
Cisco VLAN Taking up Entire Subnet

IT_Joe
Level 1

I have a default vlan 1 that has an IP configuration of 10.20.11.0 with a subnet mask of 255.255.255.0.

I have an AP 10.20.11.55 that I want to place on its own VLAN because I intend to make this AP guest-accessible. I would want to segregate traffic on this AP from the rest of my network.

I am able to add the AP to the VLAN, but it gets no internet because IP isn't configured. When I try to give the VLAN interface its own IP such as "10.20.11.223 255.255.255.0" (that's not taken) it says it overlaps. What's the solution to giving the VLAN its own IP so it may give guests access to internet?

2 Replies

Torbjørn
Spotlight

The reason you are getting the message saying the IP overlaps is that the subnet overlaps with the one configured for VLAN 1. If you have two VLAN interfaces with the same subnet configured, how will your switch determine which VLAN it should forward traffic into when it receives traffic destined for the subnet? This should be solved by using a separate subnet for your guest VLAN, for example 10.20.12.0/24.

You should also make sure that clients on the guest VLAN cannot reach clients on your internal VLAN. This can be achieved with access lists applied to the VLAN interfaces. The configuration for this would look something like this (substitute the subnets as needed):

! Define access list that denies guest traffic to the internal network.
! Extended ACL entries take wildcard (inverse) masks, so a /24 is 0.0.0.255,
! not 255.255.255.0 (which as a wildcard would ignore the first three octets).
ip access-list extended 101
 5 deny ip 10.20.12.0 0.0.0.255 10.20.11.0 0.0.0.255
 10 permit ip any any

! Define access list that denies internal traffic to the guest network.
ip access-list extended 102
 5 deny ip 10.20.11.0 0.0.0.255 10.20.12.0 0.0.0.255
 10 permit ip any any

! Apply the ACLs inbound on the SVIs (filters traffic arriving from hosts in each VLAN).
interface vlan {your guest vlan}
 ip access-group 101 in

interface vlan 1
 ip access-group 102 in

If your access-point supports it you probably want to attach it to a trunk interface. This way you can create a guest WLAN that forwards traffic in the guest VLAN while also being able to have a management address in a separate VLAN. This will also allow you to create another WLAN on the same access point for the internal network.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

saagar
Level 1

It seems like you are trying to create a separate VLAN for your guest network and give it a unique IP address for internet access. The error message you're encountering typically indicates that the IP address you're trying to assign to the VLAN interface conflicts with another IP address in your network.

Here's a step-by-step guide to create a guest VLAN and provide internet access to your AP while avoiding IP conflicts:

  1. Create a Guest VLAN:
    • On your network switch, create a new VLAN for the guest network. Let's say you want to create VLAN 10 for guests.
    • Assign an unused VLAN ID (e.g., 10) and configure the VLAN on your switch.
  2. Assign the AP to the Guest VLAN:
    • Configure the access point (AP) to use VLAN tagging for VLAN 10. This will segregate the guest traffic from the rest of your network.
  3. Create a Subnet for the Guest VLAN:
    • Determine an available IP address range for your guest network. For example, if your existing network is on the 10.20.11.0/24 subnet, you could use 10.20.12.0/24 for your guest network.
  4. Configure the Guest VLAN Interface:
    • On your router, configure the new VLAN interface (SVI) for the guest VLAN. For example:

Router(config)# interface Vlan10
Router(config-if)# ip address 10.20.12.1 255.255.255.0
Router(config-if)# no shutdown

  5. Provide Internet Access:
    • Ensure that your router is properly configured to provide NAT (Network Address Translation) for the guest VLAN, allowing guest devices to access the internet. Make sure there is a default route pointing to your internet gateway.
  6. Configure DHCP:
    • Set up a DHCP server for the guest VLAN to automatically assign IP addresses to guest devices. You can use the router as the DHCP server or a separate DHCP server.
  7. Apply Access Control:
    • To enhance security, consider implementing access control lists (ACLs) to restrict guest VLAN access to your internal network while allowing internet access. ACLs can help define which traffic is allowed or denied.
  8. Test and Monitor:
    • Test your configuration to ensure that guest devices can connect to the internet while being segregated from your main network.
    • Monitor the network for any issues or security concerns and adjust your configuration as needed.

By following these steps, you can create a separate VLAN for your guest network, assign it a unique IP address range, and provide internet access while keeping it isolated from your primary network. The key is to ensure that there are no IP address conflicts, and the routing and NAT configurations are correctly set up on your router.
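The script below is an added example and is not code from either reply or from Cisco. It ties Torbjørn's ACL snippet and saagar's step list together: it reproduces the check behind the "overlaps" error (a candidate SVI subnet is compared with every SVI already on the switch, so 10.20.11.223/24 is rejected even though that host address is free), converts subnet masks into the wildcard masks that IOS extended ACL entries expect, and renders the guest SVI, a DHCP pool and the two isolation ACLs. It assumes the VLAN 1 SVI is 10.20.11.1 (the thread only gives the subnet), uses VLAN 10 with 10.20.12.1/24 as in the second reply, and the DNS address 198.51.100.53 is a constructed placeholder.

```python
"""Script added to this thread as an example; it is not Cisco's code or the
repliers'.  It checks a candidate guest subnet against the SVIs a switch
already has (the check behind the "overlaps" error), converts subnet masks to
the wildcard masks IOS extended ACLs expect, and renders the guest SVI, DHCP
pool and isolation ACLs.  All addresses, VLAN ids and names are constructed."""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Constructed inventory: VLAN id -> SVI address already configured.
# The thread gives only the VLAN 1 subnet (10.20.11.0/24); .1 is assumed.
EXISTING_SVIS = {1: IPv4Interface("10.20.11.1/24")}


def overlapping_svis(candidate, existing=EXISTING_SVIS):
    """Return the VLAN ids whose subnet overlaps the candidate SVI's subnet.

    This is why 10.20.11.223/24 is rejected although the host address is free:
    the switch could not choose an egress VLAN for packets to 10.20.11.0/24."""
    net = IPv4Interface(candidate).network
    return sorted(v for v, svi in existing.items() if net.overlaps(svi.network))


def wildcard(net):
    """Wildcard (inverse) mask for an extended ACL entry.

    255.255.255.0 written in an ACL is a wildcard that ignores the first three
    octets, so 'deny ip 10.20.12.0 255.255.255.0 ...' does not match a /24."""
    return str(IPv4Network(net, strict=False).hostmask)


def acl_lines(number, remark, src, dst):
    """Numbered extended ACL: deny src -> dst, permit the rest (internet)."""
    return [
        f"ip access-list extended {number}",
        f" remark {remark}",
        f" 10 deny ip {src.network_address} {wildcard(src)}"
        f" {dst.network_address} {wildcard(dst)}",
        " 20 permit ip any any",
        "!",
    ]


def render_guest_config(guest_vlan, guest_svi, dns, internal_vlan=1,
                        existing=EXISTING_SVIS):
    """Render IOS config for the guest VLAN, refusing unusable inputs."""
    clash = overlapping_svis(guest_svi, existing)
    if clash:
        raise ValueError(f"{guest_svi} overlaps the SVI subnet on VLAN {clash}")
    guest = IPv4Interface(guest_svi)
    internal = existing[internal_vlan].network
    # The DNS server handed to guests must not sit in the subnet ACL 101 denies,
    # or guests get addresses but no name resolution.
    if IPv4Address(dns) in internal:
        raise ValueError(f"DNS server {dns} is inside the denied subnet {internal}")
    lines = [
        f"vlan {guest_vlan}",
        " name GUEST",
        "!",
        f"ip dhcp excluded-address {guest.ip}",  # keep the gateway out of the pool
        f"ip dhcp pool GUEST-{guest_vlan}",
        f" network {guest.network.network_address} {guest.network.netmask}",
        f" default-router {guest.ip}",
        f" dns-server {dns}",
        "!",
    ]
    lines += acl_lines(101, "guests may not reach the internal subnet",
                       guest.network, internal)
    lines += acl_lines(102, "internal hosts may not reach the guest subnet",
                       internal, guest.network)
    lines += [
        f"interface Vlan{guest_vlan}",
        " description Guest SVI",
        f" ip address {guest.ip} {guest.network.netmask}",
        " ip access-group 101 in",
        " no shutdown",
        "!",
        f"interface Vlan{internal_vlan}",
        " ip access-group 102 in",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(overlapping_svis("10.20.11.223/24"))  # the thread's attempt -> [1]
    print(render_guest_config(10, "10.20.12.1/24", dns="198.51.100.53"))
```

The DNS check is the practical gotcha in this design: once ACL 101 denies the guest subnet access to 10.20.11.0/24, a DNS server on that subnet is unreachable from the guest VLAN, and guests obtain leases but cannot resolve names. Hand out a resolver outside the denied range or add a specific permit for UDP/TCP 53 to that host above the deny line. The ACLs also leave the guest SVI's own address reachable from guests, which is needed for DHCP and as the default gateway.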
