11-03-2023 01:35 PM
I have a default vlan 1 that has an IP configuration of 10.20.11.0 with a subnet mask of 255.255.255.0.
I have an AP 10.20.11.55 that I want to place on its own VLAN because I intend to make this AP guest-accessible. I would want to segregate traffic on this AP from the rest of my network.
I am able to add the AP to the VLAN, but it gets no internet because IP isn't configured. When I try to give the VLAN interface its own IP such as "10.20.11.223 255.255.255.0" (that's not taken) it says it overlaps. What's the solution to giving the VLAN its own IP so it may give guests access to internet?
11-03-2023 04:37 PM - edited 11-03-2023 04:40 PM
The reason you are getting the message saying the IP overlaps is that the subnet overlaps with the one configured for VLAN 1. If you have two VLAN interfaces with the same subnet configured, how will your switch determine which VLAN it should forward traffic into when it receives traffic destined for the subnet? This should be solved by using a separate subnet for your guest VLAN, for example 10.20.12.0/24.
You should also make sure that clients on the guest VLAN cannot reach clients on your internal VLAN. This can be achieved with access lists applied to the VLAN interfaces. The configuration for this would look something like this (substitute the subnets as needed):
! IOS ACL entries take wildcard (inverse) masks: 0.0.0.255 matches a /24
! Define access list that denies traffic to internal network
ip access-list extended 101
 5 deny ip 10.20.12.0 0.0.0.255 10.20.11.0 0.0.0.255
 10 permit ip any any
! Define access list that denies traffic to the guest network
ip access-list extended 102
 5 deny ip 10.20.11.0 0.0.0.255 10.20.12.0 0.0.0.255
 10 permit ip any any
! Apply traffic filtering per ACL on the interfaces.
interface vlan {your guest vlan}
 ip access-group 101 in
interface vlan 1
 ip access-group 102 in
If your access-point supports it you probably want to attach it to a trunk interface. This way you can create a guest WLAN that forwards traffic in the guest VLAN while also being able to have a management address in a separate VLAN. This will also allow you to create another WLAN on the same access point for the internal network.
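The following is an added example, not part of the reply above or of any Cisco tooling: a small Python model of the two checks discussed in this thread, the subnet-overlap test that rejects a second interface in 10.20.11.0/24 and first-match evaluation of the guest ACL. It assumes IOS-style wildcard semantics (a 1 bit in the wildcard means "ignore this bit"); the function names and the host addresses 10.20.12.50, 10.20.11.10 and 8.8.8.8 are constructed for illustration.

```python
import ipaddress

def svi_overlaps(new_if, existing_if):
    """True if two interface addresses (ip/mask) sit in overlapping subnets."""
    a = ipaddress.ip_interface(new_if).network
    b = ipaddress.ip_interface(existing_if).network
    return a.overlaps(b)

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")  # equivalent of the "any" keyword

# Guest-side ACL from the thread, written with wildcard masks.
ACL_101 = [
    ("deny", "10.20.12.0", "0.0.0.255", "10.20.11.0", "0.0.0.255"),
    ("permit", *ANY, *ANY),
]

# Same entry with a subnet mask typed where the wildcard belongs.
# Only the last octet is then compared, so a guest host such as
# 10.20.12.50 never matches the deny and falls through to the permit.
ACL_101_SUBNET_MASK = [
    ("deny", "10.20.12.0", "255.255.255.0", "10.20.11.0", "255.255.255.0"),
    ("permit", *ANY, *ANY),
]

if __name__ == "__main__":
    vlan1 = "10.20.11.0/255.255.255.0"
    print("10.20.11.223/24 overlaps VLAN 1:",
          svi_overlaps("10.20.11.223/255.255.255.0", vlan1))
    print("10.20.12.1/24 overlaps VLAN 1:",
          svi_overlaps("10.20.12.1/255.255.255.0", vlan1))
    for name, acl in (("wildcard", ACL_101), ("subnet mask", ACL_101_SUBNET_MASK)):
        print(name, "guest -> internal:", evaluate(acl, "10.20.12.50", "10.20.11.10"))
        print(name, "guest -> internet:", evaluate(acl, "10.20.12.50", "8.8.8.8"))
```

Running the same probes against the applied ACLs on the switch (for example with a test client in the guest VLAN) confirms whether the isolation holds in practice.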
11-03-2023 06:08 PM
It seems like you are trying to create a separate VLAN for your guest network and give it a unique IP address for internet access. The error message you're encountering typically indicates that the IP address you're trying to assign to the VLAN interface conflicts with another IP address in your network.
Here's a step-by-step guide to create a guest VLAN and provide internet access to your AP while avoiding IP conflicts:
Router(config)# interface Vlan10
Router(config-if)# ip address 10.20.12.1 255.255.255.0
Router(config-if)# no shutdown
By following these steps, you can create a separate VLAN for your guest network, assign it a unique IP address range, and provide internet access while keeping it isolated from your primary network. The key is to ensure that there are no IP address conflicts, and the routing and NAT configurations are correctly set up on your router.