adamsanders asked:

Trouble using a second VLAN for Cisco 321 WAP guest WiFi

I am using the VLAN setting for a WiFi network that I am running for guest access. My goal is to use this to segment guest traffic out of the main network.
I have set up VLAN 2 as the guest WiFi VLAN. The trouble is some of my switches have VLAN 2 and the corresponding IP assigned (10.1.1.2 (vlan1) = 10.1.2.2 (vlan2)), but VLAN 2 doesn't show up in the sh vlan command.

I think this is causing the problem, but I can't seem to fix it. Below are the highlights and attached is a quick network diagram.

ASA firewall = 10.1.1.1

Note:
** DHCP on vlan 1 = Windows AD server (10.1.1.5)

**** Core switch
ip routing
ip dhcp excluded-address 10.1.2.1 10.1.2.10
ip dhcp excluded-address 10.1.2.210 10.1.2.254
!
ip dhcp pool wifiguest
   network 10.1.2.0 255.255.255.0
   default-router 10.1.2.2
   dns-server 4.2.2.2
!
interface Vlan1
 ip address 10.1.1.2 255.255.255.0
!
interface Vlan2
 ip address 10.1.2.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1


**** Member switch
interface GigabitEthernet0/47
 description ** WAP WiFi **
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 10.1.1.211 255.255.255.0
!
interface Vlan26
 ip address 10.1.2.211 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.2
Network-vlan2-wap.pdf
Hassan Besher

Well, like you said, if you don't have VLAN 2 on the switches that connect to the APs, you're in trouble. There are two ways of assigning VLANs to the switches:

1- Configure it manually using the vlan 2 command on each switch.

2- Use VTP to configure one switch as the VTP server and the others as clients, e.g., if you haven't used VTP on your switches before:

Core(config)#vtp domain ABC.com
Core(config)#vtp mode server
member(config)#vtp mode client
If there is already a VTP config, you'll want to add the VTP domain on the clients as well, and good practice is to enable #vtp password ........

Just make sure all links between the Core and the members, and between members, are trunks; to be sure, type #sh int trunk on each switch for verification.

Then start assigning VLANs at the VTP server, but beware: this will erase your previous VLANs and configure only the VLANs you TYPE on the VTP server switch.

#sh vtp status will tell you everything!
adamsanders (ASKER)

I simplified the network diagram, but this network has some more complex elements, namely a VoIP VLAN. I am not sure I want to implement VTP without examining the logs in detail.

We have added the "1- to configure it manually using vlan 2 command on each switch" - see the CLI snippets above.
Do you know what would keep it from listing the VLAN2 in "sh int vlan"?

I am off to show INT TRUNK now. We are using 802.1q on our trunks currently.

When you type on the member switch:
vlan 2
exit
sh vlan br

does it exist or not?

This is in the sh run:
interface Vlan2
 ip address 10.1.2.211 255.255.255.0

Sh vlan does not show the VLAN2

Then as you outlined:
#vlan 2
#exit
#sh vlan br

2   VLAN002                         active

!
!
!
Why doesn't the config load the VLAN2?

Get out the full output of # sh run on the switches.

OK. I will have to clean that up a little bit. Would you want to see peer switches or just the ones in the path WAP <-> switch <-> core switch?
And I have added the VLAN (even though they are in the config) to see if this will work. I see the VLAN2 on all devices now.

Just in the path. After you got VLAN 2 on the switches, do you still have the connectivity problem?

Yes, the client computers on WiFi are not getting a DHCP-assigned IP address. Also, if we use a static, the client can't route anywhere.

OK, like I told you, I need to see your config, but if you put a static IP on the client, can you ping your default GW 10.1.2.211 or not?

While I was sterilizing my CLI configs, I found a discrepancy in trunking. That fixed the DHCP - IP flow to the core switch (but doesn't explain the VLAN config missing).
I still cannot get out through the firewall.

I get an IP on VLAN2 (10.1.2.0) & I can ping / access the VLAN1 IP (10.1.1.2) on the Core Switch, but I can't telnet into the firewall (10.1.1.1). I don't have ping enabled on the firewall internal interface.

I have attached CLI configs for reference.
SWITCH-Core.txt
Sw1.txt

ASKER CERTIFIED SOLUTION
Hassan Besher

This solution is only available to members.

I have been out of the office, but I will test the routes in the next few days. Thanks,
Thanks Hassan, the additional routes worked for return traffic!
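
Added example (not part of the thread and not code from either poster): the thread shows an `interface Vlan2` SVI in the running config while `sh vlan` lists no VLAN 2, plus a trunking discrepancy the asker does not detail. This Python sketch audits saved `show running-config` and `show vlan brief` text for both conditions; the sample output, the Gi0/48 port and its allowed-VLAN list are constructed assumptions, and only a single `switchport trunk allowed vlan` line per port is handled.

```python
import re
# Constructed sample output; Gi0/48 and its allowed-VLAN list are hypothetical.
RUNNING_CONFIG = """\
interface GigabitEthernet0/47
 switchport mode trunk
!
interface GigabitEthernet0/48
 switchport trunk allowed vlan 1,10-20
 switchport mode trunk
!
interface Vlan1
 ip address 10.1.1.211 255.255.255.0
!
interface Vlan2
 ip address 10.1.2.211 255.255.255.0
"""
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
1    default                          active    Gi0/1, Gi0/2
"""

def svi_vlans(config):
    """VLAN IDs that have a layer-3 'interface VlanN' in the config."""
    return {int(n) for n in re.findall(r"^interface Vlan(\d+)\s*$", config, re.M)}

def database_vlans(show_vlan):
    """VLAN IDs listed in 'show vlan brief' (the layer-2 VLAN database)."""
    return {int(n) for n in re.findall(r"^(\d+)\s+\S+\s+(?:active|act/|sus)", show_vlan, re.M)}

def orphan_svis(config, show_vlan):
    """SVIs whose VLAN is absent from the database, so no port can carry it."""
    return sorted(svi_vlans(config) - database_vlans(show_vlan))

def expand(vlan_list):
    """Expand an allowed-VLAN list such as '1,10-20' into a set of IDs."""
    spans = (p.partition("-") for p in vlan_list.split(","))
    return {v for lo, _, hi in spans for v in range(int(lo), int(hi or lo) + 1)}

def trunks_blocking(config, vlan):
    """Trunk ports whose explicit allowed-VLAN list excludes the given VLAN."""
    blocked = []
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        allowed = re.search(r"switchport trunk allowed vlan ([\d,-]+)", block)
        if "switchport mode trunk" in block and allowed and vlan not in expand(allowed.group(1)):
            blocked.append(block.split()[1])
    return blocked

if __name__ == "__main__":
    print(orphan_svis(RUNNING_CONFIG, SHOW_VLAN_BRIEF), trunks_blocking(RUNNING_CONFIG, 2))
```

Running the same check on every switch in the WAP-to-core path shows whether the guest VLAN exists end to end before any DHCP or firewall troubleshooting starts.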