02-24-2010 06:13 AM - edited 03-06-2019 09:52 AM
Hi,
We have a multiple-Vlan setup at the school I work in. The wireless guest system was originally set up to use the 10.174.66.0 network with a mask of /27. All the wireless system was set up to match this and was working correctly. However, I have been forced to expand the range to give more hosts. I changed the wireless system and DHCP scope to a /26 mask (there is plenty of space to do this). I also changed the Vlan mask to /26. Now only the original hosts in the 5-30 range can communicate; any new hosts, i.e. 31-60, cannot access anything.
The DHCP scope on WLC1 is correctly assigning addresses; it is just that they cannot access any resources. DNS traffic cannot flow and therefore they don't get redirected to the web auth page.
Any insights would be great.
Thanks
02-24-2010 06:29 AM
So when you do an "ipconfig" on the clients, do you see the same subnet mask and default gateway on the new hosts 31-60 as you do on the existing hosts?
How are you routing within your network? Perhaps there is a missing route, i.e. the router still points to the /27 subnet.
NAT: are you doing NAT, and if so, has this been modified to account for the increase?
There are many things it could be. Start from a new host: can you ping its default gateway? If you can, then do a traceroute to an address the existing clients can get to but the new ones can't and see what the difference is.
Jon
02-24-2010 06:40 AM
Hi,
IPConfig on the new clients produces the same and correct details as the original 30, which makes me think it could be a vlan problem.
Routing is done on a Cisco C3750E Layer 3 switch; this is where I've changed the vlan mask.
NAT is performed by a Cisco router that is managed by another company that I don't have access to.
Unfortunately, with this being a guest wireless using web authentication passthrough, ICMP traffic is not allowed, only DNS and DHCP traffic.
Thanks
02-24-2010 06:45 AM
calum.doyle wrote:
Hi,
IPConfig on the new clients produces the same and correct details as the original 30, which makes me think it could be a vlan problem.
Routing is done on a Cisco C3750E Layer 3 switch; this is where I've changed the vlan mask.
NAT is performed by a Cisco router that is managed by another company that I don't have access to.
Unfortunately, with this being a guest wireless using web authentication passthrough, ICMP traffic is not allowed, only DNS and DHCP traffic.
Thanks
Need some more details.
The 3750E switch does routing for the vlans. But the Cisco router that is managed by another company must have routes back to the subnets on your 3750. So do you use static routing between your 3750 and the Cisco router, or do you use a dynamic routing protocol?
Can you post "sh ip route" from your 3750?
Jon
02-24-2010 06:50 AM
Gateway of last resort is 10.174.65.2 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 10 subnets, 6 masks
C 10.174.65.128/25 is directly connected, Vlan15
C 10.174.66.128/25 is directly connected, Vlan45
C 10.174.65.0/28 is directly connected, Vlan5
C 10.174.66.0/26 is directly connected, Vlan27
C 10.174.67.0/27 is directly connected, Vlan50
C 10.174.76.0/24 is directly connected, Vlan10
C 10.174.78.0/24 is directly connected, Vlan26
C 10.174.74.0/24 is directly connected, Vlan30
C 10.174.84.0/22 is directly connected, Vlan20
C 10.174.80.0/24 is directly connected, Vlan25
Vlan27 is the one I'm having trouble with.
The external router doesn't know anything about our internal Vlans. They all run through the core and then out through the router.
02-24-2010 06:55 AM
The external router doesn't know anything about our internal Vlans. They all run through the core and then out through the router.
So how does the external router know how to route packets back to these vlans?
Jon
02-24-2010 06:58 AM
"So how does the external router know how to route packets back to these vlans?"
It doesn't, it routes back to the core switch and the core decides where it goes.
02-24-2010 07:01 AM
calum.doyle wrote:
"So how does the external router know how to route packets back to these vlans?"
It doesn't, it routes back to the core switch and the core decides where it goes.
So does the core switch NAT the source addresses of the packets then? If it does, have you checked the NAT setup on the core switch? Actually, unless the switch is a 6500 or from some other vendor, it can't do NAT.
If it isn't doing NAT, then the external router will see the source addresses as they are. The external router will have a default route pointing to the internet, so it will need routes pointing back to the core for your subnets on the 3750E.
Jon
02-24-2010 07:04 AM
Come to think of it, how does the core route back to the 3750? Presumably with statics, so have you updated the route on the core with the new subnet mask as well?
Jon
02-24-2010 07:06 AM
The 3750 is the core!
02-24-2010 07:09 AM
Right. So the packets arrive at the external router with their source IPs. As I have said, the external router will be using a default route pointing to the internet, so it can't use a default route pointing back to your 3750 as well.
So it must have static routes configured for this. Perhaps the static route needs changing to reflect the new subnet mask, or perhaps the NAT config needs modifying to reflect the new subnet mask. Either way, you need to talk to the company managing this router and tell them that you have changed the subnet mask for the vlan 27 address range.
Jon
02-24-2010 07:14 AM
I'm actually doing that now, I'll let you know.
Cheers!
02-24-2010 07:23 AM
Unfortunately the external router routes all traffic back to 10.174.64.0/19. I really am unsure how it is routed back to the correct Vlans. All other traffic works fine; it is just these extra 30 hosts I've created.
Just to recap:
1. Changed mcp_guest interface to /26 on the WLC
2. Changed internal DHCP scope on WLC to /26
3. Changed vlan27 on core switch to /26
4. Addresses from /27 subnet work, new extra /26 addresses don't
Mystery to me, I must have missed a config somewhere.
02-24-2010 07:28 AM
Calum
Sorry to belabour the point, but how does this routing happen? Did they tell you how it works? I.e. it may be that they just have one route for the entire 10.0.0.0/8 network pointing back to your 3750 and that their NAT config is set to NAT everything. Is that what they suggested?
If you set up an entirely new vlan using a 10.174.x.0/24 subnet for internal use, can you get out to the internet?
Jon
02-24-2010 10:32 AM
Well it turns out it was my internal ASA firewall blocking anything from the interface that's not /27.
Thanks for all your help!
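The root cause in this thread is a classic subnet-mask drift: the WLC scope and the Vlan27 SVI were widened to /26, but a third device (the ASA) still held the old /27, so every address above the old boundary was dropped. The following Python script is an added example, not code from anyone in the thread or from Cisco: it parses the connected routes from the "sh ip route" output posted above (reproduced here as a constructed string), checks that the SVI mask agrees with the DHCP scope, and lists which guest addresses fall outside a stale /27 permit. The /27 permit on the firewall is an assumption taken from the final post.

```python
import ipaddress

# Values from the thread: the guest range grew from /27 to /26.
GUEST_OLD = ipaddress.ip_network("10.174.66.0/27")   # what the ASA still permitted (assumed from the last post)
GUEST_NEW = ipaddress.ip_network("10.174.66.0/26")   # WLC scope and Vlan27 SVI after the change

# Constructed excerpt of the "sh ip route" output posted in the thread.
SH_IP_ROUTE = """\
C 10.174.65.128/25 is directly connected, Vlan15
C 10.174.66.128/25 is directly connected, Vlan45
C 10.174.65.0/28 is directly connected, Vlan5
C 10.174.66.0/26 is directly connected, Vlan27
C 10.174.67.0/27 is directly connected, Vlan50
"""


def parse_connected_routes(text):
    """Map interface name -> connected network from IOS 'sh ip route' lines starting with 'C'."""
    routes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0] == "C":
            routes[parts[-1]] = ipaddress.ip_network(parts[1])
    return routes


def hosts_outside(permitted, actual):
    """Hosts of `actual` that a filter permitting only `permitted` would drop."""
    return [h for h in actual.hosts() if h not in permitted]


def audit(route_text, vlan, dhcp_scope, firewall_permit):
    """Cross-check SVI, DHCP scope and firewall permit for one guest VLAN."""
    svi = parse_connected_routes(route_text)[vlan]
    blocked = hosts_outside(firewall_permit, dhcp_scope)
    return {
        "svi_matches_scope": svi == dhcp_scope,
        "blocked_count": len(blocked),
        # First and last address that would be silently dropped by the stale permit.
        "blocked_range": (str(blocked[0]), str(blocked[-1])) if blocked else None,
    }


if __name__ == "__main__":
    result = audit(SH_IP_ROUTE, "Vlan27", GUEST_NEW, GUEST_OLD)
    print("SVI mask matches DHCP scope:", result["svi_matches_scope"])
    print("Hosts blocked by stale /27 permit:", result["blocked_count"], result["blocked_range"])
```

Running it shows the SVI and scope agree, while 31 addresses (10.174.66.32 through 10.174.66.62) sit outside the old /27 and would be dropped by any device still configured with the narrower mask, which matches the symptom of only the original hosts working. The same check can be pointed at any other device's permit (a static route, a NAT pool, an ACL) by passing its network as `firewall_permit`.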