Cisco Support Community
Community Member

Pulling my hair out over this VLAN Stuff

I have set up a WAP with 2 SSIDs, one untagged and the other on VLAN tag 8. I tested it with one 2960 switch and I can get to my corp LAN on the untagged and can get to a public TimeWarner connection on the VLAN 8 SSID.

Once I have added a couple more switches to the mix I cannot get the VLAN 8 to give me an address for the public connection. On VLAN 8 SSID, I get an address from my corp DHCP server but should not.

I think the tags are working because when I connect to the VLAN 8 SSID and get a corp address, I cannot get to the Internet.

When I connect to the SSID for the corp lan, I get a corp address and can get to the Internet.

I have attached my setups that work and don't work. No routing between VLANs is needed.

Please help

27 REPLIES
Cisco Employee

Re: Pulling my hair out over this VLAN Stuff

Hi Ron,

A couple of questions:

1.) Why is in both cases the connection to your corporate server made as trunk? Moreover, the trunk seems to be limited to VLAN 1 only, and because the VLAN 1 is the native VLAN by default, you are essentially degrading that trunk to access operation in VLAN 1. If the corporate DHCP server is in a single VLAN only (which it normally should), you should set up the port as static access port, probably with VLAN 1 membership.

2.) Does the VLAN 8 exist on all your switches?

Best regards,

Peter

Community Member

Re: Pulling my hair out over this VLAN Stuff

Peter,

Yes, VLAN 8 does exist on all the switches. So, if I remove the trunking on the ports that are normally just my corp LAN and leave the interconnecting ports how I have them now, should it work?

Community Member

Re: Pulling my hair out over this VLAN Stuff

I have updated my drawing to make my corp LAN only port for DHCP to access mode. I can get the SSID for VLAN1 to work, but cannot get an address for VLAN8. What else in my configs do I need to change? Does VLAN8 need an IP address on each switch? All I did on the switches to define VLAN8 was configure the port with VLAN8.

Cisco Employee

Re: Pulling my hair out over this VLAN Stuff

Ron,

I assume you have 3 Catalyst 2950/2960 switches. Can you issue the show vlan brief command on each switch and confirm that VLAN 8 exists everywhere? I am asking again because you have not defined VLAN 8 as it is normally explicitly done - you have just used it but you haven't created it. In particular, the middle switch does not have any access ports in VLAN 8 - you have just referenced the VLAN in a trunk configuration. Therefore I wonder if VLAN 8 indeed exists.

Best regards,

Peter

Community Member

Re: Pulling my hair out over this VLAN Stuff

Peter, this is what I get on the middle switch. The other switches look similar with a VLAN 8 shown.

Community Member

Re: Pulling my hair out over this VLAN Stuff

Hi,

What commands have you configured to route between VLAN 8 and VLAN 1?

You'll need to have an SVI in place somewhere on VLAN 8 with an IP Helper Address pointing at your DHCP server on VLAN 1 and your DHCP server should have a scope setup for VLAN 8 requests.

Re: Pulling my hair out over this VLAN Stuff

The DHCP server will not understand frames tagged with VLAN 8.

You need to configure the ip helper - on a vlan 8 SVI interface pointing to the DHCP server.

Community Member

Re: Pulling my hair out over this VLAN Stuff

Ok, the DHCP server should only respond to items on VLAN 1. The NETGEAR should respond to items on VLAN 8. The WAP has 2 SSIDs, one is (untagged vlan1) the other is tagged VLAN 8. The untagged should go to internal network, the VLAN 8 should go to the NETGEAR for guest internet access.

Re: Pulling my hair out over this VLAN Stuff

Ahh OK - why do you have 2 separate DHCP servers?

From the AP can you ping the Netgear DHCP server? And vice versa?

Community Member

Re: Pulling my hair out over this VLAN Stuff

The corp DHCP gives out addresses to all my workstations and such. The Netgear gives out its own addresses to people on VLAN 8 and routes them to a TimeWarner connection for guest internet access.

In my test diagram that worked, yes, everything worked exactly like I wanted it to. Only when I put the other switches in place did VLAN 8 stop working.

Re: Pulling my hair out over this VLAN Stuff

Are you running VTP? ALL switches must know about VLAN 8; if not VTP, then you have to configure VLAN 8 on all switches.

The switches will not pass traffic for unknown vlans.

Community Member

Re: Pulling my hair out over this VLAN Stuff

We are not running VTP because we are so small. What is the best way to configure VLAN 8 manually on each?

Re: Pulling my hair out over this VLAN Stuff

#conf t

vlan 8

name <>

I would still configure VTP - that way you know all switches in the VTP domain will have the correct VLANs.

Also make sure the VLANs are allowed on the trunk ports.

Cisco Employee

Re: Pulling my hair out over this VLAN Stuff

Ron,

If possible, please, post the complete configurations of all three switches. Also include the output of the following commands on each switch:

show cdp neigh

show int trunk

show vlan brief

show int status

That will be a long output but please no simplification. All that is necessary.

Best regards,

Peter
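The two conditions raised in the replies above (VLAN 8 must exist on every switch and must be allowed on every trunk) can both be read from the `show int trunk` output requested here: a VLAN appears under "Vlans allowed and active in management domain" only if it is in the trunk's allowed list and is created and active on that switch. The following is an added example, not part of the thread; the sample output is constructed and `MIDDLE`, `STAGES`, `expand`, `parse_trunk` and `diagnose` are hypothetical names.

```python
# Constructed sample, not the thread's attachments (fourth, STP table omitted).
MIDDLE = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi0/1       on               802.1q         trunking      1
Gi0/2       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1
Gi0/2       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1
Gi0/2       1
"""

STAGES = [  # table title -> what it means when the VLAN is missing from it
    ("Vlans allowed on trunk", "not in allowed list"),
    ("Vlans allowed and active in management domain", "VLAN not created/active on switch"),
    ("Vlans in spanning tree forwarding state and not pruned", "STP-blocked or pruned")]

def expand(vlans):  # '1,8,10-12' -> {1, 8, 10, 11, 12}; IOS prints 'none' when empty
    out = set()
    for part in vlans.replace(" ", "").split(","):
        if part and part != "none":
            lo, _, hi = part.partition("-")
            out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_trunk(text):
    """Map table title -> {port: raw column text} from 'show interfaces trunk'."""
    tables, current = {}, None
    for line in text.splitlines():
        if line.startswith("Port"):  # each table starts with a 'Port ...' header row
            current = tables.setdefault(line[4:].strip(), {})
        elif current is not None and line.strip():
            port, _, rest = line.strip().partition(" ")
            current[port] = rest.strip()
    return tables

def diagnose(text, vlan):
    """Return {port: reason} for trunk ports that will not carry `vlan`."""
    tables, problems = parse_trunk(text), {}
    for title, reason in STAGES:
        for port, vlans in tables.get(title, {}).items():
            if port not in problems and vlan not in expand(vlans):
                problems[port] = reason
    return problems

print(diagnose(MIDDLE, 8))
```

Run against each switch's output in turn, the first switch that reports a problem for the guest VLAN is where the tagged frames stop.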

Community Member

Re: Pulling my hair out over this VLAN Stuff

Ok, here are all the configs. I can change pretty much anything.

Recap.

I have a WAP with 2 SSIDs.

SSID - PRIVATE - Gets internal DHCP

SSID - PUBLIC - Get ip from netgear

PRIVATE = VLAN1

PUBLIC = VLAN8

PRIVATE goes to our corp inter.

PUBLIC goes to a TW Cable Conn.

If I can find out what settings to put on each port I can get this done. VLAN info can be adjusted as needed.

Re: Pulling my hair out over this VLAN Stuff

In the config for "bottom3750.txt", port Fa0/17 is connected to "Netgear Port 1". Is this the Netgear DHCP server?

This port is a trunk port! Perhaps it should be a switch port in VLAN 8.

Community Member

Re: Pulling my hair out over this VLAN Stuff

I am sorry, the description is wrong. The Netgear is on F0/11 on the bottom switch.

Re: Pulling my hair out over this VLAN Stuff

Can you ping the Netgear from the access point?

Community Member

Re: Pulling my hair out over this VLAN Stuff

No I cannot.

If I had to use VLAN1 as my internal LAN and VLAN 8 as my "guest LAN", how would you set up the ports to use with the WAP with two SSIDs?

Re: Pulling my hair out over this VLAN Stuff

Hold on a sec, if you can't ping the netgear from the AP - how do you expect it to get an IP address, you are missing something.

Is the netgear pingable at all??

Community Member

Re: Pulling my hair out over this VLAN Stuff

In my original config, see attachment. My laptop could connect to both SSIDs on the one WAP.

PRIVATE, I was on the corp internal network, got 192.168.100.x address

PUBLIC, I was on the TimeWarner(Netgear) network, got 192.168.8.x address

The netgear gives out dhcp of 192.168.8.x, and only for vlan 8

Re: Pulling my hair out over this VLAN Stuff

Yes I saw that - but you are not answering the question, can you ping the netgear device from anywhere in the network or not?

Community Member

Re: Pulling my hair out over this VLAN Stuff

Not without manually assigning my laptop a 192.168.8.x address and being on a port that allows VLAN 8 traffic to the port the Netgear box is on.

Re: Pulling my hair out over this VLAN Stuff

Listen you are missing the point, let me phrase it another way.

1) Does the netgear have an IP address?

2) Does the netgear route or switch?

3) Do you have a layer 3 interface on your network in the vlan 8 that does have an IP address?

Community Member

Re: Pulling my hair out over this VLAN Stuff

1) Does the netgear have an IP address? Yes. 192.168.0.1

2) Does the netgear route or switch? Route to the Internet cable modem.

3) Do you have a layer 3 interface on your network in the vlan 8 that does have an IP address? Nothing on the network has a 192.168.0.x address besides the Netgear.

Re: Pulling my hair out over this VLAN Stuff

Well, I don't know how the Netgear will be able to allocate an IP address out of the 192.168.8.x range, when it does not have an interface in the 192.168.8.x range.

The other issue is inter-vlan routing, you CANNOT route from 1 vlan to another WITHOUT a layer 3 interface in the vlans.

You need to re-look into what you want to do.

Cisco Employee

Re: Pulling my hair out over this VLAN Stuff

Ron,

I went over the configurations you have provided us with, and I have a couple of questions:

1.) Almost all your ports on the switches are configured as trunks. Are you sure you need something like that? The ports are normally configured as access ports and only those ports which interconnect switches are configured as trunks.

2.) The upper switch you call "2960" is in fact a 3560 series switch, according to the "show cdp neigh" output from the middle switch. Thus there seems to be an inaccuracy in the description of your network.

3.) Further on, you are claiming that on the "2960" (the upper switch), the port Fa0/23 is connected to the Orinoco AP. However, according to the "show cdp nei" output on the "2960", there is yet another 3560 series switch connected to the Fa0/23 of the "2960" with the hostname "Switch". This is yet another inaccuracy. The configuration of that previously undescribed switch must again be thoroughly inspected.

4.) You have described the middle switch as 3750. However, according to the "show cdp neigh" output on the other switches, the middle switch is in fact a 3560. Another inaccuracy?

5.) You have described the bottom switch as another 3750. Yet according to the "show cdp neigh" on the middle switch, it is in fact 3550. Another inaccuracy?

6.) Your exhibit states that the bottom switch uses the Fa0/24 port to connect to the middle switch and its Gi0/2. In reality, according to the "show cdp nei", the bottom switch uses Gi0/1 to connect to the middle switch. The port Fa0/24 is connected somewhere but it does not show up in the CDP neighbor table.

Formally, the configuration seems to be OK but as you can yourself see here, there are so many discrepancies and confusing aspects of your description here that we can't proceed further until and unless it is absolutely clear that we are looking at the correct devices and have an accurate description of the topology.

Best regards,

Peter
