David Haycox asked:

Cisco 2504 wireless controller with multiple VLANs

I am setting up a Cisco 2504 wireless controller with 13x 1702i APs, using Catalyst 3750G PoE switches.

The requirement is to have the APs broadcast 3 SSIDs on different VLANs, as follows:

SSID: Management, VLAN: 21, subnet: 192.168.21.0/24
SSID: Guest, VLAN: 31, subnet: 10.10.31.0/24
SSID: Warehouse, VLAN: 61, subnet: 192.168.61.0/24

How should I configure the VLANs on the wireless controller and the switches for this to function correctly?

Thanks in advance for any assistance.
ASKER CERTIFIED SOLUTION
rauenpc
This solution is only available to members.
SOLUTION
This solution is only available to members.

ASKER

@rauenpc: thanks for the fast response.  There's no requirement for flex-connect mode as I see it, because the equipment is all at one site.

@Craig: I have set up the interfaces and WLANs as you suggest.

Both: so far - without making any changes to the default configuration - this appears to be working okay.  What switch configuration is required?  Is it just the following for each port with an AP?

switchport mode access

Or do I need to specify VLAN IDs?

Also, what about setting the switch port connected to the WLC to trunk mode?

Thanks!
SOLUTION
This solution is only available to members.
Thanks.  There are two switches involved for two connected buildings - so I think we will connect to each switch using one port for everything (as there are only two, and this avoids daisy-chaining them).

Good question about the Guest SSID, I was just looking at that myself.  I can't be 100% on this until Monday, but I'm pretty sure there's just the one Internet connection and router (192.168.21.254).  So how do we get Internet access to the guest network?

Craig can chime in, but if you have two separate switches, and they don't have a way of passing the same vlans between them, you will not be able to have two active, non-etherchannel ports connected from the 2504 to two separate switches. I suppose I could also be misinterpreting your previous post.

Ok, so will the WLC be connected to both switches (one WLC port to each switch)?

Can you draw it so I can see what you mean?  Sorry for sounding dumb here :-)

@rauenpc - We're both on the same page here :-)

No need for a drawing, I didn't explain it clearly - apologies.  Yes, just as you say Craig:

WLC port 1 goes to switch 1.  Some APs are connected to this switch.
WLC port 2 goes to switch 2.  The remaining APs are connected to this switch.

If necessary we could have:

WLC port 1 goes to switch 1.  Switch 1 goes to switch 2.  APs connect to either switch.

Ok so if you want to use 2 ports from the WLC you have to consider:

1] Are the switches stacked?
2] Do you want to use a backup WLC port or do you want to bundle the WLC ports?

As rauenpc implied, you can't connect the WLC to two different switches if they can't see each other at L2.  That L2 link could either be stack or uplink.

If you want to use the WLC with a primary and backup port, where the primary port connects to switch 1 and the backup port connects to switch 2, that's fine as long as the switches are linked together with a trunk or stacked.

How are your switches connected together?

The switches are just on a desk for testing at present, but they will be connected via an uplink most likely (I'm not overly familiar with the end location - that's the next stage).

I can confirm that WLC-Switch1-Switch2-AP works ok, so we'll stick with that - or perhaps change to one of your other options depending.

What confuses me is why it all works with the switches on default configuration (just portfast enabled for all ports).  Shouldn't I have to specify VLANs on the ports?  Admittedly I don't as yet have anything to connect to that is wired on the non-default VLANs; that's the next step, then it's just getting Internet to the guest VLAN.

You don't have to do anything to get the WLC to work with the APs on the same VLAN as it doesn't need VLAN tagging.

When you want to connect to the Guest and Warehouse SSIDs though that's when you'll see it doesn't work as you want.

If you're connecting the WLC to switch 1 and you only have one internet connection you can connect the WLC using multiple ports in an EtherChannel by enabling LAG at the WLC then configuring the following at the switch:

interface range GigabitEthernet0/1 - 4
 channel-group 1 mode on
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 21

The APs will tunnel all traffic (in a CAPWAP tunnel) on all VLANs back to the controller via the management VLAN.  The client traffic then goes onto the right VLAN before the WLC spits it out onto the switch.

Excellent thanks, I'll give that a try.  What physically plugs into the etherchannel ports?

Also, what settings do I configure in the DHCP scope / interface to allow the Internet to work for the guest VLAN though?  In other words, which default gateway to set?

I'm happy to ask another question for this if you prefer.  Thanks again!

In the config example the WLC connects to the switch with all 4 of its LAN ports.  They're bundled together to provide redundancy and extra bandwidth.  You only get 1Gbps in total but more APs can push up to 1Gbps spread over the 4 ports.

The Guest VLAN needs the same as the other VLANs to get internet connectivity.  The default gateway would be whatever the router is on VLAN 31.  You'll also need DNS servers configuring, but that's it really.

Gotcha, that makes sense with the 4 ports - thanks.

For the Internet for the Guest VLAN, the only router is on 192.168.21.244 - which is in the wrong subnet.  Can the WLC not do routing itself?  If not, then I suppose we would need to set up a second IP on the router and use that?

The WLC is a layer-2 device - it doesn't do routing at all.

What device does the routing for the guest subnet?

Nothing at present, the guest network is new. If we set up a router on e.g. 10.10.31.254, how do we configure the switch port for vlan 31?
SOLUTION
This solution is only available to members.
Right, we're getting there now - there's just one thing left I think.

If I connect a wired device as in the example immediately above - to a port that has VLAN 31 specified - that device cannot connect to the WLC or other devices on the same VLAN.  Connecting wirelessly does work.

Do I need to specify the VLAN IDs on the switch port that is connected to the WLC?
SOLUTION
This solution is only available to members.
Have you configured a VLAN ID on the WLC management interface?

Yes, but just a few minutes ago (VLAN 21).  The APs work okay once their ports have been set to access vlan 21 (I'm still testing though), but not through the other switch, so I'm about to set the ports that link the switches to trunk mode.

Right, so here's the switch config I used.  For trunk ports (WLC and other switches):

interface GigabitEthernet2/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast

For access ports for APs:

interface GigabitEthernet2/0/1
 switchport mode access
 switchport access vlan 21
 spanning-tree portfast

For access ports for the warehouse VLAN:

interface GigabitEthernet2/0/13
 switchport mode access
 switchport access vlan 61
 spanning-tree portfast

Thanks so much for the advice!
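
Added example, not part of the thread and not the posters' or Cisco's code: a small Python audit run over two of the switch stanzas posted above, reporting trunk ports that have no allowed-VLAN list, keep the default native VLAN, or carry plain portfast. The function names and the expected VLAN set {21, 31, 61} (taken from the question) are assumptions of this example.

```python
import re

# Two of the switch stanzas posted in the thread: the trunk and an AP access port.
THREAD_CONFIG = """\
interface GigabitEthernet2/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet2/0/1
 switchport mode access
 switchport access vlan 21
 spanning-tree portfast
"""

def parse_interfaces(text):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return stanzas

def vlan_set(spec):
    """Expand a plain VLAN list such as '21,31,60-61' (no add/remove/except forms)."""
    bounds = (part.partition("-") for part in spec.split(","))
    return {v for lo, _, hi in bounds for v in range(int(lo), int(hi or lo) + 1)}

def audit(text, expected=frozenset({21, 31, 61})):
    """Return (port, finding) pairs for trunk ports that weaken VLAN separation."""
    findings = []
    trunks = {p: c for p, c in parse_interfaces(text).items() if "switchport mode trunk" in c}
    for port, cmds in trunks.items():
        allowed = [m.group(1) for c in cmds
                   if (m := re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", c))]
        if not allowed:
            findings.append((port, "no allowed-VLAN list: every VLAN on the switch is trunked"))
        elif extra := vlan_set(allowed[-1]) - expected:
            findings.append((port, f"unexpected VLANs allowed: {sorted(extra)}"))
        if not any(c.startswith("switchport trunk native vlan ") for c in cmds):
            findings.append((port, "native VLAN left at the default, VLAN 1"))
        if "spanning-tree portfast" in cmds:
            findings.append((port, "plain portfast has no effect while the port is trunking"))
    return findings

print("\n".join(f"{port}: {finding}" for port, finding in audit(THREAD_CONFIG)))
```

Access ports are skipped; only ports in trunk mode are checked, since those are the links that carry the Guest, Management and Warehouse VLANs together.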