Getting Wireless Users onto LAN

Answered Question
Apr 17th, 2012

Hello All,

We currently purchased 2 APs and a 2106 WLC and I am having some trouble getting the wireless users to communicate to the network on the other side of the WLC. Here is a very simple diagram on how this is all connected.

3750X L3 Switch --> 2106 WLC --> AP

LAN Network - 10.10.0.0/16           Wireless Users Network - 10.100.21.0/24

So with a laptop, I can get a DHCP reservation from the WLC to the 10.100.21.0/24 network. From there though, I cannot ping anything in the 10.10.0.0/16 network. I know that I am talking across two different networks so by default they shouldn't be able to communicate, but I feel like I am missing a setting on the WLC that will allow the two networks to communicate.

Management Interface:

IP Address: 10.10.20.100
Netmask: 255.255.0.0
Gateway: 10.10.0.1
DHCP Info: 10.10.20.100

Here is the config for my test interface (which may be the problem):

IP Address: 10.100.21.2
Netmask: 255.255.255.0
Gateway: 10.100.21.1
DHCP Info: 10.10.20.100

Thanks in advance for taking a look.

Stephen Rodriguez Tue, 04/17/2012 - 05:15

Ok, let's start with the basics. The port the WLC is connected to, is it configured as a dot1q trunk with both VLANs allowed?

Steve

Sent from Cisco Technical Support iPhone App

ksmith1413 Tue, 04/17/2012 - 05:28

Hey Steve,

Yes, it is configured as such. When I try to ping my default gateway (10.100.21.1) from the client I get destination host unreachable.

Also, I can ping the default gateway (10.100.21.1) from any host on our LAN so InterVLAN Routing seems to be working.

Stephen Rodriguez Tue, 04/17/2012 - 05:51

So as a dot1q trunk if the switch gets its own tag it will drop the traffic. So if you tag the VLAN on the switch port you want to set the management to 0.

IMHO you are better off tagging the WLC then setting the switch port to a non-existent VLAN. That way if something hits untagged it can't go anywhere.

Steve

Sent from Cisco Technical Support iPhone App

ksmith1413 Mon, 04/23/2012 - 04:50

Stephen,

Do you have any additional troubleshooting ideas for me? I am still spinning my wheels.

I have the trunk configured between the WLC and the 3750 switch. The trunk is allowing the two VLANs, one being our LAN out to the internet and the other being the wireless user network. I can get an IP on a laptop but when attempting to ping anything I cannot, almost as if it can't find its own default gateway. I have the default gateway set on the 3750 switch, so I assume it should be able to contact it and see that's its default gateway.

From our LAN I can ping the default gateway of the wireless network so I know inter-VLAN routing is taking place.

Thanks,

ksmith1413 Tue, 04/24/2012 - 09:30

Is there any other information I can provide to help anyone looking to assist with this issue?

George Stefanick Tue, 04/24/2012 - 09:45

Kyle,

Are you sure you have routes on your router to allow both of these networks to talk?

ksmith1413 Tue, 04/24/2012 - 10:02

Hello George,

Thanks for the reply. I believe I have routes that allow both these networks to talk, currently we are redesigning our network so bear with me as the setup is a little goofy.

The way our devices are connected in terms of the wireless configuration:

Internet <-> ASA <-> 3750 switch <-> WLC <-> AP <-> Laptop

                                      |

                                  My PC    

So, currently our default gateway for our LAN (10.10.0.1) is the inside interface of the ASA (like I said, working on changing this). On the ASA I also have a static route configured so any traffic destined for 10.100.21.0/24 is sent to 10.10.20.2, which is our 3750 switch.

On the 3750 switch I set a default gateway for our wireless network of 10.100.21.1. I also configured the trunk from the post above so there is a trunk between the 3750 and the WLC allowing the LAN VLAN and Wireless VLAN to send data across it.

On our WLC I have this configured:

Management Interface:

IP Address: 10.10.20.100
Netmask: 255.255.0.0
Gateway: 10.10.0.1
DHCP Info: 10.10.20.100

Here is the config for my test interface (which may be the problem):

IP Address: 10.100.21.2
Netmask: 255.255.255.0
Gateway: 10.100.21.1
DHCP Info: 10.10.20.100

From my LAN I can ping 10.100.21.1

Our host on the wireless can get an IP, but when it attempts to ping anything (even its gateway) I get no replies.

Going back to your question of if we have routes for both networks to talk, I believe we do, unless I am missing something.

Thanks again for your reply and taking the time to look at this.

Masashi Tanaka Tue, 04/24/2012 - 18:53

Please confirm the VLAN mapping of your SSID.

I guess that you need to assign a WLAN to your interface.

For example:

   your wlan id: 1
   dynamic interface-name: test

WLC commands:

   config wlan disable 1
   config wlan interface 1 test
   config wlan enable 1

ksmith1413 Wed, 04/25/2012 - 05:29

Hello Masashi,

It looks like everything is configured correctly based on your example. Here is what I see on the gui:

nikhilcherian Wed, 04/25/2012 - 05:54

Dear Kyle,

In your configuration you have configured the management interface gateway on the ASA inside interface and the dynamic interface gateway on the switch, which again has to be routed through the ASA. I really don't think that configuration will work out, as the multiple WLC interfaces will have a single MAC address and the ASA will be confused where to send the data.

Regards

NikhiL

ksmith1413 Wed, 04/25/2012 - 06:39

Hello NikhiL,

That makes sense, although I don't see how this is currently a problem with only 1 AP connected. I guess I haven't gotten far enough into my troubleshooting to experience the problem you are mentioning. I am taking baby steps so I figured I would first get 1 AP going and see if I can get internet connectivity and then add APs after that.

Would the problem you are explaining be the same with only 1 AP?

nikhilcherian Wed, 04/25/2012 - 07:51

Kyle,

I am not sure of what you mentioned about a single AP. I was talking about the multiple interfaces that you have created.

Did you face the issue with only 1 AP connected?

Thanks

NikhiL

ksmith1413 Wed, 04/25/2012 - 08:04

NikhiL,

Ok, I see what you are saying. So what type of solution are we looking at, putting both the gateways on the same piece of networking equipment? Since they are in different VLANs I would assume this wouldn't be an issue but I will give whatever you have to suggest a shot.

I am still a tad confused, because if you have virtual servers they all use the same hardware MAC of the NIC but use different logical MACs based on what they are set as, which I assume is the same scenario we are facing here.

Sorry that it is not clicking for me, just trying to better understand.

Thanks,

Kyle

nikhilcherian Wed, 04/25/2012 - 08:30

Kyle,

It is almost the same, but here the difference is that all the interfaces are in the WLC, hence the WLC can make the discretion.

Regards

NikhiL

ksmith1413 Wed, 04/25/2012 - 09:18

NikhiL,

Ok, are you suggesting then that everything be on the same network? or that I move the default gateway off the ASA?

nikhilcherian Wed, 04/25/2012 - 09:33

Kyle,

I am not suggesting everything on the same network. But suggesting to keep all the gateway interfaces on the same device, either ASA or the switch

Regards

NikhiL

ksmith1413 Fri, 04/27/2012 - 11:42

Ok, I will give that a try.

Quick question, I created the trunk on the 3750 to the WLC, is there any additional config on the WLC that needs to be made to put it in trunk mode?

Stephen Rodriguez Fri, 04/27/2012 - 12:07

The controller is a dot1q trunk by default. The only option you have is to run LAG(ether channel) or not

Steve

Sent from Cisco Technical Support iPhone App

George Stefanick Fri, 04/27/2012 - 12:10

Steve are you sure ...

It's only .1q (IF) you fill in the VLAN ID under the dynamic interface. It's not tagging if you leave it blank. Or am I off base on this one?

Stephen Rodriguez Fri, 04/27/2012 - 12:49

It's still a .1q trunk, options being .1q or ISL. You just won't have the tag in the management but you will on all the others.

Steve

Sent from Cisco Technical Support iPhone App

ksmith1413 Sun, 04/29/2012 - 06:11

My goal is to get that process going Monday morning. I don't quite know how I am going to achieve this on our LAN. We own two buildings that are redundant, if I put the default gateway on one of the L3 switch stacks I need to go through our production controls team since I will be taking internet access down from our internal LAN.

Are you absolutely sure this is the problem? I am still skeptical and I don't want to involve multiple departments and send out communications for this when it may be something else.

*edit*

I guess I could create a subnet from the WLC to the Switch, and then create a routing statement to the ASA. I can give this a try on Monday.

ksmith1413 Mon, 04/30/2012 - 05:23

After more troubleshooting this morning I found out that the problem is communication from the WLC to the 3750 switch. From the WLC if I ping 10.100.21.1 I get this:

(Cisco Controller) >ping 10.100.21.1

Send count=3, Receive count=0 from 10.100.21.1

Should I be getting this? I know the management interface has an IP of 10.10.20.100 but on the switch I did this:

description Connection to Wireless LAN Controller (10.100.21.2)
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan add 10
switchport trunk allowed vlan add 21

So I would think that traffic can flow normally between the two devices.

I also tried patching in the port assigned to the dynamic TEST interface directly into the switch and adding that switchport into VLAN 21 but that didn't solve the problem either:

3750 config:

interface GigabitEthernet2/0/20
 description Wireless LAN Controller - 10.100.21.2
 switchport access vlan 21

interface Vlan21
 ip address 10.100.21.1 255.255.255.0

WLC config:

IP Address: 10.100.21.2
Netmask: 255.255.255.0
Gateway: 10.100.21.1
VLAN: 21
Port: 2
DHCP Info: 10.10.20.100

Any ideas?

Correct Answer
Amjad Abdullah Mon, 04/30/2012 - 05:43

Kyle:
If you are using default VLAN for management, you need to set the VLAN Identifier on the dynamic interface as 0.

If you put the VLAN Identifier on the management VLAN as 1 then this is wrong.

If you are using DEFAULT VLAN then use the VLAN Identifier as 0 regardless of the VLAN number of the default VLAN that is being used.

I think there is some kind of VLAN mismatch.

Sorry, but I did not give a detailed look to the above. Just skimmed it and am trying to help.

Amjad

ksmith1413 Mon, 04/30/2012 - 06:22

So for example our internal VLAN is vlan 10. You are saying I should set the management interface to VLAN 10 and the dynamic interface to vlan 0?

George Stefanick Mon, 04/30/2012 - 21:09

Kyle,

I can understand the confusion, we have all been there. If I can offer my 2 cents...

Cisco recommends to tag all the traffic, you can find this in the 7MR1 guide. This is a change from years past, when Cisco's config guide stated native the management interface.

Let's look at the dynamic interfaces ...

First

7MR guide - Page 3-13 States: Tag all traffic, including management

Example 1

Suppose you leave dynamic interface VLAN ID blank. You are stating traffic is NOT tagged. So long as the VLAN and the subnet you put on the WLC match up with the switch you will pass traffic.

Example 2

Suppose you put a VLAN ID in like 10. You are telling the WLC to TAG all traffic for this dynamic interface. In return, you would need to TRUNK the switch port and allow VLAN 10.

Example 3

Suppose you LAG the WLC and you add VLAN numbers for all your WLANs (dynamic interfaces) 10,20,30,40 etc. And you take the WLC management interface and you leave the VLAN ID blank. You are telling the WLC to tag all the WLANs but not the management. In this case you would trunk at the switch and use the native statement for the management traffic.

So long as the VLAN subnet and the native management dynamic interface are on the same subnet, you will pass traffic.

In fact, if you break out all the ports and use NON LAG on the WLC. Say port 1 = VLAN 10, port 2 = VLAN 20, etc .. If you don't put in VLAN IDs you would put switch port mode access on the switch side.

I hope this helps ..
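The tagging rules in the three examples above can be checked mechanically against a switch port stanza. This Python check is an added example, not part of the thread and not Cisco tooling; `parse_port`, `check` and the sample stanzas are hypothetical, built with the thread's VLAN numbers, and it assumes IOS defaults (access mode, VLAN 1, all VLANs allowed, native VLAN sent untagged).

```python
import re

def parse_port(stanza):
    """Parse an IOS interface stanza. Assumes an unset mode means access and
    that the defaults are VLAN 1 with all VLANs allowed (allowed=None)."""
    port = {"mode": "access", "access": 1, "native": 1, "allowed": None}
    for line in map(str.strip, stanza.splitlines()):
        if m := re.fullmatch(r"switchport mode (\w+)", line):
            port["mode"] = m[1]
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            port["access"] = int(m[1])
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            port["native"] = int(m[1])
        elif m := re.fullmatch(r"switchport trunk allowed vlan (add )?([\d,]+)", line):
            vlans = {int(v) for v in m[2].split(",")}
            if not m[1]:
                port["allowed"] = vlans
            elif port["allowed"] is not None:   # "add" to "all" stays "all"
                port["allowed"] |= vlans
    return port

def check(wlc_ifaces, port):
    """wlc_ifaces maps name -> (VLAN Identifier on the WLC, VLAN intended on
    the switch); identifier 0 means the WLC sends that interface untagged."""
    problems = []
    for name, (tag, want) in wlc_ifaces.items():
        if tag == 0:
            lands = port["native"] if port["mode"] == "trunk" else port["access"]
            if lands != want:
                problems.append(f"{name}: untagged, lands in VLAN {lands}, wanted {want}")
        elif port["mode"] != "trunk":
            problems.append(f"{name}: tagged {tag} but switch port is access")
        elif port["allowed"] is not None and tag not in port["allowed"]:
            problems.append(f"{name}: VLAN {tag} not allowed on trunk")
        elif tag == port["native"]:
            problems.append(f"{name}: tagged {tag} but switch sends VLAN {tag} untagged")
    return problems

# Constructed samples using the thread's VLAN numbers (10 = LAN, 21 = wireless).
ACCESS_PORT = """switchport access vlan 21"""
TRUNK_PORT = """switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 10
switchport trunk allowed vlan 10,21"""

if __name__ == "__main__":
    print(check({"test": (21, 21)}, parse_port(ACCESS_PORT)))
    print(check({"management": (0, 10), "test": (21, 21)}, parse_port(TRUNK_PORT)))
```
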

ksmith1413 Tue, 05/01/2012 - 04:56

George,

Thank you for the thorough explanation. That makes things way more clear than before. We run a small IT shop here and any wireless I learned was from college which was 4-5 years ago, which like you said things have changed. I keep hitting small walls (example: Now I have LAN communication up to our firewall but it won't let me reach the internet) but luckily the forums are here, I just try not to flood them with my questions.

*edit*

Going back into example 1 (which may solve my internet problem) if I leave the dynamic interface untagged how do I make a default gateway on the L3 switch for traffic to route to? Or in that scenario would I have the default gateway on the ASA?

I think the problem I'm running into is I am tagging WLAN traffic as VLAN 21 and even though I can ping the ASA inside interface the ASA doesn't know about VLAN 21 so it won't route the packets out to the internet.

Thanks again for your help and patience.

Posted April 17, 2012 at 4:56 AM