1. my IOS on my router supports up to 4 VLANs.

2. do I understand correctly my switch can have no more than 4 VLANs (it is limited by router 4 VLAN capabilities) ?

3. do I need to have 4 uplinks between router and switch (each one for 1 VLAN) ?

4. my switch is 3 layer capable - does point 3 somehow limit the VLANs throughput ? I mean inter VLAN traffic will go through router (100mb port) instead of being served within switch itself ?

5. I just do not get the idea how to connect my WiFi AP to the switch. I have got only one gigaport in AP, but I need at least two VLANs. how to define a port in AP and how to define a port in switch to communicate in the right way

6. how to pass DHCP server information from router to AP via switch ?

2. do I understand correctly my switch can have no more than 4 VLANs (it is limited by router 4 VLAN capabilities) ?

You can have more vlan on switch but intervlan routing will be done in that case.  In simple words routing between different subnet.  L3 device can do that thing.

3. do I need to have 4 uplinks between router and switch (each one for 1 VLAN) ?

Single Uplink will be enough and u will make that uplink trunk.  Trunk meaning it will allow all vlan.

4. my switch is 3 layer capable - does point 3 somehow limit the VLANs  throughput ? I mean inter VLAN traffic will go through router (100mb  port) instead of being served within switch itself ?

If can make your switch l3 capable that will allow to make u more vlans and in  that case intervlan routing will be done by your switch and Internet traffic will be routed towards your Router Interface by using default route.

5. I just do not get the idea how to connect my WiFi AP to the switch. I  have got only one gigaport in AP, but I need at least two VLANs. how to  define a port in AP and how to define a port in switch to communicate  in the right way

You just need to insert single cable from your ap to your switch and make it a access port.  SSID that u will  make on AP u will assing them different vlans.

6. how to pass DHCP server information from router to AP via switch ?

In l3 Switch under vlan

u can enable ip-helper address

*** Do Rate Helpful Posts ***

Jawad, first of all, many thanks for your interest so far.

I followed your instructions, but obviously I did something wrong - cannot get it working...

I have got a trunk port on my router, but my switch cannot get any ip address.

this is my router' config:

---------------------------------------------

Current configuration : 15027 bytes
!
! Last configuration change at 23:17:38 CET Sat Feb 23 2013 by admin
! NVRAM config last updated at 22:57:06 CET Sat Feb 23 2013 by admin
!
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname C877W
!
boot-start-marker
boot system flash:/c870-advipservicesk9-mz.124-24.T7.bin
boot-end-marker
!
security authentication failure rate 3 log
logging message-counter syslog
logging buffered 151200
!
no aaa new-model
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 3:00 last Sun Oct 4:00
!
!
crypto pki certificate chain tti
certificate self-signed 01
  384 9999 9999 9999 9999
   quit
dot11 mbssid
dot11 syslog
dot11 vlan-name GLAN4 vlan 4
dot11 vlan-name LOCAL vlan 1
dot11 vlan-name WLAN3 vlan 3
!
dot11 ssid abc
vlan 1
authentication open eap eap_methods2
authentication network-eap eap_methods2
authentication key-management wpa
!
dot11 ssid def
vlan 4
authentication open
authentication key-management wpa
wpa-psk ascii 7 def
!
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.12.4 10.10.12.254
ip dhcp excluded-address 192.168.1.31 192.168.1.254
!
ip dhcp pool LAN1
   network 10.10.10.0 255.255.255.0
   dns-server 10.10.10.1 62.233.233.233 87.204.204.204
   default-router 10.10.10.1
   netbios-name-server 10.10.10.2
   lease infinite
!
ip dhcp pool WLAN4
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 62.233.233.233 87.204.204.204
   netbios-name-server 10.10.10.2
   lease infinite
!
ip dhcp pool DLAN3
   import all
   network 10.10.12.0 255.255.255.0
   default-router 10.10.12.1
   dns-server 62.233.233.233 87.204.204.204
   netbios-name-server 10.10.10.2
   lease infinite
!
ip dhcp pool HOME
   network 10.10.11.0 255.255.255.0
   default-router 10.10.11.1
   dns-server 62.233.233.233
   lease infinite
!
ip dhcp pool 10
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.2
!
!
ip cef
no ip bootp server
ip name-server 62.233.233.233
ip name-server 87.204.204.204
no ip port-map x11 port tcp from 6000 to 6606  description X Window System
ip ips config location flash:/ips5/ retries 5 timeout 10
ip ips notify SDEE
no ip ips notify log
!
ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false
!
ip inspect audit-trail
no ipv6 cef
!
multilink bundle-name authenticated
!
parameter-map type regex sdm-regex-nonascii
pattern [^\x00-\x80]

!
!

crypto key pubkey-chain rsa
named-key realm-cisco.pub
  key-string
   F3020301 0001
  quit
!
!
!
archive
log config
  hidekeys
!
!
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect imap match-any imap-mail
match  login clear-text
class-map type inspect match-any printer-9100
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-any print-9100
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class class-default
  drop
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
  inspect
class type inspect sdm-insp-traffic
  inspect
class type inspect sdm-protocol-http
  inspect
class class-default
  pass
!
zone security out-zone
zone security in-zone
zone security dmz-zone
zone security guest-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
bridge irb
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.2 point-to-point
description $FW_OUTSIDE$$ES_WAN$
ip flow ingress
zone-member security out-zone
pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
!
!
interface FastEthernet0
description LAN1
switchport mode trunk
!
interface FastEthernet1
description WLAN2
switchport access vlan 4
switchport mode trunk
!
interface FastEthernet2
switchport access vlan 4
switchport trunk native vlan 4
switchport mode trunk
!
interface FastEthernet3
description GLAN4
switchport access vlan 4
switchport mode trunk
!
interface Virtual-Template2
ip unnumbered BVI1
!
interface Virtual-Template3
ip unnumbered BVI1
!
interface Virtual-Template4
ip unnumbered BVI1
!
interface Dot11Radio0
no ip address
ip nbar protocol-discovery
ip flow ingress
ip flow egress
!
encryption mode ciphers tkip
!
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 4 mode ciphers tkip
!
ssid abc
!
ssid def
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
l2-filter bridge-group-acl
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 input-address-list 700
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.4
encapsulation dot1Q 4
no cdp enable
bridge-group 4
bridge-group 4 subscriber-loop-control
bridge-group 4 spanning-disabled
bridge-group 4 block-unknown-source
no bridge-group 4 source-learning
no bridge-group 4 unicast-flooding
!
interface Vlan1
description LAN1$FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.11.1 255.255.255.0
ip flow ingress
ip tcp adjust-mss 1452
!
interface Vlan3
no ip address
bridge-group 3
!
interface Vlan4
description GLAN4
no ip address
traffic-shape rate 64000 8000 8000 1000
bridge-group 4
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 2
dialer-group 2
no cdp enable
ppp authentication chap callin
ppp chap hostname ssss
ppp chap password 7 ssss
!
interface BVI1
description LAN1$ES_LAN$$FW_INSIDE$
ip address 10.10.15.1 255.255.255.0
ip helper-address 10.10.11.1
ip helper-address 192.168.1.1
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface BVI3
description WLAN3$FW_DMZ$
ip address 10.10.12.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security dmz-zone
!
interface BVI4
description GLAN4$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip helper-address 10.10.11.1
ip helper-address 192.168.1.1
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-cache timeout active 1
ip flow-export source Dot11Radio0
ip flow-export version 5
ip flow-export destination 10.10.10.114 9996
ip flow-export destination 10.10.1.4 9996
!
ip dns server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 2 interface Dialer1 overload
ip nat inside source list 3 interface Dialer1 overload
ip nat inside source list 4 interface Dialer1 overload
!
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_IP
remark SDM_ACL Category=1
permit ip any any
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended any
remark SDM_ACL Category=128
permit ip any any
ip access-list extended printer
remark SDM_ACL Category=128
permit ip any any
!
logging trap debugging
logging 10.10.11.1
access-list 1 remark inside to Internet
access-list 1 remark SDM_ACL Category=2
access-list 1 remark LAN1
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark WLAN2
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.11.0 0.0.0.255
access-list 3 remark DLAN3
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 10.10.12.0 0.0.0.255
access-list 4 remark WLAN4
access-list 4 remark SDM_ACL Category=2
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 10 remark CCP_ACL Category=1
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 10.10.11.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 10.10.12.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip any any
access-list 105 remark Auto generated by SDM Management Access feature
access-list 105 remark CCP_ACL Category=1
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 10.10.11.0 0.0.0.255 any
access-list 109 remark Auto generated by SDM Management Access feature
access-list 109 remark CCP_ACL Category=1
access-list 109 permit tcp 10.10.11.0 0.0.0.255 host 10.10.11.1 eq telnet
access-list 109 permit tcp 10.10.11.0 0.0.0.255 host 10.10.11.1 eq 22
access-list 109 permit tcp 10.10.11.0 0.0.0.255 host 10.10.11.1 eq www
access-list 109 permit tcp 10.10.11.0 0.0.0.255 host 10.10.11.1 eq 443
access-list 109 permit tcp 10.10.11.0 0.0.0.255 host 10.10.11.1 eq cmd
access-list 109 deny   tcp any host 10.10.11.1 eq telnet
access-list 109 deny   tcp any host 10.10.11.1 eq 22
access-list 109 deny   tcp any host 10.10.11.1 eq www
access-list 109 deny   tcp any host 10.10.11.1 eq 443
access-list 109 deny   tcp any host 10.10.11.1 eq cmd
access-list 109 deny   udp any host 10.10.11.1 eq snmp
access-list 109 permit ip any any
no cdp run

!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 3 protocol ieee
bridge 3 route ip
bridge 4 protocol ieee
bridge 4 route ip
banner exec ^CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
% Password expiration warning.
-----------------------------------------------------------------------

nice, huh ?

-----------------------------------------------------------------------
^C
banner login ^CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
speed 115200
line aux 0
transport output telnet
line vty 0 4
access-class 105 in
exec-timeout 0 0
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 150.254.183.15 prefer source Dialer1
ntp server 193.110.137.171 source Dialer1
ntp server 212.244.36.227 source Dialer1
!
end

------------------------------

and this is my switch config:

-------------------------------

vlan database

vlan 11-14

exit

voice vlan oui-table add 0001e3 Siemens_AG_phone________

voice vlan oui-table add 00036b Cisco_phone_____________

voice vlan oui-table add 00096e Avaya___________________

voice vlan oui-table add 000fe2 H3C_Aolynk______________

voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone

voice vlan oui-table add 00d01e Pingtel_phone___________

voice vlan oui-table add 00e075 Polycom/Veritel_phone___

voice vlan oui-table add 00e0bb 3Com_phone______________

ip dhcp snooping

ip dhcp snooping database

ip dhcp snooping information option allowed-untrusted

ip dhcp relay address 10.10.11.1

ip dhcp relay address 192.168.1.1

ip dhcp relay enable

ip dhcp information option

no boot host auto-config

bonjour interface range gi1/3

bonjour interface range vlan 1

hostname SG500

line console

exec-timeout 0

exit

line telnet

exec-timeout 0

exit

no passwords complexity enable

passwords aging 0

username cisco password encrypted 7af78c911d5b48bea1dc2449d9d89513abeb4be5 privilege 15

no snmp-server server

ip http timeout-policy 0 http-only

ip http secure-server

clock timezone " " 1

clock summer-time web recurring eu

clock source sntp

clock dhcp timezone

ip name-server  10.10.10.1 10.10.11.1

ip telnet server

!

interface vlan 1

ip address 10.10.10.2 255.255.255.0

no ip address dhcp

!

interface vlan 11

name HOME

ip address 10.10.11.2 255.255.255.0

!

interface vlan 12

name MONITORING

ip address 10.10.12.2 255.255.255.0

!

interface vlan 13

name DMZ

ip address 10.10.13.1 255.255.255.0

!

interface vlan 14

name GUESTS

ip address 192.168.1.2 255.255.255.0

!

interface gigabitethernet1/46

switchport trunk allowed vlan add 11,14                                                             

!                                                                                                    

interface gigabitethernet1/47                                                                

switchport trunk allowed vlan add 11,14                                                             

!                                                                                                  

ip helper-address 10.10.11.2 10.10.11.1 37 42 49 53 137 138                                  

ip helper-address 10.10.12.2 10.10.12.1 37 42 49 53 137 138                                       

ip helper-address 10.10.13.2 10.10.13.1 37 42 49 53 137 138                                         

ip helper-address 192.168.1.2 192.168.1.1 37 42 49 53 137 138                                       

ip helper-address all 10.10.11.1 37 42 49 53 137 138                                                 

snmp-server set  rlAutomaticClockSetFromPCEnabled rlAutomaticClockSetFromPCEnabled true              

-------------------------

1. any idea where is a bug ? router does not assign any IP address to my switch

2. I connect the switch (port 47) with the router (port FA3), and if I later connect any host to the switch, the host is given ip address from 10.10.11.0 pool. shouldn't it be a 192.168.1.0 pool ?

I am not able to understand you.  What you want to to do and you are working on new config or changing old one.

Please elaborate what u want to do.  Then i will be able to guide u in best way possible.

Thanks...

these are my current configs.

my questions:

1. why do my hosts connected to switch get ip addresses from 10.10.11.0 pool instead 192.168.1.0 pool ? switch (port GigaEth47) is connected to router (FastEth3). FastEth3 on router belongs to VLAN4 which is within 192.168.1.0 pool.

2. I connect my Access Point to any of switch poet, but nothing happens ...

Jawad, many thanks for your config,

I managed to have it working, unfortunately only partially ...

I configured my router according to your instructions. everything went well.

unfortunatelly I cannot configure my switch the way you showed me.

I mean exactly the following line (int GE1/47 part):

     "switchport trunk encapsulation dot1q"

my switch does not accept this command in "interface GE" mode

this is not the end of my observations:

I managed to assign exclusively vlan14 to some of the ports. now , if I connect any host, correcct IP address is assigned (192.168.1.0 pool)

the problem is that I wanted to do it with vlan11. in that case no host gets the IP address. they get 169.254.135.44 addresses - instead of 10.10.11.0 address pool

I did some more testing

I assigned VLAN 12 to some ports. switch works like a charm. hosts are given CORRECT addreses (10.10.12.0 pool)

looks like VLAN 11 is the only issue.

any ideas ?

Kinldy Check Vlan 11 exist in Switch and Router.  Also Vlan 11 pool also exist in router.

Check VLan11 status is up in router and switch.

Assing some interface Vlan11 and connect host to that interface.

**Do Rate Helpful Posts**

Jawad,

just found the issue. I configured too many VLANs on my router, as a result only some of them were working.

many, many help for your hints.

one thing more if you can still have got some tolerance for me

do you know how to configure an access point with two different SSIDs and connect it to my switch ? I assume my switch port must be exaclty the same as GE47 in previous example..

but I have no clue how to do it on access point side ...

good day Jawad,

could you please give me a hand one more time ?

I got everything working till yesterday (I mean AP, switch and router),

now, for some reasons my AP does not assign correct ip addresses to my wireless hosts. it gives addreses like this: 169.254.104.137, and I cannot do anything about it. do you have a clue what my be wrong, or better, do you need a config ?

Have you check ap is correct vlan and you configured ap correctly.

Also you can assing static ip  to your laptop trying conneting to that ap and check network connectivity is ok through ping.  That will confirm you.

Post AP Config

and also post show run of switch port connected to AP.