Access Wireless Internet via VLAN100 with RVS4000, SG300-10MP and AP541N

Document

Fri, 07/08/2016 - 20:50
Apr 26th, 2016
Cisco Support Community

Article ID: 3130

Objective

The main objective of this article is to demonstrate wireless internet connectivity through an access point (AP541N) over VLAN 100, with a switch and a router acting as the gateway devices. A similar scenario can also be achieved with older access points such as the WAP200 or the WAP4410N. The steps below must be carried out on each device in turn. Topics covered in this article are as follows:

• Router Configuration (RVS4000)

– VLAN Creation

– Trunk Configuration on a Port in VLAN 1

– Tag a Port in VLAN 100

– Verification of Port Statistics on all 4 Ports

• Switch Configuration (SG300-10MP)

– Static IPv4 Address Configuration

– Jumbo Frames Configuration

– Creation of Guest VLAN 100

– Access and General Ports Creation

– Name the Access Lists

– How to set priority and actions for Access Lists

– Bind the Access Lists

• Access Point Configuration (AP541)

– Wireless Radio Settings Configuration

– Virtual Access Points (VAPs) Configuration

– View the Traffic Status

• Network Configuration Test

– Test Port 2 of switch SG300-10T

– Test Port 1 of Switch SG300-10T

– Back to Port 2 of Switch SG300-10T

– Check whether traffic follows via VLAN 100

– Effects of Address Based ACE Permissions

– Dynamic IP Address Allocation

Applicable Devices

• RVS4000

• AP541N (or) WAP200 (or) WAP4410N

• SG300-10MP

Software version

• v2.0.3.2 (RVS4000)

• v2.0.4 (AP541N)

• v2.0.6.0 (WAP200)

• v2.0.6.1 (WAP4410N)

• v1.3.0.59 (SG300-10MP)

Address Infrastructure

• RVS4000: 192.168.1.1/24 static
• SG300-10 MP: 192.168.1.10/24 static
• AP541: 192.168.1.3/24 static
• IP address issued: SSID 192.168.2.xxx dynamic
• Switch: 192.168.1.xxx dynamic 

Overview of Port and VLAN setup

Things to be considered

• Disable AP Guest access to the Switch for security purposes, but still allow internet.

• This can be tested easily by configuring the access list described below, but access from the guest network to the switch will be lost once the ACL is bound.

• To reconnect, either move the patch cable to another port or connect via the LAN. A different IP address is obtained, which restores access.

• Wireless clients obtain a 192.168.2.xxx network address as opposed to 192.168.1.xxx via LAN.

• In the default factory settings, default or native VLAN is always untagged on all routers, switches and wireless devices.

• Security has not been configured on the AP SSIDs

Access Internet via Wireless Connection with VLAN100 on AP541 and RVS4000

Router Configuration (RVS4000)

VLAN Creation

Step 1. Use the router configuration utility to choose L2 Switch > Create VLAN. The Create VLAN page opens:

Step 2. In the VLAN ID field, enter the ID number of the VLAN that you would like to create. VLAN 100 is used in this example.

Step 3. Click Add VLAN.

Step 4. Click Save to save the settings.

Trunk Configuration on a Port in VLAN 1

The trunk port is configured so that multiple VLANs can pass through the switch simultaneously.

Step 5. Use the router configuration utility to choose L2 Switch > VLAN Membership. The VLAN Membership page opens:

Step 6. In the VLAN ID drop-down list, choose 1.

Step 7. In the Description field, enter a description for the VLAN. By default, the description default is present.

Step 8. In the Function/Port table, click Trunk under port 4 to pass all VLANs to and from the switch.

Note: Only Port 4 is trunked in this VLAN.

Step 9. Click Save to save the settings.

Tag a Port in VLAN 100

When a port is tagged, it receives all tagged frames even though it has no Port VLAN ID.

Step 10. In the VLAN ID drop-down list, choose the VLAN that you created in Step 2. In this example VLAN 100 is chosen.

Step 11. In the Description field, enter a description other than the default name.

Step 12. In the Function/Port table click Exclude on ports 1, 2, and 3.

Step 13. In the Function/Port table click Tagged in port 4.

Step 14. Click Save to save the settings.

Verification of Port Statistics on all 4 Ports

Step 15. Use the Router Configuration Utility to choose L2 Switch > Statistics. The Statistics page opens:

Note that packets are transmitted and received on all ports except ports 2 and 3, which are not connected to any device and have not been assigned to any VLAN. Port 1 receives VLAN 1 (default) traffic, whereas port 4 (the trunk port) receives VLAN 100 (Guest) traffic.

Switch Configuration (SG300-10MP)

Static IPv4 Address Configuration

Step 16. Use the Switch Configuration Utility to choose Administration > Management Interface > IPv4 Interface. The IPv4 Interface page opens:

Step 17. In the IP Address type field, click the Static radio button to set a specific IP address.

Step 18. In the IP Address field, enter any IP address that can be assigned for the switch. In this example, 192.168.1.10 is used.

Step 19. In Administrative Default Gateway field, click User Defined and enter any IP address with the same subnet as entered in step 18. Here 192.168.1.1 is used.

Step 20. Click Apply to save the settings.

Jumbo Frames Configuration

Jumbo Frames support packets of up to 10 Kb in size. If Jumbo Frames is not enabled (the default), the system can only support a packet size of up to 1632 bytes. For jumbo frames to take effect, the switch must be rebooted after the feature is enabled.

Step 21. Use the switch configuration utility to choose Port Management > Port Setting. The Port Setting page opens:

Step 22. In the Jumbo Frames field, check Enable.

Step 23. Click Apply to save the settings.

Creation of Guest VLAN (VLAN 100)

Step 24. Use the Switch Configuration Utility to choose VLAN Management > Create VLAN. The Create VLAN page opens:

Step 25. Click Add to create a guest VLAN.

Step 26. In the VLAN ID field, enter the guest VLAN ID that was created for the router.

Step 27. In the VLAN Name field, enter any name to identify the VLAN. In this example, Guest is the description name.

Step 28. Click Apply to save the settings.

Note: VLAN 1 and 100 are now displayed in the Create VLAN Table.

Step 29. Use the Switch Configuration Utility to choose VLAN Management > Port VLAN Membership. The Port VLAN Membership page opens:

Note: Tag four ports so that they accept tagged VLAN 100 frames even though VLAN 100 is not their port VLAN ID. In this example, ports 1, 2, 8, and 10 are tagged. Ports 1-10 are untagged by default.

Step 30. Click GE1 in the Port VLAN Membership Table.

Step 31. Click Join VLAN. A new window appears.


Step 32. In the Select VLAN field, choose the VLAN ID created in Step 25 and click the > icon.

Step 33. Click Tagged in the Tagged field and click Apply.

Step 34. In the same window, choose GE2 in the Interface field.

Step 35. In the Select VLAN field, choose the VLAN ID which is created in step 25 and click the > icon.

Step 36. Click Tagged in the Tagged field and click Apply.

Step 37. In the same window, choose GE8 in the Interface field.

Step 38. In the Select VLAN field, choose the VLAN ID which is created in step 25 and click the > icon.

Step 39. Click Tagged in the Tagged field and click Apply.

Step 40. In the same window, choose GE10 in the Interface field.

Step 41. In the Select VLAN field, choose the VLAN ID which is created in step 25 and click the > icon.

Step 42. Click Tagged in the Tagged field and click Apply.

The Port VLAN Membership Table displays the changes that are made on the ports.

Access and General Port Creation

In this section, ports must be configured as Access ports or General ports. Four ports are configured as Access ports and one port is configured as a General port. In this example, ports 4, 5, 6, and 7 are marked as Access ports and port 8 is marked as a General port. An Access port is an untagged member of a single VLAN. A General port supports all functions defined in the IEEE 802.1q specification and can be a tagged or untagged member of one or more VLANs.

Step 43. Use the Switch Configuration Utility to choose VLAN Management > Interface Settings. The Interface Settings page opens:

Step 44. In the Interface Settings Table, choose GE4 by clicking the radio button and click Edit. A new window appears.

Step 45. In the Interface VLAN Mode field, click Access.

Step 46. Click Apply to save the settings.

Step 47. On the same page choose GE5 in the Interface field.

Step 48. In the Interface VLAN Mode, click Access.

Step 49. Click Apply to save the settings.

Step 50. On the same page choose GE6 in the Interface field.

Step 51. In the Interface VLAN Mode, click Access.

Step 52. Click Apply to save the settings.

Step 53. On the same page choose GE7 in the Interface field.

Step 54. In the Interface VLAN Mode, click Access.

Step 55. Click Apply to save the settings.

Step 56. On the same page choose GE8 in the Interface field.

Step 57. In the Interface VLAN Mode, click General.

Step 58. Click Apply to save the settings.

Step 59. To check the interface status, use the switch configuration utility to choose VLAN Management > Port VLAN Membership. The interface mode has been changed with respect to the VLANs.

Name the Access Lists

Step 60. Use the Switch Configuration Utility to choose Access Control > IPV4-Based ACL. The IPV4-Based ACL page opens:

Step 61. Click Add.

Step 62. In the ACL Name field, enter acl-icmp and click Apply. This ACL is intended for ICMP packets; you can also enter a different name to describe the ACL.

Step 63. On the same page, in the ACL Name field, enter acl-tcp and click Apply. This ACL is intended for TCP packets. You can also enter a different name to describe the ACL.

Step 64. In the ACL Name field, enter acl-udp and click Apply. This ACL is intended for UDP packets. You can also enter a different name to describe the ACL.

Step 65. In the ACL Name field, enter acl-any and click Apply. This ACL is intended for any packets other than the above. You can also enter a different name to describe the ACL.

Step 66. In the ACL Name field, enter restrict-vlan100 and click Apply. This ACL holds the rules that restrict VLAN 100. You can also enter a different name to describe the ACL.

How to set Priority and Actions for Access Lists

Step 67. Use the Switch Configuration Utility to choose Access Control > IPV4-Based ACE. The IPV4-Based ACE page opens:

Step 68. In the ACL Name equals to field, choose restrict-vlan100.

Step 69. Click Add. A new window appears.

Step 70. In the Priority field, enter 100. ACEs with higher priority are processed first. Make sure all deny statements come first and permit statements come last.

Step 71. In the Action field, click Deny. This ACE denies packets from guest VLAN 100 that match the source and destination entered in the following steps (guest network to switch); internet traffic is still permitted by the second ACE.

Step 72. In the Source IP Address field, click User Defined.

Step 73. In the Source IP Address Value field, enter the network address of the SSID broadcast from the access point. In this example, all SSID clients are on network 192.168.2.0. This is the network whose access is to be restricted.

Step 74. In the Source IP Wildcard Mask field, enter 0.0.0.255.

Step 75. In the Destination IP Address field, click User Defined.

Step 76. In the Destination IP Address Value field, enter the IP address of the switch (the static address configured in Step 18). In this example, it is 192.168.1.10.

Step 77. In the Destination IP Address Mask field, enter 0.0.0.0.

Step 78. Click Apply to save the settings.

On the same page, enter these details.

Step 79. In the Priority field, enter 101 to permit all the traffic other than that which is specified in Step 69.

Note: The Action field is Permit by default. Do not forget this PERMIT statement, otherwise all traffic will be blocked. The source address is the (dynamic) IP address issued by the access point and the destination IP address is the switch address (static). Make sure that the switch has a static address; otherwise the ACE may not work, because the switch would obtain a different IP address dynamically each time it connects to the network.

Step 80. Click Apply to save the settings.

Bind the Access Lists

When an ACL is bound to an interface, the ACE rules of the ACL are applied to packets which arrive at that interface. Packets that do not match any of the ACEs in the ACL are matched to a default rule, whose action is to drop unmatched packets.

Note: Once an ACL is bound to an interface, it cannot be edited, modified, or deleted until it is removed from all the ports to which it is bound or in use.

Step 81. Use the switch configuration utility to choose Access Control > ACL Binding. The ACL Binding page opens:

Step 82. Check interface GE1 in the ACL Binding Table.

Step 83. Click Edit. The Edit ACL Binding window appears.

Step 84. Check Select IPv4-Based ACL.

Step 85. Choose restrict-vlan100 from the Select IPv4-Based ACL drop-down list.

Step 86. Click Apply to save the changes.

The above picture displays the changes made to interface GE1.

Note: If you wish to amend the changes later, you must unbind the ACL before you can alter it, and rebind the ACL afterwards.
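As an added illustration (not part of the original article or Cisco's software), the following Python script models the restrict-vlan100 ACL built in Steps 70-80 and the default drop rule that applies once it is bound, using Cisco-style wildcard masks. The addresses are the article's; the sample packets are constructed to mirror the ping tests later in the article, and one case shows what happens if the permit ACE at priority 101 is omitted.

```python
"""Simulate the SG300 IPv4 ACL from this article (constructed example, not Cisco code)."""
from ipaddress import IPv4Address
from typing import Optional, Tuple

def matches(addr: str, value: Optional[str], wildcard: Optional[str]) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    if value is None:                     # "Any" in the GUI
        return True
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) ^ int(IPv4Address(value))) & care == 0

# restrict-vlan100 as entered in the GUI: lower priority number is evaluated first.
RESTRICT_VLAN100 = [
    {"priority": 100, "action": "deny",
     "src": "192.168.2.0", "src_wc": "0.0.0.255",   # guest SSID clients
     "dst": "192.168.1.10", "dst_wc": "0.0.0.0"},   # switch management address
    {"priority": 101, "action": "permit",
     "src": None, "src_wc": None, "dst": None, "dst_wc": None},  # everything else
]

def evaluate(acl, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, priority) of the first matching ACE, or the implicit deny."""
    for ace in sorted(acl, key=lambda a: a["priority"]):
        if matches(src, ace["src"], ace["src_wc"]) and matches(dst, ace["dst"], ace["dst_wc"]):
            return ace["action"], ace["priority"]
    return "deny", None                   # default rule: unmatched packets are dropped

def test_cases():
    """Reproduce the article's ping tests on the bound port (constructed client addresses)."""
    return {
        "wireless_to_switch":   evaluate(RESTRICT_VLAN100, "192.168.2.100", "192.168.1.10"),
        "wireless_to_internet": evaluate(RESTRICT_VLAN100, "192.168.2.100", "8.8.8.8"),
        "wired_to_switch":      evaluate(RESTRICT_VLAN100, "192.168.1.100", "192.168.1.10"),
        # Without the permit ACE, the implicit deny blocks the internet too (see Note above).
        "wireless_no_permit":   evaluate([RESTRICT_VLAN100[0]], "192.168.2.100", "8.8.8.8"),
    }

if __name__ == "__main__":
    for name, (action, prio) in test_cases().items():
        print(f"{name:22} -> {action} (ACE priority {prio})")
```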

Access Point Configuration (AP541)

Basic LAN Configuration

Step 87. Use the Access Point Configuration Utility to choose Setup > LAN Settings. The LAN Settings page opens:

Step 88. Choose Static IP from the Connection Type drop-down list.

Step 89. In the Static IP Address field, enter 192.168.1.3.

Step 90. In the Subnet Mask field, enter 255.255.255.0.

Step 91. In the Default Gateway field, enter 192.168.1.1.

Step 92. Click Apply to save the changes.

Wireless Radio Settings Configuration

Step 93. Use the Access Point Configuration Utility to choose Wireless > Wireless Radio Settings. The Wireless Radio Settings page opens:

Step 94. Choose 6 from the Channel drop-down list. This is the channel that has the least interference in 802.11b/g/n mode.

Step 95. Click Apply to save the changes.

Virtual Access Points (VAPs) Configuration

Step 96. Use the Access Point Configuration Utility to choose Wireless > Wireless Network Setup (VAPs). The Wireless Network Setup page opens:

Step 97. Click Configure Virtual Access Points (SSIDs) to display the collapsed drop-down menu.

Under VAP-0 perform these steps:

Step 98. In the VLAN ID field, enter 1.

Step 99. Check Enabled beside VAP-0.

Step 100. In the SSID field, enter sbsc-vlan1.

Step 101. In the Security field, choose WPA Personal.

Step 102. Click Apply to save the changes.

Step 103. Click Add Another to add a new VAP entry.

Under VAP-1 perform these steps:

Step 104. In the VLAN ID field, enter 100.

Step 105. Check Enabled beside VAP-1.

Step 106. In the SSID field, enter sbsc-100.

Step 107. In the Broadcast SSID field, check Enable. When this is enabled, the VAP broadcasts the SSID of the Access Point. The network name is displayed in the list of available networks on a client machine.

Note: The client must have the exact network name configured in the supplicant before it is able to connect.

Step 108. Click Apply to save the changes.

View the Traffic Status

Step 109. Use the Access Point Configuration Utility to choose Status > Traffic Status. The Traffic Status page opens:

Step 110. Click Refresh to refresh the window and to view the current traffic statistics on the Access Point.

Network Configuration Test

Test Port 2 of switch SG300-10T

Note: Make sure that the port is trunked (1UP, 100T) and no ACL is applied. The expected result is that the internet should work. As no ACL is in place, you should be able to access the switch on port 1.

Step 111. Remove the CAT5e Ethernet cable and access via wireless connection.

Step 112. Open the command prompt in windows and type ping 8.8.8.8 -t. The ping works correctly and you can access the internet from port 2.

Step 113. Again type ipconfig to see the current IP address of the device.

Step 114. Type ping 192.168.1.10 -t. The ping works correctly and you can access the switch.

Both the internet connection and the switch address respond.

Test Port 1 of Switch SG300-10T

Note: Make sure that the port is trunked (1UP, 100T), but this time port 1 is bound to the restrictive access list on the switch. The expected result is that the internet should work, but on port 1 a timeout should be seen due to the ACL.

Step 115. Type ping 8.8.8.8 -t. If the ping works correctly, you can access the internet from port 1.

Step 116. Type ipconfig to make sure you have access from the same device as the previous one.


Step 117. Type ping 192.168.1.10 -t just as in step 113, but this time the connection times out due to the restrictive access list applied on the switch in steps 83 & 84.

Back to Port 2 of Switch SG300-10T

Note: All the connections will respond again on the switch. Repeat steps 111, 112 and 113.

Step 118. Open the command prompt in Windows and type ping 8.8.8.8 -t. If the ping works correctly, you can access the internet from port 2 again.

Step 119. Type ping 192.168.1.10 -t. The ping works fine and you can access the switch.

Note: Initially the request times out, as some packets are lost when the port is changed suddenly, but the connection gradually comes back.

Traffic flow via VLAN 100

In this scenario, move the connection from port 1 to port 9 of the switch. A good test to confirm that VLAN 100 is used is to ping from both the 192.168.1.x and 192.168.2.x ranges.

Note: Here, GE1 is tagged with VLAN 100 but GE9 is not. The expected result is that the connection times out, because traffic is not carried via VLAN 100.


Note: If the communication is not disrupted, check the trunk configuration of the switch.

Step 120. Try to open 192.168.1.10 in a web browser. The connection times out because the access list prevents you from opening the GUI. To regain access, connect to another port or swap to the LAN connection.

Effects of Address Based ACE Permissions

Step 121. Type ping 192.168.1.10 -t in the command prompt while connected to the switch. The ping is successful because the 192.168.1.x range is allowed.

Step 122. Type ping 192.168.1.10 -t in the command prompt while connected to the AP541. The ping is unsuccessful because the 192.168.2.x range is denied.

Dynamic IP Address Allocation

Step 123. On the PC, type ipconfig. The above image shows that the address 192.168.2.100 (issued via the access point) is obtained over the wireless connection and the address 192.168.1.100 (on the switch network) is obtained over the wired connection.

Hence, this article shows that a wireless internet connection can be accessed via VLAN 100 through the access point, while access to the switch from that VLAN is blocked.
