IDS and Dot1q

Does the IDS support Dot1q? If so, is there no configuration required on the IDS when sniffing several VLANs? Should the switch interface that connects to the IDS sniffing port have Dot1q trunking configured?

Thank you

The sensor is able to interpret the 802.1Q trunk headers to determine which VLAN the packet arrived on, and it will report the VLAN number in the alert.

This function of the sensor is always enabled, and no command is necessary.

It is the switch port that would need to be configured as an 802.1Q trunk port in order to send trunked packets to the sensor.

For promiscuous mode, making the port a trunk port is not enough. In addition, the switch must be configured to send traffic to the sensor using SPAN (or VACL capture if it is a Catalyst 6500).

The SPAN command can take additional parameters to send the packets with their trunk headers.

You will need to read your switch's manuals to determine which commands are necessary on your switch.

For inline mode, the simplest scenario is to configure your two switches (or a switch and a router or a firewall, etc.) to be linked together through an 802.1Q trunk port.

Once everything is working fine, place your sensor in the middle of that 802.1Q trunk between the two switches.

The sensor will analyze the packets and pass them on without modification. The VLAN header of each packet is passed through unchanged, and the underlying IP packet is fully analyzed.
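As an added example (not code from the original thread), the following Python parser does what the answer describes the sensor doing: it reads the 802.1Q tag to learn which VLAN a frame arrived on, leaves the frame itself untouched, and decodes the inner IP packet. It goes beyond the single-tag case above by also handling stacked 802.1ad (QinQ) tags, priority-tagged frames (VID 0, i.e. native VLAN) and untagged frames; the MAC addresses, IP addresses and frames are constructed sample data.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100    # customer VLAN tag (802.1Q)
TPID_8021AD = 0x88A8   # service VLAN tag (802.1ad, "QinQ" outer tag)
ETHERTYPE_IPV4 = 0x0800
TAG_TPIDS = (TPID_8021Q, TPID_8021AD)


@dataclass
class VlanTag:
    tpid: int   # 0x8100 or 0x88A8
    pcp: int    # 802.1p priority (3 bits)
    dei: bool   # drop eligible indicator (1 bit)
    vid: int    # VLAN ID (12 bits); 0 means priority-tagged on the native VLAN


@dataclass
class ParsedFrame:
    dst: str
    src: str
    tags: list          # outer tag first; empty for untagged (native VLAN) frames
    ethertype: int      # EtherType of the payload after all tags are stripped
    payload: bytes      # the inner packet, untouched (e.g. the IPv4 header onward)


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> ParsedFrame:
    """Walk the tag stack of an Ethernet frame without modifying it."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset = 12
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated inside the EtherType field")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in TAG_TPIDS:
            break
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside an 802.1Q tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append(VlanTag(ethertype, tci >> 13, bool(tci & 0x1000), tci & 0x0FFF))
        offset += 4  # a tag is TPID (2 bytes) + TCI (2 bytes)
    return ParsedFrame(_mac(dst), _mac(src), tags, ethertype, frame[offset + 2:])


def ipv4_summary(payload: bytes) -> dict:
    """Minimal IPv4 header decode of the inner packet (the part the sensor inspects)."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("payload is not an IPv4 packet")
    return {
        "src": ".".join(str(b) for b in payload[12:16]),
        "dst": ".".join(str(b) for b in payload[16:20]),
        "proto": payload[9],
        "header_len": (payload[0] & 0x0F) * 4,
    }


def sensor_alert_fields(frame: bytes) -> dict:
    """Fields a trunk-aware sensor can attach to an alert: the VLAN the frame
    arrived on (outer tag; None when untagged, 0 when priority-tagged), any
    inner tags, and the decoded IP endpoints."""
    parsed = parse_frame(frame)
    fields = {
        "vlan": parsed.tags[0].vid if parsed.tags else None,
        "inner_vlans": [t.vid for t in parsed.tags[1:]],
        "qinq": bool(parsed.tags) and parsed.tags[0].tpid == TPID_8021AD,
        "ethertype": parsed.ethertype,
    }
    if parsed.ethertype == ETHERTYPE_IPV4:
        fields.update(ipv4_summary(parsed.payload))
    return fields


def build_frame(dst: str, src: str, tags: list, ethertype: int, payload: bytes) -> bytes:
    """Constructed sample input: a frame with the given [(tpid, vid), ...] tag stack."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)  # PCP 0, DEI 0
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed IPv4 header: 192.0.2.10 -> 198.51.100.20, protocol 6 (TCP), no options.
SAMPLE_IPV4 = bytes.fromhex("45000028000100004006" + "0000" + "c000020a" + "c6336414")

if __name__ == "__main__":
    frame = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                        [(TPID_8021Q, 2)], ETHERTYPE_IPV4, SAMPLE_IPV4)
    print(sensor_alert_fields(frame))
```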

Tags: Cisco Security

Similar Questions

  • Storage circuits and dot1q FCoE

    We have NetApp connected directly to the FIs, with the FI storage ports configured as FCoE storage ports, and the FIs are in FC switch mode. I see the NetApp FLOGIed in on the FIs, so the FC part looks good. On the NetApp side, we have a 10G interface, e1a, with an IP on it. We have another 10G interface, e1b, with a VLAN attached to it, so this interface sends and receives dot1q-tagged frames.

    The documentation seems to imply that IP traffic does not work at all on an FCoE storage port. Yet e1a works very well, which is not the case for e1b.

    Question 1: My theory is that the plain Ethernet on e1a works well but the dot1q tagging on e1b is what actually does not work on the FCoE storage port. Am I wrong?

    Question 2: I think that to operate with dot1q I need to change the FI port type from FCoE storage port to a unified port. Is it as simple as changing the port type through UCS Manager? Does that take the FCoE link offline or anything?

    Hi Tod,

    Please make sure you have dot1q on the NetApp and that the necessary FCoE VLANs are marked as native on the FI and NetApp.

    The docs below can serve as a reference.

    UCS Local Zoning Guide

    http://www.Cisco.com/en/us/products/ps10281/products_configuration_example09186a0080c09983.shtml

    FlexPod Deployment Guide (instead of connecting to an N5K, we have NetApp connected directly to the UCS FI; the NetApp configuration would be similar)

    http://www.Cisco.com/en/us/docs/solutions/Enterprise/Data_Center/virtualization/flexpod_deploy.html

    Padma

  • Compare Dot1Q and QinQ with access ports and trunk?

    Hi all

    How do you compare Dot1Q and QinQ with access ports and trunk?

    Thank you

    Sunil Kumar

    Hi Sunil,

    With regard to your questions:

    1. Do we have a case where Dot1Q is configured on an access port? If not, then why? - Dot1q aims to tag frames leaving the switch, and an access port is the opposite; it is therefore not used together with tagging.

    2. How would the topology look for the QinQ case? - For QinQ, as I mentioned in my last post, one side is configured differently from the others, which are set to access. A simple example is explained at this link: http://networklessons.com/switching/802-1q-tunneling-q-q-configuration-example/

    HTH.

    Kind regards

    RS.

  • SRW2048 and a Cisco 1841

    I am trying to set up VLANs between two SRW2048 switches and a Cisco 1841 router. I have the ports that connect the 2 switches to each other and the port that connects to the router configured as trunk ports. I set up 2 VLANs. VLAN 1 is just the default vlan everyone runs, and vlan 2 will be the DMZ. I have no access control list configuration to block traffic, but when I assign vlan 2 on the port that the server is on, I cannot ping the gateway. I don't know what is happening; see below for the cleaned configs.

    1841:

    Current configuration: 4282 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime localtime show-timezone
    service password-encryption
    !
    hostname QCSLOLURTR01
    !
    boot-start-marker
    boot system flash c1841-advsecurityk9-mz.124-25B.bin
    boot-end-marker
    !
    logging buffered 8192 debugging
    !
    aaa new-model
    !
    !
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ none
    !
    aaa session-id common
    clock timezone CST -6
    clock summer-time CDT recurring
    ip cef
    !
    !
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    !
    no ip domain lookup
    ip domain name qcsupply.com
    !
    !
    !
    username x
    !
    archive
     log config
      hidekeys
    !
    !
    ip ftp username x
    ip ftp password x
    !
    !
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key QCSLOLU address x.x.x.x no-xauth
    !
    !
    crypto ipsec transform-set ts1 esp-3des esp-md5-hmac
    crypto ipsec transform-set ts2 esp- esp-md5-hmac
    !
    crypto map vpn-map 10 ipsec-isakmp
     set peer x.x.x.x
     set transform-set ts1
     match address 101
    !
    !
    !
    interface FastEthernet0/0
     description QCSL OLU INTERNET CONNECTION
     ip address x.x.x.x x.x.x.x
     ip access-group deny-hack-attack in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     no cdp enable
     crypto map vpn-map
    !
    interface FastEthernet0/1
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet0/1.1
     encapsulation dot1Q 1 native
     ip address 10.60.90.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    interface FastEthernet0/1.2
     encapsulation dot1Q 2
     ip address 10.60.89.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    interface Serial0/0/0
     no ip address
     shutdown
    !
    router eigrp 100
     network 10.60.89.0 0.0.0.255
     network 10.60.90.0 0.0.0.255
     no auto-summary
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 x.x.x.x
    !
    no ip http server
    ip http access-class 23
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source route-map nat interface FastEthernet0/0 overload
    ip nat inside source static tcp 10.60.89.10 80 x.x.x.x 80 extendable
    ip nat inside source static tcp 10.60.89.10 443 x.x.x.x 443 extendable
    ip nat inside source static tcp 10.60.89.10 2021 x.x.x.x 2021 extendable
    ip nat inside source static tcp 10.60.89.10 6100 x.x.x.x 6100 extendable
    ip nat inside source static tcp 10.60.90.13 80 x.x.x.x 80 extendable
    ip nat inside source static tcp 10.60.90.13 443 x.x.x.x 443 extendable
    ip nat inside source static tcp 10.60.90.13 1494 x.x.x.x 1494 extendable
    !
    ip access-list extended deny-hack-attack
     permit udp x.x.x.x 0.255.255.255 any eq snmp
     deny udp any any eq snmp
     deny udp any any eq tftp
     deny udp any any eq bootpc
     deny udp any any eq bootps
     deny ip x.x.x.x 0.15.255.255 any
     deny ip x.x.x.x 0.0.255.255 any
     permit ip any any
    !
    logging 10.10.5.30
    access-list 23 permit 10.10.10.0 0.0.0.7
    access-list 99 permit 10.0.0.0 0.255.255.255
    access-list 99 permit x.x.x.x 0.0.1.255
    access-list 101 permit ip 10.60.90.0 0.0.0.255 10.10.0.0 0.0.255.255
    access-list 101 permit ip 10.60.89.0 0.0.0.255 10.10.0.0 0.0.255.255
    access-list 105 deny ip any host x.x.x.x
    access-list 105 permit ip any any
    access-list 111 deny ip 10.60.90.0 0.0.0.255 10.10.0.0 0.0.255.255
    access-list 111 deny ip 10.60.89.0 0.0.0.255 10.10.0.0 0.0.255.255
    access-list 111 permit ip 10.60.89.0 0.0.0.255 any
    access-list 111 permit ip 10.60.90.0 0.0.0.255 any
    snmp-server community no RO
    route-map nat permit 10
     match ip address 111
    !
    !
    radius-server host x.x.x.x
    radius-server key x
    !
    control-plane
    !
    banner motd ^C
    x
    ^C
    !
    line con 0
    line aux 0
     modem InOut
     modem autoconfigure discovery
     autohangup
     speed 2400
    line vty 0 4
     location *Virtual Terminal access permitted only from internal network*
     access-class 99 in
     privilege level 15
     transport input telnet
    line vty 5 15
     access-class 23 in
     privilege level 15
     transport input telnet
    !
    scheduler allocate 20000 1000
    end

    SRW2048 #1:

    Port 1: Trunk (to the router)

    Port 2: Trunk (SRW2048 #2)

    Port 24: VLAN 2

    SRW2048 #2:

    Port 1: Trunk (of SRW2048 #1)

    Any ideas?

    Because the SRW is now part of Cisco Small Business, it would probably be best to ask in the Cisco Small Business support community. You will find people from Cisco over there.

    For the SRW configuration, did you add both VLANs to your trunk ports? Configuring a port in trunk mode automatically adds all configured VLANs to the trunk.

    Does the server have a static IP address in the DMZ LAN?

  • Subinterfaces and VLAN

    Hi all

    I was hired on with a State... Now it's been a while, but I do not remember how subinterfaces and VLANs all link together!

    Now correct me where I'm wrong (please), but the VLANs are created on the switches first, correct? When you create a VLAN on a switch you don't need an IP or gateway address by default because the VLANs are on the switch. If you want inter-VLAN routing you need a router. Then you configure trunking on a port between the switch and router (ISL, 802.1Q). Now on the router, you can create a VLAN, and here you enter the IP subnet or the default gateway addresses, correct? This is where I get confused: for what reasons do you need subinterfaces? How are they tied to VLANs and what would be the logical flow of data?

    Any help would be appreciated!

    Yes, you are right. If you are using a layer 2 switch and want to do inter-VLAN routing then you need a Layer 3 router device. But you must configure the sub interfaces with the default gateway to route traffic. Because there is a single trunk between switch and router, we need sub interfaces for multiple VLANs.

    interface FastEthernet0/0.1
     encapsulation dot1q 10   (10 represents VLAN ID 10)
     ip address 10.1.1.1 255.255.255.0

    If you use a layer 3 switch, then you don't need sub interfaces at all; you can create the interface vlan with the default gateway. You must enable ip routing.

    interface vlan 10
     ip address 10.1.1.1 255.255.255.0

    Hope this will help.

    Please rate if this can help.

    Thank you

  • Split of static traffic between the VPN and NAT

    Hi all

    We have a site-to-site VPN that secures all traffic to and from 10.160.8.0/24 to/from 10.0.0.0/8. It's for everything, including Internet traffic. However, there is one exception (of course)...

    The part that I can't make work is this: if traffic comes from the VPN (10.0.0.0/8) to 10.160.8.5 (on 80 or 443), then the return traffic must go back through the VPN. BUT, if traffic on 80 or 443 comes from anywhere else (Internet via X.X.X.X, which translates to 10.160.8.5), then it needs to be translated and sent back out to the Internet via Gig2.

    I have the following setup (tried to include just the necessary lines)...

    interface GigabitEthernet2
     ip address Y.Y.Y.Y 255.255.255.0   ! X.X.X.X and Y.Y.Y.Y are in the same subnet
     ip address X.X.X.X 255.255.255.0 secondary
     ip nat outside
     crypto map ipsec-map-S2S

    interface GigabitEthernet4.2020
     description 2020
     encapsulation dot1Q 2020
     ip address 10.160.8.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly

    ip nat inside source list NAT-outgoing interface GigabitEthernet2 overload
    ip nat inside source static tcp 10.160.8.5 80 X.X.X.X 80 route-map NO-NAT extendable
    ip nat inside source static tcp 10.160.8.5 443 X.X.X.X 443 route-map NO-NAT extendable

    ip access-list extended NAT-outgoing
     deny tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq www
     deny tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq 443
     permit tcp host 10.160.8.5 any eq www
     permit tcp host 10.160.8.5 any eq 443

    ip access-list extended NO-NAT
     deny tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq www
     deny tcp host 10.160.8.5 10.0.0.0 0.0.0.255 eq 443
     permit ip any any

    route-map NO-NAT permit 10
     match ip address NO-NAT

    With the above configuration, we can get to 10.160.8.5 from the Internet, but cannot reach it over the VPN tunnel (from 10.200.0.0/16). If I remove the two «ip nat inside source static...» commands, then the opposite happens: I can get to 10.160.8.5 over the VPN tunnel but now can't get to it from the Internet.

    How can I get both? It seems that when I hit the first NAT statement (overload Gig2), the 'deny' in the NAT-outgoing ACL punts me out of that NAT statement. It can then process the following NAT statement (one of the 'ip nat inside source static...' ones), but the 'deny' in the NO-NAT ACL does not seem to punt me out of that NAT statement. That's my theory anyway (maybe something else is happening?)

    Does it work like that, or am I misunderstanding something? It's on a Cisco Cloud Services Router (CSR 1000v).

    Thank you!

    Your netmask is wrong for your 10.0.0.0/8. I wouldn't worry about the port/protocol since that can screw you up. A better way to do it would be to deny all VPN IP traffic.

    ip access-list extended NAT-outgoing
     deny ip 10.160.8.0 0.0.0.255 10.0.0.0 0.255.255.255
     ...

    ip access-list extended NO-NAT
     deny ip 10.160.8.0 0.0.0.255 10.0.0.0 0.255.255.255
     permit ip any any

    Doc:

    Router-to-Router IPsec with NAT Overload and Cisco Secure VPN Client

    Thank you

    Brendan

  • Routing between a router and a switch L3

    Hi, I have a question. I have two sites that we are trying to connect through an Ethernet port. At site 2, I use port gig0/0 on a 1941 router and configured the port as follows:

    interface gig0/0
     ip address 192.168.18.2 255.255.255.252
    ip route 10.0.4.0 255.255.255.0 192.168.18.1

    At site 2, I use a 3750 switch because I have no port available on their router, and it is configured as follows:

    interface FastEthernet4/0/1
     no switchport
     ip address 192.168.18.1 255.255.255.252
    ip route 172.20.0.0 255.255.0.0 192.168.18.2

    Although both ports show as up and I can ping their interfaces locally, I cannot ping the interfaces on the far side, nor their networks.

    I tried changing the default gateway of the local interface, but that does not work either.

    The carrier claims that I must have it on a vlan and suggested this config on site 1:

    interface gig0/0.955
     encapsulation dot1q 955
     ip address 192.168.18.2 255.255.255.252

    And there is the problem. I cannot configure a subinterface on the L3 switch and cannot add the vlan as they recommend.

    Any suggestions from anyone on how to connect the two sites?

    Thank you

    Pete

    The physical port must be configured as a trunk because of the router end. If so:

    (1) create vlan 995

    (2) configure the port as a trunk but only allow vlan 995 on it

    (3) create the SVI and migrate the IP

    Jon

  • VG224 and Verifone xx810 chip and pin component terminal modem

    Hi members of the community.

    I have a very specific problem I'd appreciate help with if anyone else has experienced this or something similar.

    We have a VG224 that provides analog lines, mainly for fax machines, on our campus. Recently, our finance department started using chip and PIN machines on these connections. Previously, we used Streamline machines, and they connected properly.

    The specific case I have is a Verifone vx810 machine connected to a VG224. The Verifone unit is able to dial successfully and authorize a transaction, but it cannot complete a batch upload or a TMS download. I talked to the support company that rents us the machines and identified that the device uses the following baud rate, parity and stop bits for the 2 different operations:

    For transactions: 2400 baud, parity/stop 7e1 (this works)

    For the batch upload/TMS: 19200 baud, parity/stop 8n1 (this does not).

    In the case of the batch upload/TMS, the machine connects, gets a connection to the remote end over the PSTN for about 10 to 20 seconds, then tears it down because the modem negotiation fails. I've read various articles on the CIHI forums and elsewhere saying that high-speed data rates can be a problem for the VG224, but nothing to suggest a problem with 19200. I also tried it on an ATA186 and the ATA showed the same symptoms, so I am inclined to think this isn't just a firmware issue or bug with the VG224. I tried 3 different chip and PIN machines of the vx810 model and all have the same symptoms.

    Here's a copy of my current VG224 config. The VG224 is registered to CUCM via SCCP.

    version 12.4
    no service pad
    service timestamps debug datetime localtime
    service timestamps log datetime localtime
    no service password-encryption
    !
    hostname vg224
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    logging buffered 4096
    !
    aaa new-model
    !
    !
    aaa authentication login default local group radius
    aaa authentication enable default
    aaa authorization exec default local group radius
    aaa accounting exec default
     action-type start-stop
     group radius
    !
    !
    !
    aaa session-id common
    clock timezone GMT 0
    clock summer-time UTC recurring 4 Sun Mar 01:00 4 Sun Oct 02:00
    ip source-route
    ip cef
    no ip domain lookup
    !
    !
    no ipv6 cef
    !
    stcapp ccm-group 1
    stcapp
    !
    stcapp feature access-code
    !
    stcapp feature speed-dial
    !
    !
    voice service voip
     modem passthrough nse codec g711ulaw
    !
    !
    voice-card 0
    !
    username password
    archive
     log config
      hidekeys
    !
    !
    !
    interface FastEthernet0/0
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet0/0.644
     encapsulation dot1Q 644
     ip address 10.1.160.4 255.255.255.0
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    ip default-gateway 10.1.160.1
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 10.1.160.1
    no ip http server
    !
    logging facility local6
    logging source-interface FastEthernet0/0.644
    logging
    snmp-server community RO
    snmp-server location
    !
    radius-server host auth-port 1812 acct-port 1813
    radius-server host auth-port 1812 acct-port 1813
    radius-server timeout 3
    radius-server key
    !
    control-plane
    !
    !
    !
    voice-port 2/0
     cptone GB
     timeouts initial 60
     timeouts interdigit 60
     timeouts ringing infinity
     caller-id enable
    !
    voice-port 2/1
     cptone GB
     timeouts initial 60
     timeouts interdigit 60
     timeouts ringing infinity
     caller-id enable
    !
    voice-port 2/2
     cptone GB
     timeouts initial 60
     timeouts interdigit 60
     timeouts ringing infinity
     caller-id enable
    !
    voice-port 2/3
     cptone GB
     timeouts initial 60
     timeouts interdigit 60
     timeouts ringing infinity
     caller-id enable
    !
    voice-port 2/4
     no echo-cancel enable
     cptone GB
     timeouts initial 60
     timeouts interdigit 60
     timeouts ringing infinity
     caller-id enable
    !
    !
    ccm-manager fax protocol cisco
    ccm-manager config server
    ccm-manager config
    ccm-manager sccp local FastEthernet0/0.644
    ccm-manager sccp
    !
    !
    sccp local FastEthernet0/0.644
    sccp ccm identifier 1 version 6.0
    sccp ccm identifier 2 version 6.0
    sccp ccm identifier 3 version 6.0
    sccp
    !
    sccp ccm group 1
     associate ccm 1 priority 1
     associate ccm 2 priority 2
     associate ccm 3 priority 3
    !
    dspfarm profile 1 transcode
     associate application SCCP
    !
    !
    dial-peer voice 999200 pots
     service stcapp
     port 2/0
    !
    dial-peer voice 999201 pots
     service stcapp
     port 2/1
    !
    dial-peer voice 999202 pots
     service stcapp
     port 2/2
    !
    dial-peer voice 999203 pots
     service stcapp
     port 2/3
    !
    dial-peer voice 999204 pots
     service stcapp
     port 2/4
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    ntp server
    ntp server
    end

    And a show version from the vg224:

    System returned to ROM by power-on
    System restarted at 14:30:34 CEST Wednesday 9 May 2012
    System image file is "slot0:vg224-i6s-mz.124-22.T5.bin"
    Cisco VG224 (R527x) processor (revision 4.1) with 119808K/11264K bytes of memory.
    Processor board ID FHK1432F2CC
    R527x CPU at 225MHz, Implementation 40, Rev 3.1
    1 voice module, 24 analog FXS, edge V2.1
    2 FastEthernet interfaces
    DRAM configuration is 64 bits wide with parity disabled.
    63K bytes of non-volatile configuration memory.
    System FPGA version is 250027
    System readonly FPGA version is 250027
    System FPGA option is 'system'
    62496K bytes of ATA Slot0 CompactFlash (Read/Write)
    Configuration register is 0x2102

    This problem is really driving me crazy; if anyone can shed some light on what might be the root cause, I would be very grateful.

    I would say probably yes, PCI DSS compliant devices communicating over the IP network would be the way to go, and that is something we are working on, but currently we have units that can only communicate using analog telephone lines.

    OK, PRI is clean, so you must set up modem relay for high-speed modem-to-modem connections to work.

    I would not waste time with SCCP and go immediately to SIP or H.323.

  • Meet the VPLS and EoMPLS circuit

    Hi all

    I have an ASR1006 IOS-XE router as PE, connected to another PE of the same model. And I have VPLS set up to provide E-LAN service. Multiple GE interfaces on the two sites have joined this VPLS group. Now we have another PE (an ISR G2 router, for small-scale use) that must join that VPLS group. Since ISR G2 IOS does not support VPLS, we can only get EoMPLS (E-LINE) service.

    Is it possible to interconnect VPLS and EoMPLS? Referring to the example configuration below, can I put service instance 110 as a member in bridge-domain 10? Would that eventually interconnect EoMPLS to VPLS? All the routers are currently in production. Any ideas would be much appreciated.

    l2vpn vfi context VFI-TEST   // VPLS
     vpn id 10
     member 10.166.10.2 encapsulation mpls

    bridge-domain 10
     member GigabitEthernet0/0/0 service-instance 101
     member GigabitEthernet0/0/0 service-instance 102
     member GigabitEthernet0/0/0 service-instance 103
     member vfi VFI-TEST

    interface GigabitEthernet0/0/0
     service instance 101 ethernet
      encapsulation dot1q 101
      rewrite ingress tag pop 1 symmetric
     !
     service instance 102 ethernet
      encapsulation dot1q 102
      rewrite ingress tag pop 1 symmetric
     !
     service instance 103 ethernet
      encapsulation dot1q 103
      rewrite ingress tag pop 1 symmetric
     !
     service instance 110 ethernet
      encapsulation dot1q 110
      rewrite ingress tag pop 1 symmetric
      xconnect 10.200.149.110 10 encapsulation mpls   // EoMPLS
     !

    I have not tested it, but I think it should work. We have both EoMPLS/VPLS in a hub-and-spoke topology. However, given that this topology is not fully meshed, you must disable split horizon for PE2 and PE3 to talk to each other.

    PE2 - VPLS - PE1 - EoMPLS - PE3.

    PE1:

    l2 vfi VPLS-10 manual
     vpn id 10
     bridge-domain 10
     neighbor 102.102.102.102 encapsulation mpls
     neighbor 103.103.103.103 encapsulation mpls no-split-horizon

    PE2:

    l2 vfi VPLS-10 manual
     vpn id 10
     bridge-domain 10
     neighbor 101.101.101.101 encapsulation mpls

    PE3:

    interface GigabitEthernet0/0/2
     no ip address
     negotiation auto
     xconnect 101.101.101.101 10 encapsulation mpls

    Best regards

    Anne Isabelle

  • 2960 will not allow "switchport trunk encapsulation dot1q" CLI

    I have a Cisco 2960 switch that does not allow me to configure switchport trunk encapsulation dot1q on a trunking interface.

    The capabilities output shows that the interface can use 802.1Q, but when I try the command in the CLI, the encapsulation keyword is not an option.

    Please give us a solution.

    Thank you, S

    Model - WS-C2960G-24TC-L

    Version SW - 12.2 (44) SE6

    Image of SW - C2960-LANBASEK9-M

    S1#sh int gi0/23 capabilities
    GigabitEthernet0/23
      Model:                 WS-C2960G-24TC-L
      Type:                  1000BaseLX SFP
      Speed:                 1000
      Duplex:                full
      Trunk encap. type:     802.1Q
      Trunk mode:            on,off,desirable,nonegotiate
      Channel:               yes
      Broadcast suppression: percentage(0-100)
      Flowcontrol:           rx-(off,on,desired),tx-(none)
      Fast Start:            yes
      QoS scheduling:        rx-(not configurable on per port basis),
                             tx-(4q3t) (3t: Two configurable values and one fixed.)
      CoS rewrite:           yes
      ToS rewrite:           yes
      UDLD:                  yes
      Inline power:          no
      SPAN:                  source/destination
      PortSecure:            yes
      Dot1x:                 yes
      Multiple Media Types:  rj45, sfp, auto-select
    S1#

    S1(config-if)#switchport ?
      access         Set access mode characteristics of the interface
      backup         Set backup for the interface
      block          Disable forwarding of unknown uni/multi cast addresses
      host           Set port host
      mode           Set trunking mode of the interface
      nonegotiate    Device will not engage in negotiation protocol on this
                     interface
      port-security  Security related command
      priority       Set 802.1p priority
      protected      Configure an interface to be a protected port
      trunk          Set trunking characteristics of the interface
      voice          Voice appliance attributes
    S1#

    S1(config-if)#switchport trunk ?
      allowed  Set allowed VLAN characteristics when interface is in trunking mode
      native   Set trunking native characteristics when interface is in trunking
               mode
      pruning  Set pruning VLAN characteristics when interface is in trunking mode
    S1#

    Newer devices do not support ISL, so you can only run 802.1Q. This means there is no need for an encapsulation command when only one encapsulation is supported. If the device has ISL support, then you also need this command.

    Daniel Dib
    CCIE #37149

    Please evaluate the useful messages.

  • IPSec on dot1q logical interface

    Can we create an IPsec tunnel on a dot1q logical interface?

    I managed to create the IPsec tunnel on a FastEthernet interface, but when I moved it to a dot1q logical interface, the IPsec tunnel broke.

    When using crypto maps on logical interfaces, the map must be applied to both the physical and the logical interface.

    M.

    Hope that helps; rate if it does.

  • Impossible to get trunk port to work on 4402 and 6509

    I'm having a problem getting trunks working on a pair of 4402s I just preconfigured.

    The switches are running CatOS.

    I've tried both using a LAG and individual ports on the WLC, and the only way I can access the WLC is when the switch port is configured as an access port.

    Whenever I change the link to trunk mode, I lose access.

    I tried restarting it and that didn't work either.

    The management and ap-manager subnet is in vlan 254, and I set the native vlan of the switch ports to VLAN 254.

    I tried all forms of trunking (desirable, nonegotiate etc.), but it just will not work.

    I use this exact setup elsewhere without any problems.

    The controller was originally on 4.2.130 and is now on 5.1.150.

    Anyone have an idea or two?

    Very well. First make sure that the WLC management and ap-manager interfaces lie on the same vlan. Also, make sure that it is not tagged on the WLC, which means it is set to '0'. On the dot1q trunk, assign the native vlan to what the WLC is configured for. Make sure that you do not have the global command "vlan dot1q tag native". Also make sure that the service port has an ip address that is not routable in your network.

  • 802. 1 x authentication and phones

    I have just begun to roll out 802.1X authentication and found that although I got the authentication for the PCs on the data VLAN to work, phones on the VOICE VLAN do not work unless I set 'authentication host-mode' to 'stream'.

    We did run unauthenticated for 7 years with phones and PCs both working.

    What I want to do (i.e. what management told me to move to), is to have phones connect unauthenticated (with CDP handling the correct VLAN assignment) but require PCs to authenticate.

    I guess the simple question is: is it even possible? If so, any advice is greatly appreciated. (The switch config is below.)

    Thank you

    Arch

    !
    version 12.2
    no service pad
    service timestamps debug datetime localtime show-timezone msec
    service timestamps log datetime localtime show-timezone msec
    service password-encryption
    !
    hostname switch
    !
    boot-start-marker
    boot-end-marker
    !
    logging console emergencies
    logging monitor emergencies
    enable secret 5 *
    !
    aaa new-model
    !
    !
    aaa authentication dot1x default group radius
    !
    !
    !
    aaa session-id common
    clock timezone cst -6
    clock summer-time cdt recurring
    switch 1 provision ws-c3750g-24ps
    system mtu routing 1500
    vtp mode transparent
    no ip domain-lookup
    !
    !
    ip igmp snooping vlan 41 mrouter interface Gi1/0/27
    ip igmp snooping vlan 41 mrouter interface Gi1/0/28
    !
    mls qos
    !

    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    vlan 13
     name data-VLAN
    !
    vlan 857
     name VoIP-VLAN
    !
    vlan 1611
     name guest-VLAN
    lldp run
    !
    !
    class-map match-all AutoQoS-VoIP-RTP-Trust
     match ip dscp ef
    class-map match-all AutoQoS-VoIP-Control-Trust
     match ip dscp cs3 af31
    !
    !
    policy-map AutoQoS-Police-CiscoPhone
     class AutoQoS-VoIP-RTP-Trust
      set dscp ef
      police 320000 8000 exceed-action policed-dscp-transmit
     class AutoQoS-VoIP-Control-Trust
      set dscp cs3
      police 32000 8000 exceed-action policed-dscp-transmit
    !
    !
    !
    interface GigabitEthernet1/0/1
     switchport access vlan 13
     switchport mode access
     switchport voice vlan 857
     switchport port-security violation protect
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     queue-set 2
     priority-queue out
     authentication control-direction in
     authentication event no-response action authorize vlan 1611
     authentication host-mode stream
     authentication port-control auto
     authentication violation protect
     mls qos trust device cisco-phone
     mls qos trust cos
     auto qos voip cisco-phone
     dot1x pae authenticator
     spanning-tree portfast
     service-policy input AutoQoS-Police-CiscoPhone
    !
    interface GigabitEthernet1/0/2
    !
    interface GigabitEthernet1/0/3
    !
    interface GigabitEthernet1/0/4
    !
    interface GigabitEthernet1/0/5
    !
    interface GigabitEthernet1/0/6
    !
    interface GigabitEthernet1/0/7
    !
    interface GigabitEthernet1/0/8
    !
    interface GigabitEthernet1/0/9
    !
    interface GigabitEthernet1/0/10
    !
    interface GigabitEthernet1/0/11
    !
    interface GigabitEthernet1/0/12
    !
    interface GigabitEthernet1/0/13
    !
    interface GigabitEthernet1/0/14
    !
    interface GigabitEthernet1/0/15
    !
    interface GigabitEthernet1/0/16
    !
    interface GigabitEthernet1/0/17
    !
    interface GigabitEthernet1/0/18
    !
    interface GigabitEthernet1/0/19
    !
    interface GigabitEthernet1/0/20
    !
    interface GigabitEthernet1/0/21
    !
    interface GigabitEthernet1/0/22
    !
    interface GigabitEthernet1/0/23
    !
    interface GigabitEthernet1/0/24
    !
    interface GigabitEthernet1/0/25
    !
    interface GigabitEthernet1/0/26
    !
    interface GigabitEthernet1/0/27
    !
    interface GigabitEthernet1/0/28
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 13,857,1611
     switchport mode trunk
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     queue-set 2
     mls qos trust cos
     auto qos voip trust
    !
    radius-server host 10.1.2.10 auth-port 1645 acct-port 1646
    radius-server key 7 *
    radius-server vsa send authentication
    end

    Hello

    Authentication with a PC and a phone needs "authentication host-mode multi-domain". You can use the MAC address or 802.1X (username & password) for authentication of the IP phone.

    The authentication profile must send "device-traffic-class=voice" to the switch. The PC goes into the DATA domain and the phone into the VOICE domain.

    See attachment:

  • Fiber trunk between 3750 and 3850

    I currently have two 3750's (stacked). We recently bought two new 3850's and have stacked them as well. My question is, how do I trunk them? I want to be able to use the new switches with the same VLANs and IP addresses as the existing ones. The new switches are in the same rack as the existing ones.

    The current 3750s are the gateway for my network (and they will remain so, for now).

    I plugged an uplink to switch fiber as in:

    3750a (Gi1/0/49) --> 3850a (Gi1/1/1)

    3750b (Gi2/0/49) --> 3850b (Gi2/1/1)

    I gave the fiber ports the following parameters:

    3750a:
    int gi1/0/49
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan add ALL
    switchport mode trunk
    switchport nonegotiate

    3750b:
    int gi2/0/49
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan add ALL
    switchport mode trunk
    switchport nonegotiate

    3850a / 3850b:
    int gi1/1/1
    int gi2/1/1
    switchport trunk allowed vlan add ALL
    switchport mode trunk
    switchport nonegotiate

    At this point, I thought I'd be able to SSH into the new (3850) switch and ping the current (3750), but I can't. Network Assistant on the current 3750 switch 'sees' the new 3850, but it appears as an "unsupported device". The switches are on the same subnet (10.11.1.0/24).

    The current switch (3750) is 10.11.1.2 and the new 3850 is 10.11.1.14. If I connect my laptop to the 3850 and give myself an IP of 10.11.1.x, I can ping the switch itself (10.11.1.14), but I cannot ping the gateway (10.11.1.2). If I SSH into the switches, they cannot ping each other.

    Do I need to set up the fiber uplink as an EtherChannel? Or are my switchport settings incorrect? I don't know what I'm missing. I'm certainly not an expert in the field, so if it's something that may be obvious to others, it's quite possible I overlooked it.

    Hope it makes sense. Any suggestion would be appreciated. Thank you.

    Hey,

    Provide the following information to learn more:

    3750 side:

    #sh ip int br | ex un

    #sh int g1/0/49 trunk

    #sh int g2/0/49 trunk

    #sh vlan br

    3850 side:

    #sh ip int br | ex un

    #sh int g1/1/1 trunk

    #sh int g2/1/1 trunk

    #sh vlan br

    Kind regards
    RS.

  • Problem with VLANs between Cisco Catalyst (3560G) and SG300-52

    I am having trouble creating a VLAN trunk between an SG300-52 and a Cisco Catalyst 3560G. I have 4 VLANs (1, 2, 10 and 11) on the 3560 and I need ports on the SG300 to be able to communicate with them.

    On the 3560, port 14 is defined as:

    interface GigabitEthernet0/14
     switchport trunk encapsulation dot1q
     switchport mode trunk
     spanning-tree portfast

    On the SG300, port 52 is defined as:

    interface GigabitEthernet52
     spanning-tree link-type point-to-point
     switchport trunk allowed vlan add 1,2,10,11
     macro description switch

    Trying to understand what the problem is... Any help would be appreciated.

    Thank you

    Chris

    Hi Chris, the first problem is the spanning-tree portfast; it shouldn't be on a switch-to-switch interconnect. You may have a native VLAN mismatch as well, but that shouldn't matter.

    A suggestion, however: set the SG300 port to general mode and disable ingress filtering.

    -Tom
    Please mark helpful replies as useful
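As an added example (not code from any poster in this thread), a small Python lint that checks an IOS-style running config for the two points raised in the replies above: `authentication host-mode multi-domain` on ports that carry a voice VLAN with 802.1X, and `spanning-tree portfast` on a trunk interconnect; it also flags trunks with no allowed-VLAN list. The sample config is constructed, modelled on the snippets posted.

```python
"""Added example, not the thread's own code: lint a Cisco IOS-style running
config for the issues raised in the replies above (portfast on a switch
interconnect, and 802.1X with a voice VLAN but no multi-domain host mode).
SAMPLE_CONFIG is a constructed sample modelled on the snippets posted."""

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport voice vlan 857
 authentication host-mode multi-host
 authentication port-control auto
 spanning-tree portfast
!
interface GigabitEthernet0/14
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/28
 switchport trunk allowed vlan 13,857,1611
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map each 'interface <name>' stanza to its stripped config lines."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!":
            current = None  # '!' ends the stanza
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas

def lint(config):
    findings = []  # (interface, finding) pairs; empty means nothing flagged
    for name, lines in parse_interfaces(config).items():
        trunk = "switchport mode trunk" in lines
        voice = any(l.startswith("switchport voice vlan") for l in lines)
        dot1x = any(l.startswith("authentication port-control") for l in lines)
        # when the host-mode command is absent, IOS defaults to single-host
        mode = next((l.split()[-1] for l in lines if l.startswith("authentication host-mode")), "single-host")
        if trunk and any(l.startswith("spanning-tree portfast") for l in lines):
            findings.append((name, "spanning-tree portfast on a trunk port"))
        if trunk and not any(l.startswith("switchport trunk allowed vlan") for l in lines):
            findings.append((name, "trunk has no allowed-vlan list (carries all VLANs)"))
        if voice and dot1x and mode != "multi-domain":
            findings.append((name, f"host-mode {mode} with a voice VLAN; use multi-domain"))
    return findings
```

Run `lint(SAMPLE_CONFIG)` to see the three findings; feed it the text of `show running-config` to check a real switch.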
