Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

Vlan access and trunk question

I have a Cisco 1841 as my router which routes my wired and wireless VLAN's. I also have a 3750G as my switch and some 1141n AP's

 

My switch is setup so that the ports the AP's plug into is set to access vlan 2 which is my wireless lan. The access points however have a IP address on the Wired lan to keep people on WiFi from accessing them directly. My question is how can I keep the port on access mode and still add a trunk or tag vlan 1 to the port as well so my wired network can access them for SNMP use? If I set the mode to trunk on the port it works but kills my wireless routing.

 

Thank you for the help

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

haaa it's required to

haaa it's required to confgure subinterface and some more things..

Here we go with the configuration..

conf t 
dot11 ssid J&B2
vlan 2
Mbssid Guest-mode
authentication open
authentication key-management wpa version 2
wpa-psk ascii #####
end

conf t
int dot11 0
mbssid
ssid J&B2
encryption vlan 2 mode ciphers aes-ccm
end


conf t
int dot11 0.2
encapsulation dot1q 2
bridge-group 2
no shut 
end 

conf t
int gig 0.2
encapsulation dot1q 2
bridge-group 2
no shut
end

 

 

Configure and let me know if you have any issues. :)

11 REPLIES
Cisco Employee

You can't do what you're

You can't do what you're asking.  If it's access mode, there are no tags.  Technically, I suppose you could configure a voice vlan or configure a trunk with your wireless VLAN set as the native VLAN, which would sort of give you what you're asking but it's not going to do what you're trying to do, which is allow both VLANs to function on the AP.

Are you configuring the port on the AP as a trunk?  The two sides need to match - you can't have one set as a trunk and one as an access port.  How are you configuring the AP - via the command line or via the gui?  Is the AP a standalone or an LAP?

New Member

I have the ap as access so I

I have the ap as access so I guess that would be part of my issue as well. I configured it via the cmd line and it's a standalone ap

 

I've attached the configs of the switch and router

New Member

The trunk port option will

The trunk port option will work. But i see tricky configuration .

Would like to understand , What is the reason behind applying the restriction for WLAN, if you want to apply the restriction for wifi user it's better to apply on vlan 2 not on vlan 1 ,

 

I would suggest to apply the below configuration and try every thing will work

 

interface FastEthernet0/1.1
 description LAN
 encapsulation dot1Q 1 native
 ip address 10.10.1.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly


interface FastEthernet0/1.2
 description WIRELESS
 encapsulation dot1Q 2
 ip address 192.168.2.254 255.255.255.0
 ip access-group Wifi_block in
  ip nat inside
 ip virtual-reassembly
!

access-list wifi_block permit 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list NAT deny ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list NAT deny ip 192.168.2.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list NAT permitip any any

New Member

on the access-list wifi_block

on the access-list wifi_block permit 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255 would it be deny then a permit any below? I guess Im confused on that.

 

Thank you for the help

New Member

Huhhh yaaa missed it.. :D

Huhhh yaaa missed it.. :D

 

here we go with correct one 

 

access-list wifi_block deny ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list wifi_block permit ip any any 

 

Let me know whether above proposed solution wored or not.. ;)

New Member

so on the router it would

so on the router it would be

old configuration 

ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.10.1.14 3389 interface FastEthernet0/0 3389
!
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 10 deny   192.168.2.0 0.0.0.255
access-list 10 permit any

 

Then the new one would be

ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.10.1.14 3389 interface FastEthernet0/0 3389

access-list 1 permit 10.10.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

access-list wifi_block deny ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list wifi_block permit ip any any 

 

Would this be correct and also turn the port on the AP's to trunk mode and allow vlan 1,2

 

Thank you again

New Member

New one would be as below :

New one would be as below :

 

Then the new one would be

ip nat inside source list NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 10.10.1.14 3389 interface FastEthernet0/0 3389

access-list NAT deny ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list NAT deny ip 192.168.2.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list NAT permitip any any

access-list wifi_block deny ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list wifi_block permit ip any any 

New Member

One more question before I

One more question before I try it. On the AP's since they are currently set on a access port, when I change it to a trunk port how would I tell that SSID to be dumped off into the vlan 2 and not the native vlan? I want to make the port on it trunk on vlan 1 and 2.

 

Thank you again

New Member

You can configure particular

You can configure particular vlan for the SSID. No issues for that

New Member

I got the router and switch

I got the router and switch configured just fine. However on the AP I am still having issues getting an IP on VLAN 2. I thought I changed the vlan correctly but I guess not. Here is my config before I started messing with it. 

What do I need to change to get the ssid J&B2 ssid to get an ip on vlan 2 but still allow the gigabit port to see both vlans so i can use ssh to talk to it from vlan 1?

Does the ssid need a sub interface or something?

 

Thank you for all your help. You've helped me greatly on this.

New Member

haaa it's required to

haaa it's required to confgure subinterface and some more things..

Here we go with the configuration..

conf t 
dot11 ssid J&B2
vlan 2
Mbssid Guest-mode
authentication open
authentication key-management wpa version 2
wpa-psk ascii #####
end

conf t
int dot11 0
mbssid
ssid J&B2
encryption vlan 2 mode ciphers aes-ccm
end


conf t
int dot11 0.2
encapsulation dot1q 2
bridge-group 2
no shut 
end 

conf t
int gig 0.2
encapsulation dot1q 2
bridge-group 2
no shut
end

 

 

Configure and let me know if you have any issues. :)

200
Views
10
Helpful
11
Replies
CreatePlease to create content