cisco WLC 2504 second interface DHCP issue

I am having some issues getting an IP address on the public interface I created on the WLC 2504.
It works fine on the management SSID.

Here is the setup:

ASA 5505 unlimited license (not the Security Plus) 10.12.20.1
VLAN 1: 10.12.20.0
VLAN 3: 10.12.30.0 is the DMZ on the ASA

DHCP is done for both VLANs on the ASA

WLC 2504

interfaces
management: untagged 10.12.20.4
GW: 10.12.20.1
DHCP: 10.12.20.1


Public: Tagged 3
10.12.30.4
GW: 10.12.30.1
DHCP 10.12.30.1

Switch: Cisco SG 300

Port 1 goes to the ASA management port: access mode, untagged VLAN 1
Port 2 goes to the ASA Public port: access mode, untagged VLAN 3
Port 3 goes to the AP: access mode, untagged VLAN 1

If I connect to private then I get an IP 10.12.20.x.
If I connect to public then I can't get an IP at all.

I am wondering if it is related to the ASA and the fact that it is a basic DMZ with no forwarding in it.

Here is some more config:

show interface detailed public

Interface Name................................... public
MAC Address...................................... d4:8c:b5:c2:af:84
IP Address....................................... 10.12.30.4
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 10.12.30.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 3         
Quarantine-vlan.................................. 0
Active Physical Port............................. 1         
Primary Physical Port............................ 1         
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. 10.12.30.1
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... No
Guest Interface.................................. No
L2 Multicast..................................... Enabled

show interface detailed management 

Interface Name................................... management
MAC Address...................................... d4:8c:b5:c2:af:80
IP Address....................................... 10.12.20.4
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 10.12.20.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. untagged  
Quarantine-vlan.................................. 0
Active Physical Port............................. 1         
Primary Physical Port............................ 1         
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. 10.12.20.1
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... Yes
Guest Interface.................................. No
L2 Multicast..................................... Disabled



interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.12.20.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Vlan3
 no forward interface Vlan1
 nameif Public
 security-level 50
 ip address 10.12.30.1 255.255.255.0 
!
ftp mode passive
access-list VPNJackling_splitTunnelAcl standard permit 10.12.20.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.12.20.0 255.255.255.0 10.12.20.248 255.255.255.248 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Public 1500
ip local pool vpnpool 10.12.20.250-10.12.20.253
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Public) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.12.20.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha     
 group 2
 lifetime 86400
telnet 10.12.20.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 10.12.20.10-10.12.20.249 inside
dhcpd enable inside
!
dhcpd address 10.12.30.2-10.12.30.250 Public
dhcpd enable Public



vlan database
vlan 3
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
interface vlan 1
ip address 10.12.20.3 255.255.255.0
exit
ip dhcp relay address 10.12.20.1
ip dhcp relay enable
ip dhcp information option
interface vlan 1
ip dhcp relay enable
exit
interface vlan 1
no ip address dhcp
exit                                                  
hostname Attic
management access-list allaccess
permit
exit
management access-class allaccess
username cisco password encrypted 517a73ede349fd3b60756b902669db92f2d3ef70 privilege 15
ip ssh server
no snmp-server server
snmp-server location Attic
ip http secure-server
ip telnet server
interface gigabitethernet1
switchport mode access
exit
interface gigabitethernet2
switchport mode access
switchport access vlan 3
switchport general pvid 3
exit                                                  
interface gigabitethernet3
switchport mode access
exit
interface vlan 3
name Public
exit


Asked by odewulf

1 Solution
Craig Beck commented:
Forgive me if I've missed or misunderstood, but I can't see where the WLC connects to the switch.

It looks like your links are all configured as access ports on the switch, so you'll need to configure a trunk wherever your WLC connects or it will only ever pass traffic for one VLAN.
 
odewulf (Author) commented:
Sorry, I forgot to mention that important point :-)

It does connect to port 4 and is in trunk mode:

interface gigabitethernet4
switchport trunk allowed vlan add 3
 
Craig Beck commented:
No problem :-)

Can you post the config from the switch which includes that config? It looks like there's a bit missing from the interface...
 
odewulf (Author) commented:
Here it is.

Thank you.

Attic#sh run
vlan database
vlan 3
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
interface vlan 1
ip address 10.12.20.3 255.255.255.0
exit
ip dhcp relay address 10.12.20.1
ip dhcp relay enable
ip dhcp information option
interface vlan 1
ip dhcp relay enable
exit
interface vlan 1
no ip address dhcp
exit                                                  
hostname Attic
management access-list allaccess
permit
exit
management access-class allaccess
username cisco password encrypted 517a73ede349fd3b60756b902669db92f2d3ef70 privilege 15
ip ssh server
no snmp-server server
snmp-server location Attic
ip http secure-server
ip telnet server
interface gigabitethernet1
switchport mode access
exit
interface gigabitethernet2
switchport mode access
switchport access vlan 3
switchport general pvid 3
exit                                                  
interface gigabitethernet3
switchport mode access
exit
interface gigabitethernet4
switchport trunk allowed vlan add 3
exit
interface vlan 3
name Public
exit
Attic#


 
Craig Beck commented:
OK, you need switchport mode trunk on GigabitEthernet4... it is in access mode by default.
 
odewulf (Author) commented:
Hi Craig,

I figured out this issue. It was not related to the WLC but to the ports to the ASA. If I disconnected the cable on port 1 then I would get an IP for the guest wifi, and if I replugged it then I would lose it. I reset the switch and started from scratch. I believed that the second port for the DMZ was in trunk mode instead of access mode.

Here is the final switch config:

Basement#sh run 
vlan database
vlan 3
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
interface vlan 1
ip address 10.12.20.3 255.255.255.0
exit
ip dhcp relay address 10.12.20.1
ip dhcp relay enable
ip dhcp information option
interface vlan 1
ip dhcp relay enable
exit
interface vlan 1
no ip address dhcp
exit                                                  
hostname Basement
management access-list allaccess
permit
exit
management access-class allaccess
username cisco password encrypted 517a73ede349fd3b60756b902669db92f2d3ef70 privilege 15
ip ssh server
no snmp-server server
snmp-server location Basement
ip http secure-server
ip telnet server
interface gigabitethernet1
switchport mode access
exit
interface gigabitethernet2
switchport mode access
switchport access vlan 3
exit
interface gigabitethernet3
switchport trunk allowed vlan add 3
exit
interface gigabitethernet4                            
switchport mode access
exit
interface gigabitethernet5
switchport mode access
exit
interface gigabitethernet6
switchport mode access
exit
interface gigabitethernet7
switchport mode access
exit
interface gigabitethernet8
switchport mode access
exit
interface gigabitethernet10
switchport trunk allowed vlan add 3
exit
interface vlan 3
name Public
exit


 
odewulf (Author) commented:
Updated the switch configuration for the DMZ port to access mode instead of trunk.
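Added example, not code from the thread or from Cisco: a small Python check that parses an SG300-style "show run" dump and compares each port's mode and VLAN set against an intended port plan, so it flags both mistakes this thread turned up: the WLC uplink that only had "switchport trunk allowed vlan add 3" and was therefore still an access port, and a DMZ uplink left in trunk mode where an access port was wanted. The port plan and the "access mode, VLAN 1" default are assumptions taken from the participants' statements, and the config text is constructed to mirror the first switch dump.

```python
import re
# Constructed SG300-style fragment modelled on the thread's first switch dump:
# gi4 (the WLC uplink) has "switchport trunk allowed vlan add 3" but no
# "switchport mode trunk", so the switch leaves it in access mode.
SAMPLE_CONFIG = """\
interface gigabitethernet2
switchport mode access
switchport access vlan 3
exit
interface gigabitethernet4
switchport trunk allowed vlan add 3
exit
"""

# Hypothetical port plan (assumed, not from the thread): ASA DMZ on gi2, WLC on gi4.
EXPECTED = {
    "gigabitethernet2": ("access", {3}),
    "gigabitethernet4": ("trunk", {1, 3}),
}

def parse_ports(config):
    # Map each gigabitethernet port to [mode, vlan set] from a 'show run' dump.
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (gigabitethernet\d+)$", line, re.I)
        if m:
            current = m.group(1).lower()
            ports[current] = ["access", {1}]  # defaults as stated in the thread
        elif line == "exit":
            current = None
        elif current and line.startswith("switchport mode "):
            ports[current][0] = line.split()[-1]
        elif current and line.startswith("switchport access vlan "):
            ports[current][1] = {int(line.split()[-1])}
        elif current and line.startswith("switchport trunk allowed vlan add "):
            # Comma-separated IDs only; ranges such as 3-5 are not expanded here.
            ports[current][1] |= {int(v) for v in line.split()[-1].split(",")}
    return ports

def audit(config, expected):
    # Return (port, problem) pairs where the running config disagrees with the plan.
    actual, findings = parse_ports(config), []
    for port, (mode, vlans) in expected.items():
        got_mode, got_vlans = actual.get(port, ["missing", set()])
        if got_mode != mode:
            findings.append((port, f"mode is {got_mode}, expected {mode}"))
        if got_vlans != vlans:
            findings.append((port, f"vlans {sorted(got_vlans)}, expected {sorted(vlans)}"))
    return findings
```

Running audit(SAMPLE_CONFIG, EXPECTED) reports only gi4, with the same diagnosis Craig gave: mode is access, expected trunk.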