
VLAN problems...

Liam Dwyer
Level 1

Hello,

I am installing a new wireless solution in a hotel environment and I am having a problem with DHCP traffic on the VLAN.

Here is the scenario:

There is already a wireless infrastructure in place.

ISP -> default gateway -> Cisco 3550 switches -> fiber trunks to 2950 switches on upper floors, Cisco APs attached to those switches.

I have a new default gateway doing another subnet and DHCP scope for my solution.  I will also have new switches attached to the old 2950 switches.

I have added a new VLAN for this traffic and added the gigabit cat5 port to this VLAN and trunked that port on the core 3550.

I should add that I have added the VLAN to the switch on the upper floor.

I have also added a Vlan interface for the new traffic since the default gateway is already pointing to the old DHCP server.

How do I get the DHCP traffic for my new equipment up to the closet switch without crossing DHCP scopes?

I had also added an ip route on the 3550 core pointing to the new default gateway.

I am trying to do this without taking out the old solution in one shot.

I feel as though I have tried everything but I am missing just one little thing.

Any help would be greatly appreciated!

Thanks

26 Replies

Hi Shamal,

Yes, part of the building is free and the other part is paid for. The problem is that the paid section of the hotel is pulling DHCP from my equipment, hence giving out free wifi.

Or I should say that differently: it is pulling DHCP from my DHCP server, therefore going out my gateway and bypassing the old equipment that interfaces with the billing.

Does that make sense?

Hi Liam,

So the new APs you've installed are used by these paid users as well?

If the answer is yes, there is only one way you can tackle this scenario: you will have to create 2 SSIDs on the new APs,

one for the paid customers (SSID-PAID, or leave it as it is) and one for free users (SSID-FREE), and tie each SSID to VLANs within the AP, like so:

SSID-PAID ---> VLAN1 (default VLAN)

SSID-FREE ---> VLAN15

** You will have to define a pre-shared key for SSID-FREE (in the AP), so the paid users wouldn't be able to get in.

After this, you will have to change ports on your switches as shown below:

ISP <----> |New DG/DHCP| <-------> (Access Port VLAN15) |Core 3550| (Trunk) <--------> (Trunk) |old 2950| (Trunk) <--------> (Trunk) |New switch| (Trunk) <----------> (Trunk) |AP|

** I think the APs' ports are trunks by default, but make sure that's the case.

This way, by selecting the SSID, we select the VLAN we want to connect to (and in turn the DHCP). So the paid users will not be able to get in to the free zone as long as they don't know the key.

Shamal

Shamal,

I think we are getting a little off track.

The old DHCP server is serving up DHCP for paid wireless.

My new DHCP server is serving up DHCP for the new equipment, but in the process the old equipment is pulling DHCP from my new DHCP server, therefore not getting to the billing process on the old server.

Essentially giving people that should be paying free wifi.

The SSIDs are all set up on my new equipment and working, but I need to have that paid process in place with the old equipment for a while longer.

Meaning that DHCP is crossing paths even with the VLANs set up.

I didn't know if there is a way to separate the VLANs so that traffic for my stuff goes out my gateway and traffic for the old stuff goes out their gateway.

Thanks

Hi Liam,

Are you handing out IPs from the same IP subnets (pools) in both DHCP servers? If the answer is yes, this is not going to work.

If the answer is no, I think you still have some VLAN configuration issues. If you completely separate the old system and the new system by VLANs you should not have DHCP cross talk at all.

Can you show me your switch configs and DHCP scopes/default-router settings? I think that will help a lot to understand what's going on.

Thanks

Shamal

There are two different subnets using different pools so there is no overlapping... but you are correct, the VLAN config could be off and I am not sure why. Here is a config from the core switch I am connected to. I will get one of the closet switches as well.

My equipment is on VLAN 15 and I am plugged into the gig 0/12 port.

CORE CONFIG -

no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
!
!
ip subnet-zero
ip routing
!
!
!
spanning-tree extend system-id
spanning-tree vlan 1 priority 4096
spanning-tree vlan 2 priority 4096
spanning-tree vlan 8 priority 4096
spanning-tree vlan 12 priority 4096
spanning-tree vlan 15 priority 4096
!
!
!
interface GigabitEthernet0/1
 description floor37
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/2
 description EMPTY
 switchport mode access
 no ip address
!
interface GigabitEthernet0/3
 description floor45
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/4
 description floor48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/5
 description floor52
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/6
 description EMPTY
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/7
 description floor42
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/8
 description EMPTY
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/9
 description EMPTY
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/10
 description switchUPLINK
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/11
 description WIRELESS_MINIBAR
 switchport access vlan 8
 switchport mode access
 no ip address
!
interface GigabitEthernet0/12
 switchport access vlan 15
 switchport trunk allowed vlan 15
 no ip address
!
interface Vlan1
 ip address 10.0.100.3 255.255.0.0
!
interface Vlan2
 description hotel_admin
 no ip address
!
interface Vlan12
 description TMOBILE
 no ip address
!
interface Vlan15
 description Meraki
 ip address 10.20.0.8 255.255.248.0
 ip helper-address 10.20.0.1
!
ip default-gateway 10.0.0.1
ip classless
ip route 10.20.0.0 255.255.248.0 10.20.0.1 name MX400
ip http server
!
!
snmp-server engineID local 800000090300000CCEAC8001
snmp-server community tbmanager RW
snmp-server community tbconferences RO
snmp-server host 10.0.0.1 tbconferences
!
line con 0
 password 7 0459190D210F1D
 login
line vty 0 4
 password 7 0111140F752557
 login
line vty 5 15
 password 7 13070519252255
 login

Oh, and I should mention that port 0/12 is now set to switchport access vlan 15, not trunked.

I have been throwing different configs at it to try and get the cross talk to stop.

Thanks

Here is the closet switch config. For this particular closet I am plugged into port 22, and that port is currently set to trunk.

service timestamps log uptime
service password-encryption
ip subnet-zero
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
interface FastEthernet0/1
 switchport mode access
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode access
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport mode access
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport mode access
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport mode access
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport mode access
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport mode access
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/8
 switchport mode access
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport mode access
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport mode access
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport mode access
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport mode access
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/13
 switchport mode access
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/14
 switchport mode access
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/15
 switchport mode access
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport mode access
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/17
 switchport mode access
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/18
 switchport mode access
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/19
 switchport mode access
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/20
 switchport mode access
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/21
 switchport mode access
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/22
 switchport mode access
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/23
 switchport mode trunk
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/24
 switchport mode trunk
 no ip address
!
interface Vlan1
 ip address 10.0.152.97 255.255.0.0
 no ip route-cache
!
ip default-gateway 10.0.0.1
ip http server
!
cdp timer 5
snmp-server community tbmanager RW
snmp-server community tbconferences RO
snmp-server host 10.0.0.1 tbconferences
!
line con 0
 password 7 06041D2A626058
 login
line vty 0 4
 password 7 08235E45273754
 login
line vty 5 15
 password 7 0204165025285E
 login

On the core switch, the port connected to the DHCP server should only have the following lines:

!
interface GigabitEthernet0/12
 switchport mode access
 switchport access vlan 15
 no ip address
!

Also, I don't think the following highlighted lines have any effect:

!
interface Vlan15
 description Meraki
 ip address 10.20.0.8 255.255.248.0
 ip helper-address 10.20.0.1
!
ip default-gateway 10.0.0.1
ip classless
ip route 10.20.0.0 255.255.248.0 10.20.0.1 name MX400
ip http server
!

So, the closet switch is currently plugged in to the core switch, and for that connection you have trunk ports on both sides.

And I believe the second config you posted is the closet switch's, and your new switch is plugged in to the closet switch. I gathered the new switch is plugged in to port FastEthernet0/22 on the closet switch..??

If that's the case, that's where you went wrong (and that's why your DHCP is cross talking).

This port should also be an access port in VLAN 15, so it should be like this (from the closet port side):

!
interface FastEthernet0/22
 switchport mode access
 switchport access vlan 15
 no ip address
!

And from the new switch's side, the port connected to the closet switch should be like this:

** Assuming it is port FastEthernet0/19

!
interface FastEthernet0/19
 switchport mode access
 no ip address
!

And on the new switch, all the ports the Access Points are connected to should be like this:

!
interface FastEthernet0/XX
 switchport mode access
 no ip address
!

Also, I gathered from this configuration that your DHCP server is 10.20.0.1. Make sure the DHCP pool is handing out IPs from the same range 10.20.0.8 255.255.248.0 (excluding the fixed addresses) and the default-router is set to 10.20.0.1.

You should be fine with this setup.

Oh, one other thing:

If you set it up like this, and if you want to manage your new switches, you should assign them IP addresses from the 10.20.0.8 255.255.248.0 range as well (including your new Access Points that are connected to the new switch).

So on the new switches, the management IP should look like this:

!
interface Vlan1
 ip address 10.20.0.13 255.255.0.0
!

Note that you have to assign this on interface Vlan1, NOT interface Vlan15 (this is because you are only getting untagged packets in to the new switch. They will only get tagged as they enter the closet switch).

Let me know how you go with it.

Also don't forget to rate helpful answers.

Shamal



Hi, thank you for the reply... again.

No, the pools do not overlap. They are on different subnets and they start on different ranges.

If the closet switch is in access mode as well as the new switch, is that still going to pass that different VLAN traffic??

Especially if the APs are in access mode as well??

Yes, there is a difference between

!
interface FastEthernet0/22
 switchport mode access
 switchport access vlan 15
!

AND

!
interface FastEthernet0/19
 switchport mode access
 no ip address
!

Because you have your new APs plugged in to the plain "switchport mode access" ports (which is VLAN1), all the traffic from your new APs will flow in to the new switch in VLAN1. But when the traffic goes in to the closet switch it will get tagged as VLAN 15 (hence, totally separated from your old AP traffic), so from there onwards these packets will be tagged until they leave out in to the new DHCP box (through the "switchport access vlan 15" port).

The concept here is:

If you have an access port with the "switchport access vlan 15" command, traffic on VLAN1 will be tagged as it enters the switch via that port. And the tagged VLAN 15 traffic will be untagged (hence VLAN1) when traffic leaves out through this port. And only the tagged VLAN 15 packets will be able to get out of these ports.

Let me know how you go with this.

Thanks

shamal
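
The access-port tagging described in the reply above, as an added example that is not part of the thread: it floods a client broadcast such as a DHCPDISCOVER through a constructed model of the path (AP, new switch, closet Fa0/22, trunk, core Gi0/12) and returns which hosts receive it. The host names and the core port names for the closet uplink and the old gateway are assumptions, and `switchport protected` is not modelled.

```python
from collections import deque

TRUNK, NATIVE = "trunk", 1  # trunk marker; untagged frames on a trunk belong to native VLAN 1

def broadcast_reach(ports, links, src):
    """Hosts that receive a broadcast (e.g. DHCPDISCOVER) sent by host `src`.
    ports: {(switch, port): TRUNK or access VLAN number}
    links: {(switch, port): host name or peer (switch, port)}"""
    peer = {**links, **{far: near for near, far in links.items()}}
    first = peer[src]
    # An untagged frame entering an access port is classified into that port's VLAN.
    queue, seen, hosts = deque([(first, ports[first])]), set(), set()
    while queue:
        (sw, came_in), vlan = queue.popleft()
        if (sw, vlan) in seen:
            continue
        seen.add((sw, vlan))
        for (s, p), mode in ports.items():
            if s != sw or p == came_in or mode not in (TRUNK, vlan):
                continue  # other switch, ingress port, or access port in another VLAN
            far = peer[(s, p)]
            # Only a non-native VLAN leaving a trunk carries an 802.1Q tag.
            tag = vlan if mode == TRUNK and vlan != NATIVE else None
            if isinstance(far, str):
                if tag is None:
                    hosts.add(far)               # end hosts accept untagged frames only
            elif ports[far] == TRUNK:
                queue.append((far, tag or NATIVE))
            elif tag is None:
                queue.append((far, ports[far]))  # far access port re-classifies the frame
    return hosts

def topology(fa0_22):
    """Constructed model of the thread's path. Assumed: core Gi0/1 as the closet uplink,
    an 'old-gw' core port in VLAN 1 for the old gateway, and all host names."""
    ports = {("new", "ap"): 1, ("new", "Fa0/19"): 1,
             ("closet", "Fa0/1"): 1, ("closet", "Fa0/22"): fa0_22, ("closet", "Fa0/24"): TRUNK,
             ("core", "Gi0/1"): TRUNK, ("core", "Gi0/12"): 15, ("core", "old-gw"): 1}
    links = {("new", "ap"): "new-client", ("new", "Fa0/19"): ("closet", "Fa0/22"),
             ("closet", "Fa0/1"): "old-client", ("closet", "Fa0/24"): ("core", "Gi0/1"),
             ("core", "Gi0/12"): "new-dhcp", ("core", "old-gw"): "old-dhcp"}
    return ports, links

if __name__ == "__main__":
    for label, mode in (("access, default VLAN 1", 1), ("trunk", TRUNK), ("access vlan 15", 15)):
        for client in ("new-client", "old-client"):
            reached = sorted(broadcast_reach(*topology(mode), client))
            print(f"Fa0/22 {label:24} {client}: {reached}")
```

In this model, a client behind the new switch reaches only `new-dhcp` once Fa0/22 is `switchport access vlan 15`; with Fa0/22 left in the default VLAN 1, or as a trunk receiving untagged frames, its broadcast lands in VLAN 1 and reaches `old-dhcp` instead.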

Thank you sir!

I will let you know tomorrow.

Thanks