based VLANs:
VLAN 1 for 2,3,4 ports where 2,3 are the AP's (TL-WA901ND) and 4 uplink to RV042
VLAN 2 for the rest, let's say 5,6,7,8,9, etc ports that are for wired clients.
Tagged-based (802.1q):
VLAN ID 11 on ports 2,3,4, where ports 2,3 (tagged) are the APs (TL-WA901ND) and port 4 (untagged) is the uplink to the RV042.
VLAN ID 22 on ports 2,3,4, where ports 2,3 (tagged) are the APs (TL-WA901ND) and port 4 (untagged) is the uplink to the RV042.
On AP's (TL-WA901ND):
Multi-SSID with tagged based VLAN:
SSID 1 on VLAN ID 11
SSID 2 on VLAN ID 22
If I use the second router (not supporting VLANs) only for DHCP for the wired clients with the configuration:
-In the WAN I'll plug RV042 LAN 2 (VLAN 2) and from its LAN 1 I'll connect LAN 5 (VLAN 2) in the switch.
second router WAN:
IP: 192.168.2.2
SM: 255.255.255.0
DG: 192.168.2.1
DNS: 192.168.2.1
For DHCP
LAN1:
IP: 192.168.3.3
SM: 255.255.255.0
Will it work to split wireless from wired?
How can I split the 2 wireless networks into guest and business more efficiently?
Let's say the wireless clients on "SSID 1" have to have a guaranteed bandwidth!
How can I set it up so the wireless clients get a different IP class on the 2 wireless networks?
Can I use the rate control from RV042 on the IP (192.168.2.2) of the second router?
My problem is that I need all of the subnet available from the RV042 DHCP for the wireless clients (192.168.1.x), because the RV042 can route only in class C (254).
I configured the static IPs in the 192.168.2.x subnet for Ethernet equipment; I used multiple subnets from the RV042.
At the moment I use CoS from the switch for the tagged VLAN to prioritize the traffic, but this is no longer an option for me.
Can a CISCO RV180 make a difference in this configuration?
Thank you,
Dragos
-
WRVS4400N - Multi SSID problem
Hi,
I recently purchased this router (WRVS4400N), excellent product!
I've updated the firmware to the latest version available (WRVS4400Nv2-fw-2.0.0.8-K9).
Now I'm trying to enable Multiple BSSID to create a second SSID.
I've tried all possible combinations: b/g/n, security settings, VLAN, SSID Isolation; I've tried with WPA/WPA2, WEP, and without security.
All wireless clients can connect to the first SSID without any problem, but can't connect to the second SSID.
Is it my configuration error? Is it a known firmware issue?
Anyone know how to configure a second WLAN?
Best Regards
Fabio Castagnino
The goal is to create one WLAN (wifi) with WPA2 and MAC filtering that connects directly to the physical network with server access, and the other WLAN (public) with only WPA2 protection and in an isolated VLAN, for the guests.
Suppose I have two SSIDs, wifi and public (the second in the router web UI), both WPA2 Personal without MAC filtering and without VLAN.
I use only PCs.
With my laptop (Windows 7) and two other laptops (Win XP, Win 7), I can see both SSIDs in the wireless list and can connect to the first SSID.
When I try to connect to the second SSID, the connection fails.
In the attachment you can see the actual router configuration.
In the page Status -> Wireless LAN, ONLY one SSID is displayed (but is this a web UI bug?).
Thanks in advance
-
10.5 DHCP issues with Wireless - self assigned IPs?
We're having an issue with Mac OSX 10.5.4 clients, running the latest software updates, not getting an IP address via DHCP on our wireless network.
We're using Cisco APs, with multiple VLANs & SSIDs. They authenticate, but get automatic self-assigned IP addresses. None of our PC clients are experiencing this issue, nor older 10.4.x OSX clients. This looks like a bug, from what I was able to discover:
http://forums.macrumors.com/showthread.php?t=384947
Is Apple aware of this, and/or working on a fix? I've seen many issues over the last year or so with Airport clients and wireless connectivity.
This is a "user to user" help forum that is designed as a self-help system, independent of Apple's Technical Support system. No one here can say what Apple knows or is doing about a specific issue (pure speculation is discouraged). We share experience and suggest possible solutions or workarounds.
One way to ensure that your issue is brought to Apple's attention is to use their feedback form for OSX - http://www.apple.com/feedback/macosx.html
Since the link you posted is from late last year, there have been many updates to Leopard. Some of the updates mention network reliability. Even though Apple has stated that the PRAM chips don't control network connections, I have had some luck by zapping the PRAM - http://support.apple.com/kb/HT1379 - Remember to check your System Prefs for things like date/time settings after you zap.
-
Hello All,
I am facing a very weird DHCP issue and would like to know your thoughts on it.
I have my wired clients on VLAN 1 and wireless clients (EAP-PEAP) on VLAN 2.
We are facing an issue where multiple wired clients who were on access port VLAN 1 are receiving IP addresses from the wireless subnet (VLAN 2); their DHCP server was the WLC virtual gateway IP address (1.1.1.1). This is causing an outage for a few wired clients.
The WLC trunk does not have VLAN 1 allowed on its ports, and all APs are in local mode and all on an access VLAN.
I'm not entirely sure what's causing this, but the only way I think this is possible is that a client laptop has its network connections bridged, its wired NIC on VLAN 1 and wireless NIC on VLAN 2, acting like a WGB, which is causing new wired clients' (VLAN 1) DHCP broadcast requests to be forwarded through the bridge-mode laptop to the AP --> WLC. Do you think this is possible??
I haven't been able to identify which client is causing this issue yet.
Has anyone faced a similar issue, and is there any way to block this through WLC/ACS policy?
Thanks
Jino
Hi,
Might we consider making use of Network Monitor to take a look at the traffic for the 1.1.1.1 address?
How to use Network Monitor to capture network traffic
Download link here:
Microsoft Network Monitor 3.4
Best regards
Michael Shao
TechNet Community Support
-
We've started 're-vlanning' our main location here, breaking up depts
into their own vlans.
All seems ok so far, aside from a real doozy.
For the IT vlan, we have one address that will not talk to our web
content mgmt appliance. It's the 2nd address in our assignable pool,
and it doesn't matter if it's dhcp or statically assigned, that address
will not talk to that device.
That is the *only* device that cannot be reached from this particular
address in our dept vlan, every other one works fine.
Any ideas on this?
Stevo
> and it doesn't matter if it's dhcp or statically assigned, that
> address
So.... the title of this thread should actually be 'Very weird non-DHCP
issue', since your own testing confirms this has nothing to do with DHCP?
If you do a LAN trace on this machine as well as your web content
management appliance do you see packets on either side? Both sides? If
not on both sides but you do on the source (workstation) side see
packets going out, then get LAN traces after each network device
(switch, router, firewall, etc.) to see when the packets disappear.
Feel free to post the LAN traces somewhere with descriptions of IPs,
ports, and what you should be seeing, if you want to post them somewhere
for review.
Good luck.
-
VRF and DHCP issue
We have a 6500 ( 12.2 (33) SXH5 ) that has a VRF running for our guest network. On this 6500 resides the DHCP pool with a range defined for our guest network. We have a stack of 3750's (12.2 (46) SE) connected to the 6500 with a L3 connection. The 3750's have a local guest VLAN with its gateway defined in a VLAN interface. This VLAN on the 3750 has an IP helper address pointing to an IP within the VRF on the 6500. When debugging DHCP on the 6500, a request is received and sent back out. The client never receives this request.
If a static IP is applied, the client is able to communicate anywhere within the VRF successfully (including pinging the IP within the helper-address). As many posts have pointed out, there is no VRF <name> under the ip dhcp pool <name> on the 6500. I am just wondering if anyone else has run into this and what their solution was.
Thanks.
Hi,
I have tested the DHCP server and VRF on a Cisco 3640 and it is working without VRF under the ip dhcp pool. Please ensure that you have configured routing for the DHCP relay agent (the VLAN facing the DHCP client on the 3750 in your case).
-
We are trying the new 7821 and it won't pull an address from the dhcp server/router. It's set up as standard dhcp with option 150 for voice. Our 7962s receive an address right away, so the only difference one is using the skinny protocol and the other SIP. Should I be using a different option?
This was an issue in phone firmware as it turns out:
This is the BugID that is the most likely cause of the issues:
78xx Cannot join VLAN if broadcast over 30kbps
CSCun23612
Description
Symptom:
78xx Devices are not able to process CDP response to gain VLAN knowledge from switch when large amount of broadcasts (30kbps / approx 40 to 60 pps) on VLAN/Subnet are occurring.
The phone looks like it will still follow through with DHCP requests but will not accept the offered DHCP address due to the phone not knowing the VLAN structure.
** Issue does not occur when same amount of traffic is sent directly to the phone; only when it is broadcast traffic.
Conditions:
78xx on a switch port with a VLAN with a large amount of broadcasts occurring in subnet.
Workaround:
Reduce Broadcast traffic below 30kbps and reboot phone
or
Remove VLAN from Switch port that has the high Broadcast traffic.
Confirmed by having only the access VLAN on the switch port: the phone registered and upgraded perfectly fine.
Neil
-
Dynamic VLAN/SSID assignment using 4402/MS IAS
Greetings,
In short we have a WLC4402 (50 AP license) and approx 30 1252s LAPs in place. Right now we have three VLANs/SSIDs in place - one for admin, one for teachers and one for students. The WLC uses a MS Windows 2003 server running IAS for PEAP authentication. The clients are Windows XP, the SSID is entered manually based on "pre-designation" of the laptop's "type" (either admin, teacher or student).
This is working fine. However more and more frequently our users have been "sharing" laptops so a student may need to use a teacher's laptop and vice-versa. In short we would like to use dynamic VLAN/SSID assignment so that if a student does have a teacher's laptop the "student" VLAN/SSID would be assigned to them when log in (and the proper ACLs, QoS policies, etc would be applied)
We have found documentation on how to perform this with an ACS but is there anything available for this configuration with a MS IAS server.
Any input/information would be greatly appreciated.
Joe
Shaun,
My LAG - etherchannel interface
interface Port-channel8
description WLC-portchannel
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3,24-26
switchport mode trunk
end
My 2 WLC Fiber ports:
Current configuration : 382 bytes
interface GigabitEthernet7/47
description CiscoWLC-LAG-Ports
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3,24-26
switchport mode trunk
service-policy output autoqos-voip-policy
qos trust cos
auto qos voip trust
tx-queue 3
bandwidth percent 33
priority high
shape percent 33
spanning-tree bpdufilter enable
channel-group 8 mode on
end
2200-3A#sh run int g7/48
Building configuration...
Current configuration : 382 bytes
interface GigabitEthernet7/48
description CiscoWLC-LAG-Ports
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3,24-26
switchport mode trunk
service-policy output autoqos-voip-policy
qos trust cos
auto qos voip trust
tx-queue 3
bandwidth percent 33
priority high
shape percent 33
spanning-tree bpdufilter enable
channel-group 8 mode on
end
I use vl1 for ap mgmt, vl3 for hotspot, and vl24-26 for WPA2 clients and wireless voip devices.
One of my AP switchports on the same switch. I let the trunk port to the AP carry a range of VLANs, and then I manage the VLANs assigned to clients with IAS and the WLC.
interface FastEthernet4/48
description AP-PoE
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-1004
switchport mode trunk
service-policy output autoqos-voip-policy
qos trust cos
auto qos voip trust
tx-queue 3
bandwidth percent 33
priority high
shape percent 33
end
Jim
-
Dynamic VLAN/SSID assignment w/IPv6
I have followed the answer in this discussion which instructs on how to get Dynamic VLAN/SSID assignments using WLCs + MS IAS:
https://supportforums.cisco.com/thread/339396
This works great for IPv4. This does not appear to work for IPv6.
I have CT2504 WLCs running v7.0.116.0 and AP 3502s. I have a Windows 2003 IAS working for 802.1x authentication using PEAP and per-user/group dynamic VLAN/SSID assignments. Based on who you authenticate as, you are placed on the appropriate VLAN.
However, IPv6 does not function properly. I believe this is due to the nature that the WLC only bridges IPv6 from the Interface Group that the WLAN is assigned to and/or whatever Multicast VLAN you assign.
If I connect as a user assigned to the same matching VLAN as the WLAN Interface / Multicast VLAN, IPv6 works just fine. I do not even have to have the "Enable IPv6" box checked in the Advanced tab, nor does the "Multicast Vlan Feature" need to be enabled - IPv6 still works.
If I connect as a user that is assigned to a different VLAN than the WLAN Interface / Multicast VLAN, I see the IPv6 Router Advertisement from the WLAN Interface / Multicast VLAN, and not the VLAN that "Allow AAA Override" switched me to. Naturally since I'm getting as IPv6 prefix for a different VLAN, when I try to route traffic through the IPv6 default gateway (which isn't on the VLAN I'm connected to), it doesn't work.
One work-around to have IPv6 support is to use distinct, non-dynamic per VLAN/SSID assignments. This is ugly and doesn't scale (16 max SSIDs).
Has anyone else experienced this and know of a solution?
For now I'll just have to set the WLAN Interface to a VLAN which does not have IPv6 enabled, and my wireless users won't have IPv6 unless they VPN on top of Wifi. Rather disappointing.
This sounds a lot like another implication of IPv6 with "more than one VLAN on the same SSID".
see this thread:
https://supportforums.cisco.com/thread/2157621?tstart=60
not with dynamic vlan, but vlan select - which, on the L2/L3 on SSID-side is essentially the same.
as mentioned in the thread, 7.2 has a feature that "automatically sends the correct RA to the correct clients via L2 wireless unicast. By unicasting the RA, clients on the same WLAN, but a different VLAN, do not receive the incorrect RA."
lucky for you, 7.2 is available for the 2504 - with my WiSM1s I am out of luck :-(
So this feature *could* solve this problem, as the problem is that the wrong IPv6 RAs are broadcast to the client (because the SSID is the same).
-
4500X L3 MEC + VRF + DHCP issue
Good morning -
I have a pair of 6513 in a VS40 (VSS quad sup) connected via L3 MEC to a VSS pair of 4500X. Active to Active and Standby to Standby connected in a L3 MEC port-channel that is also a vnet trunk:
(Core)
interface Port-channel5
description Distribution Uplink
no switchport
vnet trunk
ip dhcp snooping limit rate 100
ip address 172.20.68.1 255.255.255.252
ip ospf message-digest-key 1 md5 XXX
spanning-tree guard root
(4500 Distribution)
interface Port-channel1
description Core Uplink
vnet trunk
ip arp inspection trust
ip address 172.20.68.2 255.255.255.252
ip ospf message-digest-key 1 md5 XXX
The interfaces are all using LACP mode Active inside the channels
On the 4500 we have a global routing table and a vrf. Both have helper addresses pointing to the DHCP server which is extranet service behind the 6513 Core.
interface Vlan2301
description Global Routing Table
ip address 172.19.68.1 255.255.255.0
ip helper-address 10.4.16.222
interface Vlan2512
description VRF
vrf forwarding RED
ip address 10.217.5.1 255.255.255.0
ip helper-address 10.4.16.222
DHCP for the Global Routing Table subnet works. DHCP for the VRF does not.
What is interesting is if we shut down the link that is connected to the standby 4500 (Te2/1/1) DHCP starts to work for the VRF.
Using <debug ip dhcp server packet detail> at the 4500 here is what I am seeing.
When both links are up and DHCP is failing for the VRF:
Mar 10 20:02:02.419: DHCPD: BOOTREQUEST from 0100.1a6b.3a56.13 forwarded to 10.4.16.222.
Mar 10 20:02:10.473: DHCPD: Reload workspace interface Vlan2512 tableid 3.
Mar 10 20:02:10.473: DHCPD: tableid for 10.217.5.1 on Vlan2512 is 3
Mar 10 20:02:10.474: DHCPD: client's VPN is RED.
Mar 10 20:02:10.474: DHCPD: using received relay info.
When I shut the Te2/1/1 link down in the L3 MEC at the 4500 DHCP starts to work for the VRF RED:
Mar 10 20:04:41.354: DHCPD: BOOTREQUEST from 0100.1a6b.3a56.13 forwarded to 10.4.16.222.
Mar 10 20:04:41.369: DHCPD: Reload workspace interface Port-channel1.2002 tableid 3.
Mar 10 20:04:41.369: DHCPD: tableid for 172.20.68.2 on Port-channel1.2002 is 3
Mar 10 20:04:41.369: DHCPD: client's VPN is .
Mar 10 20:04:41.369: DHCPD: forwarding BOOTREPLY to client 001a.6b3a.5613.
Mar 10 20:04:41.369: DHCPD: no option 125
Mar 10 20:04:41.369: DHCPD: broadcasting BOOTREPLY to client 001a.6b3a.5613.
Mar 10 20:04:41.369: DHCPD: no option 125
Mar 10 20:04:44.808: DHCPD: Reload workspace interface Vlan2512 tableid 3.
Mar 10 20:04:44.808: DHCPD: tableid for 10.217.5.1 on Vlan2512 is 3
Mar 10 20:04:44.808: DHCPD: client's VPN is RED.
It is like there is a bug that is treating the L3 MEC as a L2 MEC when both links are present; or the VNET trunk is not being processed correctly.
Has anyone else used a L3 MEC with a VRF and a DHCP helper with success? Is this a bug?
03.05.01.E is the code we are running on the 4500X-32(SPF+)
This is also with TAC, but I thought I would share with the community in case anyone else has a similar environment or if Cisco experts want to comment.
-
I'm implementing a large WLAN for a hospital. they will be using Cisco VPN and RSA OTP to provide authentication and data confidentiality/integrity. They also desire a Wireless LAN Solution Engine.
I wish to create a "user" VLAN-SSID mapping and a "wireless network management" VLAN-SSID mapping, so I can require users to use VPN to get off their local segment, but also use WLSE & HPOV to manage the WAPs via a management interface.
To trunk the mgmt VLAN, I think I need to map it to an SSID on the WAP. However, I do not want the mgmt VLAN/SSID to accept client associations. I basically only want the mgmt VLAN to exist on the wire and at the AP, not on the RF.
How would I accomplish this?
It is a little bit of a kludge to do this, but:
On the VLAN SSID page set the max allowed associations to 1 (0 will mean the max number of associations will be 2047). This will allow only one client to associate; now you can block this one by creating a MAC address filter on that VLAN that has no MAC address in it, with the default action for both multicast and unicast set to discard.
You could do just the filter, but if the filter is ever turned off then you have the added bonus of only one client getting through.
David
-
Hello All,
I am having an issue doing DHCP from the 6500, and was hoping someone can help. So, I tried to set up DHCP from the FWSM to the clients and this worked fine for giving out the IP; however the gateway for devices on the inside is supposed to be the 6500, not the FWSM, which is why the clients wouldn't get out to the internet. Do I need to set up DHCP relay on the FWSM, or does anyone know the way I can set up DHCP on the 6500 to give out IPs to the clients? Again, just to reiterate: when I set up DHCP on the FWSM the clients get the IPs but do not get out to the internet, and when I set up DHCP on the 6500 the clients do not get an IP. Also I know this is a DHCP issue because when I assign a static address on the network the clients get out fine. Thanks in advance for the help!
6500 Config
ip dhcp pool TEST
network 1.1.1.0 255.255.255.0
default-router 1.1.1.1
dns-server x.x.x.x y.y.y.y
FWSM Config
FWSM/TEST# show run
interface Vlan3
nameif outside9
bridge-group 1
security-level 0
interface Vlan203
nameif inside9
bridge-group 1
security-level 100
interface BVI1
ip address 1.1.1.4 255.255.255.0
passwd 2KFQnbNIdI.2KYOU encrypted
access-list INSIDE1_IN extended permit ip any any
global (outside1) 1 x.x.x.x
nat (inside1) 1 1.1.1.0 255.255.255.0
access-group INSIDE1_IN in interface inside1
route outside1 0.0.0.0 0.0.0.0 1.1.1.1 1
FWSM/TEST#
Hello Alain,
Thanks for your quick response. I attached a diagram of the layout. Just to let you know, this is an FWSM with many virtual contexts, and most, including this one, are transparent. I understand that I need an access-list on both ends to specify it so the FWSM opens it; I am just having an issue because the FWSM sees this as unusual traffic and the access-list needs to be on-point to work. Thank you for the response and I'll look forward to hearing back from you.
-
Heads Up: Private VLAN Sticky-ARP DHCP Issues
Here is the scenario:
Private VLANs are configured on a 6500 Sup720 with SVIs routing for the PVLANs.
DHCP Snooping and IP ARP Inspection are also configured for the PVLAN subnets.
A DHCP Server is offering 3 day leases.
A laptop connects to the network and receives a 3-day lease. The user leaves the office and returns 4 days later. The DHCP server offers a new lease with a different IP address. Furthermore, the previous IP address leased to the laptop has been handed out in a new lease to another host. Both systems receive their DHCP lease but have no network connectivity.
The problem occurs because, by default, PVLAN SVIs use Sticky-ARP and never age out their ARP cache. Since the laptop has a different IP address to MAC address mapping than recorded in the Sticky-ARP cache, a violation occurs and the switch prevents the new IP address from populating the ARP table on the switch.
Sticky-ARP is a security feature that prevents one system from stealing another system's IP address.
Log messages show the following:
%IP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry
The 6500 PVLAN configuration guide Restrictions and Guidelines section suggests that Sticky-ARP is fundamental to Private VLANs, and the only workaround for this problem is to create manual ARP entries for the new IP address. This is clearly not a viable workaround for this scenario.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm#wp1090979
However, the 6500 Command Reference shows that Sticky ARP can be disabled, but makes no reference to PVLANs
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/cmdref/i1.htm#wp1091738
There appears to be two sensible solutions to this problem:
1) Disable Sticky-ARP on the 6500 for the PVLANs. Since DHCP Snooping and IP ARP Inspection are configured, Sticky-ARP can be disabled without relaxing network security. This assumes the 6500 will accept the command and will not break the existing PVLAN functionality.
2) Extend the DHCP lease, to 45 or 90 days perhaps. This will catch most transient activity and keep the IP address to MAC address relationships the same wherever possible. The downside here is that DHCP address pools could collect stale entries that would take the lease time to flush, thus reducing the overall available IPs in the pool.
Has anyone else run into this problem? If so, what was your solution? Did you attempt either option above? I am planning on using solution #1 above, but I wanted to ping the NetPro community with this as I am sure we are not the first customer to run into this. Or are we??
Regards,
Brad
Excellent question.
Sticky-ARP is NOT intended to be a pain in the butt that should be disabled right away; rather, it is a security mechanism that prevents a system from stealing an active IP address on the subnet and causing a lot of problems. Sticky-ARP works best on subnets that have all static IP addressing, where there is no expectation that a host would frequently change its IP address.
Yes, I would recommend keeping Sticky-ARP on subnets with all static IP addresses.
In DHCP subnets with no static IP addressing, DHCP Snooping and IP ARP Inspection provide the same security coverage that Sticky-ARP does: they prevent a system from claiming an illegitimate IP and MAC address. Furthermore, in DHCP subnets it is reasonable to expect that a host would change its IP address from time to time when its lease expires.
Sticky-ARP does not provide any additional security benefit when DHCP Snooping and IP ARP Inspection are active, and it only causes problems when a lease expires.
When Cisco made Sticky-ARP the default behavior for Private VLANs, they certainly did not have DHCP in mind.
In summary, it should be known as a best practice that when using Private VLANs on user segments with DHCP, DHCP Snooping and IP ARP Inspection should be enabled and Sticky-ARP should be disabled.
Brad
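The argument in the thread above is that a DHCP-snooping binding table plus ARP inspection blocks the same spoofing that Sticky-ARP blocks, while still allowing a legitimately re-leased address through. The following is an added example, not code from the thread or from Cisco: two small models of the ARP-acceptance policies (a first-mapping-wins sticky table, and a binding-table check in the style of Dynamic ARP Inspection) replayed against the lease rotation the post describes, plus one ARP with no lease behind it. MAC addresses, IP addresses and the event sequence are constructed.

```python
"""
Added example (not from the original thread): model the two ARP policies
discussed in the post. StickyArpTable keeps the first IP->MAC mapping it
learns and rejects any later change (the %IP-3-STCKYARPOVR condition).
DaiTable accepts an ARP only when (IP, MAC) matches the current DHCP
snooping binding, so a re-leased address passes once the new lease is bound.
Hosts, addresses and the event order are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class StickyArpTable:
    """Sticky-ARP: entries never age out and may not be overwritten."""
    entries: dict = field(default_factory=dict)      # ip -> mac
    violations: list = field(default_factory=list)

    def learn(self, ip: str, mac: str) -> bool:
        current = self.entries.get(ip)
        if current is not None and current != mac:
            self.violations.append(
                f"%IP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry {ip} {current} -> {mac}")
            return False
        self.entries[ip] = mac
        return True


@dataclass
class DaiTable:
    """ARP inspection backed by a DHCP-snooping binding table."""
    bindings: dict = field(default_factory=dict)     # ip -> mac, from DHCP ACKs
    entries: dict = field(default_factory=dict)      # accepted ARP cache
    dropped: list = field(default_factory=list)

    def lease(self, ip: str, mac: str) -> None:
        """Snooping saw a DHCP ACK: (re)bind ip to mac, replacing any old binding."""
        self.bindings[ip] = mac

    def release(self, ip: str) -> None:
        """Lease expired or released: the binding disappears with it."""
        self.bindings.pop(ip, None)

    def learn(self, ip: str, mac: str) -> bool:
        if self.bindings.get(ip) != mac:
            self.dropped.append(f"DAI drop: {mac} claims {ip} without a matching binding")
            return False
        self.entries[ip] = mac
        return True


def run_scenario() -> dict:
    """Replay the lease rotation from the post against both policies."""
    sticky, dai = StickyArpTable(), DaiTable()
    laptop, other, stranger = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
    # ("lease", ip, mac): DHCP ACK seen by snooping, then an ARP from that host.
    # ("arp", ip, mac): an ARP with no lease behind it, the spoof both features exist to stop.
    events = [
        ("lease", "10.0.0.10", laptop),    # day 0: laptop receives .10
        ("lease", "10.0.0.10", other),     # day 4: lease expired, .10 handed to another host
        ("lease", "10.0.0.11", laptop),    # day 4: laptop returns and receives .11
        ("arp", "10.0.0.11", stranger),    # a host with no lease claims .11
    ]
    results = {"sticky": [], "dai": []}
    for kind, ip, mac in events:
        if kind == "lease":
            dai.lease(ip, mac)
        results["sticky"].append(sticky.learn(ip, mac))
        results["dai"].append(dai.learn(ip, mac))
    results["sticky_violations"] = sticky.violations
    results["dai_drops"] = dai.dropped
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The second event is the one the post describes: the sticky table still holds `.10 -> laptop` and refuses the new host, while the binding-backed table accepts it because snooping recorded the new lease. The fourth event shows that the binding check still rejects an address claim with no lease behind it, which is the protection Sticky-ARP was providing.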