Solved

Trouble using a second VLAN for Cisco 321 WAP guest WiFi

Posted on 2014-04-21
729 Views
Last Modified: 2014-05-16
I am using the VLAN setting for a WiFi network that I am running for guest access. My goal is to use this to segment guest traffic out of the main network.
I have set up VLAN 2 as the guest WiFi VLAN. The trouble is some of my switches have the VLAN 2 and corresponding IP assigned (10.1.1.2 (vlan1) = 10.1.2.2 (vlan2)), but VLAN 2 doesn't show up in the sh vlan command.

I think this is causing the problem, but I can't seem to fix it. Below are the highlights and attached is a quick network diagram.

ASA firewall = 10.1.1.1

Note:
** DHCP on vlan 1 = Windows AD server (10.1.1.5)

**** Core switch
ip routing
ip dhcp excluded-address 10.1.2.1 10.1.2.10
ip dhcp excluded-address 10.1.2.210 10.1.2.254
!
ip dhcp pool wifiguest
   network 10.1.2.0 255.255.255.0
   default-router 10.1.2.2
   dns-server 4.2.2.2
!
interface Vlan1
 ip address 10.1.1.2 255.255.255.0
!
interface Vlan2
 ip address 10.1.2.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1


**** Member switch
interface GigabitEthernet0/47
 description ** WAP WiFi **
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 10.1.1.211 255.255.255.0
!
interface Vlan2
 ip address 10.1.2.211 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.2
Network-vlan2-wap.pdf
0
Question by:adamsanders
13 Comments
 
LVL 6

Expert Comment

by:Hassan Besher
ID: 40014263
Well, like you said, if you don't have VLAN 2 on the switches that connect to the APs you're in trouble, so there are two ways of assigning VLANs to the switches:

1- configure it manually using the vlan 2 command on each switch

2- use the VTP protocol to configure 1 switch as VTP server and the others as clients, e.g.:
if you're not using VTP on your switches already

Core(config)#vtp domain ABC.com
Core(config)#vtp mode server
member(config)#vtp mode client
If there is already a VTP config you want to add the VTP domain on the clients as well, and good practice is to enable #vtp password ........

Just make sure all links between Core and members and between members are trunks; to be sure, type #sh int trunk on each switch for verification.

Then start assigning VLANs at the VTP server, but beware: this will erase your previous VLANs and configure only the VLANs you TYPE in the VTP server switch.

#sh vtp status will inform you of everything!
0
 
LVL 2

Author Comment

by:adamsanders
ID: 40015425
I simplified the network diagram, but this network has some more complex elements, namely a VoIP VLAN. I am not sure I want to implement VTP without examining the logs in detail.

We have added the "1- configure it manually using the vlan 2 command on each switch" - see the CLI snippets above.
Do you know what would keep it from listing the VLAN 2 in "sh int vlan"?

I am off to show INT TRUNK now. We are using 802.1q on our trunks currently.
0
 
LVL 6

Expert Comment

by:Hassan Besher
ID: 40015669
When you type on the member switch:
vlan 2
exit
sh vlan br

does it exist or not?
0
 
LVL 2

Author Comment

by:adamsanders
ID: 40015771
This is in the sh run:
interface Vlan2
 ip address 10.1.2.211 255.255.255.0

sh vlan does not show the VLAN 2

Then as you outlined:
#vlan 2
#exit
#sh vlan br

2   VLAN002                         active

!
!
!
Why doesn't the config load the VLAN2?
0
 
LVL 6

Expert Comment

by:Hassan Besher
ID: 40015903
Get out the full output of # sh run on the switches.
0
 
LVL 2

Author Comment

by:adamsanders
ID: 40015942
OK. I will have to clean that up a little bit. Would you want to see peer switches or just the ones in the path WAP <-> switch <-> core switch?
And I have added the VLAN (even though they are in the config) to see if this will work. I see the VLAN 2 on all devices now.
0
 
LVL 6

Expert Comment

by:Hassan Besher
ID: 40016126
Just in the path. After you added vlan 2 on the switches, do you still have the connectivity problem?
0
 
LVL 2

Author Comment

by:adamsanders
ID: 40016175
Yes, the client computers on WiFi are not getting a DHCP-assigned IP address. Also, if we use a static, the client can't route anywhere.
0
 
LVL 6

Expert Comment

by:Hassan Besher
ID: 40016242
OK, like I told you, I need to see your config, but if you put a static IP on a client, can you ping your default GW 10.1.2.211 or not?
0
 
LVL 2

Author Comment

by:adamsanders
ID: 40016415
While I was sterilizing my CLI configs, I found a discrepancy in trunking. That fixed the DHCP - IP flow to the core switch (but doesn't explain the VLAN config missing).
I still cannot get out through the firewall.

I get an IP on VLAN 2 (10.1.2.0) & I can ping / access the VLAN 1 IP (10.1.1.2) on the Core Switch, but I can't telnet into the firewall (10.1.1.1). I don't have ping enabled on the firewall internal interface.

I have attached CLI configs for reference.
SWITCH-Core.txt
Sw1.txt
0
 
LVL 6

Accepted Solution

by:
Hassan Besher earned 500 total points
ID: 40016431
Make sure that your firewall has a route for the return traffic, e.g.:

ip route 10.1.2.0 255.255.255.0 10.1.1.2
0
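As an added illustration (not code from the thread or from either participant), the following Python script models the two checks that resolved this question: whether each SVI (`interface VlanN`) on a switch has a matching `vlan N` entry in the VLAN database (which is what `sh vlan` lists, and which the SVI needs before it comes up), and whether the firewall has a route back to the guest subnet that is more specific than its default route. The configs are constructed from the snippets in the thread rather than taken from the attached files; the firewall is written with the IOS-style `ip route` line quoted in the accepted answer (on an ASA the equivalent is `route inside 10.1.2.0 255.255.255.0 10.1.1.2`), and the 203.0.113.1 default next hop is an assumption.

```python
import ipaddress
import re

# Constructed member-switch config modelled on the thread: the SVI for VLAN 2
# is present, but there is no "vlan 2" entry in the VLAN database.
MEMBER_SWITCH = """\
vlan 1
!
interface GigabitEthernet0/47
 description ** WAP WiFi **
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 10.1.1.211 255.255.255.0
!
interface Vlan2
 ip address 10.1.2.211 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2
"""

# Constructed firewall config before the fix: only the default route toward
# the ISP (203.0.113.1 is an assumed, documentation-range next hop), so replies
# to 10.1.2.0/24 would leave via the outside instead of going back to the core.
FIREWALL_BEFORE = """\
interface inside
 ip address 10.1.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
"""

# After the fix: the return route from the accepted answer is added.
FIREWALL_AFTER = FIREWALL_BEFORE + "ip route 10.1.2.0 255.255.255.0 10.1.1.2\n"

GUEST_NET = ipaddress.IPv4Network("10.1.2.0/24")


def parse_config(text):
    """Extract the VLAN database, SVIs, connected networks and static routes
    from an IOS-style config. Returns (vlan_db, svis, connected, routes)."""
    vlan_db, svis, connected, routes = set(), {}, [], []
    current = None
    for line in text.splitlines():
        if not line.startswith(" "):
            current = None          # left the interface block
        m = re.match(r"^vlan (\d+)$", line)
        if m:
            vlan_db.add(int(m.group(1)))
            continue
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^ ip address (\S+) (\S+)$", line)
        if m and current:
            iface = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            connected.append(iface.network)
            v = re.match(r"^Vlan(\d+)$", current)
            if v:
                svis[int(v.group(1))] = iface
            continue
        m = re.match(r"^ip route (\S+) (\S+) (\S+)$", line)
        if m:
            routes.append((ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}"), m.group(3)))
    return vlan_db, svis, connected, routes


def svis_missing_from_vlan_db(text):
    """VLAN ids that have an SVI but no 'vlan N' entry: the SVI stays down
    until the VLAN itself is created, which matches the symptom in the thread."""
    vlan_db, svis, _, _ = parse_config(text)
    return sorted(v for v in svis if v not in vlan_db)


def missing_return_routes(fw_text, subnets):
    """Subnets the firewall cannot send replies back to: neither directly
    connected nor covered by a static route more specific than the default."""
    _, _, connected, routes = parse_config(fw_text)
    missing = []
    for net in subnets:
        if any(net.subnet_of(c) for c in connected):
            continue
        if any(r.prefixlen > 0 and net.subnet_of(r) for r, _ in routes):
            continue
        missing.append(str(net))
    return missing


def audit():
    """Run both checks and return the findings as plain data."""
    return {
        "svi_without_vlan": svis_missing_from_vlan_db(MEMBER_SWITCH),
        "fw_missing_before": missing_return_routes(FIREWALL_BEFORE, [GUEST_NET]),
        "fw_missing_after": missing_return_routes(FIREWALL_AFTER, [GUEST_NET]),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

Running the script reports VLAN 2 as an SVI without a VLAN-database entry on the member switch, and the guest subnet as unreachable from the firewall before the return route is added but reachable afterwards. The same two functions can be pointed at a real `show running-config` dump, with the caveat that the parser only understands the handful of line shapes shown here.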
 
LVL 2

Author Comment

by:adamsanders
ID: 40024835
I have been out of the office, but I will test the routes in the next few days. Thanks,
0
 
LVL 2

Author Comment

by:adamsanders
ID: 40070159
Thanks Hassan, the additional routes worked for return traffic!
0
