VLAN Configuration for Internal and Guest Wireless

Unanswered Question
Dec 16th, 2013

Hello,

We are using the following hardware…

SG300-52MP switch -- latest firmware

ASA 5512-X firewall -- 9.1

Aironet AP1131AG WAP

We have the following networks…

10.252.4.0/24 = Internal = ASA-01 interface = VLAN1

10.252.6.0/24 = Guest = ASA-02 interface = VLAN6

10.252.6.0/24 = VOIP = ASA-03 interface = VLAN3

The Aironet supports two SSIDs, Secure (RADIUS) and Guest (WPA2), which are supposed to provide access to the appropriate interface on the ASA.

Relevant parts of the WAP configuration are…

dot11 ssid GUEST
   vlan 6

dot11 ssid SECURE
   vlan 1

interface Dot11Radio0
   no ip address
   ssid GUEST
   ssid SECURE

interface Dot11Radio0.1
   encapsulation dot1Q 1 native
   no ip route-cache
   bridge-group 1

interface Dot11Radio0.6
   encapsulation dot1Q 6
   no ip route-cache
   bridge-group 255

interface Dot11Radio1
   no ip address
   no ip route-cache
   ssid GUEST
   ssid SECURE

interface Dot11Radio1.1
   encapsulation dot1Q 1 native
   no ip route-cache
   bridge-group 1

interface Dot11Radio1.6
   encapsulation dot1Q 6
   no ip route-cache
   bridge-group 255

interface FastEthernet0
   no ip address
   no ip route-cache

interface FastEthernet0.1
   encapsulation dot1Q 1 native
   no ip route-cache
   bridge-group 1

interface FastEthernet0.6
   encapsulation dot1Q 6
   no ip route-cache
   bridge-group 255

interface BVI1
   ip address 10.252.4.4 255.255.255.0
   no ip route-cache

ip default-gateway 10.252.4.1



We can manage the WAP through its Internal IP address (10.252.4.4).

And the “Guest” wireless network is working -- connecting to that SSID provides the client with the correct IP addressing (10.242.6.X from VLAN6/ASA-02).  [Note:  the VOIP DHCP and network access also works correctly.]

The “Secure” wireless network is not working, however -- the client never receives an Internal DHCP address from ASA-01, and even if you hard-code the client’s IP, no IPv4 traffic ever passes.

[Note:  connecting a device to a SG300 port with the “Default” configuration provides the client with an Internal DHCP configuration, and it works as intended.] 


While this may be a problem with the WAP configuration, I would like to confirm that it is not an issue with the switch not passing traffic correctly.

I have a feeling that I have configured the VLANs on the ports incorrectly.

Relevant parts of the SG300 configuration are...

v1.3.0.62 / R750_NIK_1_3_647_260
vlan database
vlan 3,6
ip dhcp snooping
ip dhcp relay address 10.252.4.1
ip dhcp relay enable
bonjour interface range vlan 1
!
interface vlan 1
   ip address 10.252.4.2 255.255.255.0
   no ip address dhcp
!
interface vlan 3
   name VOIP
!
interface vlan 6
   name Guest
!
interface gigabitethernet45 -- Access mode, Untagged VLAN6
   description ASA-Guest
   ip dhcp snooping trust
   switchport mode access
   switchport access vlan 6
!
interface gigabitethernet46 -- Access mode, Untagged VLAN3
   description ASA-VOIP
   ip dhcp snooping trust
   switchport mode access
   switchport access vlan 3
!
interface gigabitethernet47 -- Trunk mode, Untagged VLAN1 and Tagged VLAN6
   description WAP1
   switchport trunk allowed vlan add 6
!
interface gigabitethernet48 -- Trunk mode
   description ASA-Internal
   ip dhcp snooping trust
   ip dhcp relay enable
!

Can someone who understands this switch better than I do please confirm the VLAN configuration?  THANK YOU!
