Clarification on VLANS native and management

Discussion in 'Cisco' started by madmax, Mar 12, 2006.

  1. madmax

    madmax Guest

    Hello Group,

    I am wondering if someone can clarify a configuration for me. I posted
    earlier regarding this but my post may have confused people. So here
    goes,

    In our company we have a Cisco 871 router (with the 4-port switch built
    in), a 2950 switch and a 1231 Access Point. We are trying to configure
    VLANs to support guest internet access and corporate internet access on
    the Access Point. All the documentation states that for good security you should
    place all trunk ports in a VLAN that is not being used on any other
    port. Our configuration is as follows.

    Router
    interface FastEthernet0
    switchport trunk native vlan 4
    switchport mode trunk

    interface Vlan2 (corporate VLAN)
    ip address 192.168.10.0 255.255.255.0

    interface Vlan3 (guest internet access)
    ip address 172.16.29.1 255.255.255.0

    interface Vlan4 (trunk VLAN)
    ip address 172.16.99.1 255.255.255.0

    VLAN1 is disabled

    Switch

    interface FastEthernet0/24 (trunk port)
    switchport trunk native vlan 4
    switchport mode trunk

    interface Vlan2
    ip address 192.168.10.2 255.255.255.0

    interface Vlan1 is shutdown

    Access Point

    interface BVI1
    ip address 172.16.99.11 255.255.255.0

    interface Dot11Radio0.2 (corporate VLAN)
    bridge-group 2

    interface Dot11Radio0.3 (guest VLAN)
    bridge-group 3

    interface Dot11Radio0.4 (native VLAN)
    bridge-group 1

    interface FastEthernet0.2
    bridge-group 2

    interface FastEthernet0.4
    bridge-group 4
    encapsulation dot1Q 4 native

    So my question is: I have the native VLAN on the switch, AP and router
    set up for VLAN 4. Should the IP address of the AP's BVI1 interface be
    in the 192.168.10.0/24 range, or is it correct to place it in the VLAN 4
    range of 172.16.99.0/24? If I change the IP address of the access
    point to 192.168.10.12/24 everything seems to work, but if I leave it as
    172.16.99.12/24 I can authenticate to the radio but cannot pull down
    an IP address, or if I manually assign myself one I cannot ping anything
    at all. Another point is that if I assign the access point an IP
    address of 192.168.10.12/24 everything seems to work, but I can no longer
    manage the AP or ping it from a PC on the 192.168.10.0/24 network
    unless I configure a switch port for switchport access vlan 4 and then
    use a PC connected to that. Right now I do not have any restrictions on
    the router in terms of access-lists.

    Thank you very much,

    Joe
     
    madmax, Mar 12, 2006
    #1

  2. Hi Joe,

    (I guess I should have read all your postings before responding to any
    of them ... this is why it's best practice to post your followups using
    the same subject line.)

    Anyway ... this is a misconfiguration. It is required that BVI1/bridge-group 1
    on the AP be in the native VLAN. In the config below, there is no wired
    VLAN in bridge-group 1, so nobody on the wired side is going to be able
    to talk to this AP.

    If you want for some reason to call your native VLAN "4" rather than "1"
    (although see my last posting for a reason why not), then you should
    configure your AP like this:

    interface FastEthernet0.4
    encapsulation dot1Q 4 native
    bridge-group 1

    Aaron

    ---


    ~ Hello Group,
    ~
    ~ I am wondering if someone can clarify a configuration for me. I posted
    ~ earlier regarding this but my post may have confused people. So here
    ~ goes,
    ~
    ~ In our company we have a Cisco 871 router (with the 4-port switch built
    ~ in), a 2950 switch and a 1231 Access Point. We are trying to configure
    ~ VLANs to support guest internet access and corporate internet access on
    ~ the Access Point. All the documentation states that for good security you should
    ~ place all trunk ports in a VLAN that is not being used on any other
    ~ port. Our configuration is as follows.
    ~
    ~ Router
    ~ interface FastEthernet0
    ~ switchport trunk native vlan 4
    ~ switchport mode trunk
    ~
    ~ interface Vlan2 (corporate VLAN)
    ~ ip address 192.168.10.0 255.255.255.0
    ~
    ~ interface Vlan3 (guest internet access)
    ~ ip address 172.16.29.1 255.255.255.0
    ~
    ~ interface Vlan4 (trunk VLAN)
    ~ ip address 172.16.99.1 255.255.255.0
    ~
    ~ VLAN1 is disabled
    ~
    ~ Switch
    ~
    ~ interface FastEthernet0/24 (trunk port)
    ~ switchport trunk native vlan 4
    ~ switchport mode trunk
    ~
    ~ interface Vlan2
    ~ ip address 192.168.10.2 255.255.255.0
    ~
    ~ interface Vlan1 is shutdown
    ~
    ~ Access Point
    ~
    ~ interface BVI1
    ~ ip address 172.16.99.11 255.255.255.0
    ~
    ~ interface Dot11Radio0.2 (corporate VLAN)
    ~ bridge-group 2
    ~
    ~ interface Dot11Radio0.3 (guest VLAN)
    ~ bridge-group 3
    ~
    ~ interface Dot11Radio0.4 (native VLAN)
    ~ bridge-group 1
    ~
    ~ interface FastEthernet0.2
    ~ bridge-group 2
    ~
    ~ interface FastEthernet0.4
    ~ bridge-group 4
    ~ encapsulation dot1Q 4 native
    ~
    ~ So my question is: I have the native VLAN on the switch, AP and router
    ~ set up for VLAN 4. Should the IP address of the AP's BVI1 interface be
    ~ in the 192.168.10.0/24 range, or is it correct to place it in the VLAN 4
    ~ range of 172.16.99.0/24? If I change the IP address of the access
    ~ point to 192.168.10.12/24 everything seems to work, but if I leave it as
    ~ 172.16.99.12/24 I can authenticate to the radio but cannot pull down
    ~ an IP address, or if I manually assign myself one I cannot ping anything
    ~ at all. Another point is that if I assign the access point an IP
    ~ address of 192.168.10.12/24 everything seems to work, but I can no longer
    ~ manage the AP or ping it from a PC on the 192.168.10.0/24 network
    ~ unless I configure a switch port for switchport access vlan 4 and then
    ~ use a PC connected to that. Right now I do not have any restrictions on
    ~ the router in terms of access-lists.
    ~
    ~ Thank you very much,
    ~
    ~ Joe
     
    Aaron Leonard, Mar 13, 2006
    #2

  3. madmax

    madmax Guest

    Hello Aaron,

    Sorry about posting twice. So much to learn. Thanks for your help. I
    guess I am still confused a little regarding the native VLAN on the
    access point and want to understand completely. I have researched this
    extensively but remain a bit cloudy on this. So the question I have is:
    can I assign VLAN 1 on the Access Point as native and have the switch
    port it is attached to as switchport trunk native vlan 4, or must the
    switch port be switchport trunk native vlan 1 if the Access Point's
    native VLAN is 1? A diagram follows. Is this diagram correct?


    Thanks,

    Joe

    2950 Switch
    ----------
    interface FastEthernet0/23 (to access point)
    switchport trunk native vlan 4
    switchport mode trunk
    interface Vlan2
    ip address 192.168.10.2/24
    interface FastEthernet0/24 (to Cisco 871 Router)
    switchport trunk native vlan 4
    switchport mode trunk
    |
    |
    |
    Cisco 871 Router
    ----------------
    interface FastEthernet0
    switchport trunk native vlan 4
    switchport mode trunk

    interface Vlan2 (corporate users)
    ip address 192.168.10.1/24
    interface Vlan3 (wireless guest access VLAN)
    ip address 172.16.29.1/24
    interface Vlan4 (trunk VLAN)
    ip address 172.16.99.1/24

    Cisco 1231 AP (connected to switch FastEthernet0/23 port)
    ---------------------------------------------------------
    interface Dot11Radio0.2
    bridge-group 2
    interface Dot11Radio0.3
    bridge-group 3
    interface Dot11Radio0.4
    encapsulation dot1Q 4 native
    bridge-group 1
    interface FastEthernet0.2
    bridge-group 2
    interface FastEthernet0.3
    bridge-group 3
    interface FastEthernet0.4
    encapsulation dot1Q 4 native
    bridge-group 1
    interface BVI1
    ip address 172.16.99.12/24
     
    madmax, Mar 13, 2006
    #3
  4. Hi Joe,

    ~ Sorry about posting twice. So much to learn. Thanks for your help. I
    ~ guess I am still confused a little regarding the Native Vlan on the
    ~ access point and want to understand completely.

    No worries; I've spent plenty of time being confused on this point myself ...

    ~ I have researched this
    ~ extensively but remain a bid cloudy on this. So the question I have is
    ~ can I assign VLAN1 on the Access Point as native and have the switch
    ~ port it is attached to as switchport trunk native vlan 4? or must the
    ~ switch port be switchport trunk native vlan 1 if the Access point's
    ~ native vlan is 1.

    OK, so here's the key:

    If you are doing 802.1q trunking, then the VLAN IDs for each frame are
    carried in the frame header. If one side is sending out frames tagged
    VLAN 47 but the other side is not configured for VLAN 47, then those
    frames will go into the bit bucket. So VLAN n on one side of the trunk
    has to match up to VLAN n on the other side of the trunk.

    BUT there is an exception: the "native" VLAN, meaning the UNTAGGED VLAN [*].
    Since the native VLAN is untagged, one side of the trunk can call
    the native VLAN 1 and the other side can call the native VLAN 4, and neither
    will be any the wiser ... the number assigned to the NATIVE VLAN is only
    of local significance.

    ~ A diagram follows; Is this diagram correct?

    Yes, I believe this is correct (but for one small issue[**]):

    BVI1 on the AP is 172.16.99.12/24
    bridge-group 1 on the AP bridges to FastE0.4 which is configured for "native VLAN4"

    So the AP is in subnet 172.16.99/24 in the native VLAN.

    The switch is configured with native VLAN "4" on both the trunk to
    the AP and the trunk to the 871.

    The 871 is configured with native VLAN 4 and with 172.16.99.1/24 on
    interface VLAN4.

    Therefore, I predict that 172.16.99.1 and 172.16.99.12 will be able to
    ping each other.

    Cheers,

    Aaron

    ---

    Notes.

    [*] This assumes that the switch is configured for the native VLAN to be
    untagged. If the switch is configured for a tagged native VLAN, then the
    AP's management interface will not be reachable.

    [**] The problem with calling the AP's native VLAN "4" rather than "1"
    is that the AP will always transmit its CDP packets on VLAN 1 (even if
    VLAN 1 isn't explicitly configured). In this case, since VLAN "4" is
    native, CDP will be transmitted in TAGGED VLAN 1. The switch might be
    unable to understand this (unless you have explicitly configured a
    tagged VLAN 1 on the switch). So if you really, really want to call
    the native VLAN "4" on the switch, then it's best to call the native
    VLAN "1" on the AP.

    ---

    Aaron Leonard, Mar 13, 2006
    #4
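The rules Aaron lays out above (tagged VLAN n must exist on both ends or the frame goes to the bit bucket; the native VLAN travels untagged so its number is only locally significant; a tagged native VLAN per note [*] and the AP's CDP-on-VLAN-1 behaviour per note [**]) can be checked against a small model. The following Python is an added illustration written for this thread, not Cisco code and not anything posted by Joe or Aaron; the port names, the `TrunkPort`/`Frame` classes and the drop rule for a tagged frame carrying the receiver's untagged native VLAN ID are assumptions of the model, chosen to match the notes above rather than any particular IOS release.

```python
"""Toy model of an 802.1Q trunk between two devices, e.g. a 2950 switch port and an
Aironet AP's FastEthernet trunk. Constructed for illustration; not Cisco code.
Rules encoded (taken from the thread): tagged VLAN n must be configured on both
ends, the native VLAN is sent untagged and its number is local to each end, a tagged
native VLAN is dropped by a peer expecting it untagged (note [*]), and the AP
always emits CDP in VLAN 1 (note [**]).
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

CDP_MULTICAST = "01:00:0c:cc:cc:cc"  # well-known CDP destination MAC


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vid: Optional[int]  # 802.1Q VLAN ID carried in the tag, or None for an untagged frame
    payload: str


@dataclass
class TrunkPort:
    """One end of an 802.1Q trunk (hypothetical model class)."""
    name: str
    native_vlan: int               # the local number given to the untagged VLAN
    tagged_vlans: FrozenSet[int]   # VLANs this end is explicitly configured to tag
    tag_native: bool = False       # True models a switch that tags its native VLAN

    def egress(self, vlan: int, src: str, dst: str, payload: str) -> Optional[Frame]:
        """Encapsulate a frame leaving local VLAN `vlan`; None if that VLAN is not on the trunk."""
        if vlan == self.native_vlan:
            return Frame(src, dst, vlan if self.tag_native else None, payload)
        if vlan in self.tagged_vlans:
            return Frame(src, dst, vlan, payload)
        return None

    def ingress(self, frame: Frame) -> Optional[int]:
        """Classify an arriving frame into a local VLAN; None means 'bit bucket'."""
        if frame.vid is None:
            return self.native_vlan                 # untagged -> whatever this end calls native
        if frame.vid == self.native_vlan and self.tag_native:
            return self.native_vlan                 # tagged native is accepted only if expected
        if frame.vid in self.tagged_vlans:
            return frame.vid
        return None  # assumption from note [*]: unexpected tag, including a tagged native, is dropped


def send(src_port: TrunkPort, dst_port: TrunkPort, vlan: int) -> Optional[int]:
    """VLAN the far end files the frame under, or None if it is dropped at either end."""
    frame = src_port.egress(vlan, src_port.name, dst_port.name, "data")
    return None if frame is None else dst_port.ingress(frame)


def ap_cdp_frame(ap: TrunkPort) -> Frame:
    """Note [**]: the AP sends CDP in VLAN 1, untagged only when VLAN 1 is its native VLAN."""
    return Frame(ap.name, CDP_MULTICAST, None if ap.native_vlan == 1 else 1, "cdp")


def audit_trunk(a: TrunkPort, b: TrunkPort) -> List[str]:
    """Consistency checks to run on both ends of a trunk before trusting it."""
    findings = []
    for only_here, missing_on in ((a.tagged_vlans - b.tagged_vlans, b),
                                  (b.tagged_vlans - a.tagged_vlans, a)):
        for v in sorted(only_here):
            findings.append(f"tagged VLAN {v} is not configured on {missing_on.name}; its frames will be dropped")
    if a.tag_native != b.tag_native:
        findings.append("native VLAN is tagged on one end and untagged on the other; native traffic will be dropped")
    if a.native_vlan != b.native_vlan:
        findings.append(f"native VLAN numbers differ ({a.native_vlan} vs {b.native_vlan}); "
                        "harmless for untagged traffic but easy to misread when troubleshooting")
    return findings


def thread_scenarios() -> dict:
    """Joe's final layout (switch native 4, AP native 1 as Aaron recommends) plus the two failure cases."""
    switch = TrunkPort("2950 Fa0/23", native_vlan=4, tagged_vlans=frozenset({2, 3, 47}))
    ap = TrunkPort("AP1231 Fa0", native_vlan=1, tagged_vlans=frozenset({2, 3}))
    tagging_switch = TrunkPort("2950 Fa0/23 (tagged native)", 4, frozenset({2, 3}), tag_native=True)
    ap_native4 = TrunkPort("AP1231 Fa0 (native 4)", native_vlan=4, tagged_vlans=frozenset({2, 3}))
    return {
        "mgmt_switch_to_ap": send(switch, ap, 4),                    # switch VLAN 4 arrives as the AP's native "1"
        "mgmt_ap_to_switch": send(ap, switch, 1),                    # and comes back as the switch's "4"
        "corp_vlan_matches": send(switch, ap, 2),                    # tagged 2 on both ends: delivered
        "vlan47_bit_bucket": send(switch, ap, 47),                   # tagged 47 unknown to the AP: dropped
        "tagged_native_drops_mgmt": send(tagging_switch, ap, 4),     # note [*]: management unreachable
        "cdp_ap_native4": switch.ingress(ap_cdp_frame(ap_native4)),  # note [**]: tagged VLAN 1, dropped
        "cdp_ap_native1": switch.ingress(ap_cdp_frame(ap)),          # untagged CDP lands in switch VLAN 4
    }


if __name__ == "__main__":
    for name, result in thread_scenarios().items():
        print(f"{name:26s} -> {result}")
```

Running the block prints the VLAN each scenario ends up in; `audit_trunk` is the check worth running on a real pair of configs, since the two conditions it flags (a VLAN tagged on only one end, and a native VLAN tagged on only one end) are exactly the ones that silently drop the AP's management traffic in the thread.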
  5. madmax

    madmax Guest

    Hello again Aaron,

    Finally I understand. Thank you very much for clearing things up for
    me. As you know already in the IT world you need to read as much as
    possible and ask a lot of questions. I always want to do things the
    right way. I do understand now and I thank you again. Everything
    works great now.

    Joe
     
    madmax, Mar 14, 2006
    #5
  7. madmax

    madmax Guest

    Hello again Aaron,

    Finally I understand. Thank you very much for clearing things up for
    me. As you know already in the IT world you need to read as much as
    possible and ask a lot of questions. I always want to do things the
    right way. I do understand now and I thank you again.

    Joe
     
    madmax, Mar 14, 2006
    #7