• Status: Solved

Best way to set up isolated wireless guest network using all Cisco equipment

I have a client that wants to get 2 wireless networks configured, 1 for the business users, and another for guests. The network is pretty simple but for some reason it isn't working and I am having an issue getting it set up.

The network is set up as such:
1 Cisco RV325 router using 192.168.111.1 on VLAN1
1 Cisco SG200-52P switch using 192.168.111.2
4 Cisco WAP561 PoE access points
     AP1 192.168.111.30
     AP2 192.168.111.31
     AP3 192.168.111.32
     AP4 192.168.111.33
All are set up with 2 wireless radios.
     SSID Business is on VLAN1
     SSID Guest is on VLAN10. During setup I said to isolate this traffic from the Business network.

So I can see both wireless signals and connect to Business just fine. If I try to connect to Guest, it never really connects completely. If I turn off isolation and set Guest to VLAN1, it works fine, but that isn't the goal we are looking for.

This seems pretty simple and straightforward, but I am missing something somewhere.
0
Asked by: Luuker
 
Muhammad Mulla Commented:
You haven't mentioned how IP addresses are assigned, but from a glance, I would say that you haven't set up any method of assigning IP addresses to VLAN10. You will need another DHCP scope and possibly IP helper addresses on your switch.
0
 
masnrock Commented:
Muhammad mentioned the first thing I was going to ask about... what subnet is VLAN 10 using, and where is its DHCP server? That's the number one thing that seems to stand out about your issue. And would be consistent with your problem.
0
 
Luuker (Author) Commented:
OK, now I feel stupid! I completely forgot about the alternate subnet. Not sure what I was thinking.

So I added 172.16.0.1 to the router as gateway IP and DHCP server for VLAN10. I also added VLAN10 to the switch ports that the APs are plugged into and tagged them.

I am heading over to that office in a few hours. I will test and see if it is working now.
0

 
Luuker (Author) Commented:
I am at the office now. It isn't working, same as before, not getting an IP address.

I logged into the switch and tagged the port connecting the switch to the router with VLAN10 like I did the 4 AP ports. Now I am pulling a 172 IP address but am still not able to get on the web. I cannot ping anything. I cannot ping the 172.16.0.1 address, which is the DHCP server and gateway address for VLAN10. My laptop icon for the wireless adapter even thinks it's online.

What did I miss?
0
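The two tagging steps described above (VLAN10 tagged on the AP ports, then on the port to the router) can be checked as one end-to-end audit. This is an added example, not part of the thread and not output from any of the devices: the port numbers 15-18 and 24 are the ones given in the thread, while the membership tables and the "RV325 LAN" port label are constructed sample data.

```python
# Added example: audit that the guest VLAN is carried on every link.
# Membership data below is constructed, not exported from the switch or router.
from dataclasses import dataclass


@dataclass(frozen=True)
class PortEnd:
    name: str
    untagged: int                    # VLAN sent and received without a tag
    tagged: frozenset = frozenset()  # VLANs carried with an 802.1Q tag

    def carries(self, vlan):
        return vlan == self.untagged or vlan in self.tagged


def link_faults(a, b, vlans):
    """Problems on one cable: both ends must carry each VLAN the same way."""
    faults = []
    for v in vlans:
        for end in (a, b):
            if not end.carries(v):
                faults.append(f"{end.name}: VLAN {v} not a member")
        if a.carries(v) and b.carries(v) and (v in a.tagged) != (v in b.tagged):
            faults.append(f"{a.name}<->{b.name}: VLAN {v} tagged on one end only")
    return faults


def audit(links, vlans=(1, 10)):
    return [f for a, b in links for f in link_faults(a, b, vlans)]


def build(uplink_tagged):
    """AP links on switch ports 15-18, router uplink on port 24."""
    guest = frozenset({10})
    links = [(PortEnd(f"AP{i} eth", 1, guest), PortEnd(f"sw port {14 + i}", 1, guest))
             for i in range(1, 5)]
    links.append((PortEnd("sw port 24", 1, frozenset(uplink_tagged)),
                  PortEnd("RV325 LAN", 1, guest)))
    return links


if __name__ == "__main__":
    print("uplink not tagged:", audit(build(set())))   # first state in the thread
    print("uplink tagged:    ", audit(build({10})))    # after tagging port 24
```

An empty result only shows that the Layer 2 path is consistent; it says nothing about routing or firewall rules for the guest subnet on the router.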
 
masnrock Commented:
So the switch ports for the WAPs and RV325 are set up as trunk ports for the 2 VLANs? If so, then it should be working.

Where does the traffic stop if you do a traceroute? And what DNS settings are getting passed to systems on the guest VLAN?
0
 
Luuker (Author) Commented:
Here is the setup of the VLAN ports. This is all on the switch. Ports 15-18 are the APs and 24 is connected to the router.

2016-10-19_1640.png
2016-10-19_1640_001.png
2016-10-19_1641.png
2016-10-19_1642.png
0
 
Luuker (Author) Commented:
When I do a tracert, it does not even make a single hop successfully. Just like ping, no replies at all, 100% loss.
0
 
masnrock Commented:
Try making all 5 of those ports Trunk ports, with VLAN 10 still being tagged.
0
 
Luuker (Author) Commented:
Here are the current settings. Still not working. No change at all.

2016-10-19_1654.png
2016-10-19_1654_001.png
0
 
masnrock Commented:
I remembered you made mention of wireless isolation being something that's set up as well. What happens if you turn that off, and leave everything else the same?

Also, could you please update the firmware on the RV325 if it's not up to date already?
0
 
Luuker (Author) Commented:
I checked the firmware on all devices. Router, switch, and APs are all on the most current firmware.

I went in and turned off isolation for each AP. Still same result.
0
 
Luuker (Author) Commented:
The isolation is for various devices connected to the AP, so wireless devices cannot see one another even if they are on the same VLAN. I was saying isolate in my original description, but I was referring to separating using the VLANs. Actual isolation shouldn't affect anyone trying to connect to the web. Bad wording on my part, sorry.
0
 
masnrock Commented:
Ah. No problem.

One of the least logical things that comes to mind would be port security. Still trying to think of anything else that makes sense.
0
 
masnrock Commented:
Would it be possible to see a screenshot of the IP information from a machine that connects to the guest wireless? And also, would it be possible to see the settings for VLAN 10 itself on the RV325?
0
 
Luuker (Author) Commented:
Yesterday I changed the IP network for the guest wireless. The router wouldn't let me use a subnet other than 24 bit, so I went ahead and set up VLAN10 with 192.168.200.0.

Here are the VLAN settings in the RV325

2016-10-21_1436.png
Here is the DHCP setup for VLAN10

2016-10-21_1437.png
Here is an IPCONFIG from a laptop trying to connect

2016-10-21_1434.png
And lastly, I went ahead and looked at the firewall rules to make sure the firewall wasn't blocking the traffic

2016-10-21_1441.png
Once connected, and the IP settings are verified, I am not able to ping the router (gateway) IP. I stopped the TRACERT after 3 failed hops.

2016-10-21_1450.png
I went ahead and ran an NSLOOKUP as well. Oddly enough, I get a timed out error, but then I get the correct information anyway. I ran www.cisco.com and www.microsoft.com

2016-10-21_1452.png
Hopefully something here might spark a thought. I am out of ideas myself.
0
 
masnrock Commented:
Is there a place where you can view the routes?
0
 
Luuker (Author) Commented:
Not sure what routes you are referring to.
0
 
Muhammad Mulla Commented:
Good suggestions that were identified and could have been the cause, but no resolution of the issue.
0
Question has a verified solution.
