Solved

Wireless VLAN issue

Posted on 2009-05-12
11
1,195 Views
Last Modified: 2013-12-21
I have a  remote site with a guest wireless network in which various Cisco AP's (1100,1200) are all being used in AP and repeater mode for a seperate vlan (say vlan2) which is trunked back to the core switch and then a DSL modem is hanging off of an access port on vlan 2 giving out DHCP addresses in the 10.253.x.x range. It is open authentication with no encryption. All of the AP's are on a (say vlan 1) management network and controlled by IP's in the 10.1.x.x) range. Here's the problem: The AP's are giving clients 10.1.x.x ip addresses and so routing them through the corporate network. Very scary for me. Each AP has the native vlan of 1 and I can reach them all remotely (via WAN.) I have checked the trunks, access ports, SSID/VLAN match etc adn found no cause. Configuration misunderstanding perhaps? We are doing the same thing the same way at our main campus and it works perfectly. Any ideas? Thanks so much to all !!!
0
Comment
Question by:marksheeks
  • 8
  • 2
11 Comments
 
LVL 13

Expert Comment

by:Quori
Comment Utility
Can you provide a couple AP configs please?
0
 
LVL 8

Expert Comment

by:bsohn417
Comment Utility
Few questions?
Are APs hanging off Core switch?
Are AP set to DHCP reply agent?

if they are attached to core switch they should accessing vlan 2, VLAN-2 get ip adds from mdem. and AP will simply pass the ip add to client.






0
 

Author Comment

by:marksheeks
Comment Utility
Yes, they are attacked to core. In this small site actually there is only 1 real Cisco switch. I will atttach a config shortly and here is a small network layout jpeg. Thanks guys.
IL-EE.jpg
0
 

Author Comment

by:marksheeks
Comment Utility
Here's a config. No IP DHCP helper address configured. Just noticing that the native port on the AP is vlan 2. Hmm The links are trunking 1 and 2 usign dot1q.
Building configuration...
Current configuration : 2705 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname WAP
!
ip subnet-zero
ip domain name x
!
dot11 vlan-name guest vlan 2
!
dot11 ssid guest
   vlan 2
   authentication open
   guest-mode
   infrastructure-ssid optional
!
dot11 network-map
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid guest
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root access-point
!
interface Dot11Radio0.1
 encapsulation dot1Q 1
 no ip route-cache
 bridge-group 254
 bridge-group 254 block-unknown-source
 no bridge-group 254 source-learning
 no bridge-group 254 unicast-flooding
 bridge-group 254 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1
 no ip route-cache
 bridge-group 254
 no bridge-group 254 source-learning
 bridge-group 254 spanning-disabled
!
interface FastEthernet0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.1.1.x 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.1.1.x
no ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip tacacs source-interface BVI1
ip radius source-interface BVI1
!
bridge 1 route ip
!
line con 0
line vty 0 4
!
end
0
 

Author Comment

by:marksheeks
Comment Utility
ok so the links between the switch and WAN router are obviously trunks.
The link to the DSL modem is an access port.
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 8

Accepted Solution

by:
bsohn417 earned 500 total points
Comment Utility
your access port should be accessing vlan2 which is the source of dhcp and APs should be set to ip dhcp smart-relay.  whatever address is assigned to BVI should be excluded from the DHCP pool.  
0
 

Author Comment

by:marksheeks
Comment Utility
yup, dsl modem is on vlan2. Trunking from AP to switch of course. I thought you used a smart-relay when you were handing out dhcp from the router/l3 switch? In this case, shouldn't the AP just pass those vlan 253 dhcp packets into the 3560 switch which will then forward them out all vlan253 ports (in this case the only one is toward the DSL modem which is also the DHCP server)? Thanks so much for clarifying. I appreciate it.
0
 

Author Comment

by:marksheeks
Comment Utility
sorry not vlan 253, vlan 2  :)
0
 

Author Comment

by:marksheeks
Comment Utility
I should add that I'm not doing any L3 functions on this 3560 switch. There are 2 dhcp servers. The first is the vlan1 windows server and the second is the vlan2 DSL modem. Relevent config below. No dhcp relay-agent configured or subinterfaces. Of ocurse all of the management IP's for the AP's are on the subnet for vlan1. Thanks for all your help.

VLAN definition:
vlan 2
 name guestwireless

interface FastEthernet0/7
 description TO WAP-01
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast

interface FastEthernet0/42
 description "guestwireless" Internet access via DSL line
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast

interface FastEthernet0/43
 description UPLINK TO BUILDING2
 switchport trunk encapsulation dot1q
 switchport mode trunk

0
 

Author Comment

by:marksheeks
Comment Utility
Wait a minute. I think the 3 AP's connected via the hub in building 2 are actually in vlan1 because the hub does not understand vlans.  In this case I would have to replace ti wth a switch or move the native vlan on that link (from the main switch) into vlan2 and then change both the AP's management IP and gateway to 10.253.x.x . But then how would I manage them? Does that wash or am I crazy here?
0
 

Author Closing Comment

by:marksheeks
Comment Utility
Not resolved yet. Thanks for the effort though.
0

Featured Post

New My Cloud Pro Series - organize everything!

With space to keep virtually everything, the My Cloud Pro Series offers your team the network storage to edit, save and share production files from anywhere with an internet connection. Compatible with both Mac and PC, you're able to protect your content regardless of OS.

Join & Write a Comment

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now