Cisco WLC and vlans

CPark
Level 1

This is a complete newbie question, but currently we have a virtual WLC located at our main offices controlling 30 APs here as well as controlling APs at two other offsite locations across an MPLS site-to-site. We are currently running no VLANs, but we would like to add our guest network (separate carrier) to the WLC to be broadcast. VLAN 50 is set up on the main layer 3 switch and WLC right now. This is currently not working, as we still get a 10.x.x.x IP from the new guest SSID. What things should we start checking, or is this setup even possible currently with only one WLC for multiple locations?


Francesco Molino
VIP Alumni
Hi

Can you share screenshots of how you configured the SSID and how you added this SSID on your APs or FlexConnect group? I bet you have set it up as local switching and assigned the VLAN on your FlexConnect group?

If yes, you will use the same vlan id on all sites (HeadOffice and remote sites) even if the subnet isn't the same.

Have you trunked this vlan to your AP switch interfaces?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Right now the vlan is only set on the controller and the layer 3 switch (gateway which also has the second guest carrier plugged in and tagged on port 41), I have not gone further with it since I was unsure from this point.


I'm sorry I don't see your pictures.
Just to recap, you want this particular SSID to be local switched in central offices and remote offices right?
You can have a mix, I mean having the central office central switched to WLC and remote offices local switched.

Anyway, to locally switch your SSID:
- modify your Access Point switch port from access to trunk. Don't forget to add your AP management vlan as native vlan.
- Add the vlan subnet for this SSID in the AP trunk.
- Then clients will be locally switched and get an IP from DHCP configured on the local SVI. The vlan has to be the same on all sites but subnets are different.

Does that help?

Thanks
Francesco
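
One way to check AP-facing switch ports against the three steps above, as an added example that is not part of the original reply: it parses IOS interface stanzas and reports ports that are not trunks, whose native VLAN is not the AP management VLAN, or that do not explicitly allow guest VLAN 50. The sample config and port names are constructed, and AP management on VLAN 1 is an assumption the thread does not state.

```python
import re
GUEST_VLAN, AP_MGMT_VLAN = 50, 1  # 50 is the thread's guest VLAN; 1 is an assumption

def parse_interfaces(config):
    """Split IOS running-config text into {interface: [sub-commands]}."""
    stanzas, current = {}, None
    for text in map(str.strip, config.splitlines()):
        if text.lower().startswith("interface "):
            current = stanzas.setdefault(text.split(None, 1)[1], [])
        elif text in ("", "!", "end"):
            current = None
        elif current is not None:
            current.append(text)
    return stanzas

def expand_vlans(spec):
    """Expand an allowed-VLAN list such as '1,50,100-102' into a set."""
    vlans = set()
    for low, _, high in (part.partition("-") for part in spec.split(",")):
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans

def audit_ap_port(commands):
    """Check one AP-facing port against the three steps listed above."""
    if "switchport mode trunk" not in commands:
        return ["not a trunk, so guest frames cannot be tagged to the AP"]
    native, allowed, findings = 1, None, []  # IOS defaults: native 1, all allowed
    for cmd in commands:
        if m := re.fullmatch(r"switchport trunk native vlan (\d+)", cmd):
            native = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", cmd):
            allowed = expand_vlans(m.group(1))
    if native != AP_MGMT_VLAN:
        findings.append(f"native VLAN {native} is not AP management VLAN {AP_MGMT_VLAN}")
    if allowed is None:
        findings.append("no allowed-VLAN list, so every VLAN reaches the AP")
    elif GUEST_VLAN not in allowed:
        findings.append(f"guest VLAN {GUEST_VLAN} is not allowed on the trunk")
    return findings

# Constructed sample config; port names are illustrative, not the poster's ports.
SAMPLE = """\
interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/2
 switchport mode trunk
interface GigabitEthernet1/0/3
 switchport mode trunk
 switchport trunk allowed vlan 1,50
"""
REPORT = {name: audit_ap_port(cmds) for name, cmds in parse_interfaces(SAMPLE).items()}
```

`REPORT` maps each port to its findings; an empty list means the port matches the steps. The allowed-VLAN check goes one step further than the reply: it flags trunks that carry every VLAN to the AP instead of only the management and guest VLANs.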

Sorry, the images didn't come through for some reason; I attached them to this reply. What you posted is starting to make some sense now.

Ok thanks.
You don't need the vlan 50 (guest) layer 3 interface on the WLC.
It has to be configured on the switch if you want a local switching SSID.

Here is a Word doc with a few screenshots.

 


Thanks
Francesco

Those changes made the difference; I can now connect to the guest network and pull a valid IP from our guest network. The only issue I am having now, and it may be a small oversight, is that once I get an IP I cannot get out to the internet. I can see the gateway and log in to the router etc., but cannot get past it. I am wondering if I have a loop someplace at this point. I attached the output of the two ports.

port 42 is the direct connection to our guest network gateway

Port 41 is the port connected to the test AP

 


C1L3#show running-config in gi1/0/42
Building configuration...

Current configuration : 62 bytes
!
interface GigabitEthernet1/0/42
switchport mode trunk
end

 

 


C1L3#show running-config in gi1/0/41
Building configuration...

Current configuration : 39 bytes
!
interface GigabitEthernet1/0/41
end

 

C1L3#show vlan

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/1, Gi1/0/2, Gi1/0/3, Gi1/0/4, Gi1/0/5, Gi1/0/6, Gi1/0/7, Gi1/0/8, Gi1/0/9, Gi1/0/10, Gi1/0/11, Gi1/0/12, Gi1/0/13, Gi1/0/14, Gi1/0/15, Gi1/0/16, Gi1/0/17, Gi1/0/18, Gi1/0/19, Gi1/0/20
Gi1/0/21, Gi1/0/22, Gi1/0/23, Gi1/0/24, Gi1/0/25, Gi1/0/26, Gi1/0/27, Gi1/0/28, Gi1/0/29, Gi1/0/30, Gi1/0/31, Gi1/0/32, Gi1/0/33, Gi1/0/34, Gi1/0/35, Gi1/0/36, Gi1/0/37, Gi1/0/38, Gi1/0/39
Gi1/0/40, Gi1/0/41, Gi1/0/43, Gi1/0/44, Gi1/0/45, Gi1/0/46, Gi1/0/47, Gi1/0/48, Gi1/0/49, Gi1/0/50, Gi1/0/51, Gi1/0/52
50 guest active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
50 enet 100050 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------

 

 

Hi

You get an IP, right? Are you able to ping your gateway? If yes, try pinging Google DNS. As it's a new subnet, maybe the NAT is missing.
Have you tried first to ping google dns (8.8.8.8) from the switch itself, the one which is hosting the SVI?

Thanks
Francesco

Yes I can ping out on the switch fine, no problems with the other vlan running (default vlan)

Hello

 

"get an IP I cannot get out to the internet"


Disable ip routing on the switch as the router is performing the L3 for your guest vlan

 

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

IP routing seems to be disabled already; it should be listed in the top section, correct?

C1L3#show running-config
Building configuration...

Current configuration : 4591 bytes
!
! Last configuration change at 03:13:20 UTC Mon Oct 23 2017
! NVRAM config last updated at 03:23:33 UTC Tue Oct 24 2017
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname C1L3
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$yBL7$FXqANJhg6jKo4L9gc7r9l1
!
no aaa new-model
clock timezone UTC -5 0
clock summer-time UTC recurring
switch 1 provision ws-c2960xr-48fps-i
system mtu routing 1500
!
!
!
!
!
!
!
udld aggressive

!
mls qos map cos-dscp 0 8 16 24 32 46 46 56
!
crypto pki trustpoint TP-self-signed-3307956736
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3307956736
revocation-check none
rsakeypair TP-self-signed-3307956736

Hi,

Have you tried pinging your default gateway from your client? Have you also tried pinging the internet from the switch itself using the SVI (wifi SVI) as source, to validate that connectivity is working and the issue isn't your routing?

Thanks
Francesco

Yes, I can ping the gateway from the client and even log into the gateway router from the client, I am able to ping the internet from the switch directly as well. Google dns 8.8.8.8 no problem

From the client, can you do a traceroute and see the path, at least up to your firewall.
You tried pinging google dns from client as well?

 

Are there any ACLs for that SSID? or on the switch SVI?


Thanks
Francesco

I will try the traceroute now; I cannot ping Google DNS from the client. Give me a few minutes to try the traceroute.