10-27-2014 06:54 PM - edited 03-07-2019 09:15 PM
I have a Cisco 1841 as my router, which routes my wired and wireless VLANs. I also have a 3750G as my switch and some 1141n APs.
My switch is set up so that the ports the APs plug into are set to access VLAN 2, which is my wireless LAN. The access points, however, have an IP address on the wired LAN to keep people on WiFi from accessing them directly. My question is: how can I keep the port in access mode and still add a trunk or tag VLAN 1 to the port as well, so my wired network can access them for SNMP use? If I set the mode to trunk on the port it works but kills my wireless routing.
Thank you for the help
10-28-2014 10:17 AM
You can't do what you're asking. If it's access mode, there are no tags. Technically, I suppose you could configure a voice vlan or configure a trunk with your wireless VLAN set as the native VLAN, which would sort of give you what you're asking but it's not going to do what you're trying to do, which is allow both VLANs to function on the AP.
Are you configuring the port on the AP as a trunk? The two sides need to match - you can't have one set as a trunk and one as an access port. How are you configuring the AP - via the command line or via the gui? Is the AP a standalone or an LAP?
10-28-2014 10:39 AM
10-28-2014 02:55 PM
The trunk port option will work, but I see a tricky configuration.
I would like to understand: what is the reason behind applying the restriction for WLAN? If you want to apply the restriction for WiFi users, it's better to apply it on VLAN 2, not on VLAN 1.
I would suggest applying the configuration below and trying it; everything will work.
interface FastEthernet0/1.1
description LAN
encapsulation dot1Q 1 native
ip address 10.10.1.253 255.255.255.0
ip nat inside
ip virtual-reassembly
interface FastEthernet0/1.2
description WIRELESS
encapsulation dot1Q 2
ip address 192.168.2.254 255.255.255.0
ip access-group wifi_block in
ip nat inside
ip virtual-reassembly
!
access-list wifi_block permit 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list NAT deny ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list NAT deny ip 192.168.2.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list NAT permit ip any any
10-28-2014 03:01 PM
On the access-list wifi_block permit 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255, would it be deny then a permit any below? I guess I'm confused on that.
Thank you for the help
10-28-2014 03:16 PM
Huhhh yaaa missed it.. :D
Here we go with the correct one:
access-list wifi_block deny ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list wifi_block permit ip any any
Let me know whether the above proposed solution worked or not.. ;)
10-28-2014 03:42 PM
so on the router it would be
old configuration
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.10.1.14 3389 interface FastEthernet0/0 3389
!
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 10 deny 192.168.2.0 0.0.0.255
access-list 10 permit any
Then the new one would be
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.10.1.14 3389 interface FastEthernet0/0 3389
access-list 1 permit 10.10.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list wifi_block deny ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list wifi_block permit ip any any
Would this be correct, and also turn the port on the APs to trunk mode and allow VLAN 1,2?
Thank you again
10-28-2014 03:49 PM
New one would be as below:
Then the new one would be
ip nat inside source list NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 10.10.1.14 3389 interface FastEthernet0/0 3389
access-list NAT deny ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list NAT deny ip 192.168.2.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list NAT permit ip any any
access-list wifi_block deny ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list wifi_block permit ip any any
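An added example (not part of the thread): a minimal Python evaluator for the first-match and wildcard-mask logic of the `wifi_block` entries above. It runs constructed packets against the entries as posted and against a mirrored list (an assumption added here for comparison), since a list bound with `ip access-group ... in` on the wireless subinterface sees packets whose source is a 192.168.2.0/24 address. The addresses 192.168.2.50 and 203.0.113.10 are constructed samples.

```python
import ipaddress

def _spec(tokens):
    """Consume 'any' or 'ADDR WILDCARD' and return ((addr, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wild), tokens[2:]

def parse_entry(line):
    """Parse 'access-list NAME permit|deny ip SRC DST' in the form used in this thread."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny") or tok[3] != "ip":
        raise ValueError("unsupported entry: " + line)
    src, rest = _spec(tok[4:])
    dst, _ = _spec(rest)
    return tok[2], src, dst

def matches(spec, ip):
    """Wildcard bits set to 1 are ignored; every other bit must equal the entry's address."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def evaluate(acl_lines, src_ip, dst_ip):
    """Return the action of the first matching entry; no match means the implicit deny."""
    for line in acl_lines:
        action, src, dst = parse_entry(line)
        if matches(src, src_ip) and matches(dst, dst_ip):
            return action
    return "deny"

# Entries as posted in the thread.
AS_POSTED = [
    "access-list wifi_block deny ip 10.10.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list wifi_block permit ip any any",
]
# Constructed for comparison (not from the thread): source and destination swapped.
MIRRORED = [
    "access-list wifi_block deny ip 192.168.2.0 0.0.0.255 10.10.1.0 0.0.0.255",
    "access-list wifi_block permit ip any any",
]

if __name__ == "__main__":
    # Constructed packets: a Wi-Fi client reaching the wired host and an outside address.
    for name, acl in (("as posted", AS_POSTED), ("mirrored", MIRRORED)):
        for dst in ("10.10.1.14", "203.0.113.10"):
            print(name, "192.168.2.50 ->", dst, evaluate(acl, "192.168.2.50", dst))
```

Dropping the final `permit ip any any` sends every unmatched packet to the implicit deny, which is why the deny entry needs the permit below it.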
10-29-2014 08:15 AM
One more question before I try it. On the APs, since they are currently set on an access port, when I change it to a trunk port how would I tell that SSID to be dumped off into VLAN 2 and not the native VLAN? I want to make the port on it trunk on VLAN 1 and 2.
Thank you again
10-29-2014 11:17 AM
You can configure a particular VLAN for the SSID. No issues with that.
10-30-2014 10:16 AM
I got the router and switch configured just fine. However on the AP I am still having issues getting an IP on VLAN 2. I thought I changed the vlan correctly but I guess not. Here is my config before I started messing with it.
What do I need to change to get the SSID J&B2 to get an IP on VLAN 2 but still allow the gigabit port to see both VLANs so I can use SSH to talk to it from VLAN 1?
Does the ssid need a sub interface or something?
Thank you for all your help. You've helped me greatly on this.
10-30-2014 09:48 PM
haaa it's required to configure a subinterface and some more things..
Here we go with the configuration..
conf t
dot11 ssid J&B2
vlan 2
Mbssid Guest-mode
authentication open
authentication key-management wpa version 2
wpa-psk ascii #####
end
conf t
int dot11 0
mbssid
ssid J&B2
encryption vlan 2 mode ciphers aes-ccm
end
conf t
int dot11 0.2
encapsulation dot1q 2
bridge-group 2
no shut
end
conf t
int gig 0.2
encapsulation dot1q 2
bridge-group 2
no shut
end
Configure and let me know if you have any issues. :)