05-10-2012 06:27 AM - edited 07-03-2021 10:08 PM
Hello,
I have two SSIDs on an Autonomous Access Point, that goes to a 2960 switch, that connects to a L3 3560. I have a vlan for admin/private internal access that uses the native vlan (1) and guest vlan (50). I have configured both and I am trying to get both to go out the same internet connection, however, I cannot get the guest access to access the internet. It looks like my computer will go, but it just comes up saying no internet access. I have the DHCP scope on the 3560 and I can ping the gateway (vlan management address) when I am on the SSID. All interfaces are trunking this vlan properly. I can communicate from the laptop to the 3560 but I just can't get to the internet. Am I forgetting to do something?
Pete
05-14-2012 03:13 AM
Pete:
You have two SSIDs, one on management vlan (vlan 1) and one in guest vlan (vlan 50).
The clients connected to the guest SSID can ping L3 switch but not able to go to internet.
Try to make sure about routing (if any) among vlans in L3 switch. To which vlan is your network connection connected? Or is it already connected directly to VLAN 50?
Can't you ping any website's ip address? Just eliminate any DNS stuff.
Amjad
05-14-2012 04:25 AM
If the clients are capable of contacting their default gateway and getting ip address from the DHCP pool designed for guest vlan then the issue should be somewhere else.
To eliminate any possibility in DNS resolution try nslookup for certain site on the internet? You can make sure as well that you have added the DNS server in the DHCP pool configuration for the guest subnet.
And as Amjad said try to ping a site on the internet and see if it works or not.
After trying the above you can narrow down the root cause for sure.
05-14-2012 05:40 AM
The AP is attached to a 2960, then to a 3560. The DHCP pool for guest access is on the 3560 and I can ping that gateway with no issue. From the 3560, there is a default route out to the ISP, which is on another VLAN that the private, internal WLAN uses. I can get a DHCP address, I can ping that gateway on that 3560 from the AP, but I cannot ping past it. From that 3560, there is a connection to the ISP router. (.252 is on the 3560 and .254 is on their router). I do not have access to that router so I cannot see what's going on there.
Here are some stats...
ping espn.com
Ping request could not find host espn.com. Please check the name and try again.
ping 12.127.16.67
Pinging 12.127.16.67 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 12.127.16.67:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Tracing route to 12.127.16.67 over a maximum of 30 hops
1 3 ms 1 ms 1 ms XXX.XXX.129.1
2 * *
nslookup espn.com
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 4.2.2.2
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
IPv4 Address. . . . . . . . . . . : xxx.xxx.129.20(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, May 14, 2012 8:33:19 AM
Lease Expires . . . . . . . . . . : Tuesday, May 15, 2012 8:33:19 AM
Default Gateway . . . . . . . . . : xxx.xxx.129.1
DHCP Server . . . . . . . . . . . : xxx.xxx.129.1
DNS Servers . . . . . . . . . . . : 4.2.2.2
05-14-2012 05:55 AM
The AP ---- 2960--- 3560( DHCP pool for guest access) ------- default route for the private vlan directly to ISP
|
|
ISP router
.252 is the 3560
.254 is the ISP router ( no access )
First can you please share the configuration on the AP, 2960 and 3560
05-14-2012 07:14 AM
dot11 syslog
!
dot11 ssid Internal
vlan 1
authentication open
!
dot11 ssid Guest
vlan 50
authentication open
guest-mode
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
ssid Internal
!
ssid Guest
!
antenna gain 0
station-role root
infrastructure-client
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.50
encapsulation dot1Q 50
no ip route-cache
bridge-group 50
bridge-group 50 subscriber-loop-control
bridge-group 50 block-unknown-source
no bridge-group 50 source-learning
no bridge-group 50 unicast-flooding
bridge-group 50 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
!
ssid Internal
!
ssid Guest
!
antenna gain 0
dfs band 3 block
channel dfs
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.50
encapsulation dot1Q 50
no ip route-cache
bridge-group 50
bridge-group 50 subscriber-loop-control
bridge-group 50 block-unknown-source
no bridge-group 50 source-learning
no bridge-group 50 unicast-flooding
bridge-group 50 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.50
encapsulation dot1Q 50
no ip route-cache
bridge-group 50
no bridge-group 50 source-learning
bridge-group 50 spanning-disabled
!
interface BVI1
ip address xxx.xxx.22.22 255.255.255.0
no ip route-cache
!
ip default-gateway xxx.xxx.22.252
ip http server
no ip http secure-server
bridge 1 route ip
------ 2960 ------
no aaa new-model
system mtu routing 1500
authentication mac-move permit
ip subnet-zero
interface GigabitEthernet0/1 - to 3560
interface GigabitEthernet0/4 - to AP
switchport mode trunk
interface Vlan1
ip address xxx.xxx.22.30 255.255.255.0
no ip route-cache
!
ip default-gateway xxx.xxx.22.252
ip sla enable reaction-alerts
snmp-server community public RO
------ 3560 ------
no aaa new-model
ip subnet-zero
ip routing
ip dhcp excluded-address xxx.xxx.x29.1
!
ip dhcp pool GuestWireless
network xxx.xxx.29.0 255.255.255.0
default-router xxx.xxx.x29.1
dns-server 4.2.2.2
interface FastEthernet0/24 - to 2960
switchport trunk encapsulation dot1q
switchport mode trunk
interface Vlan1
ip address xxx.xxx.22.252 255.255.255.0
!
interface Vlan50
description Guesswireless
ip address xxx.xxx.29.1 255.255.255.0
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.22.254 240
Gateway of last resort is xxx.xxx.x22.254 to network 0.0.0.0
C xxx.xxx.22.0/24 is directly connected, Vlan1
C xxx.xxx.29.0/24 is directly connected, Vlan50
S* 0.0.0.0/0 [240/0] via xxx.xxx.22.254
05-15-2012 01:03 AM
What type of autonomous AP are you using? I haven't worked with autonomous mode for a very long time as I use light-weight APs. However, both are similar. For example, in a light-weight AP, when you configure a new SSID and select Guest LAN, it is a guest mode for wired Guest users and not wireless guest users. This may not apply to autonomous mode, but I suggest that you verify.
05-15-2012 02:57 AM
The AP configuration looks fine,
06-04-2012 05:03 AM
Out of curiosity - did you figure it out?
Perhaps an ISP router filter?
Can't you access vlan1 from vlan 50 in your cfg?
06-04-2012 05:06 AM
This was indeed an ISP issue, and the configuration was correct. Thanks for everyone's help.
06-04-2012 07:06 AM
Well, that makes sense!
TY
Out of curiosity - I can not understand this:
The VLAN50 hosts are able to access VLAN1 hosts?
I can not see anything in the posted cfg that will deny this, or did you leave some parts out?
Did you test?
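On the isolation question raised in the last post: with `ip routing` enabled and no ACL on `interface Vlan50`, the posted 3560 configuration routes guest traffic to the VLAN 1 subnet like any other destination. The fragment below is an added example, not part of any post in this thread, showing one way to restrict the guest SVI. It assumes 192.0.2.0/24 as a stand-in for the masked internal subnet, 198.51.100.1 as a stand-in for the masked Vlan50 SVI address, and a hypothetical ACL name GUEST-IN.

```cisco
! Added example for the 3560. Addresses are constructed placeholders:
!   192.0.2.0/24  = internal VLAN 1 subnet (masked on the page)
!   198.51.100.1  = Vlan50 SVI / guest default gateway (masked on the page)
!
! Before (as posted): Vlan50 has no access-group, so inter-VLAN routing
! lets guest clients reach every host in VLAN 1, including the
! management addresses of the AP and both switches.
!
ip access-list extended GUEST-IN
 remark DHCP from guest clients to the GuestWireless pool on this switch
 permit udp any eq bootpc any eq bootps
 remark DNS only to the resolver handed out by the pool
 permit udp any host 4.2.2.2 eq domain
 permit tcp any host 4.2.2.2 eq domain
 remark No guest traffic into the internal subnet
 deny   ip any 192.0.2.0 0.0.0.255
 remark No guest management sessions to the guest-side gateway address
 deny   tcp any host 198.51.100.1 eq 22
 deny   tcp any host 198.51.100.1 eq telnet
 remark Everything else follows the default route to the ISP router
 permit ip any any
!
interface Vlan50
 description Guesswireless
 ip access-group GUEST-IN in
```

After applying it, `show ip access-lists GUEST-IN` on the 3560 shows per-entry match counters, so a ping from a guest client to a VLAN 1 host should increment the `deny ip` entry rather than get a reply.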