[c-nsp] Aironet 1230 and multiple VLANs
Ruben Montes
Ruben.Montes at eu.didata.com
Wed Jun 8 10:07:11 EDT 2005
Hello,
An AP is an L2 device, so only one IP address is allowed. The sub-interfaces generated are the way to pass the different L2 information of the different VLANs through the AP, so they're L2 entities.
The management IP of the AP should be configured on the BVI interface instead.
Best regards,
Ruben Montes
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net on behalf of cisco-nsp-request at puck.nether.net
Sent: Wed 08/06/2005 16:00
To: cisco-nsp at puck.nether.net
CC:
Subject: cisco-nsp Digest, Vol 31, Issue 28
Today's Topics:
1. Aironet 1230 and multiple VLANs (Peter Hicks)
2. RE: Freeware tacacs and PIX enable authentication
(Oliver Boehmer (oboehmer))
3. Re: Aironet 1230 and multiple VLANs (Reuben Farrelly)
4. BGP Question (Mark Tohill)
5. RE: BGP Question (Tantsura, Jeff)
6. Re: BGP Question (Mark Tinka)
7. RE: BGP Question (David Barak)
8. Voice header compression Problem with IETF encapsulation
(Yasser Aly)
9. Re: BGP Question (Justin M. Streiner)
10. Pix counters (Voll, Scott)
11. PIX Training (Rieman, Jeffrey)
----------------------------------------------------------------------
Message: 1
Date: Wed, 8 Jun 2005 09:38:11 +0100
From: Peter Hicks <peter.hicks at poggs.co.uk>
Subject: [c-nsp] Aironet 1230 and multiple VLANs
To: cisco-nsp at puck.nether.net
Message-ID: <20050608083811.GA25459 at tufnell.lon1.poggs.net>
Content-Type: text/plain; charset=us-ascii
Hello
When running multiple VLANs to an Aironet AP, where do I set the IP address?
I've used Fa0.8 (management VLAN) but I have periodic errors in the log:
Jun 8 08:29:57.966: %IP_SNMP-3-SOCKET: can't open UDP socket
Jun 8 08:29:57.966: Unable to open socket on port 161
Is the FastEthernet sub-interface the right one to set an address on?
Should I be setting an address on the BVI interface instead?
Configuration is as follows:
interface FastEthernet0
 no ip address
 no ip route-cache
 speed 100
 full-duplex
!
interface FastEthernet0.8
 encapsulation dot1Q 8 native
 ip address 10.180.0.65 255.255.255.0
 no ip route-cache
 bridge-group 8
 no bridge-group 8 source-learning
 bridge-group 8 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 8 mode ciphers tkip
 !
 encryption vlan 10 key 1 size 128bit 7 $WEP_KEY transmit-key
 encryption vlan 10 mode wep mandatory
 !
 ...
!
interface Dot11Radio0.8
 encapsulation dot1Q 8 native
 no ip route-cache
 bridge-group 8
 bridge-group 8 subscriber-loop-control
 bridge-group 8 block-unknown-source
 no bridge-group 8 source-learning
 no bridge-group 8 unicast-flooding
 bridge-group 8 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
Peter.
------------------------------
Message: 2
Date: Wed, 8 Jun 2005 10:38:55 +0200
From: "Oliver Boehmer \(oboehmer\)" <oboehmer at cisco.com>
Subject: RE: [c-nsp] Freeware tacacs and PIX enable authentication
To: "Lora Ganeva" <lganeva at mobiltel.bg>, <cisco-nsp at puck.nether.net>
Message-ID:
<70B7A1CCBFA5C649BD562B6D9F7ED784C90343 at xmb-ams-333.emea.cisco.com>
Content-Type: text/plain; charset="us-ascii"
Lora Ganeva <> wrote on Wednesday, June 08, 2005 10:08 AM:
> I have a serious problem with making my PIX firewall authenticate its
> enable password with a freeware tac-plus server.
>
> I have made some tests and all I can see is that the enable
> authentication is rejected from the TACACS+.
>
> The following is my tacacs configuration:
>
> user = enable_15 {
>     default service = permit
>     login = cleartext cisco
> }
not 100% sure, but have you tried
user = $enab15$ {
    default service = permit
    login = cleartext cisco
}
At least this is what IOS sends as username for enable authentication..
oli
------------------------------
Message: 3
Date: Wed, 08 Jun 2005 20:52:55 +1200
From: Reuben Farrelly <reuben-cisco-nsp at reub.net>
Subject: Re: [c-nsp] Aironet 1230 and multiple VLANs
To: Peter Hicks <peter.hicks at poggs.co.uk>
Cc: cisco-nsp at puck.nether.net
Message-ID: <42A6B1E7.1030006 at reub.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hi Peter,
Peter Hicks wrote, On 8/06/2005 8:38 p.m.:
> Hello
>
> When running multiple VLANs to an Aironet AP, where do I set the IP address?
On the BVI interface.
> I've used Fa0.8 (management VLAN) but I have periodic errors in the log:
>
> Jun 8 08:29:57.966: %IP_SNMP-3-SOCKET: can't open UDP socket
> Jun 8 08:29:57.966: Unable to open socket on port 161
>
> Is the FastEthernet sub-interface the right one to set an address on?
> Should I be setting an address on the BVI interface instead?
Yes. Remove all IP addresses not on the BVI interface, my understanding is
that they are not supported and arguably not necessary either since you should
be having the sub Dot interface and FastEthernet interface in the same bridge
group(s). As the thing doesn't route (it only bridges), it doesn't need an IP
address for anything other than management via the BVI1.
Don't bridge your management VLAN through to a Dot sub interface - unless you
want to be able to manage the devices via the radio. Generally this is a bad
idea for security reasons.
Seems that you could almost get away with IP addresses on the FastEthernet
subs earlier, but latest versions of IOS for these devices grok on it and
you'll get that message you are seeing.
Two other gotchas for these devices:
1. Your BVI1 must have the management IP address and must be on your
native/untagged VLAN. The device expects that to be VLAN1. If however, your
management VLAN on the network is vlan 8, then set the native VLAN on the
switch port feeding this device to be vlan 8, so that VLAN8/management traffic
is untagged and therefore on the same layer 2 network as BVI1.
2. You can only have 1 BVI1, or rather, only one is supported. I think it
allows you to set more than one up, but you're not supposed to do this.
They are two slightly annoying gotchas which trick young players, especially
if like me the first time I configured one, you had an expectation that
because it's IOS it must be easy to configure and that if it lets you do
things then they must be supported or at least semi-useful........
Reuben
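
An added example, not part of the original messages and not a Cisco tool: a small Python check that applies the points from the reply above (IP addresses only on the BVI, management/native VLAN not bridged to a radio sub-interface) to an Aironet-style configuration. The `POSTED` sample is constructed from the configuration in the thread, and the finding labels are hypothetical names chosen for this example.

```python
import re

# Constructed sample: the shape of the configuration posted in the thread,
# trimmed to the lines the checks look at.
POSTED = """\
interface FastEthernet0.8
 encapsulation dot1Q 8 native
 ip address 10.180.0.65 255.255.255.0
 bridge-group 8
interface Dot11Radio0.8
 encapsulation dot1Q 8 native
 bridge-group 8
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
"""

def parse_interfaces(config):
    """Map interface name -> its sub-commands (lower-cased). Indentation is not
    required (archived configs often lose it); a block runs to the next 'interface'."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current and line and line != "!":
            blocks[current].append(line.lower())
    return blocks

def audit(config):
    """Return (interface, finding) pairs; finding labels are hypothetical."""
    findings, bvi_has_ip = [], False
    for name, cmds in parse_interfaces(config).items():
        is_bvi = name.lower().startswith("bvi")
        has_ip = any(c.startswith("ip address ") for c in cmds)
        native = any(re.fullmatch(r"encapsulation dot1q \d+ native", c) for c in cmds)
        bvi_has_ip = bvi_has_ip or (is_bvi and has_ip)
        if has_ip and not is_bvi:
            findings.append((name, "ip-address-outside-bvi"))
        if native and name.lower().startswith("dot11radio"):
            findings.append((name, "management-vlan-on-radio"))
    if not bvi_has_ip:
        findings.append(("BVI", "no-management-address"))
    return findings

if __name__ == "__main__":
    for iface, finding in audit(POSTED):
        print(f"{iface}: {finding}")
```

The `management-vlan-on-radio` finding is a prompt to review rather than an error, since the reply allows it when management over the radio is intended.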
------------------------------
Message: 4
Date: Wed, 8 Jun 2005 10:09:27 +0100
From: "Mark Tohill" <Mark at u.tv>
Subject: [c-nsp] BGP Question
To: <cisco-nsp at puck.nether.net>
Message-ID:
<658F94741F4A8A4F94171E37E417488B0A3114 at UTVEXCHANGE.utv.local>
Content-Type: text/plain; charset="us-ascii"
Hi ,
Another BGP question.
If we peer with an upstream provider 'piggybacking' on their AS due to
legacy issues, can we announce a new portion of address space via the
network statement on our iBGP peers. Will this get announced to the
Net, or does also need done at eBGP peers i.e our upstreams edge
routers?
I suppose what I'm asking here is does information from iBGP routers get
propagated to eBGP routers and onward.
The more I think I understand BGP, the more I don't.
Thanks,
Mark.
------------------------------
Message: 5
Date: Wed, 8 Jun 2005 11:36:03 +0200
From: "Tantsura, Jeff" <jtantsura at ugceurope.com>
Subject: RE: [c-nsp] BGP Question
To: "'Mark Tohill'" <Mark at u.tv>, cisco-nsp at puck.nether.net
Message-ID: <1FDCE9F824991441A7CE1CFBB0CED37402EFD195 at nlcbbms02>
Content-Type: text/plain
Mark,
It's quite normal to originate routes somewhere in your network and then
advertise these via IBGP to borders. Aggregation is usually configured on
borders.
--
Jeff Tantsura CCIE# 11416
Senior IP Network Engineer
-----Original Message-----
From: Mark Tohill [mailto:Mark at u.tv]
Sent: 08 June 2005 11:09
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] BGP Question
Hi ,
Another BGP question.
If we peer with an upstream provider 'piggybacking' on their AS due to
legacy issues, can we announce a new portion of address space via the
network statement on our iBGP peers. Will this get announced to the
Net, or does also need done at eBGP peers i.e our upstreams edge
routers?
I suppose what I'm asking here is does information from iBGP routers get
propagated to eBGP routers and onward.
The more I think I understand BGP, the more I don't.
Thanks,
Mark.
------------------------------
Message: 6
Date: Wed, 8 Jun 2005 11:37:06 +0200
From: Mark Tinka <mtinka at africaonline.co.sz>
Subject: Re: [c-nsp] BGP Question
To: cisco-nsp at puck.nether.net
Cc: Mark Tohill <Mark at u.tv>
Message-ID: <200506081137.07761.mtinka at africaonline.co.sz>
Content-Type: text/plain; charset="iso-8859-1"
On Wednesday 08 June 2005 11:09, Mark Tohill wrote:
> Hi ,
Hello.
> I suppose what I'm asking here is does information
> from iBGP routers get propagated to eBGP routers and
> onward.
In short, yes. An example:
I have 2 routers talking iBGP between my PoP and some
exchange, and the router at the exchange talks eBGP to
other routers connected at that exchange:
PoP Router<--iBGP-->Exchange Router<--eBGP-->Peers
Routes being originated from my PoP router get announced
to my exchange router via iBGP, which in turn
re-advertises said routes to the other peers via eBGP
(filtering issues taken into consideration, of course).
Mark.
------------------------------
Message: 7
Date: Wed, 8 Jun 2005 04:13:24 -0700 (PDT)
From: David Barak <thegameiam at yahoo.com>
Subject: RE: [c-nsp] BGP Question
To: cisco-nsp at puck.nether.net
Message-ID: <20050608111325.27618.qmail at web31803.mail.mud.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1
--- "Tantsura, Jeff" <jtantsura at ugceurope.com> wrote:
> Mark,
>
> It's quite normal to originate routes somewhere in
> your network and then
> advertise these via IBGP to borders. Aggregation is
> usually configured on
> borders.
That's a hard way to do it from a scaling perspective.
The easier way is to originate your aggregate
networks in the core, and then have prefix filters
which deny your more specific announcements at the
edge. It's much easier to add an edge device or a new
route that way.
David Barak
Need Geek Rock? Try The Franchise:
http://www.listentothefranchise.com
------------------------------
Message: 8
Date: Wed, 8 Jun 2005 06:38:25 -0700 (PDT)
From: Yasser Aly <yaseraly00 at yahoo.com>
Subject: [c-nsp] Voice header compression Problem with IETF
encapsulation
To: cisco-nsp at puck.nether.net, cisco-voip at puck.nether.net
Message-ID: <20050608133825.46490.qmail at web51902.mail.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1
Hello,
I am trying to apply rtp header compression on a frame-relay interface.
I am using the configuration below, but an error pops up showing that header compression is not supported with IETF encapsulation. I have to use IETF as the other end of this connection is over an ATM interface, so Frame-Relay to ATM internetworking is in the middle. What can be done to solve this problem?
Configuration Below:
==============
interface Serial0/0
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
error message while adding the ip rtp header compression or fr ip rtp header compression:
Router(config)#interface Serial0/0
Router(config-if)#ip rtp header-compression
%Interface is set for IETF encapsulation! IP header compression is supported only over CISCO encapsulation!
Router(config-if)#
Router(config-if)#frame-relay ip rtp header-compression
%Interface is set for IETF encapsulation! IP header compression is supported only over CISCO encapsulation!
------------------------------
Message: 9
Date: Wed, 8 Jun 2005 09:43:16 -0400 (EDT)
From: "Justin M. Streiner" <streiner at cluebyfour.org>
Subject: Re: [c-nsp] BGP Question
To: cisco-nsp at puck.nether.net
Message-ID: <Pine.LNX.4.63.0506080939370.17160 at whammy.cluebyfour.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
On Wed, 8 Jun 2005, Mark Tohill wrote:
> If we peer with an upstream provider 'piggybacking' on their AS due to
> legacy issues, can we announce a new portion of address space via the
> network statement on our iBGP peers. Will this get announced to the
> Net, or does also need done at eBGP peers i.e our upstreams edge
> routers?
Assuming you get the new IP space from that upstream provider, or
possibly provider-independent space from your local RIR (ARIN, RIPE,
APNIC, etc), it should be OK. Different providers will have different
policies, but typically semi-private ASNs like AS7046 for UUNET are only
to be used by customers who only have connectivity with that AS.
> I suppose what I'm asking here is does information from iBGP routers get
> propagated to eBGP routers and onward.
If you're doing a semi-private AS arrangement with your upstream, they
will probably be speaking EBGP since the AS you're in will likely be
different than the provider's backbone AS.
jms
------------------------------
Message: 10
Date: Wed, 8 Jun 2005 06:50:51 -0700
From: "Voll, Scott" <Scott.Voll at wesd.org>
Subject: [c-nsp] Pix counters
To: <cisco-nsp at puck.nether.net>
Message-ID: <D713462ED535184D830F6F6301753E7E01511F01 at VISHNU.wesd.org>
Content-Type: text/plain; charset="us-ascii"
Is there any way to clear the interface counters on a Pix running FOS
6.3.4?
Thanks
Scott
------------------------------
Message: 11
Date: Wed, 8 Jun 2005 09:59:44 -0400
From: "Rieman, Jeffrey" <j-rieman at onu.edu>
Subject: [c-nsp] PIX Training
To: <cisco-nsp at puck.nether.net>
Message-ID:
<80031118BC777C4B87B736243BD2D0DC02ED733F at onuex2k.ad.onu.edu>
Content-Type: text/plain; charset="us-ascii"
Can anyone recommend a hands on cisco pix training program in the
Cincinnati area?
Thanks!
---
Jeff Rieman
Network Manager
Ohio Northern University
(419) 772-2497
j-rieman at onu.edu
"The ultimate measure of a man is not where
he stands in moments of comfort and convenience,
but where he stands at times of challenge and controversy."
-Dr. Martin Luther King Jr.
------------------------------
End of cisco-nsp Digest, Vol 31, Issue 28
*****************************************