Using VLANs with Cisco 1240AG

Similar Questions

• Compatibility of VLAN with Cisco

  Hello

  We just bought 10 x new Netgear switches (all M4100) to add to an existing Cisco infrastructure.

  Simple configuration with only 6 Valns.

  5: Admin, 30: VOIP, 101: management, 100: a set of Workstations, 102: second series of Workstations, 200: IPTV, 400: Internet, 401: Wireless Management

  All I wanted to do was: 2 last ports each switch netgear = T and all the VLANS. I have not identified all ports if I want to use in the appropriate vlan

  101 of VLAN is my Managementt Vlan. (Need to configure inter vlan routing for this to work)

  I only turned on three switches up to now and all three do not work. They work for a while and that packets but do not receive all.

  What I am doing wrong?

  What I need to get rid of the original vlan1 on the netgear?

  Is that what I need config in the STP to make these compatible with Cisco (300 and 400 series) switches.

  I use an optical backbone on Cisco and Netgear switches.

  Sincere greetings,

  OLAF

  Hi Moussa,.

  Thanks for reaching out.

  We got it working.

  Step 1: upgrade to the latest firmware.

  Step 2: Forget the MISTLETOE.

  We had a few questions about the old firmware - causing links to trunk have some incompatibility with their tag and removed the images between Cisco and Netgear brand.

  After the upgrade of the firmware that we had access to "switchport mode access" and "switchport mode trunk" orders fixing the access port and trunking issues.

  Thank you Mr President,

  OLAF

• VLANS with Cisco ASA 5505 and non-Cisco switch

  I have an ASA5505 and a switch Netgear GSM7224 L2 that I try to use together.  I can't grasp how VLANs (or at least how they should be put in place).  When configuring my VLAN on the ASA5505 it seems simple enough, but then on my switch, I thought I'd create just the same VLAN numbers that I used on the SAA and then add the ports that I wanted to use for each VLAN.

  Currently on my ASA, I have the following VLAN configured...

  outside - vlan11 - Port 0/0

  inside - vlan1 - Port 0/1

  dmz_ftp - vlan21 - Port 0/2

  Port of Corp - vlan31 - 0/3

  I need to do the same thing on my switch as well...  On my way, I'm a little confused as to how I need to configure the VLAN.  Below is the screenshot of web GUI...

  

  Note: Normally you can now change the VLAN ID (red), but in this case the default vlan (vlan id 1) may not be changed or deleted, you can does not change its settings.

  Tagged (green), Untagged (purple) and Autodetect (yellow) you must select at least 1.  I'm not sure how to in one place to tell my inner vlan (vlan1).

  I want VLAN1 ports 1-8 on my Netgear switch used alone to talk to interface/0/1 on the ASA5505 port.  I don't want to NOT port 9-24 able to talk to ports 1-8 on the Netgear switch ports OR 0/0, 0/2 - 0 / 7 on the Cisco ASA 5505.

  So, how can I configure my inner Vlan1 on ports 1-8 on the switch?  Do mark, UNTAG, autodetect them?  What about tours?  I've been a bit the impression that I would set up my VLAN on both devices, then trunk port 1 and dedicate this port on both devices to nothing other than the sheath and the security of vlan would then take the packages where they need to go.  Is this the wrong logic?

  Hi Arvo,

  If the port of the ASA is just part of a single VLAN (i.e. e0/0 single door 11 VLAN), this is called an access port. If the port of the ASA had to carry several VLANs, it would constitute a Trunk port.

  To access ports (VLAN unique), you must set the switch corresponding to be unidentified for port this VLAN individual. If you decide to configure a trunk port, then the port of the switch must be set for labelling for each of VLAN who win the trunk.

  For example, ASA I have:

  interface Ethernet0/1
  switchport access vlan 20
  !
  interface Vlan20
  nameif inside
  security-level 100
  ip address 192.168.100.254 255.255.255.0
  

  With the above configuration, the configuration of the switch would look like this (assuming the e0/1 port of the SAA is connected to 0/1 on the switch):

  VLAN 20 - 0/1 = untagged

  If instead you use a trunk port, the config would look like this:

  interface Ethernet0/0
  switchport trunk allowed vlan 10,20
  switchport mode trunk
  !
  interface Vlan10
  nameif outside
  security-level 0
  ip address dhcp setroute
  !
  interface Vlan20
  nameif inside
  security-level 100
  ip address 192.168.100.254 255.255.255.0
  

  Assuming that the ASA e0/0 port is connected to 0/1 on the switch):

  VLAN 10 - 0/1 = tagged
  VLAN 20 - 0/1 = tagged
  

  Hope that helps.

  -Mike

• Query VLANS with Cisco configuration example

  List of expensive,

  I was wondering if there is an error on the Cisco documentation below.

  The schema and configuration shows the LWAPs attached to the switch on vlan 5, but the trunk to the WLC is pruning vlan 5.

  If this is true, how the LWAPP LWAPs with the WLC to talk?

  The proposed config is a few lines of the diagram below.

  Thanks for any comments.

  http://www.Cisco.com/en/us/products/ps6366/products_configuration_example09186a0080665cdf.shtml#DIA

  Chris.

  Management of the AP is on vlan 5, so there's no reason to be vlan 5 allowed on the trunk for the wlc.  Only the interfaces configured on the WLC should be allowed.

  Management, AP-Manager and all dynamic interfaces... service-port can be included, but should not be routable.

  Hope that explains it... If not let me know :)

• Problem of trunking routing\802.1 Q inter - VLAN SGE2000P - Cisco 2821

  I am to evaluate the EMS and is unable to get routing inter - VLAN to work on aid and the external router via a 802. 1 q trunk. I have a 2821 with 3 secondary interfaces and I use the VLAN 1 as the VLAN native. G0/0 on router is connected to the port of G1 to the port of the EMS. I can create a VLAN and devices in the VLANs can reach devices in their VLAN respective, but they can't get the router IP address to access the other subnets. Currently I have the port connected to the configuration of the router, as a trunk by using VLAN 1, which is not marked. The EMS has the latest firmware and I tried some types of access ports, general & trunk, changed the PVID, nothing has worked for the other ports on the switch. What would have taken two minutes on a Cisco Configuration switch left flabbergasted me, it could be a defective switch? I was not able to find documentation or examples of this configuration scenario.

  For reference, config the router interface:

  G0/0.1

  encapsulation dot1q 1 native

  IP 1.1.1.1 255.255.255.0

  G0/0.2

  encapsulation dot1q 2

  2.2.2.1 IP address 255.255.255.0

  G0/0.3

  encapsulation dot1q 3

  3.3.3.1 IP address 255.255.255.0

  Any help\direction is appreciated.

  Thank you

  Burt

  Burt Hello, good evening,

  Have you included the VLAN 2 and 3 on the trunk port and ensured that they are labeled?  It should be set to tagged.  The Web interface can be confusing with this config / operation.

  Please check this and let me know, and if necessary I'll lab this for you as well.  Please let me know,

  Andrew

• Cannot save the new DA with Cisco Smart Net Total Care

  I get the following error when configuring a Director of several browsers. I also cleared my browser cache.  Any ideas to go beyond this issue?

  "We encountered an error while processing your request. Please refresh this page or try again. »

  It was first recording attempt of DA, but group account has been used and we got after the support response:

  Thank you for your request to become a Managing Director for Smart Net Total Care. Unfortunately, this application using what appears to be a shared account. Cisco access policy requires that each account is associated with a single person, and this policy must be strictly applied when this account is used to manage access to other accounts. Smart Net Total Care registration must be performed by a competent person, using their individual Cisco.com account that clearly identifies them by name. Please re - submit a new registration request online by using your individual Cisco.com user ID. Once this request is received, we will proceed with your Smart NET Care total integration.

  Maybe there's some cleaning must be performed in the database before the client can retry to register?

  Best regards

  Resad

• AnyConnect + possible PSK (pre-shared key) as under with cisco vpn client ikev1 and ikev2

  Is it possible to create a VPN Anyconnect of RA with just the name of user and password + pre-shared key (Group) for the connection, as could do for ikev1 with cisco VPN client? I am running 8.4.X ASA code and looks like tunnel-group commands have 8.2.X somewhat change. If you change the group type of the tunnel for remote access, now there is no option for IKEv2 PSK. This is only available when you choose the type

  Type of TG_TEST FW1 (config) # tunnel - group?

  set up the mode commands/options:
  Site IPSec IPSec-l2l group
  Remote access using IPSec-IPSec-ra (DEPRECATED) group
  remote access remote access (IPSec and WebVPN) group
  WebVPN WebVPN Group (DEPRECATED)

  FW1(config-tunnel-General) # tunnel - group TG_TEST ipsec-attributes
  FW1(config-tunnel-IPSec) #?

  configuration of the tunnel-group commands:
  any required authorization request users to allow successfully in order to
  Connect (DEPRECATED)
  Allow chain issuing of the certificate
  output attribute tunnel-group IPSec configuration
  mode
  help help for group orders of tunnel configuration
  IKEv1 configure IKEv1
  ISAKMP policy configure ISAKMP
  not to remove a pair of attribute value
  by the peer-id-validate Validate identity of the peer using the peer
  certificate
  negotiation to Enable password update in RADIUS RADIUS with expiry
  authentication (DEPRECATED)

  FW1(config-tunnel-IPSec) # ikev1?

  the tunnel-group-ipsec mode commands/options:
  pre-shared key associate a key shared in advance with the connection policy

  I'm getting old so I hope that it is not in another complaint curmudgeonly on the loss of functionality. :)

  Many small businesses do not want to invest in the PKI. It is usually a pain to deploy, backup, make redundant, etc..

  But it would be nice to have a bit more security on VPN other than just the connections of username and password.

  If this is not possible, it is possible to configure the Anyconnect customer to IKEv1 with PSK and name at the level of the Group client?

  If this is not possible, WTH did cisco end customer VPN cisco as a choice of VPN connection (other than to get more fresh mail of license)?

  I really hope that something like this exists still!

  THX,

  WR

  You are welcome

  In addition to two factors, you can also do double authentication (ie the two using the user name and password). Each set of credentials can come from a Bank of different identities.

  With this scheme, you can can configure a local user name (common) with password on the SAA (think of it as your analog PSK) and the other be the AD user identification information.

• ISA500 site by site ipsec VPN with Cisco IGR

  Hello

  I tried a VPN site by site work with Openswan and Cisco 2821 router configuration an Ipsec tunnel to site by site with Cisco 2821 and ISA550.

  But without success.

  my config for openswan, just FYI, maybe not importand for this problem

  installation of config

  protostack = netkey

  nat_traversal = yes

  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%4:!$RIGHT_SUBNET

  nhelpers = 0

  Conn rz1

  IKEv2 = no

  type = tunnel

  left = % all

  leftsubnet=192.168.5.0/24

  right =.

  rightsourceip = 192.168.1.2

  rightsubnet=192.168.1.0/24

  Keylife 28800 = s

  ikelifetime 28800 = s

  keyingtries = 3

  AUTH = esp

  ESP = aes128-sha1

  KeyExchange = ike

  authby secret =

  start = auto

  IKE = aes128-sha1; modp1536

  dpdaction = redΘmarrer

  dpddelay = 30

  dpdtimeout = 60

  PFS = No.

  aggrmode = no

  Config Cisco 2821 for dynamic dialin:

  crypto ISAKMP policy 1

  BA aes

  sha hash

  preshared authentication

  Group 5

  lifetime 28800

  !

  card crypto CMAP_1 1-isakmp dynamic ipsec DYNMAP_1

  !

  access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255

  !

  Crypto ipsec transform-set ESP-AES-SHA1 esp - aes esp-sha-hmac

  crypto dynamic-map DYNMAP_1 1

  game of transformation-ESP-AES-SHA1

  match address 102

  !

  ISAKMP crypto key address 0.0.0.0 0.0.0.0

  ISAKMP crypto keepalive 30 periodicals

  !

  life crypto ipsec security association seconds 28800

  !

  interface GigabitEthernet0/0.4002

  card crypto CMAP_1

  !

  I tried ISA550 a config with the same constelations, but without suggesting.

  Anyone has the same problem?

  And had anyone has a tip for me, or has someone expirense with a site-by-site with ISA550 and Cisco 2821 ipsec tunnel?

  I can successfully establish a tunnel between openswan linux server and the isa550.

  Patrick,

  as you can see on newspapers, the software behind ISA is also OpenSWAN

  I have a facility with a 892 SRI running which should be the same as your 29erxx.

  Use your IOS Config dynmap, penny, you are on the average nomad. If you don't have any RW customer you shoul go on IOS "No.-xauth" after the isakmp encryption key.

  Here is my setup, with roardwarrior AND 2, site 2 site.

  session of crypto consignment

  logging crypto ezvpn

  !

  crypto ISAKMP policy 1

  BA 3des

  preshared authentication

  Group 2

  lifetime 28800

  !

  crypto ISAKMP policy 2

  BA 3des

  md5 hash

  preshared authentication

  Group 2

  lifetime 28800

  !

  crypto ISAKMP policy 3

  BA 3des

  preshared authentication

  Group 2

  !

  crypto ISAKMP policy 4

  BA 3des

  md5 hash

  preshared authentication

  Group 2

  !

  crypto ISAKMP policy 5

  BA 3des

  preshared authentication

  Group 2

  life 7200

  ISAKMP crypto address XXXX XXXXX No.-xauth key

  XXXX XXXX No.-xauth address isakmp encryption key

  !

  ISAKMP crypto client configuration group by default

  key XXXX

  DNS XXXX

  default pool

  ACL easyvpn_client_routes

  PFS

  !

  !

  Crypto ipsec transform-set esp-3des esp-sha-hmac FEAT

  !

  dynamic-map crypto VPN 20

  game of transformation-FEAT

  market arriere-route

  !

  !

  card crypto client VPN authentication list by default

  card crypto VPN isakmp authorization list by default

  crypto map VPN client configuration address respond

  10 VPN ipsec-isakmp crypto map

  Description of VPN - 1

  defined peer XXX

  game of transformation-FEAT

  match the address internal_networks_ipsec

  11 VPN ipsec-isakmp crypto map

  VPN-2 description

  defined peer XXX

  game of transformation-FEAT

  PFS group2 Set

  match the address internal_networks_ipsec2

  card crypto 20-isakmp dynamic VPN ipsec VPN

  !

  !

  Michael

  Please note all useful posts

• Cannot reset the user vmail with Cisco Unified CM Administration password

  We use Cisco Unified CM Administration ver 7.1 with Cisco 7945 IP phones. I have a user who came to tell me that they could access is no longer the voicemail, getting PIN disabled. Ichanged the PIN with the Cisco Unified CM Administration that accepts the new pin without problem, but when we try from the phone, it does not work. Any ideas... Thank you Don

  Hi Don,

  For voicemail partners changes/updates, you should choose

  2 cisco Unity Connection Administration.

  Then; Users > Find/list > user associated with selectect > drop-down Edit > change passwords >

  Change voicemail password

  See you soon!

  SoC

  "Spend your life waiting,
  a moment that all do not come.
  Well, don't waste your time waiting.

  -Springsteen

• Problem with Cisco ACS and different areas

  Hello

  We are conducting currently a problem with Cisco ACS that we put in place, and I'll try to describe:

  We have ACS related directory AD areas, where we have 2 domains and appropriate group mappings.

  Then we have our Cisco switches with the following configuration,

  AAA new-model

  AAA-authentication failure message ^ CCCC

  Failled to authenticate!

  Please IT networks Contact Group for more information.

  ^ C

  AAA authentication login default group Ganymede + local

  AAA authorization exec default group Ganymede + local

  AAA authorization network default group Ganymede + local

  AAA accounting exec default start-stop Ganymede group.

  orders accounting AAA 15 by default start-stop Ganymede group.

  !

  AAA - the id of the joint session

  But the problem is that with the users in a domain, we can authenticate, but not the other. Basically, the question is that when we check on the past of authentication, two authentications are passage and the display of 'Authentic OK', but on the side of the switch, there is a power failure.

  There may be something wrong with the ACS?

  Thank you

  Jorge

  Try increasing the timeout on IOS device using radius-server timeout 10.

  Do we not have journaling enabled on the ACS server remotely?

  -Philou

• How to configure the VLAN for Cisco SG500 - switch 28

  Hello

  First of all, it's my first post here, I hope that someone can help me and please be patient because I am very little known.

  OK, so let me explain to you the scénarion I face and I hope someone can help me.

  We have a Cisco SG500 - 28 port gigabit switch in our workplace.

  Our goal is to create 3 VLANs and separate networks between the various departments.

  Vlan1 (which is the default VLAN in the switch)-will be used for the COMPUTER service and management.

  VLAN100 - will be used for business.

  VLAN200 - will be used for clients who need to connect to internet via WiFi.

  I created VLAN100 and VLAN200, and VLAN1 is there by default.

  I want to use port 13 for VLAN200 and to connect the-Wifi access point there.

  The uplink is in port 25.

  I would be happy if you could explain things first to a more general, abstract level, and then we can look at the specific scenario that we have.

  SG500 Cisco - 28 Gets a Sophos UTM 9 router internet.

  I need to take care of the inter - VLAN routing so, subnet and DHCP

  Thanks in advance,

  Sincere greetings,

  D

  Hi Desmond, looking at this DHCP pool it looks correct.

  For the second part, you waant VLAN 200 only work on VLAN 200, that's fine. So if you have an access point, and everything on the VLAN 200 connects to the access point, you can make an access to this list. The access list is entered only, which means the inbound interface.

  So if you have a gateway connecting to #1 port. You'll need to build the access list and apply it to port number 1. That's assuming you make a list of access 'decline' subnet source IP of VLAN 200 destined for the other subnet, that you do not want access.

  The image on another post to fill out your reference numbers, then for the ACL link, it should be placed on the interface VLAN 200 first comes to the switch (IE, the port the access point connects, make sure that you choose to bind by port instead of per VLAN)

  -Tom
  Please mark replied messages useful
  http://blogs.Cisco.com/smallbusiness/

• How does them VLANS in Cisco UCS

  Hi guys,.

  I wanted to help better understand the notion VLANS in Cisco UCS.

  I ask this because even if we create a VLAN in UCSM but where can I define which port should apply this VLAN?

  Is it possible that this can be done by using the user interface or api XML?

  Thank you

  Hello

  All the VLANS created will be assigned to the uplink ports. There is no option to have on the same fabric of interconnection of VLANs on an uplink and other VLANs on another. As on the side of the blade, you choose what VLAN is assigned to a blade when you create the vNIC.

  Kind regards

  Bogdan

• SealthWatch intrgration with Cisco ISE-3315

  Hello Experts,

  I have Cisco ISE-3315 version 1.3

  Can I order and SealthWatch Lancop and use it with this series of ISE 3315? Or I must have the SNS?

  Hi Imran-

  3315 unit supports all personas running ISE 1.3

  http://www.Cisco.com/c/en/us/TD/docs/security/ISE/1-3/Release_notes/ise13_rn.html#pgfId-527567

  Now, that being said, don't forget that this devices has a lot less resources compared with the NHU devices. So, if you decided to run all personas on it then you will be greatly limited the number of concurrent endpoints.

  Thank you for evaluating useful messages!

• SX 20 with Cisco Call Manager

  Dear team,

  If I add the SX20 with Cisco Call Manager, do I need to install the software cmterm - s52010tc6_2_1.cop.sgn the SX20. If this isn't the case, then what I have to do, I can see only administrator external field in my SX20, where I gave my callmanager IP address but it is not save.

  BR

  Hello

  In order to save the SX20 in CUCM you for CUCM version 8.6.2 or later, and your SX20 must be running TC5 version or a later version.

  This file you mentioned, cmterm - s52010tc6_2_1.cop.sgn, is just a upgrade file that you install on CUCM, so that CUCM can update your point of SX20 endpoint automatically. But you can upgrade your SX20 manually using the file s52010tc6_2_1.pkg.

  To get help on how to register to CUCM SX20, take a look at these guides with the name "administer endpoints TC on CUCM". The Guide according to the version of CUCM you run:

  http://www.Cisco.com/en/us/partner/products/ps11424/prod_maintenance_guides_list.html

  I hope this helps.

  Concerning

  Paulo Souza

  My answer was helpful? Please note the useful answers and do not forget to mark questions resolved as "responded."

• can plan us the Conference from Outlook with Cisco TMS

  Hi team,

  is it possible to provide to the Conference by the prospect with Cisco TMS, we have no license to Exchange provisoning. Y at - it a plugin that can be used with Microsoft outlook.

  Please advise.

  See above for my response, either you need to purchase the license and install / configure Setup

  or you program something yourself.

  I would not exclude that there could be tools external hookin upward on the MSDS as well, but I'm not aware of anything.

  The other way is to do it by politics, rent rooms and is a participant dials up to the

  others or if the meeting is greater everyone connects the mcu...