Cisco 887VA-W - Separate VLANs for wired and wireless connections

Posted on 2016-08-31
  • Cisco
  • Network Architecture
  • Networking
  • Wireless Networking
  • Wireless Hardware
Last Modified: 2016-09-01
I am trying to separate my wired and wireless connections onto their own VLANs.  The primary reason for this is that I only want wired connections accessing servers and VPNs.

This is what I want it to look like...

LAN design
I have two VLANs...

ID 1 - 192.168.1.0/24 - wired

ID 2 - 192.168.2.0/24 - wireless

DHCP for both VLANs is running from the router.

Wired connections are working correctly.

The problem is that, although I have configured the SSID, radio and bridge-group for VLAN 2, non-wired connections are receiving IPs from the VLAN 1 subnet.

It appears there is some cross over between VLANs over the bridge.

I have attempted to change the native VLAN on interface Wlan-GigabitEthernet0 of the router but it stops the AP's BVI1 interface from getting an IP.

It has been suggested that I move the VLAN2 DHCP scope from the router to the AP.

Can someone suggest what the recommended and best practice would be to achieve my wired and wireless separation please?

RTR config (redacted)...

ip dhcp excluded-address 192.168.2.1 192.168.2.9
ip dhcp excluded-address 192.168.1.1 192.168.1.64
ip dhcp excluded-address 192.168.1.127 192.168.1.254
ip dhcp excluded-address 192.168.2.127 192.168.2.254
!
ip dhcp pool LAN_pool
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.9
default-router 192.168.1.9
!
ip dhcp pool WiFi_pool
network 192.168.2.0 255.255.255.0
dns-server 192.168.2.9
default-router 192.168.2.9
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
no ip route-cache
!
interface Ethernet0.101
description ** VDSL PSTN **
encapsulation dot1Q 101
ip virtual-reassembly in
no ip route-cache
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0
no ip address
spanning-tree portfast
!
interface FastEthernet1
no ip address
spanning-tree portfast
!
interface FastEthernet2
no ip address
spanning-tree portfast
!
interface FastEthernet3
no ip address
spanning-tree portfast
!
interface Wlan-GigabitEthernet0
switchport mode trunk
no ip address
!
interface wlan-ap0
ip unnumbered Vlan2
!
interface Vlan1
description ** LAN Gateway **
ip address 192.168.1.9 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
no autostate
!
interface Vlan2
description ** WiFi Gateway **
ip address 192.168.2.9 255.255.255.0
ip access-group 160 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
no autostate
!
interface Dialer1
description ** VDSL WAN Dialer **
mtu 1492
ip address negotiated
ip access-group 150 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip inspect FWOUT out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname
ppp chap password
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept
no cdp enable
crypto map xxxx
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
!
access-list 160 remark ** VLAN2 WiFi Inbound ACL **
access-list 160 deny ip any 192.168.1.0 0.0.0.255
access-list 160 deny ip any (VPN Peer LAN)
access-list 160 permit ip 192.168.2.0 0.0.0.255 any
access-list 160 deny ip any any

AP config (redacted)...

dot11 ssid SSID_NAME
vlan 2
max-associations 32
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 7 xxxxxxx
!
bridge irb
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 2 mode ciphers aes-ccm tkip
!
ssid SSID_NAME
!
antenna gain 0
station-role root
!
interface Dot11Radio0.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
!
interface GigabitEthernet0.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address dhcp client-id GigabitEthernet0
no ip route-cache
!
bridge 1 route ip
!
cns dhcp

RTR interfaces...

#sho ip int brief
Interface IP-Address OK? Method Status Protocol
ATM0 unassigned YES NVRAM administratively down down
Dialer1 x.x.x.x YES IPCP up up
Ethernet0 unassigned YES NVRAM up up
Ethernet0.101 unassigned YES unset up up
FastEthernet0 unassigned YES unset down down
FastEthernet1 unassigned YES unset up up
FastEthernet2 unassigned YES unset down down
FastEthernet3 unassigned YES unset down down
NVI0 unassigned YES unset administratively down down
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset up up
Vlan1 192.168.1.9 YES NVRAM up up
Vlan2 192.168.2.9 YES NVRAM up up
Wlan-GigabitEthernet0 unassigned YES unset up up
wlan-ap0 192.168.2.9 YES TFTP up up

AP interfaces...

#sho ip int brief
Interface IP-Address OK? Method Status Protocol
BVI1 192.168.1.79 YES DHCP up up
Dot11Radio0 unassigned YES NVRAM up up
Dot11Radio0.2 unassigned YES unset up up
GigabitEthernet0 unassigned YES NVRAM up up
GigabitEthernet0.2 unassigned YES unset up up
Question by: Chris Ashton
 
Expert Comment by: Craig Beck
Try...

interface Wlan-GigabitEthernet0
switchport mode trunk
switchport trunk native vlan 2


Author Comment by: Chris Ashton
I have previously tried this and it stopped the BVI interface from picking up an IP address. The BVI IP address is currently on VLAN1...

#sho ip int brie
BVI1 192.168.1.79 YES DHCP up up

#sho run int BVI1
interface BVI1
ip address dhcp client-id GigabitEthernet0
no ip route-cache

Expert Comment by: Craig Beck
Ok, create VLAN1 at the AP and set that to native, and leave VLAN 2 there, attached to your SSID.  I'm sure it's a tagging issue.

Author Comment by: Chris Ashton
Sorry, I don't understand...

VLAN 1 exists on the AP already, as does VLAN 2...

BFST-DIIG-01-AP-01#sho vlan
Virtual LAN ID:  1 (IEEE 802.1Q Encapsulation)
   vLAN Trunk Interfaces:  Dot11Radio0
GigabitEthernet0

Virtual LAN ID:  2 (IEEE 802.1Q Encapsulation)
   vLAN Trunk Interfaces:  Dot11Radio0.2
GigabitEthernet0.2


Are you suggesting the following...?

conf t
interface GigabitEthernet0.2
encapsulation dot1Q 1 native

Accepted Solution by: Craig Beck (earned 500 total points)
So don't set VLAN 2 to native then.

What's happening is you're untagging all packets on VLAN 2, so they're hitting the router and being dropped into VLAN 1.  That's why you're getting an IP from VLAN 1 and not VLAN 2.  If you remove the native command from VLAN 2 all packets will be tagged and dropped into the router on VLAN 2.

So...

conf t
interface GigabitEthernet0.2
encapsulation dot1Q 1 native


...isn't the right way to go.  You just need the dot11Radio0.2 and GigabitEthernet0.2 interfaces to have...

encapsulation dot1Q 2

Config would be...

interface dot11Radio0.1
 encapsulation dot1Q 1 native
!
interface dot11Radio0.2
 encapsulation dot1Q 2
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
!
interface GigabitEthernet0.2
 encapsulation dot1Q 2

Author Comment by: Chris Ashton
Hi,

I have made the suggested changes.  And the config now looks like this...

AP:

dot11 ssid SSID_NAME
   vlan 2
   max-associations 32
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 xxxxxxxxxx
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 2 mode ciphers aes-ccm tkip
 !
 ssid SSID_NAME
 !
 antenna gain 0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface GigabitEthernet0
 description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
 no ip address
 no ip route-cache
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
!
bridge 1 route ip


RTR:

interface Wlan-GigabitEthernet0
 switchport mode trunk
 no ip address
!
interface wlan-ap0
 ip unnumbered Vlan2
!
interface Vlan1
 description ** LAN Gateway **
 ip address 192.168.1.9 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
 no autostate
!
interface Vlan2
 description ** WiFi Gateway **
 ip address 192.168.2.9 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
 no autostate


I removed the native VLAN 2 config from the router interface Wlan-GigabitEthernet0 as the BVI interface on the AP was not picking up an IP.  It is picking up an IP now...

#sho ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
BVI1                       192.168.1.90    YES DHCP   up                    up


However, WiFi users are still not getting an IP from DHCP...

Expert Comment by: Craig Beck
How about if you just stick everything from the AP on VLAN 2...

interface Wlan-GigabitEthernet0
 switchport mode access
 switchport access vlan 2
 no ip address
!
interface wlan-ap0
 ip unnumbered Vlan2


Author Comment by: Chris Ashton
Hi Craig,

Your previous suggestion and the resulting configuration above seemed logical and correct, so prior to making the last change you suggested, I decided to monitor the DHCP traffic using 'debug ip packet'.

From here I could see that the DHCP requests were getting blocked by the ACL applied to VLAN2.

I have now adjusted the ACL to include the line...

access-list 160 permit udp any eq bootpc any eq bootps


WiFi users are now picking up DHCP from the correct pool and are able to reach only the internet as planned.

Many thanks for your help!
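The block below is an added example, not code from this thread or from Cisco: it models first-match evaluation of the IOS numbered ACL 160 posted above (with the redacted VPN-peer entry left out) and runs a constructed DHCP DISCOVER through the original list and the corrected one, placing the bootpc/bootps permit ahead of the final deny.

```python
# Added example, not from the original thread: a first-match model of an IOS numbered
# ACL showing why access-list 160 dropped the wireless clients' first DHCP exchange
# and why the bootpc/bootps permit fixes it (redacted VPN-peer entry omitted).
import ipaddress

PORT_NAMES = {"bootps": 67, "bootpc": 68}  # IOS port keywords used on the page

def wildcard_match(addr, base, wildcard):
    # IOS wildcard mask: a 1 bit is "don't care", a 0 bit must match exactly
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _addr_and_port(tok):
    # consume 'any' or 'A.B.C.D wildcard' (the forms on this page), then optional 'eq <port>'
    if tok[0] == "any":
        spec, tok = ("0.0.0.0", "255.255.255.255"), tok[1:]
    else:
        spec, tok = (tok[0], tok[1]), tok[2:]
    if tok and tok[0] == "eq":
        return spec, PORT_NAMES.get(tok[1]) or int(tok[1]), tok[2:]
    return spec, None, tok

def parse_ace(line):
    # 'access-list N {permit|deny} <proto> SRC [eq P] DST [eq P]'
    tok = line.split()
    src, sport, rest = _addr_and_port(tok[4:])
    dst, dport, _ = _addr_and_port(rest)
    return dict(action=tok[2], proto=tok[3], src=src, sport=sport, dst=dst, dport=dport)

def ace_matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt["proto"])
            and wildcard_match(pkt["src"], *ace["src"])
            and wildcard_match(pkt["dst"], *ace["dst"])
            and ace["sport"] in (None, pkt["sport"])
            and ace["dport"] in (None, pkt["dport"]))

def evaluate(acl, pkt):
    # first matching entry decides; every IOS ACL ends with an implicit deny
    for ace in map(parse_ace, acl):
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

ORIGINAL_ACL = ["access-list 160 deny ip any 192.168.1.0 0.0.0.255",
                "access-list 160 permit ip 192.168.2.0 0.0.0.255 any",
                "access-list 160 deny ip any any"]
# The permit must precede 'deny ip any any' (numbered-ACL entries append at the end).
FIXED_ACL = ["access-list 160 permit udp any eq bootpc any eq bootps"] + ORIGINAL_ACL
# Constructed DISCOVER: a client with no lease sends from 0.0.0.0 to 255.255.255.255,
# so it never matches 'permit ip 192.168.2.0 0.0.0.255 any' and falls to the deny.
DHCP_DISCOVER = dict(proto="udp", src="0.0.0.0", sport=68, dst="255.255.255.255", dport=67)
```

Because a line added to an existing numbered ACL lands after `deny ip any any`, the list has to be removed and re-entered with the permit first for it to ever be hit.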

Author Closing Comment by: Chris Ashton
Problem resolved thanks to your help Craig!

Expert Comment by: Craig Beck
Cheers, Chris.  Pleasure :-)