Configuring a VLAN for WiFi guests

Merrily Mundane
Level 1

I have a Cisco Catalyst 2970 switch with a Firewalla firewall on port 13 and a Linksys MX4000 V2 running OpenWRT on port 3.

I would like my Cisco to provide trunks to these two ports for VLANs 1 (default) and 99 (guest).

If I connect my Linksys directly to my Firewalla, my guest traffic is correctly tagged VLAN99 and all others with VLAN1. But when I go through my Cisco, all traffic remains on the default network. 

What do I need to change in my switch configuration to get the desired behavior?

 

Switch#show int Gi0/3 trunk

Port Mode Encapsulation Status Native vlan
Gi0/3 on 802.1q trunking 1

Port Vlans allowed on trunk
Gi0/3 1-4094

Port Vlans allowed and active in management domain
Gi0/3 1,99

Port Vlans in spanning tree forwarding state and not pruned
Gi0/3 1,99
Switch#show int trunk

Port Mode Encapsulation Status Native vlan
Gi0/3 on 802.1q trunking 1
Gi0/5 on 802.1q trunking 1
Gi0/13 on 802.1q trunking 1

Port Vlans allowed on trunk
Gi0/3 1-4094
Gi0/5 1-4094
Gi0/13 1-4094

Port Vlans allowed and active in management domain
Gi0/3 1,99
Gi0/5 1,99
Gi0/13 1,99

Port Vlans in spanning tree forwarding state and not pruned
Gi0/3 1,99
Gi0/5 1,99
Gi0/13 1,99
Switch#show int vlan99
Vlan99 is up, line protocol is up
Hardware is EtherSVI, address is 0015.fa04.b441 (bia 0015.fa04.b441)
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:03, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
56128 packets input, 18114955 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Switch#show int vlan1
Vlan1 is up, line protocol is up
Hardware is EtherSVI, address is 0015.fa04.b440 (bia 0015.fa04.b440)
Internet address is 192.168.173.254/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
432366 packets input, 52744175 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
35452 packets output, 2358921 bytes, 0 underruns
0 output errors, 0 interface resets
0 output buffer failures, 0 output buffers swapped out

 

2 Replies

Why do you not make guest in VLAN 99 for both FW and Cisco?

I don't get what you want exactly.

Thanks 

MHM

I have a guest wifi network. My Linksys is configured to put guests on VLAN 99 and all other WiFi clients on the default VLAN 1. 

My firewall is configured to provide clients on VLAN99 a different set of rules and IP addresses from clients on VLAN 1. 

If I connect my Linksys directly to a port on my firewall, this works as expected. If I put the Cisco switch between the firewall and WiFi, then my guest network clients are given the same IP and rules as my default network clients. 
