Solved: When Tagged AP clients not receiving dhcp address

MSDelamater · ‎05-25-2022

Having an problems passing dhcp traffic between Unifi APs and 1121-4p router. Physical layout is:

1121-4 Router --> SG200 switch -->TLS circuit --> UAP-AC-SHD

When the APs are using default vlan, clients and APs receive dhcp addresses. 10.20.30.x When I switch the SSID to use VLAN30. The APs receive 10.20.30.x addresses but clients do not. Have tried setting 10.20.20.1 as the IP helper-address in VLAN30 but it did not solve the issue.

Below is the run from the router, show vlan, show ip route, SG200 port/vlan connections.

Thanks,

Mark.

PoplarRC#show vlan

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi0/1/2, Gi0/1/3
10 VLAN0010 active
30 VLAN0030 active Gi0/1/0, Gi0/1/1
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 0 0
10 enet 100010 1500 - - - - - 0 0
30 enet 100030 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0

Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------

PoplarRC#

***********************************************************************

PoplarRC#show ip route

Gateway of last resort is 172.87.0.1 to network 0.0.0.0

S* 0.0.0.0/0 [254/0] via 172.87.0.1
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.20.20.0/24 is directly connected, Vlan1
L 10.20.20.1/32 is directly connected, Vlan1
C 10.20.30.0/24 is directly connected, Vlan30
L 10.20.30.1/32 is directly connected, Vlan30
172.87.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.87.0.0/21 is directly connected, GigabitEthernet0/0/1
L 172.87.4.26/32 is directly connected, GigabitEthernet0/0/1
199.59.116.0/32 is subnetted, 1 subnets
S 199.59.116.1 [254/0] via 172.87.0.1, GigabitEthernet0/0/1
PoplarRC#

***********************************************************************

PoplarRC#show run
Building configuration...

Current configuration : 7690 bytes
!
! Last configuration change at 10:34:04 UTC Wed May 25 2022
!
version 17.5
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname PoplarRC
!

!
no aaa new-model
!
!
!
!
ip name-server 64.90.65.2 64.90.65.5 8.8.8.8
ip dhcp excluded-address 10.20.20.1 10.20.20.10
ip dhcp excluded-address 10.20.30.1 10.20.30.10
ip dhcp excluded-address 10.20.10.1 10.20.10.10
!
ip dhcp pool PoplarPool1
import all
network 10.20.20.0 255.255.255.0
default-router 10.20.20.1
dns-server 8.8.8.8 8.8.4.4 10.20.20.1
lease 0 4
!
ip dhcp pool PoplarPool2
import all
network 10.20.30.0 255.255.255.0
default-router 10.20.30.1
dns-server 8.8.8.8 8.8.4.4 10.20.30.1
lease 0 4
!
ip dhcp pool PoplarPool3
import all
network 10.20.10.0 255.255.255.0
default-router 10.20.10.1
dns-server 8.8.8.8 8.8.4.4 10.20.10.1
lease 0 4
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-767876715
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-767876715
revocation-check none
rsakeypair TP-self-signed-767876715
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-767876715
certificate self-signed 01
28
quit
!
!
license udi pid C1121-4P sn FGL2608L9LX
memory free low-watermark processor 70642
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 password
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
ip nat outside
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
ip dhcp client hostname PRC
ip dhcp client update dns
ip address dhcp
ip nat outside
negotiation auto
!
interface GigabitEthernet0/1/0
switchport access vlan 30
!
interface GigabitEthernet0/1/1
switchport access vlan 30
switchport trunk native vlan 10
switchport trunk allowed vlan 10,30
switchport mode trunk
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Vlan1
ip address 10.20.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan10
ip address 10.20.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan30
ip address 10.20.30.1 255.255.255.0
ip helper-address 10.20.20.1
ip nat inside
ip virtual-reassembly
!
no ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/1
ip forward-protocol nd
ip nat inside source list NATout interface GigabitEthernet0/0/1 overload
ip nat inside source list NATout2 interface GigabitEthernet0/0/0 overload
!
!
ip access-list standard NATout
10 permit 10.20.20.0 0.0.0.255
20 permit 10.20.30.0 0.0.0.255
30 permit 10.20.10.0 0.0.0.255
ip access-list standard NATout2
10 permit 10.20.30.0 0.0.0.255
20 permit 10.20.20.0 0.0.0.255
30 permit 10.20.10.0 0.0.0.255
!
!
*************************************************************
SG200 Switch

GE1 Trunk 10UP 30T 50T Connects to unmanaged switch which Unifi APs connect to

GE9 Trunk 10UP 30T 50T Connected to Router Gi0/1/0

GE18 Trunk 1UP Connected to Router Gi0/1/3

MSDelamater · ‎05-25-2022

Before creating the vlan10 and its dhcp setting, I had tried setting interface GigabitEthernet0/1/1, switchport mode trunk.

Deleted the switchport-access setting.

Current config.

interface GigabitEthernet0/1/1
switchport trunk native vlan 10
switchport trunk allowed vlan 10,30
switchport mode trunk

Performed the cable switch late afternoon. The APs and Clients are now being assigned. 10.20.10.x addresses.

Later tonight I will test switching the clients to vlan30.

-Mark

View solution in original post

Flavio Miranda · ‎05-25-2022

Hi

Not familiar with Unifi APs but it seems to me that your missing trunk between switch and AP. If you want to send SSID traffic to a specific vlan, then, you need to extend this vlan using trunk from the switch up to the AP.

when using default vlan, which must be the Native vlan, it works because this vlan is not tagged, so you dont need trunk for that.

MSDelamater · ‎05-25-2022

Since the C1121-4P has both a switch and router built in. It causes a bit of confusion on my part.

Presently Gi0/1/0 is set to :

interface GigabitEthernet0/1/0
switchport access vlan 30

I have tried connecting the SG200 to Gi0/1/1 in trunk mode but have not had success:

Presently Gi0/1/1 is set to:

interface GigabitEthernet0/1/1
switchport access vlan 30
switchport trunk native vlan 10
switchport trunk allowed vlan 10,30
switchport mode trunk

Before I switch the cable from the SG200 to Gi0/1/1, do you see any changes that need to be made to Gi0/1/1?

Thanks

Flavio Miranda · ‎05-25-2022

this config is not good:

interface GigabitEthernet0/1/1
switchport access vlan 30
switchport trunk native vlan 10
switchport trunk allowed vlan 10,30
switchport mode trunk

Or you config the interface as access or trunk, no both.

Take this line "switchport access vlan 30" off

For start and to keep it simple, as you are still implementing, config like this:

nterface GigabitEthernet0/1/1
switchport mode trunk

MSDelamater · ‎05-25-2022