trunking from Access Points across four switches works, until the router is turned off?

bofcchmw
Level 1

Hi, I am not a Cisco engineer so I hope to explain this correctly. I have searched for the possible answer to this, and have attempted to make the config changes needed to get this to work as I believe it should work, to no avail. So my problem is: I have inherited a network. It consists of four Cisco switches (yes I know they are old, but they work): 1 x 3750, 3 x 3560G; an ISA570 Cisco router/firewall; and 8 UniFi AP-AC-Pro access points running VLAN1 for internal networking (192.168.1.x) and VLAN2 for guests (192.168.10.x).

There are several VLANs set up and EtherChannels between the switches.

What is happening: everything appears to work correctly; access to the internet is fine from both wired and wireless, and access to the servers is fine from both wired and wireless. But if the ISA570 is turned off, all wireless access stops, to both the internet and the servers. This would tell me that the ISA570 is acting as a router from the VLAN trunks to internal VLAN1 destinations. My understanding is that the switches would switch VLAN1 traffic to other VLAN1 destinations locally and not forward that traffic to the router (ISA570).

Here is some of the configuration of the switch that four of the APs are connected to:

port-channel load-balance src-dst-ip
!
spanning-tree mode pvst
spanning-tree loopguard default
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface Port-channel1
 description ***** uplink to server rack *****
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-3,10,25
 switchport mode trunk

Port gi0/45 is connected to port 8 of the ISA570 for guest access to the internet:

interface GigabitEthernet0/45
 description *** guest network vlan 2 to isa570 ***
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2
 switchport mode trunk

Port gi0/47 is connected to port 2 of the ISA570 for VLAN1:

interface GigabitEthernet0/47
 description ***** uplink to ISA570 *****
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1
 switchport mode trunk

interface GigabitEthernet0/1
 description ***** AP06 *****    > one of the access point ports
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2
 switchport mode trunk

interface GigabitEthernet0/3
 description ***** AP04 *****   > another of the access points ports
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,2
 switchport mode trunk

Do these switch/port settings look correct? Would they cause the behavior noted?

Thank you for any assistance.

bof

6 Replies

balaji.bandi
Hall of Fame

Technically config ok.

ISA570 is acting as your gateway. I am still trying to understand what your question is here?

BB


Richard Burts
Hall of Fame

bof

If I am understanding it correctly, the original post says that normally pretty much everything works fine, but if the router/firewall is turned off then wireless does not work. It does not mention impact on wired users. Do wired users work OK or are they impacted? Are wired users part of vlan 1 or are they in one of the other vlans? The config shows that there are multiple vlans (at least 1, 2, 3, 10, 25). We are told that vlan 1 is internal networking and vlan 2 is guests, and clearly vlans 1 and 2 carry traffic for wireless. We have no information about other vlans. We are not told whether the switch does any routing between vlans or whether all routing between vlans is done on the router/firewall. Perhaps the original poster can provide some clarification about these points?

The partial config posted shows that there is a layer 2 link from the switch to the router for vlans 1 and 2. This implies that the router is providing routing for these vlans. Is that correct? If that is the case then it certainly explains why wireless users are impacted when the router is down. And given the decision that the router provides routing for the wireless vlans, I am not sure what you would want to happen if the router goes down.

While I do not see anything in the config that looks like a problem, I am puzzled at the fact that the connection from switch to router for vlan 1 is a trunk port which carries only vlan 1, and puzzled why the connection from switch to router for vlan 2 is a trunk port that carries only vlan 2. If these interfaces carry only a single vlan then why not make them access ports in their respective vlans?

HTH

Rick
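As an added illustration of the access-port change Rick raises above (this is not configuration from any post in this thread), here are the two ISA570-facing interfaces from the original post in their posted trunk form and then rewritten as access ports, followed by the IOS show commands that confirm the result. Interface names, VLAN numbers and description strings are taken from the original post; everything else is an assumption, in particular that the ISA570 ports on the other end are reconfigured to match.

```cisco
! --- as posted: trunk ports that each carry a single VLAN ---
! gi0/47 allows only VLAN 1, which is also the default native VLAN,
! so frames on it are already untagged.
! gi0/45 allows only VLAN 2, which is not the native VLAN,
! so frames on it leave the switch tagged with 802.1Q VID 2.
interface GigabitEthernet0/45
 description *** guest network vlan 2 to isa570 ***
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2
 switchport mode trunk
!
interface GigabitEthernet0/47
 description ***** uplink to ISA570 *****
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1
 switchport mode trunk
!
! --- access-port form of the same two links (added example) ---
! "no switchport trunk allowed vlan" just clears the now-unused trunk
! line from the running config; it is optional.
interface GigabitEthernet0/45
 description *** guest network vlan 2 to isa570 ***
 switchport mode access
 switchport access vlan 2
 no switchport trunk allowed vlan
!
interface GigabitEthernet0/47
 description ***** uplink to ISA570 *****
 switchport mode access
 switchport access vlan 1
 no switchport trunk allowed vlan
!
! --- verification, from privileged EXEC ---
! gi0/45 and gi0/47 should no longer appear in the trunk list:
show interfaces trunk
! Operational Mode should read "static access" with Access Mode VLAN 2:
show interfaces GigabitEthernet0/45 switchport
! Gi0/45 should be listed under VLAN 2 and Gi0/47 under VLAN 1:
show vlan brief
! wireless clients' MACs should be learned on the AP port in VLAN 1,
! which shows the switch is forwarding that traffic locally:
show mac address-table interface GigabitEthernet0/1
```

The one caveat that matters when making this change: on gi0/45 the guest traffic goes from tagged (VID 2) to untagged, so port 8 on the ISA570 has to be switched from a tagged VLAN 2 port to an untagged one at the same time, or guest traffic stops until both ends agree. gi0/47 already carried VLAN 1 untagged as the native VLAN, so its framing does not change. Neither change alters where VLAN 1 and VLAN 2 are routed; if the ISA570 is the only device with an IP interface in those VLANs, anything that needs a gateway still stops when it is powered off.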

You need to check more of your components.

Like the UniFi quick install guide mentions:

     A UniFi Cloud Key or management station running the UniFi Controller v5.4 (or newer) software

It could mean that connection to this UniFi controller is established through the router,

and the AP may not work without this connection, like a Cisco CAPWAP AP needs a WLC.

Richard Burts - I ran some tests this morning. I started ping tests to the domain controllers on VLAN1 (all wired users and servers are on VLAN1, small network) from two wired desktop systems and from a wireless laptop and my cell phone connected to the APs (internal network, VLAN1 IP address). All were showing pings of <1ms, but as soon as I turned off the ISA570 router/firewall the wireless laptop and my cell phone stopped receiving pings. The wired systems were still able to ping the domain controllers. So it does look like the switches are forwarding all of the traffic from the AP ports to the firewall/router to be just put back on to VLAN1, instead of the switches recognizing that there is VLAN1 traffic coming in from the AP and sending it to its destination internally.

So:
VLAN1 is 192.168.1.x/24 (internal to servers/clients, wired and wireless, internet access)
VLAN2 is 192.168.10.x/24 (guest wireless, internet access)
VLAN3 is 192.168.30.x/24 (test equipment, no internet access)
other VLANs are not used

I do not know why the VLAN1 port is trunked but only carries VLAN1 traffic, same with VLAN2. Could this be the issue, why the router is routing VLAN1 trunked traffic from the APs back to VLAN1?

I will try to change the trunked ports connected to the ISA570 to access ports carrying only the VLANx traffic they need.

The four switches are daisy chained using EtherChannel, 1-2-3-4, with switch 2 connecting all the servers in the data room; switch 3 connects the router/firewall in the telephone closet.

bof

Can you tell us how your wireless laptop and cell phone were set up? In particular, what was their default gateway? Perhaps we need to know more about how the UniFi access points are set up. The behavior certainly suggests that the access point is using the router as the device to forward its traffic into the network.

HTH

Rick

Hello

It would also be nice to know how the other switches are connected; would it be applicable to post a topology of how you have this all interconnected?


Kind Regards
Paul