09-24-2012 10:16 AM
I am about to pull what hair I have left out! I have configured many a Cisco switch with VLANs and for some reason, one cell must not be firing today...
I have a client who needs a simple wireless infrastructure: one WLAN for company traffic and one WLAN for Guest/Vendor internet access. I have the following equipment:
Hardware
1 x EnGenius b/g/n PoE Access point (Forced to use what the client had on hand)
1 x SF 302-08P 8-port PoE Cisco Switch (for access point)
1 x SG500-52 52-port GbE Cisco Switch
AP SSID config
SSID: Corp. VLAN 1, untagged (WPA2/AES/PSK)
SSID: Guest. VLAN 2, tagged (open)
VLANs (created on both Cisco switches)
Vlan1-Default
Vlan2-Guest
8-Port PoE Switch Config
Port1-To AP. Trunk port. Members: vlan1-untagged, vlan2-tagged
Port2-To Sg500 Switch. Trunk port. Members: vlan1-untagged, vlan2-tagged
SG500 Switch Config
Port2-To 8-port PoE switch (other end of the cable coming from port2 above). Trunk port. Members: vlan1-untagged, vlan2-tagged
Port3-To DHCP server. Trunk port. Members: vlan1-untagged, vlan2-tagged
Why can I not get a DHCP address on the guest SSID? I can get a DHCP address on the corp SSID.
09-24-2012 10:54 AM
Hi Mike,
try this first and let me know the result on this switch where your AP is connected via trunk port.
I am assuming you are using dot1.q.
"vlan dot1q tag native"
thanks
09-24-2012 11:13 AM
Hi Mike and Rizwan, the switch only supports IEEE standards (the only exception is CDP). I would recommend to configure a port on each switch as a VLAN 2 access and verify a computer is able to receive DHCP. If the computer is able to pull the VLAN 2 information from either switch then we know it's not a switch config issue as the original posted information is agreeable for the trunks and tags.
-Tom
Please rate helpful posts
09-24-2012 12:06 PM
Thomas:
Since these are production switches at the moment and I don't have the resources to give that a try, I think since a device connecting to the SSID on VLAN 1 can obtain an address, this should be answered as it is making the necessary hops to the dhcp server.
09-24-2012 11:20 AM
Mike,
Tom beat me to the punch, but I was thinking along the same lines: validate that you can propagate VLAN2 from the DHCP server.
Your description of the switch configuration suggests you really know what you are doing, so I will trust that you have configured the switch correctly.
So the DHCP server is VLAN aware...hmm... it better be or it won't understand how to send tagged Ethernet traffic for VLAN2.
You said "Port3-To DHCP server. Trunk port. Members: vlan1-untagged, vlan2-tagged "
The switch configuration sounds spot on. Can you do a Wireshark capture on the DHCP server to validate that it is sending out untagged frames on VLAN1 and tagged frames on VID=2? That's easy if it works.
Please note, as something to keep in the back of your mind: sometimes I have had to play with Windows registry settings on my PC to see VLAN tags in a Wireshark packet capture. Or as Tom said, make another port on the SG500 untagged in VLAN 2 and see if that PC gets an IP address.
regards Dave
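The capture check suggested in the post above, as an added example that is not part of the thread: it reads raw Ethernet frames and reports, per 802.1Q VLAN ID, which DHCP messages were seen. The frames are constructed inline rather than captured, and the function names are hypothetical.

```python
import struct

DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def build_frame(vid, msg_type):
    """Build a minimal DHCP frame; vid=None means untagged. Constructed sample data."""
    sport, dport = (67, 68) if msg_type in (2, 5, 6) else (68, 67)
    dhcp = bytes(236) + b"\x63\x82\x53\x63" + bytes([53, 1, msg_type, 255])
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4) + udp
    tag = b"" if vid is None else struct.pack("!HH", 0x8100, vid)
    return b"\xff" * 6 + bytes.fromhex("020000000001") + tag + b"\x08\x00" + ip

def classify(frame):
    """Return (vlan_id_or_None, dhcp_message_name), or None if the frame is not DHCP."""
    if len(frame) < 18:
        return None
    vid, off = None, 14
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == 0x8100:                       # 802.1Q TPID: a VLAN tag follows
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vid, off = tci & 0x0FFF, 18               # low 12 bits of the TCI are the VID
    if ethertype != 0x0800 or len(frame) < off + 20 or frame[off + 9] != 17:
        return None                               # not IPv4 carrying UDP
    udp = off + (frame[off] & 0x0F) * 4           # honour the IPv4 header length
    if len(frame) < udp + 248 or set(struct.unpack_from("!HH", frame, udp)) != {67, 68}:
        return None                               # too short, or not client/server DHCP ports
    opts, i = frame[udp + 248:], 0                # skip UDP header, BOOTP fields, magic cookie
    while i + 2 < len(opts) and opts[i] != 255:
        if opts[i] == 53:                         # option 53 = DHCP message type
            return vid, DHCP_TYPES.get(opts[i + 2], "OTHER")
        i += 1 if opts[i] == 0 else 2 + opts[i + 1]   # pad option has no length byte
    return vid, "UNKNOWN"

def summarize(frames):
    # Group the DHCP messages seen by VLAN ID (None = untagged / native VLAN).
    seen = {}
    for f in frames:
        r = classify(f)
        if r:
            seen.setdefault(r[0], []).append(r[1])
    return seen

# Constructed scenario: full exchange untagged, only a DISCOVER on VID 2.
SAMPLE = [build_frame(None, t) for t in (1, 2, 3, 5)] + [build_frame(2, 1)]

if __name__ == "__main__":
    for vid, msgs in summarize(SAMPLE).items():
        print("untagged" if vid is None else f"VID {vid}", msgs)
```

A result like the sample's, with a complete exchange untagged but only DISCOVER on VID 2, would mean the tagged request reaches the server and no reply is sent on VLAN 2; no VID 2 entry at all would mean the tag never arrives at the capture point.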
09-24-2012 12:08 PM
David:
If I turn off tagging on VLAN 2 on the AP and connect to the SSID defined as "untagged VLAN 2", I get an IP address from VLAN 1 just fine...
09-24-2012 11:34 AM
Thanks everyone, it's still a head scratcher...
I can ping the guest gateway (on vlan2) from any PC on the main network (vlan 1), yet I cannot ping it from either of the switches.
And as much as I would love for all CLI commands to be available as they are on the enterprise switches, they don't seem to be as I would normally add dot1q manually to each port and the command doesn't work on either of these switches:
switchport trunk encapsulation dot1q
09-24-2012 12:12 PM
Mike, as stated before, the switch only supports dot1q. It does not support ISL. Dot1q states there must be a native vlan 1 (vlan 1) then all additional vlans are tagged. The difference between these switches and a Catalyst switch, Catalyst switch does not require vlan tagging specified on the port, by default all vlan will go through the port. Your port configuration is currently correct with the details provided.
One thing you might be running into: the SG500X is layer2/3 by default. If you have assigned the vlan interfaces an IP address, the SG500 is running layer 3, which would then need the DHCP relay.
-Tom
Please rate helpful posts
09-24-2012 12:20 PM
Here are a few images of the Web interface:
PoE Switch (Cisco SF302-08P)
SG500-52 Switch
I guess I could always flip it over to a layer 3 and route from there?!?
10-01-2012 05:08 AM
Hi Mike,
Based on what you have stated so far and the configuration screenshots of the switch, you should be up and running. What are you using as the gateway and AP (model, brand)? Also, are the switches in L2 or L3?
Thanks,
Jason Nickle