I have set up a WAP with 2 SSIDs, one untagged and the other on VLAN tag 8. I tested it with one 2960 switch and I can get to my corp LAN on the untagged and can get to a public TimeWarner connection on the VLAN 8 SSID.
Once I have added a couple more switches to the mix I cannot get the VLAN 8 to give me an address for the public connection. On VLAN 8 SSID, I get an address from my corp DHCP server but should not.
I think the tags are working because when I connect to the VLAN 8 SSID and get a corp address, I cannot get to the Internet.
When I connect to the SSID for the corp lan, I get a corp address and can get to the Internet.
I have attached my setups that work and don't work. No routing between VLANs is needed.
A couple of questions:
1.) Why is the connection to your corporate server made as a trunk in both cases? Moreover, the trunk seems to be limited to VLAN 1 only, and because VLAN 1 is the native VLAN by default, you are essentially degrading that trunk to access operation in VLAN 1. If the corporate DHCP server is in a single VLAN only (which it normally should be), you should set up the port as a static access port, probably with VLAN 1 membership.
2.) Does the VLAN 8 exist on all your switches?
Yes, VLAN 8 does exist on all the switches. So, if I remove the trunking on the ports that are normally just my corp LAN and leave the interconnecting ports how I have them now, should it work?
I have updated my drawing to make my corp LAN only port for DHCP to access mode. I can get the SSID for VLAN 1 to work, but cannot get an address for VLAN 8. What else in my configs do I need to change? Does VLAN 8 need an IP address on each switch? All I did on the switches to define VLAN 8 was configure the port with VLAN 8.
I assume you have 3 Catalyst 2950/2960 switches. Can you issue the show vlan brief command on each switch and confirm that VLAN 8 exists everywhere? I am asking again because you have not defined VLAN 8 as it is normally explicitly done - you have just used it but you haven't created it. Especially the middle switch does not have any access ports in VLAN 8 - you have just referenced the VLAN in a trunk configuration. Therefore I wonder if VLAN 8 indeed exists.
What commands have you configured to route between VLAN 8 and VLAN 1?
You'll need to have an SVI in place somewhere on VLAN 8 with an IP Helper Address pointing at your DHCP server on VLAN 1 and your DHCP server should have a scope setup for VLAN 8 requests.
The DHCP server will not understand frames tagged with VLAN 8.
You need to configure the ip helper - on a vlan 8 SVI interface pointing to the DHCP server.
Ok, the DHCP server should only respond to items on VLAN 1. The NETGEAR should respond to items on VLAN 8. The WAP has 2 SSIDs, one is (untagged vlan1) the other is tagged VLAN 8. The untagged should go to internal network, the VLAN 8 should go to the NETGEAR for guest internet access.
The corp DHCP gives out addresses to all my workstations and such. The Netgear gives out its own addresses to people on VLAN 8 and routes them to a TimeWarner connection for guest internet access.
In my test diagram that worked, yes everything worked exactly like I wanted it to. Only when I put the other switches in place did the VLAN 8 stop working.
Are you running VTP? ALL switches must know about VLAN 8. If not VTP, then you have to configure VLAN 8 on all switches.
The switches will not pass traffic for unknown vlans.
I would still configure VTP - that way you know all switches in the VTP domain will all have the correct VLANs.
Also make sure the VLANs are allowed on the trunk ports.
If possible, please, post the complete configurations of all three switches. Also include the output of the following commands on each switch:
show cdp neigh
show int trunk
show vlan brief
show int status
That will be a long output but please no simplification. All that is necessary.
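The check the replies above keep returning to (is VLAN 8 created on every switch, and is it allowed and active on each trunk) can be run mechanically over the requested output. This is an added example, not part of the thread; the sample text is constructed and the function names are hypothetical. It assumes the usual table layout of show vlan brief and show interfaces trunk.

```python
import re

def parse_vlan_brief(text):
    """Map VLAN id -> status from 'show vlan brief' output."""
    return {int(v): s for v, s in re.findall(r"^(\d+)\s+\S+\s+(\S+)", text, re.M)}

def expand(vlans):
    """Expand '1,8,10-12' into a set of ints; 'none' gives an empty set."""
    out = set()
    for part in vlans.replace(" ", "").split(","):
        if part and part != "none":
            lo, _, hi = part.partition("-")
            out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_trunk(text):
    """Per-port 'allowed' and 'active' VLAN sets from 'show interfaces trunk'."""
    tables, cur = {"allowed": {}, "active": {}}, None
    for line in text.splitlines():
        if line.startswith("Port"):  # each table starts with a 'Port ...' header
            cur = ("allowed" if "allowed on trunk" in line else
                   "active" if "allowed and active" in line else None)
        elif cur and line.strip():
            port, _, vlans = line.partition(" ")
            tables[cur][port] = expand(vlans)
    return tables

def check_vlan(vlan, vlan_brief, trunk):
    """List the reasons this switch would not carry `vlan` over its trunks."""
    findings = []
    if parse_vlan_brief(vlan_brief).get(vlan) != "active":
        findings.append(f"VLAN {vlan} is not active in the VLAN database")
    t = parse_trunk(trunk)
    for port, allowed in t["allowed"].items():
        if vlan not in allowed:
            findings.append(f"{port}: VLAN {vlan} not in allowed list")
        elif vlan not in t["active"].get(port, set()):
            findings.append(f"{port}: VLAN {vlan} allowed but not active")
    return findings

# Constructed excerpts for a hypothetical transit switch (not from the thread).
VLAN_BRIEF = """VLAN Name                             Status    Ports
1    default                          active    Fa0/1, Fa0/2"""
TRUNK = """Port        Vlans allowed on trunk
Gi0/1       1,8
Gi0/2       1

Port        Vlans allowed and active in management domain
Gi0/1       1
Gi0/2       1"""
```

Calling check_vlan(8, VLAN_BRIEF, TRUNK) on the sample reports all three conditions: the VLAN missing from the database, a trunk that allows it but does not carry it, and a trunk that does not allow it at all.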
Ok, here are all the configs. I can change pretty much anything.
I have a WAP with 2 SSIDs.
SSID - PRIVATE - Gets internal DHCP
SSID - PUBLIC - Gets IP from Netgear
PRIVATE = VLAN1
PUBLIC = VLAN8
PRIVATE goes to our corp inter.
PUBLIC goes to a TW Cable Conn.
If I can find out what settings to put on each port I can get this done. VLAN info can be adjusted as needed.
In the config for "bottom3750.txt", port Fa0/17 is connected to "Netgear Port 1". Is this the Netgear DHCP server?
This port is a trunk port! Perhaps it should be a switch port in VLAN 8.
No I cannot.
If I had to use VLAN 1 as my internal LAN and VLAN 8 as my "guest LAN", how would you set up the ports to use with the WAP with two SSIDs?
Hold on a sec. If you can't ping the Netgear from the AP, how do you expect it to get an IP address? You are missing something.
Is the Netgear pingable at all??
In my original config, see attachment. My laptop could connect to both SSIDs on the one WAP.
PRIVATE, I was on the corp internal network, got 192.168.100.x address
PUBLIC, I was on the TimeWarner(Netgear) network, got 192.168.8.x address
The Netgear gives out DHCP of 192.168.8.x, and only for VLAN 8
Yes I saw that - but you are not answering the question. Can you ping the Netgear device from anywhere in the network or not?
Not without manually assigning my laptop a 192.168.8.x address and being on a port that allows VLAN 8 traffic to the port the Netgear box is on.
Listen, you are missing the point. Let me phrase it another way.
1) Does the netgear have an IP address?
2) Does the netgear route or switch?
3) Do you have a layer 3 interface on your network in the vlan 8 that does have an IP address?
1) Does the netgear have an IP address? Yes. 192.168.0.1
2) Does the netgear route or switch? Route to the Internet cable modem.
3) Do you have a layer 3 interface on your network in the vlan 8 that does have an IP address? Nothing on the network has a 192.168.0.x address besides the Netgear.
Well, I don't know how the Netgear will be able to allocate an IP address out of the 192.168.8.x range, when it does not have an interface in the 192.168.8.x range.
The other issue is inter-VLAN routing: you CANNOT route from 1 VLAN to another WITHOUT a layer 3 interface in the VLANs.
You need to re-look into what you want to do.
I went over the configurations you have provided us with, and I have a couple of questions:
1.) Almost all your ports on the switches are configured as trunks. Are you sure you need something like that? The ports are normally configured as access ports and only those ports which interconnect switches are configured as trunks.
2.) The upper switch you call "2960" is in fact a 3560 series switch, according to the "show cdp neigh" output from the middle switch. Thus there seems to be an inaccuracy in the description of your network.
3.) Further on, you are claiming that on the "2960" (the upper switch), the port Fa0/23 is connected to the Orinoco AP. However, according to the "show cdp nei" output on the "2960", there is yet another 3560 series switch connected to the Fa0/23 of the "2960" with the hostname "Switch". This is yet another inaccuracy. The configuration of that previously undescribed switch must again be thoroughly inspected.
4.) You have described the middle switch as 3750. However, according to the "show cdp neigh" output on the other switches, the middle switch is in fact a 3560. Another inaccuracy?
5.) You have described the bottom switch as another 3750. Yet according to the "show cdp neigh" on the middle switch, it is in fact 3550. Another inaccuracy?
6.) Your exhibit states that the bottom switch uses the Fa0/24 port to connect to the middle switch and its Gi0/2. In reality, according to the "show cdp nei", the bottom switch uses Gi0/1 to connect to the middle switch. The port Fa0/24 is connected somewhere but it does not show up in the CDP neighbor table.
Formally, the configuration seems to be OK but as you can yourself see here, there are so many discrepancies and confusing aspects of your description here that we can't proceed further until and unless it is absolutely clear that we are looking at the correct devices and have an accurate description of the topology.