• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 761
  • Last Modified:

Trouble using a second VLAN for Cisco 321 WAP guest WiFi

I am using the VLAN setting for a WiFi network that I am running for guest access. My goal is to use this to segment guest traffic out of the main network.
I have setup VLAN 2 as the guest wifi VLAN. The trouble is some of my switches have the VLAN2 and corresponding IP assigned (10.1.1.2 (vlan1) = 10.1.2.2 (vlan2), but VLAN 2 doesnt show up in the sh vlan command.

I think this is causing the problem, but i cant seem to fix it. Below are the highlights and attached is a quick network diagram.

ASA firewall = 10.1.1.1

Note:
** DHCP on vlan 1 = Windows AD server (10.1.1.5)

**** Core switch
ip routing
ip dhcp excluded-address 10.1.2.1 10.1.2.10
ip dhcp excluded-address 10.1.2.210 10.1.2.254
!
ip dhcp pool wifiguest
   network 10.1.2.0 255.255.255.0
   default-router 10.1.2.2
   dns-server 4.2.2.2
!
interface Vlan1
 ip address 10.1.1.2 255.255.255.0
!
interface Vlan2
 ip address 10.1.2.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1'


**** Member switch
interface GigabitEthernet0/47
 description ** WAP WiFi **
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 10.1.1.211 255.255.255.0
!
interface Vlan26
 ip address 10.1.2.211 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.2
Network-vlan2-wap.pdf
0
adamsanders
Asked:
adamsanders
  • 7
  • 6
1 Solution
 
Hassan BesherCommented:
well, like what you said if you don't have vlan 2 on switches the connects to APs you're in trouble, so there are two ways for assigning VLANs to the switches,

1- to configure it manually using vlan 2 command on each switch

2- use vtp protocol to configure 1 switch as vtp server and the others are clients e.g:
if you're not using VTP on your switches before

Core(config)#vtp domain ABC.com
Core(config)#vtp mode server
member(config)#vtp mode client
if there is already vtp config you wanna add vtp domain also on clients,and good practice is to enable #vtp password ........

just make sure all links between Core and members and between members are Trunk, to be sure type #sh int trunk on each switch for verification

then start assign vlans at vtp server,but beware this will erase you previous vlans and just configure the vlans you TYPE only in vtp server switch

#sh vtp status will inform you every thing!
0
 
adamsandersAuthor Commented:
I simplified the network diagram, but this network has some more complex elements, namely Voip Vlan. I am not sure I want to implement VTP without examining the logs in detail.

We have added the  "1- to configure it manually using vlan 2 command on each switch" - see the CLI snippets above.
Do you know what would keep it from listing the VLAN2 in "sh int vlan"?

I am off to show INT TRUNK now. We are using 802.1q  on our trunks currently.
0
 
Hassan BesherCommented:
when you type on member sw:
vlan 2
exit
 sh vlan br

is it existed or not ?
0
Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

 
adamsandersAuthor Commented:
This is in the sh run:
interface Vlan2
 ip address 10.1.2.211 255.255.255.0

Sh vlan does not show the VLAN2

Then as you outlined:
#vlan 2
#exit
#sh vlan br

2   VLAN002                         active

!
!
!
Why doesn't the config load the VLAN2?
0
 
Hassan BesherCommented:
get out the full output for # sh run on switches
0
 
adamsandersAuthor Commented:
Ok. I will have to clean that up a little bit. Would you want to see peer switches or just the ones in the path wap <-> switch <->core switch ?
And I have added the vlan (even tho they are in the config) to see if this will work. I see the VLAN2 on all devices now.
0
 
Hassan BesherCommented:
just in the path,  after you go vlan 2 on the switches you still got the connectivity problem?
0
 
adamsandersAuthor Commented:
Yes, the client computers on WiFi are not getting a DHCP assigned IP address. Also, if we use a static, the client cant route anywhere..
0
 
Hassan BesherCommented:
ok like i told you i need to see your config, but if put static ip on client can you ping your default GW 10.1.2.211 or not ?
0
 
adamsandersAuthor Commented:
While I was sterilizing my CLI configs, I found a discrepancy in trunking. That fixed the DHCP - IP flow to the core switch (but doesnt explain the VLAN Config missing).
I still cannot get out thru the firewall.

I get an IP on VLAN2 (10.1.2.0) & I can ping / access the VLAN1 ip (10.1.1.2) on the Core Switch, but I cant telnet into the firewall (10.1.1.1). I don't have ping enabled on the firewall internal interface.

I have attached CLI configs for reference.
SWITCH-Core.txt
Sw1.txt
0
 
Hassan BesherCommented:
make sure that your firewall has a route for the return traffic e.g:

ip route 10.1.2.0 255.255.255.0 10.1.1.2
0
 
adamsandersAuthor Commented:
I have been out of the office, but I will test the routes in the next few days. Thanks,
0
 
adamsandersAuthor Commented:
Thanks Hassan, the additional routes worked for return traffic!
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

  • 7
  • 6
Tackle projects and never again get stuck behind a technical roadblock.
Join Now