Solved

Wireless VLAN issue

Posted on 2009-05-12
11
1,201 Views
Last Modified: 2013-12-21
I have a  remote site with a guest wireless network in which various Cisco AP's (1100,1200) are all being used in AP and repeater mode for a seperate vlan (say vlan2) which is trunked back to the core switch and then a DSL modem is hanging off of an access port on vlan 2 giving out DHCP addresses in the 10.253.x.x range. It is open authentication with no encryption. All of the AP's are on a (say vlan 1) management network and controlled by IP's in the 10.1.x.x) range. Here's the problem: The AP's are giving clients 10.1.x.x ip addresses and so routing them through the corporate network. Very scary for me. Each AP has the native vlan of 1 and I can reach them all remotely (via WAN.) I have checked the trunks, access ports, SSID/VLAN match etc adn found no cause. Configuration misunderstanding perhaps? We are doing the same thing the same way at our main campus and it works perfectly. Any ideas? Thanks so much to all !!!
0
Comment
Question by:marksheeks
  • 8
  • 2
11 Comments
 
LVL 13

Expert Comment

by:Quori
ID: 24369516
Can you provide a couple AP configs please?
0
 
LVL 8

Expert Comment

by:bsohn417
ID: 24369565
Few questions?
Are APs hanging off Core switch?
Are AP set to DHCP reply agent?

if they are attached to core switch they should accessing vlan 2, VLAN-2 get ip adds from mdem. and AP will simply pass the ip add to client.






0
 

Author Comment

by:marksheeks
ID: 24369776
Yes, they are attacked to core. In this small site actually there is only 1 real Cisco switch. I will atttach a config shortly and here is a small network layout jpeg. Thanks guys.
IL-EE.jpg
0
Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

 

Author Comment

by:marksheeks
ID: 24369935
Here's a config. No IP DHCP helper address configured. Just noticing that the native port on the AP is vlan 2. Hmm The links are trunking 1 and 2 usign dot1q.
Building configuration...
Current configuration : 2705 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname WAP
!
ip subnet-zero
ip domain name x
!
dot11 vlan-name guest vlan 2
!
dot11 ssid guest
   vlan 2
   authentication open
   guest-mode
   infrastructure-ssid optional
!
dot11 network-map
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid guest
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root access-point
!
interface Dot11Radio0.1
 encapsulation dot1Q 1
 no ip route-cache
 bridge-group 254
 bridge-group 254 block-unknown-source
 no bridge-group 254 source-learning
 no bridge-group 254 unicast-flooding
 bridge-group 254 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1
 no ip route-cache
 bridge-group 254
 no bridge-group 254 source-learning
 bridge-group 254 spanning-disabled
!
interface FastEthernet0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.1.1.x 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.1.1.x
no ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip tacacs source-interface BVI1
ip radius source-interface BVI1
!
bridge 1 route ip
!
line con 0
line vty 0 4
!
end
0
 

Author Comment

by:marksheeks
ID: 24377098
ok so the links between the switch and WAN router are obviously trunks.
The link to the DSL modem is an access port.
0
 
LVL 8

Accepted Solution

by:
bsohn417 earned 500 total points
ID: 24377970
your access port should be accessing vlan2 which is the source of dhcp and APs should be set to ip dhcp smart-relay.  whatever address is assigned to BVI should be excluded from the DHCP pool.  
0
 

Author Comment

by:marksheeks
ID: 24389706
yup, dsl modem is on vlan2. Trunking from AP to switch of course. I thought you used a smart-relay when you were handing out dhcp from the router/l3 switch? In this case, shouldn't the AP just pass those vlan 253 dhcp packets into the 3560 switch which will then forward them out all vlan253 ports (in this case the only one is toward the DSL modem which is also the DHCP server)? Thanks so much for clarifying. I appreciate it.
0
 

Author Comment

by:marksheeks
ID: 24389712
sorry not vlan 253, vlan 2  :)
0
 

Author Comment

by:marksheeks
ID: 24389836
I should add that I'm not doing any L3 functions on this 3560 switch. There are 2 dhcp servers. The first is the vlan1 windows server and the second is the vlan2 DSL modem. Relevent config below. No dhcp relay-agent configured or subinterfaces. Of ocurse all of the management IP's for the AP's are on the subnet for vlan1. Thanks for all your help.

VLAN definition:
vlan 2
 name guestwireless

interface FastEthernet0/7
 description TO WAP-01
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast

interface FastEthernet0/42
 description "guestwireless" Internet access via DSL line
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast

interface FastEthernet0/43
 description UPLINK TO BUILDING2
 switchport trunk encapsulation dot1q
 switchport mode trunk

0
 

Author Comment

by:marksheeks
ID: 24389975
Wait a minute. I think the 3 AP's connected via the hub in building 2 are actually in vlan1 because the hub does not understand vlans.  In this case I would have to replace ti wth a switch or move the native vlan on that link (from the main switch) into vlan2 and then change both the AP's management IP and gateway to 10.253.x.x . But then how would I manage them? Does that wash or am I crazy here?
0
 

Author Closing Comment

by:marksheeks
ID: 31580693
Not resolved yet. Thanks for the effort though.
0

Featured Post

Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
replacing 2811 to ISR 4331 2 46
parental control on huwei HG658b 1 29
VPN Server config in Modem 5 68
CISCO wireless controller & AP 2 37
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
DECT technology has become a popular standard for wireless voice communication. DECT devices are not likely to be affected by other electronic devices and signals because they operate in a separate frequency-band.
This Micro Tutorial will show you how to maximize your wireless card to its maximum capability. This will be demonstrated using Intel(R) Centrino(R) Wireless-N 2230 wireless card on Windows 8 operating system.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question