
Multiple Wireless SSIDs and VLAN tagging

HeftySeed
Level 1

I am about to pull what hair I have left out! I have configured many a Cisco switch with VLANs and for some reason, one cell must not be firing today...

I have a client who needs a simple wireless infrastructure: one WLAN for company traffic and one WLAN for Guest/Vendor internet access. I have the following equipment:

Hardware

1 x Engius b/g/n PoE Access point (Forced to use what the client had on hand)

1 x SF 302-08P 8-port PoE Cisco Switch (for access point)

1 x SG500-52 52-port Gbe Cisco Switch

AP SSID config

SSID: Corp. VLAN 1, untagged (WPA2/AES/PSK)

SSID: Guest. VLAN 2, tagged (open)

VLANs (created on both Cisco switches)

Vlan1-Default

Vlan2-Guest

8-Port PoE Switch Config

Port1-To AP. Trunk port. Members: vlan1-untagged, vlan2-tagged

Port2-To Sg500 Switch. Trunk port. Members: vlan1-untagged, vlan2-tagged

SG500 Switch Config

Port2-To 8-port PoE switch (other end of the cable coming from port2 above). Trunk port. Members: vlan1-untagged, vlan2-tagged

Port3-To DHCP server. Trunk port. Members: vlan1-untagged, vlan2-tagged

Why can I not get a DHCP address on the guest SSID? I can get a DHCP address on the corp SSID.


rizwanr74
Level 7

Hi Mike,

Try this first and let me know the result on this switch where your AP is connected via trunk port.

I am assuming you are using dot1q.

"vlan dot1q tag native"

thanks

Tom Watts
VIP Alumni

Hi Mike and Rizwan, the switch only supports IEEE standards (the only exception is CDP). I would recommend configuring a port on each switch as a VLAN 2 access port and verifying that a computer is able to receive DHCP. If the computer is able to pull the VLAN 2 information from either switch then we know it's not a switch config issue, as the original posted information is agreeable for the trunks and tags.

-Tom
Please rate helpful posts

Thomas:

Since these are production switches at the moment and I don't have the resources to give that a try, I think since a device connecting to the SSID on VLAN 1 can obtain an address, this should be answered as it is making the necessary hops to the DHCP server.

David Hornstein
Level 7

Mike,

Tom beat me to the punch, but I was thinking along the same lines: validate that you can propagate VLAN2 from the DHCP server.

Your description of the switch configuration suggests you really know what you are doing, so I will trust that you have configured the switch correctly.

So the DHCP server is VLAN aware...hmm... it better be or it won't understand how to send tagged Ethernet traffic for VLAN2.

You said "Port3-To DHCP server. Trunk port. Members: vlan1-untagged, vlan2-tagged"

The switch configuration sounds spot on. Can you do a Wireshark capture on the DHCP server to validate that it is sending out untagged frames on VLAN1 and tagged frames on VID=2? That's easy if it works.

Please note, as something to keep in the back of your mind: sometimes I have had to play with Windows registry settings on my PC to see VLAN tags in a Wireshark packet capture. Or, as Tom said, make another port on the SG500 untagged in VLAN 2 and see if that PC gets an IP address.

regards Dave
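The capture check Dave describes, as an added example that is not part of the original thread: it reads raw Ethernet frames, extracts the 802.1Q VLAN ID where a tag is present, and reports VLANs on which DHCP clients ask but no server frame is seen. The frame bytes and all function names are constructed for illustration; in practice the frames would come from a capture taken on the DHCP server's port.

```python
import struct

TPID_8021Q, IPV4, UDP = 0x8100, 0x0800, 17

def build_frame(vid, sport, dport):
    """Constructed sample frame (Ethernet/IPv4/UDP); vid=None means untagged."""
    macs = bytes.fromhex("ffffffffffff" "020000000001")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, UDP, 0,
                     bytes(4), b"\xff" * 4)
    return macs + tag + struct.pack("!H", IPV4) + ip + struct.pack("!HHHH", sport, dport, 8, 0)

def classify(frame):
    """Return (vlan_id or None, 'client' | 'server' | None) for one frame."""
    if len(frame) < 14:
        return None, None
    vid, off = None, 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    if ethertype == TPID_8021Q:            # 4-byte 802.1Q tag follows the MACs
        if len(frame) < 18:
            return None, None
        tci, ethertype = struct.unpack_from("!HH", frame, off + 2)
        vid, off = tci & 0x0FFF, off + 4   # low 12 bits of the TCI are the VID
    off += 2                               # step past the EtherType
    if ethertype != IPV4 or len(frame) < off + 20 or frame[off + 9] != UDP:
        return vid, None
    ihl = (frame[off] & 0x0F) * 4
    if len(frame) < off + ihl + 4:
        return vid, None
    ports = struct.unpack_from("!HH", frame, off + ihl)
    return vid, {(68, 67): "client", (67, 68): "server"}.get(ports)

def summarize(frames):
    """Count DHCP client and server frames per VLAN (key None = untagged)."""
    seen = {}
    for frame in frames:
        vid, role = classify(frame)
        if role:
            seen.setdefault(vid, {"client": 0, "server": 0})[role] += 1
    return seen

def vlans_without_replies(frames):
    """VLANs where clients send DHCP requests but no server frame appears."""
    return [v for v, c in summarize(frames).items() if c["client"] and not c["server"]]

# Constructed capture: VLAN 1 (untagged) gets an answer, VID 2 does not.
SAMPLE = [build_frame(None, 68, 67), build_frame(None, 67, 68), build_frame(2, 68, 67)]

if __name__ == "__main__":
    print(summarize(SAMPLE), vlans_without_replies(SAMPLE))
```

If the capturing host's NIC driver strips VLAN tags before the capture sees them, every frame will be counted under the untagged key, which is the situation Dave's registry remark refers to.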

David:

If I turn off tagging on VLAN 2 on the AP and connect to the SSID defined as "untagged VLAN 2", I get an IP address from VLAN 1 just fine...

HeftySeed
Level 1

Thanks everyone, it's still a head scratcher...

I can ping the guest gateway (on vlan2) from any PC on the main network (vlan 1), yet I cannot ping it from either of the switches.

And as much as I would love for all CLI commands to be available as they are on the enterprise switches, they don't seem to be as I would normally add dot1q manually to each port and the command doesn't work on either of these switches:

switchport trunk encapsulation dot1q

Mike, as stated before, the switch only supports dot1q. It does not support ISL. Dot1q states there must be a native vlan 1 (vlan 1) then all additional vlans are tagged. The difference between these switches and a Catalyst switch: a Catalyst switch does not require vlan tagging specified on the port; by default all vlans will go through the port. Your port configuration is currently correct with the details provided.

One thing you might be running into: the SG500X is layer2/3 by default. If you have assigned the vlan interfaces an IP address, the SG500 is running layer 3, which would then need the DHCP relay.

-Tom

Here are a few images of the Web interface:

PoE Switch (Cisco SF302-08P)

SG500-52 Switch

I guess I could always flip it over to a layer 3 and route from there?!?

Hi Mike,

Based on what you have stated so far and the configuration screen shots of the switch you should be up and running. What are you using as the gateway and AP (model, brand)? Also are the switches in L2 or L3?

Thanks,

Jason Nickle
