Pulling my hair out over this VLAN Stuff

Aug 28th, 2009

I have set up a WAP with 2 SSIDs, one untagged and the other on VLAN tag 8. I tested it with one 2960 switch and I can get to my corp lan on the untagged and can get to a public TimeWarner connection on VLAN 8 SSID.

Once I have added a couple more switches to the mix I cannot get the VLAN 8 to give me an address for the public connection. On VLAN 8 SSID, I get an address from my corp DHCP server but should not.

I think the tags are working because when I connect to the VLAN 8 SSID and get a corp address, I cannot get to the Internet.

When I connect to the SSID for the corp lan, I get a corp address and can get to the Internet.

I have attached my setups that work and don't work. No routing between VLANs is needed.

Please help

Peter Paluch Fri, 08/28/2009 - 05:33
Cisco Employee

Hi Ron,

A couple of questions:

1.) Why is the connection to your corporate server made as a trunk in both cases? Moreover, the trunk seems to be limited to VLAN 1 only, and because VLAN 1 is the native VLAN by default, you are essentially degrading that trunk to access operation in VLAN 1. If the corporate DHCP server is in a single VLAN only (which it normally should be), you should set up the port as a static access port, probably with VLAN 1 membership.

2.) Does the VLAN 8 exist on all your switches?

Best regards,


ronald.lawrimore Fri, 08/28/2009 - 06:08


Yes, VLAN 8 does exist on all the switches. So, if I remove the trunking on the ports that are normally just my corp lan and leave the interconnecting ports how I have it now, should it work?

ronald.lawrimore Fri, 08/28/2009 - 07:29

I have updated my drawing to make my corp lan only port for DHCP to access mode. I can get the SSID for VLAN1 to work, but cannot get an address for VLAN8. What else in my configs do I need to change? Does VLAN8 need an IP address on each switch? All I did on the switches to define VLAN8 was configure the port with VLAN8.

Peter Paluch Fri, 08/28/2009 - 07:46
Cisco Employee


I assume you have 3 Catalyst 2950/2960 switches. Can you issue the show vlan brief command on each switch and confirm that the VLAN 8 exists everywhere? I am asking again because you have not defined the VLAN 8 as it is normally explicitly done - you have just used it but you haven't created it. Especially the middle switch does not have any access ports in VLAN 8 - you have just referenced the VLAN in a trunk configuration. Therefore I wonder if the VLAN 8 indeed exists.

Best regards,


Terryn Barbarich Fri, 08/28/2009 - 07:59


What commands have you configured to route between VLAN 8 and VLAN 1?

You'll need to have an SVI in place somewhere on VLAN 8 with an IP Helper Address pointing at your DHCP server on VLAN 1 and your DHCP server should have a scope setup for VLAN 8 requests.

ronald.lawrimore Fri, 08/28/2009 - 07:57

Ok, the DHCP server should only respond to items on VLAN 1. The NETGEAR should respond to items on VLAN 8. The WAP has 2 SSIDs, one is (untagged vlan1) the other is tagged VLAN 8. The untagged should go to internal network, the VLAN 8 should go to the NETGEAR for guest internet access.

ronald.lawrimore Fri, 08/28/2009 - 08:04

The corp DHCP gives out addresses to all my workstations and such. The Netgear gives out its own addresses to people on VLAN 8 and routes them to a TimeWarner connection for guest internet access.

In my test diagram that worked, yes everything worked exactly like I wanted it to. Only when I put the other switches in place did the VLAN 8 stop working.

ronald.lawrimore Fri, 08/28/2009 - 08:17

We are not running VTP because we are so small. What is the best way to configure VLAN 8 manually on each?

Peter Paluch Fri, 08/28/2009 - 08:21
Cisco Employee


If possible, please, post the complete configurations of all three switches. Also include the output of the following commands on each switch:

show cdp neigh

show int trunk

show vlan brief

show int status

That will be a long output but please no simplification. All that is necessary.

Best regards,
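
The check behind these requests, as an added example that is not part of the original thread: it reads `show vlan brief` and `show int trunk` output from one switch and reports when a VLAN is allowed on a trunk but missing from that switch's VLAN database, which is the transit-switch case raised above. The sample outputs are constructed and all function names are assumptions.

```python
import re

# Constructed sample output (not from the thread) for a transit switch.
VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- ----------------
1    default                          active    Fa0/1, Fa0/2
"""
INT_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1,8

Port        Vlans allowed and active in management domain
Gi0/1       1
"""

def active_vlans(vlan_brief):
    """VLAN IDs that 'show vlan brief' lists with status 'active'."""
    return {int(v) for v in re.findall(r"^(\d+) +\S+ +active\b", vlan_brief, re.M)}

def expand(spec):
    """'1,8,10-12' -> {1, 8, 10, 11, 12}; 'none' -> empty set."""
    return {v for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", spec)
            for v in range(int(lo), int(hi or lo) + 1)}

def trunk_sections(int_trunk):
    """Map each 'Vlans ...' section title to {port: VLAN set}."""
    sections, title = {}, ""
    for line in int_trunk.splitlines():
        head = re.match(r"Port\s+(.*\S)", line)
        if head:
            title = head.group(1)
        elif title.startswith("Vlans") and line.strip():
            port, _, spec = line.partition(" ")
            sections.setdefault(title, {})[port] = expand(spec)
    return sections

def check_vlan(vlan, vlan_brief, int_trunk):
    """Findings that explain why `vlan` would not cross this switch."""
    sec = trunk_sections(int_trunk)
    active = sec.get("Vlans allowed and active in management domain", {})
    found = [] if vlan in active_vlans(vlan_brief) else [f"VLAN {vlan} not in VLAN database"]
    for port, allowed in sec.get("Vlans allowed on trunk", {}).items():
        if vlan in allowed and vlan not in active.get(port, set()):
            found.append(f"{port}: VLAN {vlan} allowed but not active")
    return found
```

Run `check_vlan(8, ...)` against the output of every switch on the path between the WAP and the Netgear; an empty list on each means VLAN 8 exists and is carried end to end.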


ronald.lawrimore Fri, 08/28/2009 - 08:53

Ok, here are all the configs. I can change pretty much anything.


I have a WAP with 2 SSIDs.

SSID - PRIVATE - Gets internal DHCP

SSID - PUBLIC - Get ip from netgear



PRIVATE goes to our corp inter.

PUBLIC goes to a TW Cable Conn.

If I can find out what settings to put on each port I can get this done. VLAN info can be adjusted as needed.

ronald.lawrimore Fri, 08/28/2009 - 09:07

I am sorry, the description is wrong. The Netgear is on F0/11 on the bottom switch.

ronald.lawrimore Fri, 08/28/2009 - 09:18

No I cannot.

If I had to use VLAN1 as my internal lan and VLAN 8 as my "guest lan", how would you set up the ports to use with the WAP with two SSIDs?

ronald.lawrimore Fri, 08/28/2009 - 09:27

In my original config, see attachment. My laptop could connect to both SSIDs on the one WAP.

PRIVATE, I was on the corp internal network, got 192.168.100.x address

PUBLIC, I was on the TimeWarner(Netgear) network, got 192.168.8.x address

The netgear gives out dhcp of 192.168.8.x, and only for vlan 8

ronald.lawrimore Fri, 08/28/2009 - 09:35

Not without manually assigning my laptop a 192.168.8.x address and being on a port that allows VLAN 8 traffic to the port the Netgear box is on.

ronald.lawrimore Fri, 08/28/2009 - 09:40

1) Does the netgear have an IP address? Yes.

2) Does the netgear route or switch? Route to the Internet cable modem.

3) Do you have a layer 3 interface on your network in the vlan 8 that does have an IP address? Nothing on the network has a 192.168.0.x address besides the Netgear.

Well, I don't know how the Netgear will be able to allocate an IP address out of the 192.168.8.x range, when it does not have an interface in the 192.168.8.x range.

The other issue is inter-vlan routing, you CANNOT route from 1 vlan to another WITHOUT a layer 3 interface in the vlans.

You need to re-look into what you want to do.

Peter Paluch Fri, 08/28/2009 - 13:49
Cisco Employee


I went over the configurations you have provided us with, and I have a couple of questions:

1.) Almost all your ports on the switches are configured as trunks. Are you sure you need something like that? The ports are normally configured as access ports and only those ports which interconnect switches are configured as trunks.

2.) The upper switch you call "2960" is in fact a 3560 series switch, according to the "show cdp neigh" output from the middle switch. Thus there seems to be an inaccuracy in the description of your network.

3.) Further on, you are claiming that on the "2960" (the upper switch), the port Fa0/23 is connected to the Orinoco AP. However, according to the "show cdp nei" output on the "2960", there is yet another 3560 series switch connected to the Fa0/23 of the "2960" with the hostname "Switch". This is yet another inaccuracy. The configuration of that previously undescribed switch must again be thoroughly inspected.

4.) You have described the middle switch as 3750. However, according to the "show cdp neigh" output on the other switches, the middle switch is in fact a 3560. Another inaccuracy?

5.) You have described the bottom switch as another 3750. Yet according to the "show cdp neigh" on the middle switch, it is in fact 3550. Another inaccuracy?

6.) Your exhibit states that the bottom switch uses the Fa0/24 port to connect to the middle switch and its Gi0/2. In reality, according to the "show cdp nei", the bottom switch uses Gi0/1 to connect to the middle switch. The port Fa0/24 is connected somewhere but it does not show up in the CDP neighbor table.

Formally, the configuration seems to be OK but as you can yourself see here, there are so many discrepancies and confusing aspects of your description here that we can't proceed further until and unless it is absolutely clear that we are looking at the correct devices and have an accurate description of the topology.

Best regards,


