WAP communicate on both networks
At the moment, the WAPs are plugged into VLAN 1/Plant network (but are trunked) and broadcasting the SSID fine. We want to be able to broadcast a 2nd SSID, while plugged into these trunk ports to broadcast VLAN 10/Comcast network.
We are hoping to keep the architecture the same, but the more I work on this, the more it seems like I will have to remove the firewall and add routes to the switches to direct traffic between the 2 networks(?). We have a WLC (3504 cisco) that is sitting on PN-SW33 and assigned a management IP of 10.1.99.2 on VLAN 99.
But in looking at SW33 I see that it does have ip routing enabled, that it has trunks that carry both vlan 1 and vlan 10
Correct, before I came on board, the engineer before me set up a small /30 network sitting between PN-SW33 and the FW (10.255.10.0/30). So the route on the switch was 0.0.0.0 0.0.0.0 10.255.10.2 and the firewall and a route going to 10.255.10.1.
PN-SW33 connects to the firewall on port 12 which has this configuration
Apologies, PN-SW33 connects to firewall on port 10. Been running around in circles on this problem and keep switching out which port is which.
-PN-SW33 has the DHCP scope for the CC network. So any client requesting an IP address in the CC network must access the PN switch. So that pretty much bypasses the firewall which really means that the networks are not separated by the firewall. Which means that the CC network can function without the firewall except for access to the Internet.
This pool was to remove the DHCP scope from the FW, as my WAPs were sending out DHCP requests, but not getting a response. A cisco rep is under the assumption that the DHCP return message is being sent back on VLAN 1, so my device isn't getting an IP. I assure you, the only way the networks meet is at the FW.
The DHCP scope for 10.1.10.0 defines the default gateway as 10.1.10.1. That address is not either of the switches for which you provide configs. Would that address be the firewall address in vlan 10?
This is indeed the IP for the Comcast Interface on the FW.
The DHCP scope fo 10.1.10.0 excludes addresses 10.1.10.1 and 10.1.10.8. What are these addresses? The excluded addresses should include the 2 switch vlan interfaces in that subnet which are 10.1.10.5 and 10.1.10.251
Was under the assumption that this command excluded a range. All of the Comcast Switch have a static IP assigned on VLAN 10, but I believe the DHCP scope on the FW would drop those IPs from the pool.
PN-SW33 Gig1/6 specifies
This interface connects to the WLC. When first setting up the network, WAPs weren't joining the network and getting their configs. This dummy native VLAN allowed for it to work. I'm sorry, can't remember the direct explanation for it.
PN-SW33 interface vlan 1 specified this
which is a /16 and not the /24 that your description indicated.
It is a typo on my part. 199.8.0.0/16 and 10.1.10.0/24
Last note to probably cover your final post: It seems as if my firewall (CheckPoint 1430) has no way of assigning VLANs to its interface. I appreciate these questions into all of this, definitely helps me piece things together. It is looking like I have 3 possible solution
1. Find a new firewall that can handle VLAN (i.e. Cisco ASA)
2. Directly connect the switches for Plant and Comcast together. Have a single connection going into the FW. Might have to set up routing on the switches (?)
3. Drop VLAN 10 from the plant side. Try to find out how I can assign a device plugged into the Plant Network a 10.1.10.0/24 IP, and talk with the outside world as well as comcast side devices. I'm not sure if this is possible(?)
