02-12-2013 12:39 PM - edited 03-07-2019 11:40 AM
Hello All,
I am hoping someone can help me with insight on what I can do to accomplish my end goal of safe public wifi and configuration.
I have 2 domain controllers (for redundancy) with a split scope for DHCP and they both serve DNS.
I have VLAN 2 (management), VLAN 3 (Servers), VLAN 4 (Wired Access), VLAN 6 (Wireless Access) and VLAN 480 (Outside Wireless).
I have set up INT VLANs for all of these on my main router (Cisco 3550) with the ip-helper address to the DC for all but the VLAN 480. All of this works great, and the scopes are set up just like the VLANs. (i.e. 192.168.2.0 (management) .3 (servers) etc.)
I was wondering if there is a way to have VLAN 480 get DHCP from the Cisco 3550 as a random address say, 172.16.0.0 255.255.248.0?
On a side note, I have separate Wireless Access Points for the outside. (From a guy before me) I understand you can have a guest wireless setup on the newer Access Points, and trunk (Cisco term) the 2 VLANs and separate them out with Access Control Lists so they don't talk to each other, but I would rather just give the VLAN 480 its own DHCP from the router.
Is this possible or am I just thinking about this too much?
Thanks for any comments!!
02-12-2013 12:55 PM
I am not sure I fully understand your need, but if you are just asking if you can have your 3550 act as a DHCP server for that VLAN, the answer is a definite yes.
Here is a configuration guide for setting up a DHCP server in IOS. If this is not what you are looking for or you need any further assistance with this, let me know.
Best Regards,
Greg
02-12-2013 01:07 PM
I am going to attach a very very rough outline of my network and my end goal. With at the end of my access switch 2 WAP's.
02-12-2013 12:57 PM
I was wondering if there is a way to have VLAN 480 get DHCP from the cisco 3550 as a random address say, 172.16.0.0 255.255.248.0?
On VLAN 480, stick a secondary IP address of 172.16.0.X 255.255.248.0.
02-12-2013 01:21 PM
Here is my switch config. Let me know if I am doing this right or not
#sh run
Building configuration...
Current configuration : 10787 bytes
!
! Last configuration change at 17:28:14 PDT Sun Oct 7 2012 by admin
! NVRAM config last updated at 16:52:35 PDT Tue Aug 7 2012 by admin
!
version 12.2
no service pad
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname Switch
!
logging buffered 16384
no logging console
enable secret 5 $1$JwuS$pZzOBIIyfkICo2bionMs40
!
username admin privilege 15 password 7 113B2F3544071B1C54383F
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PDT recurring
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
errdisable recovery interval 400
ip subnet-zero
ip routing
ip name-server 192.168.3.21
ip name-server 192.168.3.22
ip dhcp excluded-address 172.16.0.1
!
ip dhcp pool GuestWLAN
Network 172.16.0.0 255.255.248.0
Default-router 172.16.0.1
dns-server 8.8.8.8 8.8.4.4
!
!
crypto pki trustpoint TP-self-signed-1707699712
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1707699712
revocation-check none
rsakeypair TP-self-signed-1707699712
!
!
crypto pki certificate chain TP-self-signed-1707699712
certificate self-signed 01
quit
!
!
!
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
interface FastEthernet0/47
description Inside Wireless AP
switchport mode access
switchport access VLAN 6
!
interface FastEthernet0/48
description Outside Wireless AP
switchport mode access
switchport access VLAN 480
!
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
description Management
ip address 192.168.2.1 255.255.255.0
ip helper-address 192.168.3.21
!
interface Vlan3
description Servers
ip address 192.168.3.1 255.255.255.0
ip helper-address 192.168.3.21
!
interface Vlan4
description Wired Access
ip address 192.168.4.1 255.255.254.0
ip helper-address 192.168.3.21
!
interface Vlan6
description Wireless Access
ip address 192.168.6.1 255.255.254.0
ip helper-address 192.168.3.21
!
interface Vlan13
description Inside
ip address 192.168.13.1 255.255.255.0
ip helper-address 192.168.3.21
!
interface Vlan480
description Outside Wireless
ip address 172.16.0.1 255.255.255.0
!
!
!
ip classless
! Pointing to Cisco ASA 5505
ip route 0.0.0.0 0.0.0.0 192.168.13.2
!
no ip http server
ip http secure-server
!
02-12-2013 01:52 PM
Hello Chris,
Is there a reason why you don't want to create a new DHCP scope on the existing DHCP servers for VLAN 480?
res
Paul
Please don't forget to rate this post if it has been helpful.
02-12-2013 01:54 PM
I don't want the outside wireless to go through the network at all. I want it to go from the access point, trunked to the router, trunked to the cisco asa 5505 and out. I don't want anyone on the outside using the internal DHCP or DNS servers.
02-12-2013 02:09 PM
Hello Chris,
So you can do as lealaloo has suggested and add a secondary IP address on the 3350 SVI 480 and set the outside WLAN AP as a DHCP server.
res
Paul
Please don't forget to rate this post if it has been helpful.
02-12-2013 02:13 PM
I am so sorry to ask this of you, but could you show me via some code as to where the secondary IP address is supposed to go? Are you talking about just setting the IP address of the interface, and then on the Access Point itself change it to DHCP, so that the AP is giving it out and not the switch?
02-12-2013 02:37 PM
Hello Chris,
First of all, don't be sorry for asking; this is what CSC is for. There is so much technical support for free on here, you should be able to find a solution to most networking problems.
Regarding your queries: yes, apply the secondary address on the 3550.
#####
interface Vlan480
 description Outside Wireless
 ip address 172.16.0.1 255.255.255.0
 ip address 10.10.1.1 255.255.255.0 secondary
wlan ap - 10.10.1.2 255.255.255.0
######
configure terminal
ip dhcp excluded-address 10.10.1.1 10.10.1.2
ip dhcp pool vlan480
 network 10.10.1.0 255.255.255.0
 lease 10
 default-router 10.10.1.2
end
res
paul
Please don't forget to rate this post if it has been helpful.
02-12-2013 02:42 PM
What if my access points are just some horrible Linksys WRT54G's? I don't think I can configure them this way...unless I probably installed DD-WRT on them. I guess I was hoping to turn those into just access points, and not set up DHCP on them, but if there is no way to set the router to give DHCP to only 1 VLAN and not the others, then I guess this is the only option I have.
02-12-2013 03:24 PM
Hello Chris,
Yes, of course you can. I was assuming your APs were Cisco, but if the APs are not Cisco or not able to support the DHCP service then you can enable it on your switch instead.
res
Paul
Please don't forget to rate this post if it has been helpful.
02-12-2013 03:51 PM
So how would I accomplish this?
int vlan 480
ip address 192.168.2.5 255.255.255.0
ip address 172.16.0.1 255.255.248.0 secondary
Is this correct?
02-12-2013 03:34 PM
Chris,
conf t
int vlan 480
ip address 172.16.0.X 255.255.248.0 secondary
end
02-13-2013 07:54 AM
I have figured out my issue... I had the dhcp pool and everything setup correctly, however I had my access list backwards. I had:
access-list 199 deny ip 192.168.0.0 255.255.224.0 any
instead of
access-list 199 deny ip any 192.168.0.0 255.255.224.0
Thanks for all your guys help!
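The direction mistake described in the final post, as an added example that is not part of the original thread: a small first-match evaluator that runs both entries against traffic sourced from the guest subnet. Assumptions: the list filters traffic arriving from VLAN 480, the masks are subnet masks exactly as written in the post, and the trailing `permit ip any any` entry and the client 172.16.0.50 are constructed for illustration.

```python
import ipaddress

# Addresses taken from the configuration posted in the thread.
INTERNAL_HOSTS = ["192.168.2.1", "192.168.3.21", "192.168.3.22",
                  "192.168.4.1", "192.168.6.1", "192.168.13.1"]
PUBLIC_DNS = "8.8.8.8"
GUEST_CLIENT = "172.16.0.50"  # constructed sample client in the guest pool

# The two entries from the final post; the trailing permit is an assumption.
BACKWARDS_ACL = ["access-list 199 deny ip 192.168.0.0 255.255.224.0 any",
                 "access-list 199 permit ip any any"]
CORRECTED_ACL = ["access-list 199 deny ip any 192.168.0.0 255.255.224.0",
                 "access-list 199 permit ip any any"]

def _operand(tokens):
    """Consume one address operand: 'any', 'host A' or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Assumption: MASK is a subnet mask, exactly as written in the post.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' into (action, src, dst)."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    src, rest = _operand(tokens[4:])
    dst, rest = _operand(rest)
    if rest:
        raise ValueError(f"trailing tokens in entry: {line!r}")
    return tokens[2], src, dst

def evaluate(acl_lines, src_ip, dst_ip):
    """Return the action of the first matching entry (implicit deny if none)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        action, src_net, dst_net = parse_ace(line)
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def guest_isolated(acl_lines):
    """True if guests reach the Internet but none of the internal hosts."""
    blocked = all(evaluate(acl_lines, GUEST_CLIENT, host) == "deny"
                  for host in INTERNAL_HOSTS)
    return blocked and evaluate(acl_lines, GUEST_CLIENT, PUBLIC_DNS) == "permit"

if __name__ == "__main__":
    for name, acl in (("backwards", BACKWARDS_ACL), ("corrected", CORRECTED_ACL)):
        print(name, "isolates guests:", guest_isolated(acl))
```

The backwards entry only matches packets whose source is internal, so guest traffic falls through to the permit. On platforms whose ACLs take wildcard masks, the same range is written 192.168.0.0 0.0.31.255.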