
Autonomous AP with Guest Access

ppavlovich
Level 1

Hello,

I have two SSIDs on an Autonomous Access Point, that goes to a 2960 switch, that connects to a L3 3560. I have a vlan for admin/private internal access that uses the native vlan (1) and guest vlan (50). I have configured both and I am trying to get both to go out the same internet connection, however, I cannot get the guest access to access the internet. It looks like my computer will go, but it just comes up saying no internet access. I have the DHCP scope on the 3560 and I can ping the gateway (vlan management address) when I am on the SSID. All interfaces are trunking this vlan properly. I can communicate from the laptop to the 3560 but I just can't get to the internet. Am I forgetting to do something?

Pete                  

10 Replies

Amjad Abdullah
VIP Alumni

Pete:
You have two SSIDs, one on management vlan (vlan 1) and one in guest vlan (vlan 50).

The clients connected to the guest SSID can ping L3 switch but not able to go to internet.

Try to make sure about routing (if any) among VLANs in the L3 switch. To which VLAN is your network connection connected? Or is it already connected directly to VLAN 50?

Can't you ping any website's IP address? Just eliminate any DNS stuff.

Amjad

Rating useful replies is more useful than saying "Thank you"

maldehne
Cisco Employee

If the clients are capable of contacting their default gateway and getting an IP address from the DHCP pool designed for the guest VLAN, then the issue should be somewhere else.

To eliminate any possibility of a DNS resolution problem, try nslookup for a certain site on the internet. You can also make sure that you have added the DNS server in the DHCP pool configuration for the guest subnet.

And as Amjad said, try to ping a site on the internet and see if it works or not.

After trying the above you can narrow down the root cause for sure.

The AP is attached to a 2960, then to a 3560. The DHCP pool for guest access is on the 3560 and I can ping that gateway with no issue. From the 3560, there is a default route out to the ISP, which is on another VLAN that the private, internal WLAN uses. I can get a DHCP address, I can ping that gateway on that 3560 from the AP, but I cannot ping past it. From that 3560, there is a connection to the ISP router. (.252 is on the 3560 and .254 is on their router). I do not have access to that router so I cannot see what's going on there.

Here are some stats...

ping espn.com
Ping request could not find host espn.com. Please check the name and try again.

ping 12.127.16.67

Pinging 12.127.16.67 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 12.127.16.67:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

tracert 12.127.16.67

Tracing route to 12.127.16.67 over a maximum of 30 hops

  1     3 ms     1 ms     1 ms  XXX.XXX.129.1
  2     *        *

nslookup espn.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  4.2.2.2

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.

IPv4 Address. . . . . . . . . . . : xxx.xxx.129.20(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, May 14, 2012 8:33:19 AM
Lease Expires . . . . . . . . . . : Tuesday, May 15, 2012 8:33:19 AM
Default Gateway . . . . . . . . . : xxx.xxx.129.1
DHCP Server . . . . . . . . . . . : xxx.xxx.129.1
DNS Servers . . . . . . . . . . . : 4.2.2.2

The AP ---- 2960 --- 3560 (DHCP pool for guest access) ------- default route for the private vlan directly to ISP
                                                                              |
                                                                              |
                                                                           ISP router

.252 is the 3560

.254 is the ISP router ( no access )

First, can you please share the configuration on the AP, 2960 and 3560?

dot11 syslog
!
dot11 ssid Internal
   vlan 1
   authentication open
!
dot11 ssid Guest
   vlan 50
   authentication open
   guest-mode
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid Internal
 !
 ssid Guest
 !
 antenna gain 0
 station-role root
 infrastructure-client
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 50
 bridge-group 50 subscriber-loop-control
 bridge-group 50 block-unknown-source
 no bridge-group 50 source-learning
 no bridge-group 50 unicast-flooding
 bridge-group 50 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 !
 ssid Internal
 !
 ssid Guest
 !
 antenna gain 0
 dfs band 3 block
 channel dfs
 station-role root
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 50
 bridge-group 50 subscriber-loop-control
 bridge-group 50 block-unknown-source
 no bridge-group 50 source-learning
 no bridge-group 50 unicast-flooding
 bridge-group 50 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 50
 no bridge-group 50 source-learning
 bridge-group 50 spanning-disabled
!
interface BVI1
 ip address xxx.xxx.22.22 255.255.255.0
 no ip route-cache
!
ip default-gateway xxx.xxx.22.252
ip http server
no ip http secure-server
bridge 1 route ip

______________________________________2960_______________--

no aaa new-model
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
interface GigabitEthernet0/1 - to 3560
interface GigabitEthernet0/4 - to AP
 switchport mode trunk
interface Vlan1
 ip address xxx.xxx.22.30 255.255.255.0
 no ip route-cache
!
ip default-gateway xxx.xxx.22.252
ip sla enable reaction-alerts
snmp-server community public RO

________________________________________________________________ 3560______________

no aaa new-model
ip subnet-zero
ip routing
ip dhcp excluded-address xxx.xxx.x29.1
!
ip dhcp pool GuestWireless
   network xxx.xxx.29.0 255.255.255.0
   default-router xxx.xxx.x29.1
   dns-server 4.2.2.2
interface FastEthernet0/24 - to 2960
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface Vlan1
 ip address xxx.xxx.22.252 255.255.255.0
!
interface Vlan50
 description Guesswireless
 ip address xxx.xxx.29.1 255.255.255.0

ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.22.254 240

Gateway of last resort is xxx.xxx.x22.254 to network 0.0.0.0

C    xxx.xxx.22.0/24 is directly connected, Vlan1
C    xxx.xxx.29.0/24 is directly connected, Vlan50
S*   0.0.0.0/0 [240/0] via xxx.xxx.22.254

What type of autonomous AP are you using? I haven't worked with autonomous mode for a very long time as I use light-weight APs. However, both are similar. For example, in a light-weight AP, when you configure a new SSID and select Guest LAN, it is a guest mode for wired Guest users and not wireless guest users. This may not apply to autonomous mode, but I suggest that you verify.

The AP configuration looks fine,

Out of curiosity - did you figure it out?

Perhaps an ISP router filter?

Can't you access vlan1 from vlan 50 in your cfg?

This was indeed an ISP issue, and the configuration was correct. Thanks for everyone's help.

Well, that makes sense!

TY

Out of curiosity - I cannot understand this:

The VLAN50 hosts are able to access VLAN1 hosts?

I cannot see anything in the posted cfg that will deny this, or did you leave some parts out?

      

did you test ?
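
Added example, not part of the original thread or anyone's posted configuration: with `ip routing` enabled and an SVI in each VLAN, the 3560 routes between the guest and internal subnets unless an inbound ACL on the guest SVI stops it, which is what the closing question is about. The Python sketch below checks a running-config for that gap; the 10.0.x.x addresses, the `GUEST-IN` ACL name and the function names are assumptions made for the example.

```python
import ipaddress
import re

def parse(config):
    """Return (svis, acls) parsed from IOS running-config text."""
    svis, acls, ctx = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (Vlan\d+)$", line):
            ctx = svis.setdefault(m[1], {"net": None, "acl_in": None})
        elif m := re.match(r"ip access-list extended (\S+)$", line):
            ctx = acls.setdefault(m[1], [])
        elif line in ("", "!") or line.startswith("interface "):
            ctx = None  # block ended
        elif isinstance(ctx, list):
            ctx.append(line)  # ACL entries, in order
        elif ctx and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            ctx["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif ctx and (m := re.match(r"ip access-group (\S+) in$", line)):
            ctx["acl_in"] = m[1]
    return svis, acls

def blocks(acl, dst):
    """Conservative: True only if a deny covering dst precedes every permit."""
    for entry in acl:
        m = re.match(r"deny ip any (\S+) (\S+)$", entry)  # IOS wildcard mask
        if m and dst.subnet_of(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)):
            return True
        if entry.startswith("permit"):
            return False
    return bool(acl)  # a defined ACL ends in an implicit deny

def guest_reachable(config, guest="Vlan50"):
    """SVIs whose subnet the guest SVI can route to with no ACL in the way."""
    svis, acls = parse(config)
    routed = bool(re.search(r"^ip routing$", config, re.M)) and guest in svis
    acl = acls.get(svis[guest]["acl_in"], []) if routed else []
    return [n for n, s in svis.items() if routed
            and n != guest and s["net"] and not blocks(acl, s["net"])]

# Constructed samples (10.0.x.x is made up); GUEST-IN is a hypothetical ACL name.
POSTED = """ip routing
interface Vlan1
 ip address 10.0.22.252 255.255.255.0
interface Vlan50
 ip address 10.0.29.1 255.255.255.0"""
HARDENED = POSTED + """
 ip access-group GUEST-IN in
ip access-list extended GUEST-IN
 deny ip any 10.0.22.0 0.0.0.255
 permit ip any any"""
```

`guest_reachable(POSTED)` reports `Vlan1`, while `guest_reachable(HARDENED)` reports nothing; the check is deliberately conservative and treats any permit entry ahead of the deny as leaving the internal subnet reachable.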
