Solved

Cisco Wireless/pfsense DHCP problem

Posted on 2014-02-18
Last Modified: 2014-02-26
I have 4 Cisco Aironet wireless APs controlled by a Cisco 2504 wireless controller.  The wireless users are connected to a pfsense firewall running on Hyper-V which acts as a firewall and DHCP server.  The wireless controller advertises two SSIDs one for staff (on VLAN 30 - radius and ldap auth) and one for guests (on VLAN 20 - local user auth).  The wireless controller is not acting as a DHCP server.

I just started at this company and today I had to recover the enable password on the core switch.  Done and rebooted.  Everything seemed to come back up fine.  Later in the morning a user complained that their iphone could not connect to the wireless.  Wheel keeps turning.

I brought up a laptop and was able to connect (and even authenticate via the controller) to the wireless but received an error stating that the DHCP server could not be found.

The pfsense firewall is up and running and seems to be in good shape.  The wireless controller has an IP address for the internal network as well as the VLANs 20 and 30.  I was able to ping the VLAN20 address but not the VLAN30 address.

The pfsense does not have an internal IP and I cannot access it via web gui.  It runs in shell only in Hyper-V.

I am at a bit of a loss to determine what is going on.  I was not able to find a dhcpd running on the pfsense nor could I find an rc script to start or stop it.  There is a config file at /var/dhcpd/etc/dhcpd.conf that is configured with the right settings.

Can someone help me out with this?  Max points will be awarded.
Question by:chronolith
25 Comments
 

Author Comment

by:chronolith
ID: 39868565
I am convinced that my switch config is wrong now.  I suspect that the person who set this up configured it but did not write the settings to startup.

If I assign the port that connects the wireless devices and the controller to some other vlan than default then I lose access to the controller's web interface.

I believe the port on the Hyper-V server that connects the pfsense is connected to a port that appears to be a member of all three VLANs.

Do I need to do something special to get that port connecting to the wireless devices to see and respond to VLAN traffic apart from just the default (1)?
 

Author Comment

by:chronolith
ID: 39868670
Experimenting with port trunking now.  Still could use some help.  It's a Cisco 2960G.
 

Author Comment

by:chronolith
ID: 39868733
No luck.  I set the trunking on the port and verified that it was a member of all 3 VLANs.  I also checked the PoE switch for the wireless devices and they are also set to tag the VLANs on the switch ports.
 

Author Comment

by:chronolith
ID: 39868838
Basically it seems to boil down to the fact that I don't know how to properly prepare this 2960 switch port for wireless VLAN traffic.
 

Expert Comment

by:Craig Beck
ID: 39869729
Can you post the switch config and some outputs from the WLC?

WLC outputs...

show interface summary
show interface detailed management


Can you also provide a quick network diagram of how this all fits together, with interface numbers?
 

Author Comment

by:chronolith
ID: 39870191
Switch running-config:

Using 2124 out of 65536 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable password NotReallyMyEnablePassword
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface GigabitEthernet0/29
!
interface GigabitEthernet0/30
!
interface GigabitEthernet0/31
!
interface GigabitEthernet0/32
!
interface GigabitEthernet0/33
!
interface GigabitEthernet0/34
!
interface GigabitEthernet0/35
!
interface GigabitEthernet0/36
!
interface GigabitEthernet0/37
!
interface GigabitEthernet0/38
!
interface GigabitEthernet0/39
!
interface GigabitEthernet0/40
!
interface GigabitEthernet0/41
!
interface GigabitEthernet0/42
!
interface GigabitEthernet0/43
!
interface GigabitEthernet0/44
!
interface GigabitEthernet0/45
!
interface GigabitEthernet0/46
!
interface GigabitEthernet0/47
!
interface GigabitEthernet0/48
!
interface Vlan1
 no ip address
 no ip route-cache
!
ip http server
!
control-plane
!
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
!
monitor session 1 source vlan 1 - 30
monitor session 1 destination interface Gi0/47
end


 

Author Comment

by:chronolith
ID: 39870241
(Cisco Controller) >show interface summary


 Number of Interfaces.......................... 4

Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
guest-wlan                       1    20       20.2.0.10       Dynamic No     No
internal-wlan                    1    30       20.3.0.10       Dynamic No     No
management                       1    untagged 10.17.1.47      Static  Yes    No
virtual                          N/A  N/A      1.1.1.1         Static  No     No



(Cisco Controller) >show interface detailed management

Interface Name................................... management
MAC Address...................................... 84:78:ac:b3:d1:00
IP Address....................................... 10.17.1.47
IP Netmask....................................... 255.255.252.0
IP Gateway....................................... 10.17.1.19
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. untagged
Quarantine-vlan.................................. 0
Active Physical Port............................. 1
Primary Physical Port............................ 1
Backup Physical Port............................. Unconfigured
DHCP Proxy Mode.................................. Global
Primary DHCP Server.............................. 10.17.0.8
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
mDNS Profile Name................................ Unconfigured
AP Manager....................................... Yes
Guest Interface.................................. No
L2 Multicast..................................... Disabled



End to end setup:

4 Aironet APs are connected to a Cisco Sg300 10 port PoE switch on ports 2-5.  Cisco Wireless controller is connected to the SG300 on port 1.  Port 8 of the SG300 connects to my 2960G core switch on port Gi0/5.

On the SG300 config I discovered that ports 1, 2 and 8 are tagged for VLAN 20 and 30 traffic for our two SSIDs (not ports 3-5 strangely).  I tried switching the tagging on those ports but nothing came of it.
 

Author Comment

by:chronolith
ID: 39870727
Update.  I was able to get the wireless back up and running by switching the WLAN config on the controller over to the management interface.  Obviously not ideal for security reasons but shows that there is something specific to do with the vlans messing things up.
 

Expert Comment

by:Craig Beck
ID: 39870934
Your switch looks like it has no config at all on it...

Let me look through it and update you later.
 

Author Comment

by:chronolith
ID: 39871175
I ran show running-config.  I had the same reaction though.  Does seem quite sparse.
 

Expert Comment

by:Craig Beck
ID: 39871362
It's practically the defaults apart from a SPAN session.

You can get traffic on the Management interface because everything on the switch is in VLAN1.  The management interface is untagged (VLAN ID 0) so it drops onto VLAN1.

You need some VLANs and IP addressing/routing.

What router do you have and where does that connect?
 

Author Comment

by:chronolith
ID: 39871518
The switch seems to be aware of the two VLANs, which were configured before I arrived:

Switch#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                Gi0/13, Gi0/14, Gi0/15, Gi0/16
                                                Gi0/17, Gi0/18, Gi0/19, Gi0/20
                                                Gi0/21, Gi0/22, Gi0/23, Gi0/24
                                                Gi0/25, Gi0/26, Gi0/27, Gi0/28
                                                Gi0/29, Gi0/30, Gi0/31, Gi0/32
                                                Gi0/33, Gi0/34, Gi0/35, Gi0/36
                                                Gi0/37, Gi0/38, Gi0/39, Gi0/40
                                                Gi0/41, Gi0/42, Gi0/43, Gi0/44
                                                Gi0/45, Gi0/46, Gi0/47
20   VLAN0020                         active
30   VLAN0030                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
30   enet  100030     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Switch#show vlan id 20

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
20   VLAN0020                         active    Gi0/48

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
20   enet  100020     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Switch#show vlan id 30

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
30   VLAN0030                         active    Gi0/48

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
30   enet  100030     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Switch#


 

Expert Comment

by:Craig Beck
ID: 39877187
The switch knows the VLANs are there but no ports are using them.

In the config you have this...
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
That's what all your interfaces look like so that means they're all in access mode in VLAN 1.
 

Author Comment

by:chronolith
ID: 39877608
How do I configure a port for access to the other VLANs?  I have tried setting up trunking on that particular port and allowing vlans 1-4094 to access it but with no effect.  I apologize for my ignorance.
 

Author Comment

by:chronolith
ID: 39886220
Still hoping for help.  If there is a resource out there I can read up on please feel free to link it.

What mode does the switchport need to be in?  If I set the mode to trunk I am able to allow the VLANs but nothing actually happens when I do.  If I set switchport access I can "move" it to one of the VLANs but then it takes it out of the default VLAN.

Please help.
 

Expert Comment

by:Craig Beck
ID: 39886316
To connect the WLC to the switch or to link switches together...
interface GigabitEthernet0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk



The management interface on the WLC is configured to use VLAN 0 (untagged).  By default that will go into VLAN1.  Is that how you want it?

The access points should be configured as a standard access port...
interface GigabitEthernet0/2
 switchport
 switchport mode access


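As an added example, not from the thread, from Cisco or from pfSense: a small Python checker that reads Cisco IOS interface stanzas the way the diagnosis above reads them (a stanza with no switchport lines is an access port in VLAN 1; a trunk with no allowed list carries 1-4094) and reports which of the WLC's dynamic-interface VLANs a given port would drop. The Gi0/5 stanzas are constructed from the posted running-config and from the trunk commands in this answer; the port and VLAN names are the thread's, the function names are mine.

```python
import re

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,20,30' or '1-4094' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part.strip():
            vlans.add(int(part))
    return vlans

def parse_interfaces(config):
    """Map each 'interface X' stanza to its switchport mode and VLAN settings."""
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:  # IOS defaults: access mode in VLAN 1, no explicit allowed list
            current = {"mode": "access", "access_vlan": 1, "allowed": None}
            ifaces[m.group(1)] = current
        elif current is None or not line.startswith(" "):
            current = None  # '!' or a global command ends the stanza
        else:
            words = line.split()
            if words[:3] == ["switchport", "mode", "trunk"]:
                current["mode"] = "trunk"
            elif words[:3] == ["switchport", "mode", "access"]:
                current["mode"] = "access"
            elif words[:3] == ["switchport", "access", "vlan"]:
                current["access_vlan"] = int(words[3])
            elif words[:4] == ["switchport", "trunk", "allowed", "vlan"]:
                base = current["allowed"]
                if base is None:
                    base = set(range(1, 4095))  # trunk default is 1-4094
                if words[4] == "add":
                    current["allowed"] = base | expand_vlan_list(words[5])
                elif words[4] == "remove":
                    current["allowed"] = base - expand_vlan_list(words[5])
                else:
                    current["allowed"] = expand_vlan_list(words[4])
    return ifaces

def carried_vlans(iface):
    """VLANs whose frames the port accepts; tagged frames for any other VLAN are dropped."""
    if iface["mode"] == "access":
        return {iface["access_vlan"]}
    return set(range(1, 4095)) if iface["allowed"] is None else set(iface["allowed"])

def missing_vlans(config, port, required):
    """Required VLANs that `port` will not carry; an empty set means the port is OK."""
    ifaces = parse_interfaces(config)
    if port not in ifaces:
        return set(required)
    return set(required) - carried_vlans(ifaces[port])

# Constructed from the thread: Gi0/5 as posted (defaults only), and Gi0/5 as a trunk
# restricted to the VLANs actually in use rather than the default 1-4094.
DEFAULT_CFG = "interface GigabitEthernet0/5\n!\ninterface Vlan1\n no ip address\n!\n"
TRUNK_CFG = "interface GigabitEthernet0/5\n switchport mode trunk\n switchport trunk allowed vlan 1,20,30\n!\n"
WLC_VLANS = {20, 30}  # dynamic interfaces guest-wlan / internal-wlan from 'show interface summary'
```

Running `missing_vlans(DEFAULT_CFG, "GigabitEthernet0/5", WLC_VLANS)` returns both VLANs, which is exactly why tagged frames from the SG300 never reached pfSense; the same call against `TRUNK_CFG` returns an empty set.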
 

Author Comment

by:chronolith
ID: 39886445
The 2960G does not seem to support dot1q encapsulation.  How important is it that I elect the encapsulation specifically?
 

Author Comment

by:chronolith
ID: 39886676
Further granularity:

to reiterate:

VLAN 1 = default
VLAN 20 = Guest wireless
VLAN 30 = Staff wireless

WAC connects to a Cisco SG300 at port 1.  4 Wireless APs connect on ports 2-5.  SG300 connects to Cisco 2960G on Port 8.  All 10 ports are configured for Trunk mode, Admin PVID = 1, Frame Type  = Admit All, Ingress filtering enabled.

The SG300 connects to the 2960G on port Gi0/5, which is configured in trunk mode:

Name: Gi0/5
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none


 

Expert Comment

by:Craig Beck
ID: 39887288
The 2960 only supports dot1q so if it doesn't accept the command it's fine.
 

Author Comment

by:chronolith
ID: 39889070
OK encapsulation is good.  Mode is good.  Is there a way to actually see what data is being passed (or blocked) on the port?
 

Expert Comment

by:Craig Beck
ID: 39889178
show interface trunk will show you what VLANs are allowed to pass.
 

Author Comment

by:chronolith
ID: 39889203
Result below.  Do I also need to configure anything special for the port connecting the DHCP server that is giving out addresses for the wireless users?  Right now it is the trunk port for the SG300 (wireless controller and WAC), and the trunk port connecting the other switches in the stack.

Switch>show interface trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/5       on           802.1q         trunking      1
Gi0/48      auto         802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/5       1-4094
Gi0/48      1-4094

Port        Vlans allowed and active in management domain
Gi0/5       1,20,30
Gi0/48      1,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/5       1,20,30
Gi0/48      1,20,30
Switch>


 

Expert Comment

by:Craig Beck
ID: 39889252
The DHCP server needs either:

- A dedicated NIC with an address on each VLAN.
- A VLAN-capable NIC with VLANs configured and a vNIC on each subnet.
- A single NIC connected to the switch and routing to allow the DHCP server to get to each subnet.

I'm guessing your DHCP server is on VLAN1 using a 10.x.y.z address?  If so, it needs the last option.

Is the pfSense doing routing between VLAN1 and VLANs 20 and 30?
 

Author Comment

by:chronolith
ID: 39889336
Yes it is acting as a DHCP server and a firewall for the wireless networks.  It is a virtual machine with three interfaces on it.  The first interface is the DMZ/firewall interface, the second and third are using a virtual adapter on the Hyper-V host.  The interfaces are one each for VLAN 20 and VLAN 30.  MAC addresses are dynamic.

The Hyper-V host has two physical NICs.

The pfSense virtual machine recognizes the three interfaces and has an address on each VLAN.
 

Accepted Solution

by:Craig Beck (earned 500 total points)
ID: 39889351
Cool - so the interface on the switch which connects the Hyper-V guest interface should be a trunk port.

You should allow DHCP through the firewall if the pfSense is blocking that between VLANs.