Chris Ashton (United Kingdom) asked:

Cisco 887VA-W - Separate VLANs for wired and wireless connections

I am trying to separate my wired and wireless connections onto their own VLANs. The primary reason for this is that I only want wired connections accessing servers and VPNs.

This is what I want it to look like...

[Diagram: LAN design]
I have two VLANs...

ID 1 - 192.168.1.0/24 - wired

ID 2 - 192.168.2.0/24 - wireless

DHCP for both VLANs is running from the router.

Wired connections are working correctly.

The problem is that, although I have configured the SSID, radio and bridge-group for VLAN 2, non-wired connections are receiving IPs from the VLAN 1 subnet.

It appears there is some cross over between VLANs over the bridge.

I have attempted to change the native VLAN on interface Wlan-GigabitEthernet0 of the router but it stops the AP's BVI1 interface from getting an IP.

It has been suggested that I move the VLAN2 DHCP scope from the router to the AP.

Can someone suggest what the recommended and best practice would be to achieve my wired and wireless separation please?

RTR config (redacted)...

ip dhcp excluded-address 192.168.2.1 192.168.2.9
ip dhcp excluded-address 192.168.1.1 192.168.1.64
ip dhcp excluded-address 192.168.1.127 192.168.1.254
ip dhcp excluded-address 192.168.2.127 192.168.2.254
!
ip dhcp pool LAN_pool
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.9
default-router 192.168.1.9
!
ip dhcp pool WiFi_pool
network 192.168.2.0 255.255.255.0
dns-server 192.168.2.9
default-router 192.168.2.9
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
no ip route-cache
!
interface Ethernet0.101
description ** VDSL PSTN **
encapsulation dot1Q 101
ip virtual-reassembly in
no ip route-cache
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0
no ip address
spanning-tree portfast
!
interface FastEthernet1
no ip address
spanning-tree portfast
!
interface FastEthernet2
no ip address
spanning-tree portfast
!
interface FastEthernet3
no ip address
spanning-tree portfast
!
interface Wlan-GigabitEthernet0
switchport mode trunk
no ip address
!
interface wlan-ap0
ip unnumbered Vlan2
!
interface Vlan1
description ** LAN Gateway **
ip address 192.168.1.9 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
no autostate
!
interface Vlan2
description ** WiFi Gateway **
ip address 192.168.2.9 255.255.255.0
ip access-group 160 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
no autostate
!
interface Dialer1
description ** VDSL WAN Dialer **
mtu 1492
ip address negotiated
ip access-group 150 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip inspect FWOUT out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname
ppp chap password
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept
no cdp enable
crypto map xxxx
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
!
access-list 160 remark ** VLAN2 WiFi Inbound ACL **
access-list 160 deny ip any 192.168.1.0 0.0.0.255
access-list 160 deny ip any (VPN Peer LAN)
access-list 160 permit ip 192.168.2.0 0.0.0.255 any
access-list 160 deny ip any any

AP config (redacted)...

dot11 ssid SSID_NAME
vlan 2
max-associations 32
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 7 xxxxxxx
!
bridge irb
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 2 mode ciphers aes-ccm tkip
!
ssid SSID_NAME
!
antenna gain 0
station-role root
!
interface Dot11Radio0.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
!
interface GigabitEthernet0.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address dhcp client-id GigabitEthernet0
no ip route-cache
!
bridge 1 route ip
!
cns dhcp

RTR interfaces...

#sho ip int brief
Interface              IP-Address      OK? Method Status                Protocol
ATM0                   unassigned      YES NVRAM  administratively down down
Dialer1                x.x.x.x         YES IPCP   up                    up
Ethernet0              unassigned      YES NVRAM  up                    up
Ethernet0.101          unassigned      YES unset  up                    up
FastEthernet0          unassigned      YES unset  down                  down
FastEthernet1          unassigned      YES unset  up                    up
FastEthernet2          unassigned      YES unset  down                  down
FastEthernet3          unassigned      YES unset  down                  down
NVI0                   unassigned      YES unset  administratively down down
Virtual-Access1        unassigned      YES unset  up                    up
Virtual-Access2        unassigned      YES unset  up                    up
Vlan1                  192.168.1.9     YES NVRAM  up                    up
Vlan2                  192.168.2.9     YES NVRAM  up                    up
Wlan-GigabitEthernet0  unassigned      YES unset  up                    up
wlan-ap0               192.168.2.9     YES TFTP   up                    up

AP interfaces...

#sho ip int brief
Interface              IP-Address      OK? Method Status                Protocol
BVI1                   192.168.1.79    YES DHCP   up                    up
Dot11Radio0            unassigned      YES NVRAM  up                    up
Dot11Radio0.2          unassigned      YES unset  up                    up
GigabitEthernet0       unassigned      YES NVRAM  up                    up
GigabitEthernet0.2     unassigned      YES unset  up                    up

Last comment: Craig Beck, 8/22/2022 - Mon

Craig Beck
Try...

interface Wlan-GigabitEthernet0
switchport mode trunk
switchport trunk native vlan 2


Chris Ashton

ASKER
I have previously tried this and it stopped the BVI interface from picking up an IP address. The BVI IP address is currently on VLAN1...

#sho ip int brie
BVI1 192.168.1.79 YES DHCP up up

#sho run int BVI1
interface BVI1
ip address dhcp client-id GigabitEthernet0
no ip route-cache
Craig Beck

Ok, create VLAN1 at the AP and set that to native, and leave VLAN 2 there, attached to your SSID.  I'm sure it's a tagging issue.
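To make the tagging issue concrete, here is a small model of how each end of the router/AP trunk handles its native VLAN. This is an added illustration, not code from the thread or from Cisco; the port names and the DHCP pool names are taken from the configs posted above, and the rule it encodes is the standard 802.1Q one: frames of a port's native VLAN leave untagged, and untagged frames received are filed under the receiver's native VLAN. It reproduces the three outcomes seen in the thread: wireless clients landing in VLAN 1, the BVI losing its address when the router's native VLAN is set to 2, and both working once VLAN 1 is native and VLAN 2 is tagged on the AP side.

```python
"""Toy model of 802.1Q native-VLAN handling on the router/AP trunk.

Added example, not code from the thread. Models why wireless clients landed in
VLAN 1 and why 'switchport trunk native vlan 2' on the router broke BVI1.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Frame:
    vlan_tag: Optional[int]   # None means the frame left the port untagged
    payload: str


@dataclass(frozen=True)
class TrunkPort:
    name: str
    native_vlan: int
    allowed: FrozenSet[int]   # VLANs the port has a (sub)interface for

    def egress(self, vlan: int, payload: str) -> Optional[Frame]:
        """Frames of the native VLAN leave untagged; every other VLAN is tagged."""
        if vlan not in self.allowed:
            return None
        tag = None if vlan == self.native_vlan else vlan
        return Frame(tag, payload)

    def ingress(self, frame: Frame) -> Optional[int]:
        """Untagged frames go into the receiver's native VLAN; a tag the receiver
        has no (sub)interface for is dropped (None)."""
        vlan = self.native_vlan if frame.vlan_tag is None else frame.vlan_tag
        return vlan if vlan in self.allowed else None


def deliver(sender: TrunkPort, vlan: int, receiver: TrunkPort,
            payload: str = "DHCPDISCOVER") -> Optional[int]:
    """VLAN the receiver files the frame under, or None if it never arrives."""
    frame = sender.egress(vlan, payload)
    return receiver.ingress(frame) if frame is not None else None


# DHCP pools from the router config, keyed by the VLAN the request arrives on.
DHCP_POOLS = {1: "LAN_pool", 2: "WiFi_pool"}

# Router side: 'switchport mode trunk' with the default native VLAN 1.
ROUTER_TRUNK = TrunkPort("Wlan-GigabitEthernet0", 1, frozenset({1, 2}))
# The asker's first attempt: 'switchport trunk native vlan 2' on the router.
ROUTER_TRUNK_NATIVE2 = TrunkPort("Wlan-GigabitEthernet0", 2, frozenset({1, 2}))

# AP side before the fix: only Gi0.2 with 'encapsulation dot1Q 2 native'.
AP_BEFORE = TrunkPort("GigabitEthernet0", 2, frozenset({2}))
# AP side after the suggestion: Gi0.1 'dot1Q 1 native' plus Gi0.2 'dot1Q 2' (tagged).
AP_AFTER = TrunkPort("GigabitEthernet0", 1, frozenset({1, 2}))


def pool_for_wifi_client(ap: TrunkPort, router: TrunkPort) -> Optional[str]:
    """Which router DHCP pool answers a client on the VLAN 2 SSID."""
    vlan = deliver(ap, 2, router)
    return DHCP_POOLS.get(vlan) if vlan is not None else None


def bvi1_gets_offer(ap: TrunkPort, router: TrunkPort) -> bool:
    """Does a DHCP offer sent on the router's VLAN 1 reach the AP's bridge at all?
    Before the fix it arrives untagged and lands in the AP's only bridge group,
    the same one the wireless clients use; that is the cross-over."""
    return deliver(router, 1, ap, "DHCPOFFER") is not None


if __name__ == "__main__":
    print("before fix, wifi client gets:", pool_for_wifi_client(AP_BEFORE, ROUTER_TRUNK))
    print("router native 2, BVI1 gets offer:", bvi1_gets_offer(AP_BEFORE, ROUTER_TRUNK_NATIVE2))
    print("after fix, wifi client gets:", pool_for_wifi_client(AP_AFTER, ROUTER_TRUNK))
    print("after fix, BVI1 gets offer:", bvi1_gets_offer(AP_AFTER, ROUTER_TRUNK))
```

The model deliberately ignores bridge-groups and STP; its only point is that the two ends of a trunk must agree on which VLAN travels untagged, otherwise one side's VLAN 2 silently becomes the other side's VLAN 1.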
Chris Ashton

ASKER
Sorry, I don't understand...

VLAN 1 exists on the AP already, as does VLAN 2...

BFST-DIIG-01-AP-01#sho vlan
Virtual LAN ID:  1 (IEEE 802.1Q Encapsulation)
   vLAN Trunk Interfaces:  Dot11Radio0
                           GigabitEthernet0

Virtual LAN ID:  2 (IEEE 802.1Q Encapsulation)
   vLAN Trunk Interfaces:  Dot11Radio0.2
                           GigabitEthernet0.2


Are you suggesting the following...?

conf t
interface GigabitEthernet0.2
encapsulation dot1Q 1 native
ASKER CERTIFIED SOLUTION
Craig Beck

Chris Ashton

ASKER
Hi,

I have made the suggested changes. And the config now looks like this...

AP:

dot11 ssid SSID_NAME
   vlan 2
   max-associations 32
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 xxxxxxxxxx
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 2 mode ciphers aes-ccm tkip
 !
 ssid SSID_NAME
 !
 antenna gain 0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface GigabitEthernet0
 description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
 no ip address
 no ip route-cache
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface BVI1
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
!
bridge 1 route ip


RTR:

interface Wlan-GigabitEthernet0
 switchport mode trunk
 no ip address
!
interface wlan-ap0
 ip unnumbered Vlan2
!
interface Vlan1
 description ** LAN Gateway **
 ip address 192.168.1.9 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
 no autostate
!
interface Vlan2
 description ** WiFi Gateway **
 ip address 192.168.2.9 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
 no autostate


I removed the native VLAN 2 config from the router interface Wlan-GigabitEthernet0 as the BVI interface on the AP was not picking up an IP.  It is picking up an IP now...

#sho ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
BVI1                       192.168.1.90    YES DHCP   up                    up


However, WiFi users are still not getting an IP from DHCP...
Craig Beck

How about if you just stick everything from the AP on VLAN 2...

interface Wlan-GigabitEthernet0
 switchport mode access
 switchport access vlan 2
 no ip address
!
interface wlan-ap0
 ip unnumbered Vlan2

Chris Ashton

ASKER
Hi Craig,

Your previous suggestion and the resulting configuration above seemed logical and correct so prior to making the last change you suggested I decided to monitor the DHCP traffic using 'debug ip packet'.

From here I could see that the DHCP requests were getting blocked by the ACL applied to VLAN2.

I have now adjusted the ACL to include the line...

access-list 160 permit udp any eq bootpc any eq bootps


WiFi users are now picking up DHCP from the correct pool and are able to reach only the internet as planned.

Many thanks for your help!
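The root cause found here, the VLAN 2 inbound ACL silently dropping DHCP, is easy to reproduce on paper with a small first-match evaluator for the ACL lines posted in this thread. This is an added example, not code from the thread or from Cisco, and it only understands the numbered-ACL syntax used above (any / host / address-wildcard, optional `eq` port). A DHCP DISCOVER comes from source 0.0.0.0 to 255.255.255.255, so the `permit ip 192.168.2.0 0.0.0.255 any` line never matches it and the packet falls through to `deny ip any any`; the redacted `(VPN Peer LAN)` line is left out, and placing the new `bootpc`/`bootps` line first is this example's assumption, since the thread does not say where it was inserted.

```python
"""First-match evaluator for the access-list 160 lines in this thread.

Added example, not code from the thread or from Cisco. Shows why the ACL as
first posted drops a wireless client's DHCP DISCOVER and that the added
bootpc/bootps permit fixes it.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp", "tcp" or "ip"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: Tuple[int, int]   # (network, wildcard) as 32-bit integers
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]
    text: str


def _addr(toks: List[str], i: int):
    """Parse 'any' | 'host A' | 'A WILDCARD' at toks[i]; return ((net, wild), next_i)."""
    if toks[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if toks[i] == "host":
        return (int(ipaddress.IPv4Address(toks[i + 1])), 0), i + 2
    net, wild = (int(ipaddress.IPv4Address(t)) for t in toks[i:i + 2])
    return (net, wild), i + 2


def _port(toks: List[str], i: int):
    """Optional 'eq PORT' following an address; well-known names or numbers."""
    if i < len(toks) and toks[i] == "eq":
        name = toks[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_rule(line: str) -> Optional[Rule]:
    toks = line.split()
    if len(toks) < 4 or toks[0] != "access-list" or toks[2] == "remark":
        return None                      # remarks and blank lines are not rules
    action, proto = toks[2], toks[3]
    src, i = _addr(toks, 4)
    sport, i = _port(toks, i)
    dst, i = _addr(toks, i)
    dport, i = _port(toks, i)
    return Rule(action, proto, src, sport, dst, dport, line)


def _in(addr: str, spec: Tuple[int, int]) -> bool:
    net, wild = spec
    care = ~wild & 0xFFFFFFFF            # wildcard bit set = don't care
    return int(ipaddress.IPv4Address(addr)) & care == net & care


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_in(pkt.src, rule.src) and _in(pkt.dst, rule.dst)):
        return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    return True


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str]:
    """First matching line wins; IOS appends an implicit deny."""
    for rule in filter(None, map(parse_rule, acl)):
        if matches(rule, pkt):
            return rule.action, rule.text
    return "deny", "implicit deny"


# ACL 160 as first posted; the redacted '(VPN Peer LAN)' line is omitted.
ACL_ORIGINAL = [
    "access-list 160 remark ** VLAN2 WiFi Inbound ACL **",
    "access-list 160 deny ip any 192.168.1.0 0.0.0.255",
    "access-list 160 permit ip 192.168.2.0 0.0.0.255 any",
    "access-list 160 deny ip any any",
]
# The asker's fix; placing it first is an assumption of this example.
ACL_FIXED = ["access-list 160 permit udp any eq bootpc any eq bootps"] + ACL_ORIGINAL

# Constructed packets: a DISCOVER from an unconfigured wireless client, a wireless
# client reaching the internet, and one trying to reach the wired LAN.
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)
WIFI_TO_INTERNET = Packet("tcp", "192.168.2.50", "203.0.113.10", 51000, 443)
WIFI_TO_LAN = Packet("tcp", "192.168.2.50", "192.168.1.20", 51001, 445)

if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("fixed", ACL_FIXED)):
        for pkt in (DHCP_DISCOVER, WIFI_TO_INTERNET, WIFI_TO_LAN):
            print(name, pkt.src, "->", pkt.dst, evaluate(acl, pkt))
```

The same check is worth running before applying any inbound ACL to a VLAN interface that also serves DHCP: a client with no lease yet is not in the subnet you are permitting, so a subnet-scoped permit alone is never enough.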
Chris Ashton

ASKER
Problem resolved thanks to your help Craig!
Craig Beck

Cheers, Chris.  Pleasure :-)