Getting no reply is disheartening, but I'll continue with my question...

I've managed to get this working on the switch which is directly connected to the firewall.  However, internet access is not working from the other switches which are wired into the primary switch.

What I've done is this:

Port 50 on the primary switch --- 2UP

Port 36 on the primary switch (which connects to the access point which is working) --- 1UP 2T

Port 41/42/44 on the primary switch (which connect to the other switches) --- 1UP 2T

On the secondary switches, the ports which lead to the primary switch --- 1UP 2T

On the secondary switches, the ports which connect to the access points --- 1UP 2T.

Any wireless connection on a guest network ssid which is hosted on a secondary switch is not reaching the firewall.  This leads me to believe there is an error in my configuration of the VLAN.  How do I need to set this up in order to have the secondary switches pass the VLAN information to the primary switch?  These are all SG300's.

Hello,

Here are some things you might want to double check.

1) The guest VLAN should be configured on all devices in the network that handle that VLAN's traffic. (i.e. The firewall, switches, and access points)

2) On the firewall, make sure that DHCP is enabled for the guest VLAN.

3) On the access points, make sure that the guest SSID is only using the guest VLAN.

Check these settings. If they are not the problem, then we can try to figure something else out.

Thanks,

Alex

Thanks for the response.

The guest VLAN is present on all the devices.  VLAN 2 is set to tagged on all related ports and access points.  VLAN 2 is tied to the Guest SSID.  The Guest wireless works perfectly fine on the access point which is connected to the switch which contains the port running to the firewall, port 50. However, when I switch to an access point that is on a secondary switch I no longer reach the firewall on the guest ssid.  Corporate SSID still works perfectly fine on all switches.

This leads me to believe that there is an error in my configuration in relation to getting the VLAN information to travel between the switches.  The ports which connect to the primary switch on all secondary switches are trunk ports.

How is VLAN information supposed to travel inbetween switches?  As of now I have the VLAN information configured on the ports which connect the secondary switches to the primary switches and those access points are not working.

Hi, My name is Eric Moyers. I am a Network Support Engineer in the Cisco Small Business Support Center. Thank you for using the Cisco Community Post Forums.

I agree with your assessment on where the issue could be. So, what are the two switches in question here?  Could you give a little detail on that second switch?

Thanks

Eric Moyers    .:|:.:|:.

Cisco Small Business US STAC Advanced Support Engineer

CCNA, CCNA-Wireless

866-606-1866

Mon - Fri 09:00 - 18:00 (UTC - 05:00)

*Please rate the Post so other will know when an answer has been found.

Hi Eric, thanks for the reply.

The primary switch which is connected to the firewall is a SG300-52 Port Managed Switch.  It's in our server room and contains the port which is vlan'd to the firewall.  This switch has the access point which works properly as a guest network.

All of the secondary switches are SG300-20 Port Managed Switches.  There are two of them which have access points connected to them.  One has a single access point connected to it, the other has two access points connected to it.  All of these access point ports are configured as 1UP 2T because all of our access points also host the corporate ssid which is on 1.  The guest is on 2.

These SG300-20 switches have direct connections to ports 41,42,44 on the primary switch.  These are also tagged 1UP 2T.  The ports on these switches which run to the primary switch are taged 1UP 2T as well.

Basically every port involved in the process of getting back to the primary switch from the access point has been VLAN'd to include 2 and leaving 1 as untagged.  The only port which is 2UP is the firewall port on the primary switch.

Ok, are all of the AP, configured exactly the same? If you plug a PC (configured for VLAN2) into the port that the WAP is using can it get to the Internet? Does the Corporate SSID work correctly?

Eric

All APs are exactly the same aside from hostname, device name, and IP address.

Im unsure how I would be able to configure a PC for vlan 2.  I haven't tried it.  A PC directly to the firewall does get internet.

Corporate SSID works perfectly on all access points.

I'll be doing the layer 2 switch. Unsure as to why they were on layer 3 in the first place --- before my time I suppose.

Thanks Eric and Alex for your suggestions.

Hi Mynameismethoz,

When you put the switch in L3 mode it still operates on L2 the same way.  L3 just gives you L3 capabilities on top of what you have with L2.  Unless you are using the switch as the default gateway or DHCP server I don't see why this would cause you any issues.

For me it sounds like you have everything setup correctly.  To troubleshoot I would set one interface on the problem switch to 2 untagged and connect a PC to it and see if you get an IP address and internet access.  If you don't have access move to the next switch in the data path to the firewall/dhcp server and set a port as 2Untagged again and see if you have access there.

Do this until you figure out where your VLAN 2 network connectivity drops off.  If you have VLAN 2 network connectivity on the switch where the AP in question is connected I would look at problems with the AP. 

A general rule of thumb when connecting devices is you want to ensure you have the same settings on each side.  Let me know if you have any questions.  Have a wonderful day!

-Trent Good

** Please rate useful posts! **