marksheeks
asked on
Wireless VLAN issue
I have a remote site with a guest wireless network in which various Cisco APs (1100, 1200) are all being used in AP and repeater mode for a separate VLAN (say VLAN 2) which is trunked back to the core switch, and then a DSL modem is hanging off an access port on VLAN 2 giving out DHCP addresses in the 10.253.x.x range. It is open authentication with no encryption. All of the APs are on a management network (say VLAN 1) and controlled by IPs in the 10.1.x.x range. Here's the problem: the APs are giving clients 10.1.x.x IP addresses and so routing them through the corporate network. Very scary for me. Each AP has the native VLAN of 1 and I can reach them all remotely (via WAN). I have checked the trunks, access ports, SSID/VLAN match etc. and found no cause. Configuration misunderstanding perhaps? We are doing the same thing the same way at our main campus and it works perfectly. Any ideas? Thanks so much to all!!!
Can you provide a couple AP configs please?
A few questions:
Are the APs hanging off the core switch?
Are the APs set as DHCP relay agents?
If they are attached to the core switch they should be accessing VLAN 2; VLAN 2 gets IP addresses from the modem, and the AP will simply pass the IP address to the client.
ASKER
Yes, they are attached to the core. In this small site there is actually only one real Cisco switch. I will attach a config shortly, and here is a small network layout JPEG. Thanks guys.
IL-EE.jpg
ASKER
Here's a config. No IP DHCP helper address configured. Just noticing that the native VLAN on the AP is VLAN 2. Hmm. The links are trunking 1 and 2 using dot1q.
Building configuration...
Current configuration : 2705 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname WAP
!
ip subnet-zero
ip domain name x
!
dot11 vlan-name guest vlan 2
!
dot11 ssid guest
vlan 2
authentication open
guest-mode
infrastructure-ssid optional
!
dot11 network-map
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 1 mode ciphers tkip
!
ssid guest
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root access-point
!
interface Dot11Radio0.1
encapsulation dot1Q 1
no ip route-cache
bridge-group 254
bridge-group 254 block-unknown-source
no bridge-group 254 source-learning
no bridge-group 254 unicast-flooding
bridge-group 254 spanning-disabled
!
interface Dot11Radio0.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.1
encapsulation dot1Q 1
no ip route-cache
bridge-group 254
no bridge-group 254 source-learning
bridge-group 254 spanning-disabled
!
interface FastEthernet0.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 10.1.1.x 255.255.255.0
no ip route-cache
!
ip default-gateway 10.1.1.x
no ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip tacacs source-interface BVI1
ip radius source-interface BVI1
!
bridge 1 route ip
!
line con 0
line vty 0 4
!
end
ASKER
OK, so the links between the switch and WAN router are obviously trunks.
The link to the DSL modem is an access port.
ASKER
Yup, the DSL modem is on VLAN 2. Trunking from AP to switch, of course. I thought you used a smart-relay when you were handing out DHCP from the router/L3 switch? In this case, shouldn't the AP just pass those VLAN 253 DHCP packets into the 3560 switch, which will then forward them out all VLAN 253 ports (in this case the only one is toward the DSL modem, which is also the DHCP server)? Thanks so much for clarifying. I appreciate it.
ASKER
Sorry, not VLAN 253, VLAN 2 :)
ASKER
I should add that I'm not doing any L3 functions on this 3560 switch. There are two DHCP servers. The first is the VLAN 1 Windows server and the second is the VLAN 2 DSL modem. Relevant config below. No DHCP relay agent configured or subinterfaces. Of course all of the management IPs for the APs are on the subnet for VLAN 1. Thanks for all your help.
VLAN definition:
vlan 2
name guestwireless
interface FastEthernet0/7
description TO WAP-01
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface FastEthernet0/42
description "guestwireless" Internet access via DSL line
switchport access vlan 2
switchport mode access
spanning-tree portfast
interface FastEthernet0/43
description UPLINK TO BUILDING2
switchport trunk encapsulation dot1q
switchport mode trunk
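The two configs posted above disagree on which VLAN travels untagged across the AP trunk: the AP marks its subinterface `encapsulation dot1Q 2 native`, while the switch port `FastEthernet0/7` carries no `switchport trunk native vlan` line, so it uses the Cisco IOS default native VLAN 1 and places untagged frames into VLAN 1. The script below is an added example, not code from the thread or from Cisco: it parses constructed config fragments shaped like the ones above (the hostnames, port numbers and the second switch port `FastEthernet0/8` are assumptions made for the example) and reports any link where the AP's native VLAN and the switch trunk's native VLAN differ, calling out the case where the guest VLAN is the one sent untagged.

```python
"""
Native-VLAN consistency check between a Cisco IOS access point's dot1Q
subinterfaces and the switch trunk port it connects to.

Added example, not from the thread. On a Cisco switch a trunk port with no
`switchport trunk native vlan N` line uses VLAN 1 as native, and untagged
frames arriving on that trunk are placed in VLAN 1. An AP subinterface marked
`encapsulation dot1Q N native` sends that VLAN's traffic untagged, so both
sides of the link must agree on what "untagged" means.
"""
import re

SWITCH_DEFAULT_NATIVE_VLAN = 1  # Cisco IOS default for 802.1Q trunks

# Constructed config fragments modelled on the shapes in the thread
# (port numbers and the second switch port are assumptions for the example).
AP_CONFIG = """\
interface FastEthernet0.1
 encapsulation dot1Q 1
 bridge-group 254
!
interface FastEthernet0.2
 encapsulation dot1Q 2 native
 bridge-group 1
!
"""

SWITCH_CONFIG = """\
interface FastEthernet0/7
 description TO WAP-01
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/8
 description TO WAP-02 (assumed port with an explicit native VLAN)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport mode trunk
!
"""


def parse_blocks(config):
    """Split an IOS config into {interface_name: [config lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!" or not line:
            current = None  # '!' closes an interface block in IOS output
        elif current is not None:
            blocks[current].append(line)
    return blocks


def ap_native_vlans(ap_config):
    """Return {physical_interface: native_vlan} for the AP's dot1Q subinterfaces.
    A physical interface with no 'native' subinterface maps to None."""
    result = {}
    for name, lines in parse_blocks(ap_config).items():
        if "." not in name:
            continue  # only subinterfaces carry dot1Q encapsulation
        phys = name.split(".", 1)[0]
        result.setdefault(phys, None)
        for line in lines:
            m = re.match(r"encapsulation dot1[Qq] (\d+)( native)?$", line)
            if m and m.group(2):
                result[phys] = int(m.group(1))
    return result


def switch_trunk_native_vlans(switch_config):
    """Return {port: native_vlan} for every port configured as a trunk,
    applying the IOS default when no native VLAN is set explicitly."""
    result = {}
    for name, lines in parse_blocks(switch_config).items():
        if "switchport mode trunk" not in lines:
            continue
        native = SWITCH_DEFAULT_NATIVE_VLAN
        for line in lines:
            m = re.match(r"switchport trunk native vlan (\d+)$", line)
            if m:
                native = int(m.group(1))
        result[name] = native
    return result


def check_link(ap_config, ap_port, switch_config, switch_port, guest_vlan):
    """Compare native VLANs across one AP-to-switch link.
    Returns a list of findings; an empty list means the link is consistent."""
    ap_native = ap_native_vlans(ap_config).get(ap_port)
    sw_native = switch_trunk_native_vlans(switch_config).get(switch_port)
    if sw_native is None:
        return [f"{switch_port} is not a trunk"]
    findings = []
    if ap_native != sw_native:
        findings.append(
            f"native VLAN mismatch: AP {ap_port} sends VLAN {ap_native} untagged, "
            f"switch {switch_port} treats untagged frames as VLAN {sw_native}")
        if ap_native == guest_vlan:
            findings.append(
                f"guest VLAN {guest_vlan} frames from the AP will land in "
                f"VLAN {sw_native} on the switch")
    return findings


if __name__ == "__main__":
    for port in ("FastEthernet0/7", "FastEthernet0/8"):
        result = check_link(AP_CONFIG, "FastEthernet0", SWITCH_CONFIG, port, guest_vlan=2)
        print(port, result or ["ok"])
```

Run against the constructed fragments, `FastEthernet0/7` is reported as a mismatch (AP native 2, switch native 1) with the guest VLAN landing in VLAN 1, and `FastEthernet0/8`, which sets `switchport trunk native vlan 2` explicitly, passes. The same check can be pointed at a real `show running-config` capture from each side before trusting a guest SSID to stay off the management VLAN.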
ASKER
Wait a minute. I think the three APs connected via the hub in building 2 are actually in VLAN 1 because the hub does not understand VLANs. In this case I would have to replace it with a switch, or move the native VLAN on that link (from the main switch) into VLAN 2 and then change both the APs' management IP and gateway to 10.253.x.x. But then how would I manage them? Does that wash, or am I crazy here?
ASKER
Not resolved yet. Thanks for the effort though.