10-25-2018 01:05 PM - edited 03-08-2019 04:28 PM
Hi, I am not a Cisco engineer, so I hope to explain this correctly. I have searched for the possible answer to this, and have attempted to make the config changes needed to get this to work as I believe it should work, to no avail. So my problem is: I have inherited a network. It consists of four Cisco switches (yes, I know they are old, but they work): 1x 3750, 3x 3560G, an ISA570 Cisco router/firewall, and 8x UniFi AP-AC-Pro access points running VLAN1 for internal networking (192.168.1.x) and VLAN2 for guests (192.168.10.x).
There are several VLANs set up and EtherChannels between the switches.
What is happening: everything appears to work correctly. Access to the internet is fine from both wired and wireless, and access to the servers is fine from both wired and wireless. But if the ISA570 is turned off, all wireless access stops, to both the internet and the servers. This would tell me that the ISA570 is acting as a router from the VLAN trunks to internal VLAN1 destinations. My understanding is that the switches would switch VLAN1 traffic to other VLAN1 destinations locally and not forward that traffic to the router (ISA570).
Here is some of the configuration of the switch that four of the APs are connected to:
port-channel load-balance src-dst-ip
!
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface Port-channel1
description ***** uplink to server rack *****
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-3,10,25
switchport mode trunk
Port Gi0/45 is connected to port 8 of the ISA570 for guest access to the internet:
interface GigabitEthernet0/45
description *** guest network vlan 2 to isa570 ***
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2
switchport mode trunk
Port Gi0/47 is connected to port 2 of the ISA570 for VLAN1:
interface GigabitEthernet0/47
description ***** uplink to ISA570 *****
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1
switchport mode trunk
interface GigabitEthernet0/1
description ***** AP06 ***** > one of the access point ports
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2
switchport mode trunk
interface GigabitEthernet0/3
description ***** AP04 ***** > another of the access point ports
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2
switchport mode trunk
Do these switch/port settings look correct? Would they cause the behavior noted?
Thank you for any assistance.
bof
10-25-2018 01:19 PM
Technically, the config is OK.
The ISA570 is acting as your gateway. I am still trying to understand what your question is here.
10-25-2018 02:49 PM
bof
If I am understanding it correctly, the original post says that normally pretty much everything works fine, but if the router/firewall is turned off then wireless does not work. It does not mention impact on wired users. Do wired users work OK, or are they impacted? Are wired users part of VLAN 1, or are they in one of the other VLANs? The config shows that there are multiple VLANs (at least 1, 2, 3, 10, 25). We are told that VLAN 1 is internal networking and VLAN 2 is guests, and clearly VLANs 1 and 2 carry traffic for wireless. We have no information about the other VLANs. We are not told whether the switch does any routing between VLANs or whether all routing between VLANs is done on the router/firewall. Perhaps the original poster can provide some clarification about these points?
The partial config posted shows that there is a layer 2 link from the switch to the router for VLANs 1 and 2. This implies that the router is providing routing for these VLANs. Is that correct? If that is the case, then it certainly explains why wireless users are impacted when the router is down. And given the decision that the router provides routing for the wireless VLANs, I am not sure what you would want to happen if the router goes down.
While I do not see anything in the config that looks like a problem, I am puzzled by the fact that the connection from switch to router for VLAN 1 is a trunk port which carries only VLAN 1, and puzzled why the connection from switch to router for VLAN 2 is a trunk port that carries only VLAN 2. If these interfaces carry only a single VLAN, then why not make them access ports in their respective VLANs?
HTH
Rick
10-26-2018 05:42 AM
You need to check more of your components.
As the UniFi quick install guide mentions:
"A UniFi Cloud Key or management station running the UniFi Controller v5.4 (or newer) software"
It could mean that the connection to this UniFi controller is established through the router,
and the AP may not work without this connection, like a Cisco CAPWAP AP needs a WLC.
10-29-2018 05:22 AM
Richard Burts - I ran some tests this morning. I started ping tests to the domain controllers on VLAN1 (all wired users and servers are on VLAN1; small network) from two wired desktop systems and from a wireless laptop and my cell phone connected to the APs (internal network, VLAN1 IP address). All were showing pings of <1 ms, but as soon as I turned off the ISA570 router/firewall, the wireless laptop and my cell phone stopped receiving pings. The wired systems were still able to ping the domain controllers. So it does look like the switches are forwarding all of the traffic from the AP ports to the firewall/router to be just put back onto VLAN1, instead of the switches recognizing that there is VLAN1 traffic coming in from the AP and sending it to its destination internally.
So:
VLAN1 is 192.168.1.x/24 (internal to servers/clients, wired and wireless, internet access)
VLAN2 is 192.168.10.x/24 (guest wireless, internet access)
VLAN3 is 192.168.30.x/24 (test equipment, no internet access)
Other VLANs are not used.
I do not know why the VLAN1 port is trunked but only carries VLAN1 traffic; same with VLAN2. Could this be the issue why the router is routing VLAN1 trunked traffic from the APs back to VLAN1?
I will try to change the trunked ports connected to the ISA570 to access ports carrying only the VLANx traffic they need.
The four switches are daisy-chained (1-2-3-4) using EtherChannel, with switch 2 connecting all the servers in the data room and switch 3 connecting the router/firewall in the telephone closet.
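As an added example (not configuration from the original post or from either Cisco or Ubiquiti), here is what the two ISA570-facing ports on the switch above look like once converted to access ports, as suggested earlier in the thread, followed by the show commands used to confirm the change and to see where the wireless clients' MAC addresses are actually learned. Interface names, descriptions and VLAN numbers are taken from the posted config; the AP port Gi0/1 in the last check is just one of the posted AP ports.

```cisco
! Convert the single-VLAN trunks toward the ISA570 into access ports.
! Gi0/45 carries only VLAN 2 (guest); Gi0/47 carries only VLAN 1 (internal).
configure terminal
!
interface GigabitEthernet0/45
 description *** guest network vlan 2 to isa570 ***
 switchport mode access
 switchport access vlan 2
 no switchport trunk allowed vlan
 no switchport trunk encapsulation
!
interface GigabitEthernet0/47
 description ***** uplink to ISA570 *****
 switchport mode access
 switchport access vlan 1
 no switchport trunk allowed vlan
 no switchport trunk encapsulation
!
end
write memory
!
! Checks.
! 1. No trunk should remain toward the ISA570; only Po1 and the AP ports should be listed.
show interfaces trunk
show interfaces GigabitEthernet0/47 switchport
! 2. With the ISA570 powered off, a wireless client's MAC should still be learned on the
!    AP port (e.g. Gi0/1) in VLAN 1, and the domain controllers' MACs on Port-channel1.
show mac address-table vlan 1
show mac address-table interface GigabitEthernet0/1
```

If the second check shows the wireless clients' MAC addresses in VLAN 1 on the AP port while the router is off, the switch is already forwarding their VLAN 1 frames locally and the access-port change is only a tidy-up; the loss of connectivity then points at something on the AP or client side that depends on the router (the clients' default gateway, or the UniFi controller being reachable only through the router, as raised earlier in the thread) rather than at the switch configuration.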
11-02-2018 03:23 PM
bof
Can you tell us how your wireless laptop and cell phone were set up? In particular, what was their default gateway? Perhaps we need to know more about how the UniFi access points are set up. The behavior certainly suggests that the access point is using the router as the device to forward its traffic into the network.
HTH
Rick
10-26-2018 12:51 PM
Hello
It would also be nice to know how the other switches are connected. Would it be possible to post a topology of how you have this all interconnected?