Cisco Switching/Routing :: SG-300 52 Native VLAN Blocking Network Packets
Jun 15, 2013SG-300 52 native VLAN blocking network packets
View 3 RepliesSG-300 52 native VLAN blocking network packets
View 3 RepliesIn our network environment, we have a 2960 switch sitting behind our router. Off of this we have a lot of external connections, like our external DNS, firewall, and VPN concentrators. I've configured a VLAN other than the default, moved everything into it and then shut VLAN 1. In this hardening guide it says that your native VLAN should be something other than the user VLAN, but if I am not using any trunk links, wouldn't I not really have a native VLAN? I attempted to make the link to our firewall a trunk link and then set the native VLAN to something else.
View 5 Replies View Related1 week ago, I got a call from a client that reported a network outage, the client told me that, 3 switch has crashed he try to console but it just hang. I ask him, did you change something? he said he didn't change anything, he just pluged a nortelswitch to the cisco switch number 9, but that switch doesn't crash like the others (3,4,8). I check the uptime, and yes the switch never been powered off..
the topology look like this
____ 6500 ____
/ / |
1 2 3 4 5 ...... 9
the vlan is end to end vlan, so vlan span between all those switches. transparant. this is collapsed topology, core and distribution is the 6500 itself all of the 1-9 access switch are in the same rack, with no loopguard, and bpdu guard configured. and connected to the core using etherchannel. the problem is there is no log available to start the troubleshooting/investigation.
I am having trouble after creating a management vlan (99) on a 3550 switch.I have configured the vlan (99) and given it an IP (192.168.1.100) and a default gateway (my router address - 192.168.1.99).I can ping to the switch from a PC and vice versa. The management VLAN IP is fine but now I cannot ping to the router from either the PC or the switch.It seems that just by adding VLAN 99 with it's own IP address has now prevented pings from the switch/ PC to the router ?Due to the fact that I have created a new switch management VLAN with an IP, does this mean I have set up the router as a 'router on a stick' scenario ? [code]
View 4 Replies View RelatedWe are trying to setup a new configuration with 2960S as access switchs and a 4507 as a core switch.I want to protect the management IP VLAN of the swich using vrf on the 4507 so we :
SHUT VLAN 1 on every switch (2960 + 4507)
CREATE A NEW VLAN 289 (management vlan) -> IP network : 10.32.126.192/26
L3 VLAN on every switch
VLAN 289 in the VRF XXX on the 4507
create tunk between the switch and the 4507 :
switch mode trunk allowed vlan 200-230
sw trunk native vlan 289
so with this configuration on the 2960 the vlan 289 is UP/DOWN and UP/UP on the 4507 I can access to the 4507 using the IP in the VLAN 289 but i cannot access to the 2960 behind the 4507 CDP connectivity is ok?
I am migrating an existing LAN from 3550 to 3750X-12S. In the existing configuation, I´ve got some trunks with native VLAN <> 1. The native VLAN is also used for user data transport. With IOS 15.0(1)SE3 on 3750X I recognized, that per default behavior PVST is not active for a VLAN defined as native, even if the corresponding trunk is up and trunking. My current workaround is to add a "switchport access vlan" command on the trunk even this one never should become an access port. With this statement only the switch is activating the PVST for the native VLAN. For all other vlans PVST works as exspected. [code]
View 6 Replies View RelatedI have several closets with Cisco 3560 on the edge that I'd like to change the vlan that's used for the management vlan on each. In the core I have a Cisco 6509 with Sup720's.
I'd like to do this by changing the native vlan on the trunk port on the core 6509 interface that connects to the 3560. and leave the management vlan on the 3560 as vlan 1.
Seems trivial but what I tried didn't work and I didn't have the window to troubleshoot. I'll paste the simplified configs for the interfaces below
!
6509 configs:
!
interface Vlan50ip address 172.16.50.2 255.255.255.0!interface FastEthernet
[Code]....
We have a problem with CDP packets on sent by our Cisco 6509's. Unlike our other Cisco switches (4948G, 5020, etc.), the 6509 tags administrative traffic on the native vlan. As a result the CDP packets are sent with an 802.1Q header with a tag of 1. The other switches send the CDP packets untagged on the native vlan. This causes problems because we have non-Cisco devices in our lab that also receive and send CDP, but they do not process the packets that are tagged by the 6509. They see the packets from the 4948 and 5020 just fine.
How can I disable the administrative native vlan tagging on the 6509? Here is the current setup:
nwkdev-6509-1#show vlan dot1q tag native
dot1q native vlan tagging is disabled globally
nwkdev-6509-1#show interfaces gigabitEthernet 1/9/1 switchport
[Code].....
I've been experimenting with the 'vlan dot1q tag native' command on a switch and it seems as though tagging the native vlan breaks vty access to my access point.With the 'vlan dot1q tag native' commnand applied, I lose management connectivity to the AP with 'no vlan dot1q tag native' applied, connectivity is restored. Why is this? Is it safe to say that one can access the AP via vty lines using ONLY untagged packets?
SWITCH
Model: WS-C3560G-24PS
Code: c3560-advipservicesk9-mz.122-46.SE
--Abbreviated CONF
vlan dot1q tag native
[code]....
We have a group of computers on their own VLAN. A router allows internet access while keeping them sandboxed. We don't want them accidentally connect to our production network. We blocked their wireless MACs in unauthorized WAPs. I'd like to do the same thing for their ethernet MACs on our switches, (a mixture of 2950,2960 and 2960G currently testing on C2960-LANBASE-M, Version 12.2(25)SEE2). I've been unable to locate the correct method on google, by searching these boards or in the command reference.
What is the best practice for blocking a group of MACs from accessing a particular VLAN on a network consisting of several Layer 2 Switches?
I've a big problem with a loss of packets ICMP sent by different hosts in differents VLAN. Here my architecture:
Core Switch : 2 Switch's C6509 (Version 15.0 (1) SY1)- Mode VSS - One lien VSL , the other link is defective.Access Switch: C3750 , Connected to Core Switch through 2 fibre optique wires.Topology: redundant ring
When I send consecutive ping message I found always a missing of packets . Furthermore When I insert the "show ip traffic" command., the parameter "bad hop count" increase after a loss of packets. I've 2 hosts connected in my network and they send packets with TTL =127.
In the Core Switch I haven't configured the MEC because it gave me troubles with the packets multicast.
We have 2 6513 switches with SUP720/PFC3A and various POE modules and a 6748-GE-TX facing our servers. Additionally, we have a 4Gbps portchannel trunk interconnecting the switches. We have approximately 300 Nortel IP 1140e phones in use between the two switches.For the purpose of call recording, we've attempted to mirror the voice vlan using various approaches and have been met with limited success. We mirrored the VLAN using tx, rx, and both. When using both we appear to get duplicate packets at the destination interface.We seem to lose packets completely going in one direction or another for a given call. Packets are lost before they get to the destination interface?
View 2 Replies View RelatedI am using 1841 LAN router. Recently some broadcast is happening in our network when some users are connected. I need to block them automatically by detecting who are they.
I can block them manually but i want router to detect them and block.
what NATIVE VLAN is . What are the benifits of using this and when do we use this.
View 1 Replies View RelatedI have the following problem in LMS 4.0. I see a lot of CDP syslog messages about Native Vlan Mismatch, but the LMS doesn't report it in the disrepancy report. Why?? The similar problem is with TRUNK VLAN Mismatch. The customer doesn't use VTP in his network. All switches are in the VTP transparent mode.
View 1 Replies View RelatedI have a simple question: In 6500 CatOS, we had that feature of image synchronization, which added the ability to download the image from the active supervisor to the standby via internal TFTP of the CatOS. Can this be done on IOS? I was looking fot this over the Internet and couldn't find anything.
View 1 Replies View Relatedif i have this config:
switch port mode trunk
trunk aloved vlan 50
will travel over this trunk untagged packets? For eg the V LAN 1 is by default native V LAN without tag. If i have created a bog ring with catalyst 3560x switches with no spanning tree on V LAN 1 can be the case of this config a loop ???
I am using upper config on interfaces that are connected the switches together in ring.
Other interfaces on switch have this config:
int range 0/1-4
switchport mode acc
switchport acc vlan1
int range 0/5-24
switchport mode acc
switchport acc vlan50
I am using vlan1 just for local switching without connection to internet! I am asking just because i have this king of messages in logs:
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet1/0/27 (1), with SW3560x_BR8874 GigabitEthernet1/0/19 (50).
GI 1/0/27 and GI 1/0/19 have this config:
switchport mode trunk
trunk aloved vlan 50
I have a 2811 Router (config below) with VPN configured. I can connect through the VPN and access devices on the native VLAN but I can't access the 10.77.5.0 (VLAN 5) network (I don't care to access the 10.77.10.0 - VLAN 10 network). This issue has been plagueing me for quite a while. I believe it's a NAT or ACL issue. VPN client IP pool is 192.168.77.1 - 192.168.77.10. [code]
View 4 Replies View RelatedIs PVID the same thing as "native vlan"? Can the native VLAN be changed on a SA520? Currently I believe it to be 1, I'd like to change the native VLAN to 10.
I have a scenario where I have a prexisting production LAN of 192.168.1.0/24 . It's a small organization (a church), but they purchased 3 Aironet 1130ag units. They want to have a "private" WLAN that is part of 192.168.1.0/24 , and a guest WLAN of a different subnet (I chose 192.168.20.0/24) . The two should never meet. There will likely never be a guest computer connected via ethernet. Guest computers would always have to connect wirelessly.
I left VLAN 1 on the SA520 192.168.75.0/24 subnet as default.I created a VLAN 10 , 192.168.1.0/24 subnet, and I created a VLAN 20, 192.168.20.0/24 subnet.Ports 1-3 of the SA520 are members of VLAN 1, 10, and 20 (cannot remove membership of VLAN1, which is pretty annoying).
Both are secured by WPA, and when I connect, the proper DHCP subnet passes from the firewall through to the wireless client, for each respective SSID.Ultimately, I'd like the SBS 2003 server to handle DHCP for VLAN 10, and have the SA520 handle DHCP for VLAN 20, but i'll take what I can get.
The original production LAN is connected via an unmanged switch.I'd like to trunk the unmanaged switch to Port 4 on the SA520. However, since the PVID (native vlan?) of SA520 is 1, and I cannot make Port 4 on the SA520 ony a member of VLAN 10, then anything traffic coming from the unanaged switch will automatically be tagged with VLAN1, correct? Thus causing the already existing production network to start receiving DHCP from the firewall in the 192.168.75.0/24 range.
I am planning on inserting a second Sup720 in my 6506 running in native mode. Here is how I have redundancy configured:
redundancy
mode sso
main-cpu
auto-sync running-config
The IOS version is:
s72033-ipservices_wan-mz.122-18.SXF8
I have a small home network currently using a cisco 841 which is working great. Host a web site and Exchange plus all 10 computers access the net using Verizon FIOS all works. I can even VPN in to my newtwork remotely.I can only VPN using the Cisco client. I would like to use the Native Windows Client and Ipads and Iphones. I believe they use PPTP and the Cisco client is using IPSEC.Which Cisco router can I get that would support all the above?
View 14 Replies View RelatedJust trying to figure out how LAP manage clients in a h-reap setup.Have a setup with native vlan on 144 (switch and AP) and ssid tagging in other vlan... Got this on switch:
Jan 12 10:31:43.121: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0811.9695.9b04 on port FastEthernet0/42.
Jan 12 10:31:43.121: %PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port FastEthernet0/42 due to MAC address 0811.9695.9b04 on VLAN 144
Jan 12 10:37:42.770: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0811.9695.9b04 on port FastEthernet0/42.
Jan 12 10:37:42.770: %PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port FastEthernet0/42 due to MAC address 0811.9695.9b04 on VLAN 144
Wonder why clients MAC is seen on native vlan (and ofcourse also on taged vlan) ...?
I am working on wi-fi networks (ISP), So I need to block the peer to peer on my network.My network involves cisco switch 2950/2960, cisco 2800 routers and Access Points, config for peer to peer blocking, for this where I need to config either switches or router.My network basic setup is, The internet will pass from router to switch and then Access Points.
View 1 Replies View RelatedI have a DLink DIR-615 rev. B2 firmware 2.25. A few days ago, I started using Comodo Unite for VPN access with friends and LAN gaming. However, just recently the program stopped working correctly. I have reset my configuration, tried multiple different settings, and nothing at all has remotely worked.
View 3 Replies View RelatedI have just configured up a sg500 with a lacp trunk to an upstream switch.
I am getting native vlan mismatch on the individual ports of the lacp team.
24-Jan-2013 12:54:48 %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi1/1/24.
24-Jan-2013 12:57:35 %CDP-W-NATIVE_VLAN_MISMATCH: Native VLAN mismatch detected on interface gi1/1/48.
[Code].....
I was searching a lot , but I couldn't find any good example, how to configure DHCP server for our wireless clients on Cisco Autonomous AP. I'm looking for example how to configure Dot 11 radios and BVI interfaces.
I have no problem to configure DHCP server on BVI 1 and VLAN 1 ( native VLAN ) interfaces, but there is a problem with other BVI's and VLANs. Maybe this feature isn't supported? Maybe DHCP server feature is supported to work just with default BVI and native VLAN?
Adding a vlan 820 to existing port channel trunk which currently allows many vlans. What is the best way to add vlan820 with least impact to network. Portchannels from 6513 core with IOS to Nexus 5k,Copy existing vlans, add 820 and paste under: switchport trunk allowed vlan 1,2,5,12,20,820
View 6 Replies View RelatedI have problems in my Cisco network until I connected some Moxa devices.This Moxa are models EDS-316 and EDS-208
My principal trouble is the traffic UDP. Suddently the network don't permit the traffic UDP in VLAN where are connected Moxa devices.
During an hour the Moxa can send TCP traffic, but can't send UDP. If a Moxa device is unplugged from network, all devices connected to him can work offile from principal network, but if I plugg again the Moxa is like disable.
After one hour (more or less) the system restart all functions and work fine.I catch the logs from TXerrorsInPorts and all the ports where is connected a Moxa have errors all time.
I don't know which is the problem, but I think that problem is in negotiation from Moxa to Cisco.This is the configuration from a port where is connected a Moxa: [code]
we have an heterogeneous network with Cisco devices (6509-E, 3750G and 3560) and Alcatel 6850 devices. We have to enable a PTP Wifi line as a backup for the fiber line between two buildings. For this purpose, we have connected a wifi device to GigabitEthernet 0/47 of SWIHGJ1 and configured it as: [code]
View 2 Replies View RelatedWe have Nexus 7k running as my core with a 6500 manageing my server farm and IP services servers (call manager, IPTV ...)My edge switch are 4500s. We currently have RIP2 running between and the switchs and each 4500 is managing its own VLANs.The IPTV uses IGMP snooping and multicasting to broadcast the video feed. The problem that came up is that the we cannot configure a gatewar for the setup boxs for the IPTV system. They will only work on a single VLAN and they are spread all over the network.Can we configure only this VLAN to be propagated over our RIP network???
View 2 Replies View RelatedI am position to migrate from CatOS 6509 switch to native IOS 6509 switch. long time ago, there was some site to convert automatically based on copy and paste onto the tool, but i can not find.
Does anybody know how to convert CatOS configuration to Native IOS configuration ? It is not IOS change, but it is configuration convert.
Is it possible to assign 2 ports to a vlan on this switch and have the 2 machines connected to those ports be able to see each other without having to go off of the switch? If so, how would it need to be setup on the switch?
View 4 Replies View RelatedI was given a task of creating a vlan and isolating one pc to access an internal website (192.168.90.15) on a specific port (port 8080)The pc is connected in the following manner:
PC--> HP Switch --> Cisco Small Business SG200 switch --> 3550 Catalyst 1, 3550 Catalyst 2 and 3550 Catalyst 3.
I have created a vlan 110 on the Main 3550 Catalyst switch and successfully added the pc to that vlan.However, that PC must be able to access the internet and an internal website on port 8080.I have placed an access-list on the main 3550 catalyst switch which is connected to our router as below:
Client ip address: 192.168.100.2
VLAN 110: 192.168.100.3
access-list 110 permit tcp host 192.168.100.2 host 192.168.90.15 eq 8080access-list 110 permit icmp host 192.168.100.2 anyaccess-list 110 deny ip 192.168.100.0 0.0.0.255 ? I was unable to access the webserver even after many attempts.