06-05-2012 05:38 AM
Guys, an important question, please be patient and read the brief...
I have this situation where I want to deploy 3 IAP-93 (Instant), and there is a dot1x policy on the ports, so we connected them to a trunk and gave them IPs from the native VLAN. They want two with the same SSID, and the other one with a different SSID and the join mode feature disabled, and I configured them manually with the IPs and so on. So if I put in the two, they will broadcast and the other will not, and if I turn off those two, the other one will work and broadcast.
So, I think there is a conflict, that there are maybe two masters!! on the same VLAN.... Please, any thoughts???
Or a solution...
06-05-2012 07:57 AM
Thanks a lot, man....
But do you mean to disallow the native VLAN?? Or the network (SSID) VLAN??
Because they have the security policy on the ACS (Cisco), and they can give IPs to the IAPs from the management (native) VLAN.
They have it like this:
- the management VLAN (127);
- the user network (VLAN 70) - on 2 IAPs;
- another user network (VLAN 71) - on 1 IAP.
06-05-2012 08:02 AM
I think what Sassy is saying is that you need to separate the clusters by VLAN. You can't have IAPs on the same VLAN in two different clusters (AFAIK - please correct me if I am mistaken).
Put the two IAPs on VLAN 127 and the other IAP on VLAN 128 (for example). The users can be on the same VLAN or not, but the management function needs to be split.
06-05-2012 08:10 AM
The problem is that, because of the security policy of these guys, they cannot put them on different VLANs.... So, I guess there is no solution per the given criteria to be on the same VLAN?? Or a workaround??
06-05-2012 08:23 AM
What I mean, Shashi, is: the networks are on different VLANs, but the IAPs have static IPs from the native management VLAN, and that's their policy. They have dot1x security on the (access) ports, so we have to use trunk ports from the switch, because the IAP cannot authenticate.
But when we run all the IAPs, a conflict occurs, I think: the first one to broadcast will be normal, and the others will freeze at the "master election" point. So that's what I asked: even if I disabled the auto join mode, it still looks like a conflict, because maybe there are two masters????
Appreciate your answers,
06-05-2012 08:31 AM
Ah I see - so it was what I understood the first time around :)
For example, IAP 1 is on VLAN 10 and IAP 2 is on VLAN 20. The ports on the switch that you have physically connected the IAPs to are trunk ports. Say IAP 1 is connected to gige 1/0 and IAP 2 is connected to gige 2/0.
For example, from cisco documentation:
"By default, a trunk port sends traffic to and receives traffic from all VLANs. All VLAN IDs are allowed on each trunk. However, you can remove VLANs from this inclusive list to prevent traffic from the specified VLANs from passing over the trunk. You can add any specific VLANs later that you may want the trunk to carry traffic for back to the list."
For your setup, you can do something like the following (this is from memory, so please check proper documentation for the right commands):
switchport mode trunk
switchport trunk native vlan 10
switchport trunk allowed vlan except 20
This will prevent the IAPs from "hearing" each other and they will become masters in their own network.
Let me know if this helps.
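To make the reasoning in this thread concrete, here is an added example (not from the thread or from any Aruba or Cisco tool) that models which IAPs end up in the same broadcast domain given the switchport configuration of their trunk ports. It assumes, as the posts above describe, that an IAP's cluster discovery and master election run on untagged traffic, that a Cisco trunk maps untagged frames to its native VLAN, and that a VLAN has to be in the port's allowed list for frames to cross the trunk. The IAP names, the intended cluster assignment and the configurations are constructed for the example; the "before" case is the thread's situation (all three IAPs on native VLAN 127) and the "after" case moves the third IAP to its own native VLAN.

```python
"""Model which Instant APs can hear each other across Cisco trunk ports.

Assumptions (not taken from the thread): cluster discovery is untagged, a
trunk maps untagged frames to its native VLAN, and only VLANs in the port's
allowed list cross the trunk. APs whose untagged traffic lands on the same
VLAN take part in the same master election.
"""
from collections import defaultdict

# Cisco IOS VLAN ID range; "allowed vlan all" means every one of these.
ALL_VLANS = frozenset(range(1, 4095))


def parse_vlan_list(text):
    """Parse an IOS VLAN list such as '10,20,30-32' into a set of ints."""
    result = set()
    for part in text.split(","):
        if "-" in part:
            low, high = part.split("-")
            result.update(range(int(low), int(high) + 1))
        else:
            result.add(int(part))
    return result


def parse_switchport(config_lines):
    """Return (native_vlan, allowed_vlans) for one interface's switchport lines.

    IOS defaults: native VLAN 1 and all VLANs allowed on the trunk.
    """
    native = 1
    allowed = set(ALL_VLANS)
    for raw in config_lines:
        words = raw.strip().lower().split()
        if words[:4] == ["switchport", "trunk", "native", "vlan"]:
            native = int(words[4])
        elif words[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            keyword = words[4]
            vlans = parse_vlan_list(words[5]) if len(words) > 5 else set()
            if keyword == "all":
                allowed = set(ALL_VLANS)
            elif keyword == "none":
                allowed = set()
            elif keyword == "except":
                allowed = set(ALL_VLANS) - vlans
            elif keyword == "add":
                allowed |= vlans
            elif keyword == "remove":
                allowed -= vlans
            else:  # a bare list replaces the whole allowed set
                allowed = parse_vlan_list(keyword)
    return native, allowed


def management_vlan(native, allowed):
    """VLAN the AP's untagged traffic reaches, or None if the trunk prunes its own native VLAN."""
    return native if native in allowed else None


def cluster_groups(ap_ports):
    """Group APs by the VLAN their untagged traffic lands on: one group, one election."""
    groups = defaultdict(list)
    for ap_name, lines in ap_ports.items():
        vlan = management_vlan(*parse_switchport(lines))
        if vlan is not None:
            groups[vlan].append(ap_name)
    return {vlan: sorted(aps) for vlan, aps in groups.items()}


def election_conflicts(ap_ports, intended_cluster):
    """Return {vlan: set_of_intended_clusters} for every VLAN that mixes clusters."""
    conflicts = {}
    for vlan, aps in cluster_groups(ap_ports).items():
        clusters = {intended_cluster[ap] for ap in aps}
        if len(clusters) > 1:
            conflicts[vlan] = clusters
    return conflicts


# Constructed data: two APs should form cluster "A", the third its own cluster "B".
INTENDED = {"IAP-1": "A", "IAP-2": "A", "IAP-3": "B"}

# Before: every trunk uses management VLAN 127 as native, all VLANs allowed.
BEFORE = {ap: ["switchport mode trunk", "switchport trunk native vlan 127"]
          for ap in INTENDED}

# After: the third AP's trunk gets its own native VLAN, so it never hears the others.
AFTER = dict(BEFORE)
AFTER["IAP-3"] = ["switchport mode trunk", "switchport trunk native vlan 128"]

if __name__ == "__main__":
    print("before:", cluster_groups(BEFORE), election_conflicts(BEFORE, INTENDED))
    print("after: ", cluster_groups(AFTER), election_conflicts(AFTER, INTENDED))
```

The check also covers the mistake that is easy to make when pruning VLANs: if the native VLAN itself is removed from the allowed list, `management_vlan` returns None, meaning the AP's untagged traffic never leaves the port and it is cut off rather than merely separated.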
06-07-2012 05:19 AM
OK.... Shashi..
They don't have VTP on the switches, so nothing is passed by default.....
So... as a conclusion, I think in our situation they will conflict.
We have to move one of them to another VLAN.
Appreciate your efforts, guys...