
Pulling my hair out over this VLAN Stuff

I have set up a WAP with 2 SSIDs, one untagged and the other on VLAN tag 8. I tested it with one 2960 switch and I can get to my corp LAN on the untagged and can get to a public TimeWarner connection on the VLAN 8 SSID.

Once I have added a couple more switches to the mix I cannot get the VLAN 8 to give me an address for the public connection. On VLAN 8 SSID, I get an address from my corp DHCP server but should not.

I think the tags are working because when I connect to the VLAN 8 SSID and get a corp address, I cannot get to the Internet.

When I connect to the SSID for the corp lan, I get a corp address and can get to the Internet.

I have attached my setups that work and don't work. No routing between VLANs is needed.

Please help


Peter Paluch
Cisco Employee

Hi Ron,

A couple of questions:

1.) Why is the connection to your corporate server made as a trunk in both cases? Moreover, the trunk seems to be limited to VLAN 1 only, and because VLAN 1 is the native VLAN by default, you are essentially degrading that trunk to access operation in VLAN 1. If the corporate DHCP server is in a single VLAN only (which it normally should be), you should set up the port as a static access port, probably with VLAN 1 membership.

2.) Does the VLAN 8 exist on all your switches?

Best regards,

Peter

Peter,

Yes, VLAN 8 does exist on all the switches. So, if I remove the trunking on the ports that are normally just my corp LAN and leave the interconnecting ports how I have them now, should it work?

I have updated my drawing to make my corp LAN only port for DHCP to access mode. I can get the SSID for VLAN 1 to work, but cannot get an address for VLAN 8. What else in my configs do I need to change? Does VLAN 8 need an IP address on each switch? All I did on the switches to define VLAN 8 was configure the port with VLAN 8.

Ron,

I assume you have 3 Catalyst 2950/2960 switches. Can you issue the show vlan brief command on each switch and confirm that VLAN 8 exists everywhere? I am asking again because you have not defined VLAN 8 as it is normally explicitly done - you have just used it but you haven't created it. In particular, the middle switch does not have any access ports in VLAN 8 - you have just referenced the VLAN in a trunk configuration. Therefore I wonder if VLAN 8 indeed exists.

Best regards,

Peter

Peter, this is what I get on the middle switch. The other switches look similar with a VLAN 8 shown.

Hi,

What commands have you configured to route between VLAN 8 and VLAN 1?

You'll need to have an SVI in place somewhere on VLAN 8 with an IP Helper Address pointing at your DHCP server on VLAN 1 and your DHCP server should have a scope setup for VLAN 8 requests.

The DHCP server will not understand frames tagged with VLAN 8.

You need to configure the ip helper - on a vlan 8 SVI interface pointing to the DHCP server.

Ok, the DHCP server should only respond to items on VLAN 1. The NETGEAR should respond to items on VLAN 8. The WAP has 2 SSIDs, one is (untagged vlan1) the other is tagged VLAN 8. The untagged should go to internal network, the VLAN 8 should go to the NETGEAR for guest internet access.

Ahh OK - why do you have 2 separate DHCP servers?

From the AP can you ping the Netgear DHCP server, and vice versa?

The corp DHCP gives out addresses to all my workstations and such. The Netgear gives out its own addresses to people on VLAN 8 and routes them to a TimeWarner connection for guest internet access.

In my test diagram that worked, yes, everything worked exactly like I wanted it to. Only when I put the other switches in place did VLAN 8 stop working.

Are you running VTP? ALL switches must know about VLAN 8; if not using VTP, then you have to configure VLAN 8 on all switches.

The switches will not pass traffic for unknown VLANs.

We are not running VTP because we are so small. What is the best way to configure VLAN 8 manually on each?

#conf t

vlan 8

name <>

I would still configure VTP - that way you know all switches in the VTP domain will have the correct VLANs.

Also make sure the VLANs are allowed on the trunk ports.

Ron,

If possible, please, post the complete configurations of all three switches. Also include the output of the following commands on each switch:

show cdp neigh

show int trunk

show vlan brief

show int status

That will be a long output but please no simplification. All that is necessary.

Best regards,

Peter
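An added example, not part of the thread and not any poster's code: a Python check over the `show vlan brief` and `show int trunk` output requested above, flagging a switch where VLAN 8 is allowed on the trunks but missing from the VLAN database, so guest traffic never stays in its own VLAN end to end. The sample output is constructed and the function names are hypothetical.

```python
import re

# Constructed sample (not from the thread): VLAN 8 allowed on trunks but never created.
VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3
1002 fddi-default                     act/unsup
"""
INT_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1
Gi0/2       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1,8
Gi0/2       1,8

Port        Vlans allowed and active in management domain
Gi0/1       1
Gi0/2       1
"""

def active_vlans(vlan_brief):
    """VLAN IDs that 'show vlan brief' lists with status 'active'."""
    return {int(v) for v in re.findall(r"^(\d+)\s+\S+\s+active\b", vlan_brief, re.M)}

def expand(vlan_list):
    """Expand an IOS VLAN list such as '1,8,10-12' (or 'none') into a set of ints."""
    return {v for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", vlan_list)
            for v in range(int(lo), int(hi or lo) + 1)}

def trunk_sections(int_trunk):
    """Map each 'Vlans ...' section of 'show interfaces trunk' to {port: VLAN set}."""
    sections, current = {}, None
    for line in int_trunk.splitlines():
        if line.startswith("Port"):
            title = line[4:].strip()
            current = sections.setdefault(title, {}) if title.startswith("Vlans") else None
        elif current is not None and line.strip():
            port, _, vlans = line.strip().partition(" ")
            current[port] = expand(vlans)
    return sections

def check_vlan(vlan, vlan_brief, int_trunk):
    """List every place on this switch where the VLAN is absent."""
    findings = [] if vlan in active_vlans(vlan_brief) else [f"VLAN {vlan} not active in VLAN database"]
    for title, ports in trunk_sections(int_trunk).items():
        findings += [f"{p}: VLAN {vlan} not in '{title}'" for p, v in ports.items() if vlan not in v]
    return findings
```

Run `check_vlan(8, ...)` against the captured output of each switch in the path between the WAP and the guest router; an empty list on every switch means VLAN 8 exists and is carried on every trunk listed.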
