David Haycox
Cisco 2504 wireless controller with multiple VLANs
I am setting up a Cisco 2504 wireless controller with 13x 1702i APs, using Catalyst 3750G PoE switches.
The requirement is to have the APs broadcast 3 SSIDs on different VLANs, as follows:
SSID: Management, VLAN: 21, subnet: 192.168.21.0/24
SSID: Guest, VLAN: 31, subnet: 10.10.31.0/24
SSID: Warehouse, VLAN: 61, subnet: 192.168.61.0/24
How should I configure the VLANs on the wireless controller and the switches for this to function correctly?
Thanks in advance for any assistance.
ASKER
Thanks. There are two switches involved for two connected buildings - so I think we will connect to each switch using one port for everything (as there are only two, and this avoids daisy-chaining them).
Good question about the Guest SSID, I was just looking at that myself. I can't be 100% on this until Monday, but I'm pretty sure there's just the one Internet connection and router (192.168.21.254). So how do we get Internet access to the guest network?
Craig can chime in, but if you have two separate switches, and they don't have a way of passing the same vlans between them, you will not be able to have two active, non-etherchannel ports connected from the 2504 to two separate switches. I suppose I could also be misinterpreting your previous post.
Ok, so will the WLC be connected to both switches (one WLC port to each switch)?
Can you draw it so I can see what you mean? Sorry for sounding dumb here :-)
@rauenpc - We're both on the same page here :-)
ASKER
No need for a drawing, I didn't explain it clearly - apologies. Yes, just as you say Craig:
WLC port 1 goes to switch 1. Some APs are connected to this switch.
WLC port 2 goes to switch 2. The remaining APs are connected to this switch.
If necessary we could have:
WLC port 1 goes to switch 1. Switch 1 goes to switch 2. APs connect to either switch.
Ok so if you want to use 2 ports from the WLC you have to consider:
1] Are the switches stacked?
2] Do you want to use a backup WLC port or do you want to bundle the WLC ports?
As rauenpc implied, you can't connect the WLC to two different switches if they can't see each other at L2. That L2 link could either be stack or uplink.
If you want to use the WLC with a primary and backup port, where the primary port connects to switch 1 and the backup port connects to switch 2, that's fine as long as the switches are linked together with a trunk or stacked.
How are your switches connected together?
ASKER
The switches are just on a desk for testing at present, but they will be connected via an uplink most likely (I'm not overly familiar with the end location - that's the next stage).
I can confirm that WLC-Switch1-Switch2-AP works ok, so we'll stick with that - or perhaps change to one of your other options depending.
What confuses me is why it all works with the switches on default configuration (just portfast enabled for all ports). Shouldn't I have to specify VLANs on the ports? Admittedly I don't as yet have anything to connect to that is wired on the non-default VLANs; that's the next step, then it's just getting Internet to the guest VLAN.
You don't have to do anything to get the WLC to work with the APs on the same VLAN as it doesn't need VLAN tagging.
When you want to connect to the Guest and Warehouse SSIDs though that's when you'll see it doesn't work as you want.
If you're connecting the WLC to switch 1 and you only have one internet connection you can connect the WLC using multiple ports in an EtherChannel by enabling LAG at the WLC then configuring the following at the switch:
interface range GigabitEthernet0/1 - 4
channel-group 1 mode on
!
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 21
The APs will tunnel all traffic (in a CAPWAP tunnel) on all VLANs back to the controller via the management VLAN. The client traffic then goes onto the right VLAN before the WLC spits it out onto the switch.
ASKER
Excellent thanks, I'll give that a try. What physically plugs into the etherchannel ports?
Also, what settings do I configure in the DHCP scope / interface to allow the Internet to work for the guest VLAN though? In other words, which default gateway to set?
I'm happy to ask another question for this if you prefer. Thanks again!
In the config example the WLC connects to the switch with all 4 of its LAN ports. They're bundled together to provide redundancy and extra bandwidth. You only get 1Gbps in total but more APs can push up to 1Gbps spread over the 4 ports.
The Guest VLAN needs the same as the other VLANs to get internet connectivity. The default gateway would be whatever the router is on VLAN 31. You'll also need to configure DNS servers, but that's it really.
ASKER
Gotcha, that makes sense with the 4 ports - thanks.
For the Internet for the Guest VLAN, the only router is on 192.168.21.244 - which is in the wrong subnet. Can the WLC not do routing itself? If not, then I suppose we would need to set up a second IP on the router and use that?
The WLC is a layer-2 device - it doesn't do routing at all.
What device does the routing for the guest subnet?
ASKER
Nothing at present, the guest network is new. If we set up a router on e.g. 10.10.31.254, how do we configure the switch port for vlan 31?
ASKER
Right, we're getting there now - there's just one thing left I think.
If I connect a wired device as in the example immediately above - to a port that has VLAN 31 specified - that device cannot connect to the WLC or other devices on the same VLAN. Connecting wirelessly does work.
Do I need to specify the VLAN IDs on the switch port that is connected to the WLC?
Have you configured a VLAN ID on the WLC management interface?
ASKER
Yes, but just a few minutes ago (VLAN 21). The APs work okay once their ports have been set to access vlan 21 (I'm still testing though), but not through the other switch, so I'm about to set the ports that link the switches to trunk mode.
ASKER
Right, so here's the switch config I used. For trunk ports (WLC and other switches):
interface GigabitEthernet2/0/24
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
For access ports for APs:
interface GigabitEthernet2/0/1
switchport mode access
switchport access vlan 21
spanning-tree portfast
For access ports for the warehouse VLAN:
interface GigabitEthernet2/0/13
switchport mode access
switchport access vlan 61
spanning-tree portfast
Thanks so much for the advice!
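The wired-VLAN-31 problem in this thread came down to which VLANs the WLC-facing and inter-switch ports actually forward. The checker below is an added example, not code from the thread or from Cisco: it parses IOS switchport stanzas like the ones posted above (the sample config is constructed from them) and reports a WLC port or uplink that is missing any of the three SSID VLANs, or whose native VLAN is wrong when the WLC sends management traffic untagged (Craig's EtherChannel example) rather than tagged with VLAN 21 (the asker's final setup).

```python
# Added example, not from the thread: an offline checker for IOS switchport
# stanzas like the ones above. It works out which VLANs a port forwards and
# flags a WLC port or inter-switch link missing any of the three SSID VLANs.
# Assumes a non-trunk port acts as access (VLAN 1 unless set) and that a trunk
# without an "allowed vlan" list carries every VLAN.
import re

SSID_VLANS = {21, 31, 61}   # Management, Guest, Warehouse (from the thread)
MGMT_VLAN = 21              # VLAN of the WLC management interface

SAMPLE_CONFIG = """\
interface Port-channel1
 switchport mode trunk
 switchport trunk native vlan 21
!
interface GigabitEthernet2/0/13
 switchport mode access
 switchport access vlan 61"""   # constructed from the thread's own stanzas

def parse_interfaces(config):
    """Return {interface name: [lower-cased config lines]} from an IOS config."""
    ifaces, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif cur and line and not line.startswith("!"):
            ifaces[cur].append(line.lower())
    return ifaces

def port_vlans(lines):
    """(VLANs the port forwards, native VLAN, mode) for one interface stanza."""
    mode, access, native = "access", 1, 1
    for l in lines:
        if m := re.fullmatch(r"switchport mode (\w+)", l):
            mode = m.group(1)
        elif m := re.fullmatch(r"switchport access vlan (\d+)", l):
            access = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", l):
            native = int(m.group(1))
    return (set(range(1, 4095)) if mode == "trunk" else {access}), native, mode

def audit_port(config, name, wlc_mgmt_tagged=None):
    """Findings for a port that must carry every SSID VLAN (WLC port or uplink);
    wlc_mgmt_tagged=False means the WLC sends management untagged (VLAN ID 0)."""
    vlans, native, mode = port_vlans(parse_interfaces(config)[name])
    findings = [f"{name}: VLAN {v} not carried ({mode} port)" for v in sorted(SSID_VLANS - vlans)]
    if wlc_mgmt_tagged is False and mode == "trunk" and native != MGMT_VLAN:
        findings.append(f"{name}: untagged WLC management needs native VLAN {MGMT_VLAN}, not {native}")
    return findings
```

Running `audit_port` on an access-mode port that faces the WLC reproduces the asker's symptom: only the access VLAN is forwarded, so VLAN 31 and 61 hosts can never reach the controller through it.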
ASKER
@Craig: I have set up the interfaces and WLANs as you suggest.
Both: so far - without making any changes to the default configuration - this appears to be working okay. What switch configuration is required? Is it just the following for each port with an AP?
switchport mode access
Or do I need to specify VLAN IDs?
Also, what about setting the switch port connected to the WLC to trunk mode?
Thanks!