Setting up Guest WiFi using all Cisco Equipment with VLAN

I know this should be a simple problem to solve but I am missing something and I can't figure out what!

Hardware:
Firewall
Cisco RV325
     192.168.200.1 also 192.168.225.1 for Guest WiFi
Switch
Cisco SF200-24P
     192.168.200.2
WAP
Cisco WAP561
     192.168.200.30

The router is set up as the DHCP server. On the router, I set 2 VLANs. The first one is 1 which is the Default. It is Untagged.
The second one is 225 named Guest and is set up as Tagged.
The main scope for DHCP is 192.168.200.0. The Guest scope is set up as 192.168.225.0.

On the switch, I have 2 VLANs set up. The first is 1 and is Default. The second is 225 named Guest and set as Static. I do not have any port mappings since I only have 1 access point.

On the AP, I also have 2 VLANs. These are set using SSIDs.
SSID Name CompanyMain VLAN 1 Tagged. AP Management VLAN 1
SSID Name Company-Guest VLAN 225 Tagged

Wireless works perfectly for the CompanyMain and I get address 192.168.200.#
Wireless authenticates and connects to Company-Guest, but will not get an IP address therefore cannot get online.

What am I missing?
Luuker Asked:
mikebernhardt Commented:
A picture would help, but how is the router connected to the WAP? Is it a trunked connection? If not, how does the guest vlan get to the router?
0
Luuker (Author) Commented:
The WAP is connected to the switch for POE. Then the switch is connected to the router like normal.
I have not changed any trunk information. (For the record, I do not think I would know how).

So to answer your question, the WAP travels through the switch before getting to the router/dhcp.
0
mikebernhardt Commented:
What vlan is connected to the switch then? My question is, how does the guest vlan get to the router? You do NOT want it to be passing through your company vlan, so the WAP has to be configured to trunk to the switch, and then the switch has to either have 2 physical connections to the router (1 to each physical interface) or trunked (to 1 interface with subinterfaces on the router).

Think about the path from the guest vlan to the router. Here's a test: If you put a statically configured wifi client up, does it work (if you require authentication you may need to turn that off for the test)?
0

Luuker (Author) Commented:
The WAP only has 1 NIC. I was under the assumption both VLANs could travel using same network. So you're saying I need another wire for the switch to router and it needs setup for just VLAN 225? So the switch is blocking the traffic to the router.
0
mikebernhardt Commented:
No, you need to set up a trunk between the switch and the WAP to carry both vlans back to the switch. On both sides you configure
interface [whatever it is]
 switchport mode trunk
 switchport trunk allowed vlan 1,225
1
Luuker (Author) Commented:
OK, now for some reason not only is the Guest still not working, but now the CompanyMain isn't working now at all.
The WAP is plugged into port 7 on the switch as seen by the power use:
 2015-09-17_1740.png
Here is the WAP VLAN info:
 2015-09-17_1724.png
The Switch:
 2015-09-17_1809.png
 2015-09-17_1810.png
The Router:
2015-09-17_1731.png
The switch is plugged into the router on port 1 of both devices. Also on the VLAN port status, when I tagged plug 1 and 7, another VLAN popped up on both 4095P.

Do the pictures help?
0
mikebernhardt Commented:
It looks like on the WAP you have vlan 1 tagged, but elsewhere it was untagged, so that would have broken it once you were trunking. It's actually more secure to use a tagged vlan for your LAN, so it's fine to tag it but make sure it's the same everywhere. But then you need to have a native (untagged) vlan so it probably created 4095 to do that.

My suggestion would be for now, to untag vlan 1 everywhere and see how it works.

Once you have this all working, I'd suggest that you move your company users and WAP management to a new vlan and leave vlan 1 unused. DO leave it as the default vlan. That way someone has to be placed into a working vlan.
0
mikebernhardt Commented:
Another thing you need to do is make sure you have the same native vlan on both sides. On the switch it appears to be 4095 now. You need to set that on the WAP also.
0
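
Added example (not part of the thread and not any poster's configuration): a small Python audit of the checks discussed above, namely that each VLAN is tagged the same way on both ends of every link and that the native VLAN matches. The port names, the `build` helper and all port settings are constructed assumptions that only approximate the states the thread describes.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Port:
    name: str
    native: Optional[int]            # untagged VLAN on this port, None if none
    tagged: frozenset = frozenset()  # VLANs carried with an 802.1Q tag

    def mode(self, vlan):
        if vlan in self.tagged:
            return "tagged"
        return "untagged" if vlan == self.native else "absent"

def audit_link(a, b, vlans):
    """Compare both ends of one cable; return a list of mismatch findings."""
    out = []
    if a.native != b.native:
        out.append(f"{a.name}<->{b.name}: native VLAN {a.native} vs {b.native}")
    for v in vlans:
        if a.mode(v) != b.mode(v):
            out.append(f"{a.name}<->{b.name}: VLAN {v} {a.mode(v)} vs {b.mode(v)}")
    return out

def audit_path(links, vlans=(1, 225)):
    """Audit every link between the access point and the router."""
    return [f for a, b in links for f in audit_link(a, b, vlans)]

def build(wap, sw7, sw1, rtr):
    """Path from the thread: WAP -> switch port 7, switch port 1 -> router port 1."""
    mk = lambda n, cfg: Port(n, cfg[0], frozenset(cfg[1]))
    return [(mk("WAP", wap), mk("switch-7", sw7)),
            (mk("switch-1", sw1), mk("router-1", rtr))]

# Constructed states as (native VLAN, tagged VLANs); not read from real devices.
NO_TRUNK = build((1, {225}), (1, ()), (1, ()), (1, {225}))  # switch ports lack VLAN 225
MIXED = build((None, {1, 225}), (4095, {1, 225}), (4095, {1, 225}), (1, {225}))
CONSISTENT = build((1, {225}), (1, {225}), (1, {225}), (1, {225}))

if __name__ == "__main__":
    for label, links in (("no trunk", NO_TRUNK), ("mixed tagging", MIXED),
                         ("consistent", CONSISTENT)):
        print(label, audit_path(links) or "OK")
```

An empty result means layer 2 is consistent along the path; it says nothing about routing, NAT or firewall rules on the router.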
Luuker (Author) Commented:
So I am finally able to pull an IP when connected to the Guest wireless on 192.168.225.0 network but I am not able to access internet. I am also not able to ping the router.

I will post current setup pics a little later.
0
mikebernhardt Commented:
Well, that's progress. It's likely a routing or NAT issue now.
0
Luuker (Author) Commented:
I never did get it figured out. I abandoned the project and added a second access point for guest use.
0
Robert Wiggs, Director of IT, Commented:
I would untag VLAN 1 and tag VLAN 225. VLAN 1 is a default VLAN and by default goes over all ports.

When you TAG VLAN 225 this will go over only trunk ports or other VLAN 225 ports. Once it hits the router it can decipher which VLAN it is and strip the VLAN Tagging correctly.
0