odewulf
asked on
cisco WLC 2504 second interface DHCP issue
I am having some issues getting an IP address on the public interface I created on the WLC 2504.
It works fine on the management SSID.
here is the setup:
asa 5505 unlimited license (not the security plus) 10.12.20.1
Vlan 1 : 10.12.20.0
Vlan 3: 10.12.30.0 is the dmz on the asa
DHCP is done for both Vlans on the asa
WLC 2504
interfaces
management: untagged 10.12.20.4
GW: 10.12.20.1
DHCP: 10.12.20.1
Public: Tagged 3
10.12.30.4
GW: 10.12.30.1
DHCP 10.12.30.1
switch cisco SG 300
port 1 goes to the asa management port: access mode untagged vlan1
port 2 goes to the asa Public port: access mode untagged vlan 3
port 3 goes to the AP: access mode untagged vlan1
if I connect to private then I get an IP 10.12.20.x
if I connect to public then I can't get an IP at all
I am wondering if it is related to the asa and the fact that it is a basic DMZ with no forwarding in it
here is some more config
interface detailed public
Interface Name................................... public
MAC Address...................................... d4:8c:b5:c2:af:84
IP Address....................................... 10.12.30.4
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 10.12.30.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 3
Quarantine-vlan.................................. 0
Active Physical Port............................. 1
Primary Physical Port............................ 1
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. 10.12.30.1
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... No
Guest Interface.................................. No
L2 Multicast..................................... Enabled
show interface detailed management
Interface Name................................... management
MAC Address...................................... d4:8c:b5:c2:af:80
IP Address....................................... 10.12.20.4
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 10.12.20.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. untagged
Quarantine-vlan.................................. 0
Active Physical Port............................. 1
Primary Physical Port............................ 1
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. 10.12.20.1
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... Yes
Guest Interface.................................. No
L2 Multicast..................................... Disabled
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
interface Vlan1
nameif inside
security-level 100
ip address 10.12.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
no forward interface Vlan1
nameif Public
security-level 50
ip address 10.12.30.1 255.255.255.0
!
ftp mode passive
access-list VPNJackling_splitTunnelAcl standard permit 10.12.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.12.20.0 255.255.255.0 10.12.20.248 255.255.255.248
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Public 1500
ip local pool vpnpool 10.12.20.250-10.12.20.253
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Public) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.12.20.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.12.20.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 10.12.20.10-10.12.20.249 inside
dhcpd enable inside
!
dhcpd address 10.12.30.2-10.12.30.250 Public
dhcpd enable Public
vlan database
vlan 3
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
interface vlan 1
ip address 10.12.20.3 255.255.255.0
exit
ip dhcp relay address 10.12.20.1
ip dhcp relay enable
ip dhcp information option
interface vlan 1
ip dhcp relay enable
exit
interface vlan 1
no ip address dhcp
exit
hostname Attic
management access-list allaccess
permit
exit
management access-class allaccess
username cisco password encrypted 517a73ede349fd3b60756b902669db92f2d3ef70 privilege 15
ip ssh server
no snmp-server server
snmp-server location Attic
ip http secure-server
ip telnet server
interface gigabitethernet1
switchport mode access
exit
interface gigabitethernet2
switchport mode access
switchport access vlan 3
switchport general pvid 3
exit
interface gigabitethernet3
switchport mode access
exit
interface vlan 3
name Public
exit
ASKER
Sorry, I forgot to mention that important point :-)
It does connect to port 4 and is in trunk mode.
interface gigabitethernet4
switchport trunk allowed vlan add 3
No problem :-)
Can you post the config from the switch which includes that config? It looks like there's a bit missing from the interface...
ASKER
Here it is.
Thank you.
Attic#sh run
vlan database
vlan 3
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
interface vlan 1
ip address 10.12.20.3 255.255.255.0
exit
ip dhcp relay address 10.12.20.1
ip dhcp relay enable
ip dhcp information option
interface vlan 1
ip dhcp relay enable
exit
interface vlan 1
no ip address dhcp
exit
hostname Attic
management access-list allaccess
permit
exit
management access-class allaccess
username cisco password encrypted 517a73ede349fd3b60756b902669db92f2d3ef70 privilege 15
ip ssh server
no snmp-server server
snmp-server location Attic
ip http secure-server
ip telnet server
interface gigabitethernet1
switchport mode access
exit
interface gigabitethernet2
switchport mode access
switchport access vlan 3
switchport general pvid 3
exit
interface gigabitethernet3
switchport mode access
exit
interface gigabitethernet4
switchport trunk allowed vlan add 3
exit
interface vlan 3
name Public
exit
Attic#
OK, you need switchport mode trunk on GigabitEthernet4... it is in access mode by default.
ASKER
Updated the switch configuration for the DMZ port to access mode instead of trunk.
It looks like your links are all configured as access ports on the switch, so you'll need to configure a trunk wherever your WLC connects or it will only ever pass traffic for one VLAN.
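Added example, not code from the thread: a small Python check that parses an SG300-style running config in the form Attic posted and reports when the port the WLC hangs off is not a trunk carrying the VLAN that a tagged WLC interface uses (which is exactly why DHCP never reached the Public SSID here). The sample config is constructed from the posted gi2/gi4 blocks, the WLC interface map comes from the "show interface detailed" output above, and the uplink port name is an assumption (the thread says the WLC is on port 4).

```python
import re

# Constructed sample in the shape of the switch config posted above: gi4 is the
# WLC uplink and has 'allowed vlan add 3' but no 'switchport mode trunk' line.
SAMPLE_CONFIG = """\
interface gigabitethernet2
switchport mode access
switchport access vlan 3
exit
interface gigabitethernet4
switchport trunk allowed vlan add 3
exit
interface vlan 3
name Public
exit
"""

# WLC interfaces from 'show interface detailed': name -> 802.1Q tag. None means
# untagged; that traffic rides the trunk's native VLAN (VLAN 1 by default).
WLC_INTERFACES = {"management": None, "public": 3}

def parse_interfaces(config):
    """Return {interface name: [lines]} for every 'interface ... exit' block."""
    blocks, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            current = line[len("interface "):]
            blocks[current] = []
        elif line == "exit":
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks

def check_wlc_uplink(config, uplink, wlc_interfaces=WLC_INTERFACES):
    """List reasons a tagged WLC interface would get no frames through 'uplink'."""
    lines = parse_interfaces(config).get(uplink, [])
    problems = []
    if "switchport mode trunk" not in lines:
        problems.append(f"{uplink}: missing 'switchport mode trunk' (access is the default)")
    allowed = set()  # VLAN ids from 'switchport trunk allowed vlan add 3,10-12'
    for m in (re.match(r"switchport trunk allowed vlan add (\S+)", l) for l in lines):
        for part in (m.group(1).split(",") if m else []):
            lo, _, hi = part.partition("-")
            allowed.update(range(int(lo), int(hi or lo) + 1))
    for name, tag in wlc_interfaces.items():
        if tag is not None and tag not in allowed:
            problems.append(f"{uplink}: VLAN {tag} (WLC interface '{name}') not allowed on trunk")
    return problems
```

Running check_wlc_uplink(SAMPLE_CONFIG, "gigabitethernet4") on the posted config reports only the missing trunk mode; once the port is a trunk with VLAN 3 allowed the list is empty.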