Ok, are you suggesting then that everything be on the same network? or that I move the default gateway off the ASA?
I am not suggesting everything on the same network. But suggesting to keep all the gateway interfaces on the same device, either ASA or the switch
Ok, I will give that a try.
Quick question, I created the trunk on the 3750 to the WLC, is there any additional config on the WLC that needs to be made to put it in trunk mode?
The controller is a dot1q trunk by default. The only option you have is to run LAG(ether channel) or not
Sent from Cisco Technical Support iPhone App
Steve are you sure ...
Its only .1q (IF) you fill in the VLAN ID under the dynamic interafce. Its not tagging if you leave it bank. Or am I off base on this one?
It's still a .1q trunk options being .1q or isl. you just won't have the tag in the management but you will on all the others.
Sent from Cisco Technical Support iPhone App
My goal is to get that process going Monday morning. I dont quite know how I am going to achieve this on our LAN. We own two buildings that are redundant, if I put the default gateway on one of the L3 switch stacks I need to go through our production controls team since I will be taking internet access down from our internal LAN.
Are you absolutely sure this is the problem? I am still skeptical and I dont want to involve multiple departments and send out communications for this when it may be something else.
I guess I could create a subnet from the WLC to the Switch, and then create a routing statement to the ASA. I can give this a try on Monday.
After more troubleshooting this morning i found out that the problem is communication from the WLC to the 3750 switch. From the WLC if I ping 10.100.21.1 I get this:
(Cisco Controller) >ping 10.100.21.1
Send count=3, Receive count=0 from 10.100.21.1
Should I be getting this? I know the management interface has an IP of 10.10.20.100 but on the switch I did this:
description Connection to Wireless LAN Controller (10.100.21.2)
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan add 10
switchport trunk allowed vlan add 21
So I would think that traffic can flow normally between the two devices.
I also tried patching in the port assigned to the dynamic TEST interface directly into the switch and adding that switchport into VLAN 21 but that didnt solve the problem either:
description Wireless LAN Controller - 10.100.21.2
switchport access vlan 21
ip address 10.100.21.1 255.255.255.0
IP Address: 10.100.21.2
DHCP Info: 10.10.20.100
If you are using default VLAN for management, you need to use to set the VLAN Identifier on the dynamic interface as 0.
If you put the VLAN Identifier on the management VLAN as 1 then this is wrong.
If you are using DEFAULT VLAN then use the VLAN Identifier as 0 regardless of the vlan number of the default vlan that is being used.
I think there is some kind of vlan mismatch.
Sorry but I did not give detailed look to the above. just skimmed it and trying to help.
So for example our internal VLAN is vlan 10. You are saying I should set the management interface to VLAN 10 and the dynamic interface to vlan 0?
I can understand the confusion, we have all been there. If I can offer my 2 cents...
Cisco recommends to tag all the traffic, you can find this in the 7MR1 guide. This is a chnage from years past, when Cisco's config guide stated native the managment interface.
Lets look at the dynamic interfaces ...
7MR guide - Page 3-13 States: Tag all traffic, including managment
Suppose you leave dynamic interface vlan ID blank. You are stating traffic is NOT tagged. So long as the vlan and the subnet you put on the Wlc match up with the swithc you will pass traffic
Suppose you put a vlan ID in like 10. You are telling the WLC to TAG all traffic for this dynamic interface. In return, you would need to TRUNK the swithc port and allow vlan 10
Suppose you lag the WLC and you add vlan numbers for all your WLANS (dynamic interfaces) 10,20,30,40 etc. And you take the wlc management interface and you leave the vlan id blank. You are telling the WLC to tag all the WLANs but not the management. In this case you would trunk at the switch and use the native statement for the management traffic.
So long as the vlan subnet and the native management dynamic interface are on the same subnet, you will pass traffic.
In fact, if you break out all the ports and use NON LAG on the wlc. Say port 1 = vlan 10, port 2 = vlan 20, etc .. If you dont put in vlan id's you would put swith port mode access on the switch side.
I hope this helps ..
Thank you for the thorough explaination. That makes things way more clear than before. We run a small IT shop here and any wireless I learned was from college which was 4-5 years ago, which like you said things have changed. I keep hitting small walls (example: Now I have LAN communication up to our firewall but it wont let me reach the internet) but luckily the forums are here, I just try not to flood them with my questions.
Going back into example 1 (which my solve my internet problem) if I leave the dynamic interface untagged how do I make a default gateway on the L3 switch for traffic to route to? Or in that scenario would I have the default gateway on the ASA?
I think the problem im running into is I am taggin WLAN traffic as VLAN 21 and even though I can ping the ASA inside interface the ASA doesnt know about VLAN 21 so it wont route the packets out to the internet.
Thanks again for your help and patience.