
Connect a wifi router to my management vlan

ADAman
Level 1

Is it enough to set the default gateway for the DHCP clients in the wifi router to the gateway for the management VLAN, and to configure the port connected to the wifi router as an access port for the management VLAN? The SVI for the management VLAN is also defined in the switch.

And finally, should I connect the wifi-router using its switchport or its "Internet" port?


kamran_Roostaee
Level 1

I guess you want to set up a wifi for connecting management hosts, so if your wifi router does not support VLANs, then you cannot connect it to the switch trunk port and you need to connect it to a switch access port assigned to the management VLAN. In this situation every host that connects to the wifi will be in the management VLAN, and if you set the DHCP default gateway of the hosts to the management VLAN gateway and inter-VLAN routing is enabled, then the hosts can connect outside the management VLAN.

sansarav720e
Level 1

Dear Atle,

Could you please let me know what the model of the wireless router is, and why you configure the default gateway of the management VLAN for your DHCP clients? I guess you want to access your wireless router via your management VLAN.

Kindly let me know on this.

Thanks

Santhosh Sarav

HTH Regards Santhosh Saravanan

ADAman
Level 1

It is a Cisco E4200.

Yes, I just want the wireless clients to be able to access the management VLAN only. No other VLAN necessary.

However, will DNS work? The DNS server is on a Windows VM on a different subnet and VLAN.

This is a Layer-3 Cisco switch. If I have set up an SVI for this other subnet (and the management subnet), will the DNS lookup packets find their way to the DNS server, or did I forget something?

You can define the DNS server in DHCP and hosts will learn the DNS server IP address through that. DNS packets use the IP protocol to reach the DNS server, so if hosts learn the DNS server IP and they can send packets to other VLANs (you should enable inter-VLAN routing on the L3 switch), then you will connect to DNS.

Dear Atle,

The Cisco E4200 is a wireless NAT router which by default performs NATing for the internal LAN network or for connected wireless clients. Here you need to connect a port on your Layer 3 switch to the Internet port (WAN port) of the Cisco E4200 wifi router.

For example, if you have created an SVI on your Layer 3 switch:

! SVI: gateway address for VLAN 10
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
! Access port facing the Internet (WAN) port of the wireless router
interface FastEthernet0/1
 description ****connected to Wireless router****
 switchport mode access
 switchport access vlan 10

---------------------------------------------------

On your E4200 wireless router, assign a static IP address to your Internet interface (under management control, you can limit the subnet from which you want to access it):

IP address: 10.10.10.10

Subnet mask: 255.255.255.0

Gateway: 10.10.10.1 (SVI interface of the L3 switch)

DNS server: your own defined DNS server on your LAN (e.g. 20.20.20.20, which is in another SVI VLAN on your Layer 3 switch)

On the LAN subnet you can assign any network range, e.g. 192.168.1.0. Under DHCP you can define your scope details, e.g. 192.168.1.20 - 192.168.1.254. Check whether you can assign your DNS server in your DHCP scope; if you can, again you can say 20.20.20.20.

Whenever your wireless clients want to access the internet they will be PATed to 10.10.10.10, which is nothing but the Internet port of your ES4200.

Your ES4200 will pass all traffic to your L3 SVI interface, which is the gateway for that router. Again, on your network you should have permitted internet for the 10.10.10.0 range ...

Over here we are doing double PATing

192.168.1.10 - 254 -----> 10.10.10.10

again from

10.10.10.10 ----> public IP on your firewall or router

All wireless traffic will be carried only from this single Source IP Address 10.10.10.10

HTH Regards Santhosh Saravanan

Hi. Thanks for your answer. I have just 1 more question:

1. What should be the default gateway for the wireless clients? .1 or .10? I assume .10?

Dear Atle,

Though you are creating the DHCP scope on the Cisco E4200, the LAN interface of the ES4200 is assigned another network range; in our example we have used 192.168.1.0/24. The LAN interface IP address is 192.168.1.1 and this is the gateway address for the wireless clients.

This complete 192.168.1.0/24 will be PATed to the IP address 10.10.10.10; your L3 switch will see traffic only from one IP address, that is 10.10.10.10.

The gateway address 10.10.10.1 is only for the ES 4200, not for the wireless clients.

To prevent your wireless clients from accessing your internal network you can define an access list on your ES4200 denying access to all subnets of the internal network, only allowing internet access.

HTH

Thks

Santhosh Sarav

HTH Regards Santhosh Saravanan

Hi Santhoshkumar,

You have in all your replies assumed I also want internet access. I do not need this. Just management access. Is anything going to change in what you have said for the setup?

Dear Atle,

As our Cisco ES4200 performs PATing for internally connected wireless clients, I have given an example with internet access here.

Please clarify what you mean by management access here. Management access or control normally means connecting to the ES4200 through the GUI. In our scenario you can connect to the ES4200 through the Internet port IP address, http://10.10.10.10

On the other side, the LAN side of the ES 4200, any wireless client connecting to this ES4200 will be PATed to IP 10.10.10.10, because your ES4200 is a wireless NAT router which performs NATing by default.

It is up to what level of access you have given the 10.10.10.0/24 subnet in your L3 switch. You can permit access to the internet or only to your LAN.

HTH

Thks

Santhosh Sarav

HTH Regards Santhosh Saravanan
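
An added example, not part of the original thread or any poster's configuration: one way to express "management access only, plus DNS" on the L3 switch using the thread's example addressing. Because the E4200 PATs every wireless client to 10.10.10.10, the switch can only filter on that single source address. Assumptions: the ACL name WIFI-MGMT-ONLY is hypothetical, and 10.10.10.10, 10.10.10.1 and 20.20.20.20 are the example values used above.

```cisco
! Added example; WIFI-MGMT-ONLY is a hypothetical name, addresses are the thread's examples.
! An ACL applied inbound on the SVI filters only traffic that reaches the SVI
! (to the switch itself or routed to other VLANs). Hosts inside VLAN 10 are
! reached at layer 2 and are not affected by it.
ip access-list extended WIFI-MGMT-ONLY
 remark DNS lookups from the E4200 PAT address to the DNS server in another VLAN
 permit udp host 10.10.10.10 host 20.20.20.20 eq domain
 permit tcp host 10.10.10.10 host 20.20.20.20 eq domain
 remark Management access to the switch SVI itself
 permit ip host 10.10.10.10 host 10.10.10.1
 remark Anything else routed from the wifi router is dropped and logged
 deny ip host 10.10.10.10 any log
 remark Other hosts in the management VLAN keep their existing access
 permit ip any any
!
interface Vlan10
 ip access-group WIFI-MGMT-ONLY in
```

Log entries from the deny line will show 10.10.10.10 as the source for every wireless client, so attributing a hit to a specific device requires the E4200's own DHCP and NAT records.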

I connected the wifi-router to the internet port as you suggested and it works fine. Thanks.

Hi!

I just mean access to the internal subnet 10.10.10.1. But one of the main reasons I raised this question was which port I connect the wifi-router to. I have the E4200 at home, and there I connected the switchport of an internet router to a switchport of the E4200. It still worked, i.e. the E4200 got an IP from the internet router and routes internet traffic from its LAN 192.168.1.x to the broadband router, 10.0.0.1. So in our example, could I also connect to the E4200 using one of its switchports?

"It is up to what level of access you have given the 10.10.10.0/24 subnet in your L3 switch. You can permit access to the internet or only to your LAN."

- I don't have internet. Just the local management network. So I assume I don't have to change anything for the LAN access.

Dear Atle,

I created a network diagram based on your comments above. Kindly correct me if my diagram is wrong. What I understand from your comment is that you want to connect your ES4200 home router directly to your Internet router?

HTH Regards Santhosh Saravanan