Solved

Best way to setup isolated wireless guest network using all Cisco equipment

Posted on 2016-10-18
Last Modified: 2016-11-09
I have a client that wants to get 2 wireless networks configured, 1 for the business users, and another for guests. The network is pretty simple but for some reason it isn't working and I am having an issue getting it setup.

The network is setup as such:
1 Cisco RV325 router using 192.168.111.1 on VLAN1
1 Cisco SG200-52P switch using 192.168.111.2
4 Cisco WAP561 PoE access points
     AP1 192.168.111.30
     AP2 192.168.111.31
     AP3 192.168.111.32
     AP4 192.168.111.33
All are setup with 2 wireless radios.
     SSID Business is on VLAN1
     SSID Guest is on VLAN10. During setup I said to isolate this traffic from the Business network.

So I can see both wireless signals and connect to business just fine. If I try to connect to Guest, it never really connects completely. If I turn off isolation, and set Guest to VLAN1 it works fine but that isn't the goal we are looking for.

This seems pretty simple and straightforward but I am missing something somewhere.
Question by:Luuker
18 Comments
 
LVL 9

Assisted Solution

by:Muhammad Mulla
Muhammad Mulla earned 250 total points (awarded by participants)
ID: 41849784
You haven't mentioned how IP addresses are assigned, but from a glance, I would say that you haven't setup any method of assigning IP addresses to VLAN10. You will need another DHCP scope and possibly IP helper addresses on your switch.
0
 
LVL 20

Expert Comment

by:masnrock
ID: 41850063
Muhammad mentioned the first thing I was going to ask about... what subnet is VLAN 10 using, and where is its DHCP server? That's the number one thing that seems to stand out about your issue. And would be consistent with your problem.
0
 

Author Comment

by:Luuker
ID: 41850581
OK, now I feel stupid! I completely forgot about the alternate subnet. Not sure what I was thinking.

So I added 172.16.0.1 to the router as gateway IP and DHCP server for VLAN10. I also added VLAN10 to the switch ports where the AP's are plugged into and tagged them.

I am heading over to that office in a few hours. I will test and see if it is working now.
0
 

Author Comment

by:Luuker
ID: 41851019
I am at the office now. It isn't working, same as before, not getting IP address.

I logged into the switch and tagged the port connecting the switch to the router with VLAN10 like I did the 4 AP ports. Now I am pulling a 172 IP address but am still not able to get on web. I cannot ping anything. I cannot ping the 172.16.0.1 address, which is the DHCP server and gateway address for VLAN10. My laptop icon for the wireless adapter thinks it's online even.

What did I miss?
0
 
LVL 20

Accepted Solution

by:
masnrock earned 250 total points (awarded by participants)
ID: 41851041
So the switch ports that the WAPs and RV325 are on are set up as trunk ports for the 2 VLANs? If so, then it should be working.

Where does the traffic stop if you do a traceroute? And what DNS settings are getting passed to systems on the guest VLAN?
0
 

Author Comment

by:Luuker
ID: 41851056
Here is the setup of the VLAN ports. This is all on the switch. Ports 15-18 are the AP's and 24 is connected to the router.

2016-10-19_1640.png
2016-10-19_1640_001.png
2016-10-19_1641.png
2016-10-19_1642.png
0
 

Author Comment

by:Luuker
ID: 41851059
When I do a tracert, it does not even make a single hop successfully. Just like ping, no replies at all 100% loss.
0
 
LVL 20

Assisted Solution

by:masnrock
masnrock earned 250 total points (awarded by participants)
ID: 41851061
Try making all 5 of those ports Trunk ports, with VLAN 10 still being tagged.
0
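The tagging requirement discussed in the comments above, as an added example that is not part of the original thread: a small Python model of per-port 802.1Q membership that reports where guest VLAN 10 frames would be dropped, or would leave untagged and end up mixed with business traffic. The port table is constructed from the port numbers the author gave (15-18 for the APs, 24 for the router uplink); the names and helper functions are hypothetical and nothing is read from the switch.

```python
from dataclasses import dataclass, field

GUEST = 10  # guest VLAN ID from the thread

@dataclass
class Port:
    name: str
    # VLAN 1 (Business) is carried untagged on every port, as in the thread.
    untagged: set = field(default_factory=lambda: {1})
    tagged: set = field(default_factory=set)

def check_path(path, vlan):
    """Return the reasons `vlan` frames cannot cross every port in `path` tagged."""
    problems = []
    for port in path:
        if vlan in port.tagged and vlan in port.untagged:
            problems.append(f"{port.name}: VLAN {vlan} is both tagged and untagged")
        elif vlan in port.untagged:
            # An untagged frame is classified into the receiving port's PVID,
            # so the guest VLAN would no longer be separated from VLAN 1.
            problems.append(f"{port.name}: VLAN {vlan} leaves untagged, isolation is lost")
        elif vlan not in port.tagged:
            problems.append(f"{port.name}: not a member of VLAN {vlan}, frames are dropped")
    return problems

def build(uplink_tagged):
    """Constructed port table: APs on ports 15-18, router uplink on port 24."""
    aps = [Port(f"port {n}", tagged={GUEST}) for n in (15, 16, 17, 18)]
    uplink = Port("port 24", tagged={GUEST} if uplink_tagged else set())
    return aps, uplink

def report(uplink_tagged):
    """Check the AP-port -> uplink-port path for each access point."""
    aps, uplink = build(uplink_tagged)
    return {ap.name: check_path([ap, uplink], GUEST) for ap in aps}

if __name__ == "__main__":
    for label, tagged in (("uplink not tagged", False), ("uplink tagged", True)):
        print(label)
        for ap, problems in report(tagged).items():
            print(f"  {ap}: {problems or 'VLAN 10 reaches the router tagged'}")
```

A clean result here only covers the switch; the AP and router ends of each link still have to tag VLAN 10 the same way.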
 

Author Comment

by:Luuker
ID: 41851074
Here are the current settings. Still not working. No change at all.

2016-10-19_1654.png
2016-10-19_1654_001.png
0

 
LVL 20

Assisted Solution

by:masnrock
masnrock earned 250 total points (awarded by participants)
ID: 41851083
I remembered you made mention of wireless isolation being something that's set up as well. What happens if you turn that off, and leave everything else the same?

Also, could you please update the firmware on the RV325 if it's not up to date already?
0
 

Author Comment

by:Luuker
ID: 41851098
I checked the firmware on all devices. Router, switch, and AP's are all on the most current firmware.

I went in and turned off isolation for each AP. Still same result.
0
 

Author Comment

by:Luuker
ID: 41851106
The isolation is for various devices connected to the AP. So wireless devices cannot see one another even if they are on the same VLAN. I was saying isolate in my original description, but I was referring to separating using the VLANs. Actual isolation shouldn't affect anyone trying to connect to the web. Bad wording on my part, sorry.
0
 
LVL 20

Expert Comment

by:masnrock
ID: 41851150
Ah. No problem.

One of the least logical things that comes to mind would be port security. Still trying to think of anything else that makes sense.
0
 
LVL 20

Expert Comment

by:masnrock
ID: 41853928
Would it be possible to see a screenshot of the IP information from a machine that connects to the guest wireless? And also, would it be possible to see the settings for VLAN 10 itself on the RV325?
0
 

Author Comment

by:Luuker
ID: 41854443
Yesterday I changed the IP network for the guest wireless. The router wouldn't let me use a subnet other than 24 bit so I went ahead and setup VLAN10 with 192.168.200.0.

Here are the VLAN settings in the RV325

2016-10-21_1436.png
Here is the DHCP setup for VLAN10

2016-10-21_1437.png
Here is an IPCONFIG from a laptop trying to connect

2016-10-21_1434.png
And lastly, I went ahead and looked at the firewall rules to make sure the firewall wasn't blocking the traffic

2016-10-21_1441.png
Once connected, and the IP settings are verified, I am not able to ping the router(gateway) IP. I stopped the TRACERT after 3 failed hops

2016-10-21_1450.png
I went ahead and ran an NSLOOKUP as well. Oddly enough, I get a timed out error, but then I get the correct information anyway. I ran www.cisco.com and www.microsoft.com

2016-10-21_1452.png
Hopefully something here might spark a thought. I am out of ideas myself.
0
 
LVL 20

Expert Comment

by:masnrock
ID: 41854517
Is there a place where you can view the routes?
0
 

Author Comment

by:Luuker
ID: 41854533
Not sure what routes you are referring to.
0
 
LVL 9

Expert Comment

by:Muhammad Mulla
ID: 41880246
Good suggestions that were identified and could have been the cause, but no resolution of the issue.
0
