how can i connect and configure AIR-AP2802I-I-K9C

amralrazzaz
Level 5

Hi all, I need help with the questions below on how to configure the AP:

  • How can I connect and configure AIR-AP2802I-I-K9C (AP only; I'll use it without a WLC) to my network?
  • How can I create two SSIDs, one for office WiFi and the other for guests?
  • I have a Cisco switch: 2960-X series, 24 ports GigE PoE 370W, 4 x 1G SFP, LAN Base.
  • What kind of switch port should I connect the AP to (trunk port or access port)?
  • Should I create the VLAN for guests and another VLAN for employees on the AP, and then create them again on the switch and assign them to the port connected to the AP? I need an example.
  • The AP configuration is done from the Mobility Express GUI. Correct?
  • Can you please check the attached picture of my network diagram? (2 switches and 1 router)
  • Regarding the power fed from the switch to the AP: is it feeding enough stable power to my AP? (Can the kind of switch I have feed power to the AP via PoE?)

 

amr alrazzaz
15 Replies

Haydn Andrews
VIP Alumni

Hi

 

Take a look at the Mobility express deployment guide:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-3/b_Cisco_Mobility_Express_Deployment_Guide/b_Cisco_Mobility_Express_Deployment_Guide_chapter_010.html

 

The AP will work in Flexconnect mode and join the Mobility Express Controller inside the AP.

To allow multiple VLANs you will need to map them to the VLANs on the switch:

 

interface GigabitEthernet1/0/37
description » Connected to Master AP « 
switchport trunk native vlan 122 
switchport trunk allowed vlan 10,20,122
switchport mode trunk

https://www.cisco.com/c/en/us/td/docs/wireless/access_point/mob_exp/83/user_guide/b_ME_User_Guide_83/b_ME_User_Guide_83_chapter_01000.html#topic_2604B144ADFA42BEBBC5A1C706B80C5E

 

Regarding the PoE draw:

The AP supports 802.3at PoE+ which it looks like the 2960 can supply:

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-2960-x-series-switches/datasheet_c78-728232.html

 

The config can be managed via the Mobility Express WebUI or the CLI, so whatever suits.

 

As to whether you should use separate VLANs for employees and guests, this is a security decision. Normally you don't want the guest traffic to be able to reach the corporate traffic, so I would use two VLANs and ACLs to block traffic not allowed between the two.

 

Hope this helps.

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

Can you give me an example of an ACL to separate both VLANs, office and guest traffic?

amr alrazzaz

You could do that on the AP, but it's much better to do that on the router which is connecting those two VLANs. What kind of router are you using?
Assuming your guest and office traffic is not in the same VLAN.

The router I have is a 2911 ISR.

How do I let the WiFi guest VLAN access the internet only, with the other VLANs blocked? And can the other VLANs access WiFi guest?

Should I use an access list?

LIST OF INTERVLAN ROUTING GATEWAYS:

192.168.2.207/24   VLAN 2     LAN
192.168.3.207/24   VLAN 9     PRINTER
192.168.4.207/24   VLAN 20    WIFI-OFFICE
192.168.5.207/24   VLAN 55    NATIVE
192.168.6.207/24   VLAN 200   VOICE
192.168.7.207/24   VLAN 250   MGMT
192.168.8.207/24   VLAN 912   WIFI-GUEST
192.168.9.207/24   VLAN 230   STREAMING

amr alrazzaz

Correct, I would put an ACL on the guest VLAN denying access to all your other internal networks and maybe allowing it to use the internet.

Make sure the clients can reach the DHCP and DNS servers, if those are in your internal network.

Yes, it's inside the router, as below:

How do I block WiFi guest from accessing the other VLANs and allow only an internet connection? Should the other VLANs access WiFi guest, or is there no need, so just block the guest from accessing the other VLANs? And how do I exclude the printer VLAN, so WiFi guest can only use the printer on my network?

 

Frico#show run
Building configuration...

Current configuration : 4318 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Frico
!
!
!
enable password cisco
!
!
ip dhcp excluded-address 192.168.2.207
ip dhcp excluded-address 192.168.3.207
ip dhcp excluded-address 192.168.4.207
ip dhcp excluded-address 192.168.5.207
ip dhcp excluded-address 192.168.6.207
ip dhcp excluded-address 192.168.7.207
ip dhcp excluded-address 192.168.8.207
ip dhcp excluded-address 192.168.9.207
ip dhcp excluded-address 192.168.7.1
ip dhcp excluded-address 192.168.7.20
ip dhcp excluded-address 192.168.7.10
ip dhcp excluded-address 192.168.7.2
ip dhcp excluded-address 192.168.3.88
ip dhcp excluded-address 192.168.2.20
ip dhcp excluded-address 192.168.2.10
ip dhcp excluded-address 192.168.2.100

ip dhcp pool LAN
network 192.168.2.0 255.255.255.0
default-router 192.168.2.207
domain-name GDS.LOCAL
dns-server 8.8.8.8 8.8.4.4
ip dhcp pool Printers
network 192.168.3.0 255.255.255.0
default-router 192.168.3.207
dns-server 8.8.8.8 8.8.4.4
ip dhcp pool WIFI-OFFICE
network 192.168.4.0 255.255.255.0
default-router 192.168.4.207
domain-name GDS.LOCAL
dns-server 8.8.8.8 8.8.4.4
ip dhcp pool Native
network 192.168.5.0 255.255.255.0
default-router 192.168.5.207
dns-server 8.8.8.8 8.8.4.4
ip dhcp pool Voice
network 192.168.6.0 255.255.255.0
default-router 192.168.6.207
option 150 ip 192.168.6.207
dns-server 8.8.8.8 8.8.4.4
ip dhcp pool MGMT
network 192.168.7.0 255.255.255.0
default-router 192.168.7.207
dns-server 8.8.8.8 8.8.4.4
ip dhcp pool WIFI-GUEST
network 192.168.8.0 255.255.255.0
default-router 192.168.8.207
dns-server 8.8.8.8 8.8.4.4
ip dhcp pool STREAMING
network 192.168.9.0 255.255.255.0
default-router 192.168.9.207
dns-server 8.8.8.8 8.8.4.4
!
!
ip dhcp global-options
dns-server 163.121.128.134 163.121.128.135
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef

interface FastEthernet0/0
description connected to local NW-INTERVLAN
no ip address
ip nat inside
ip flow ingress
ip flow egress
duplex auto
speed auto
!
interface FastEthernet0/0.2
description LAN
encapsulation dot1Q 2
ip address 192.168.2.207 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.9
description printers
encapsulation dot1Q 9
ip address 192.168.3.207 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.20
description WIFI-OFFICE
encapsulation dot1Q 20
ip address 192.168.4.207 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.55
description native
encapsulation dot1Q 55 native
ip address 192.168.5.207 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.200
description voice
encapsulation dot1Q 200
ip address 192.168.6.207 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.230
description streaming
encapsulation dot1Q 230
ip address 192.168.9.207 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.250
encapsulation dot1Q 250
ip address 192.168.7.207 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.912
description WIFI-Guest
encapsulation dot1Q 912
ip address 192.168.8.207 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
description connedted to ISP
ip address 192.168.1.207 255.255.255.0
ip nat outside
ip flow ingress
ip flow egress
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown


ip flow-top-talkers

ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source list 2 interface FastEthernet0/1 overload
ip nat inside source list 3 interface FastEthernet0/1 overload
ip nat inside source list 4 interface FastEthernet0/1 overload
ip nat inside source list 5 interface FastEthernet0/1 overload
ip nat inside source list 6 interface FastEthernet0/1 overload
ip nat inside source list 7 interface FastEthernet0/1 overload
ip nat inside source list 8 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.253 or fastethernet0/1
!
ip http server
ip http authentication local
ip http secure-server
ip flow-export version 9
top 60
sort-by packets
!

 

router eigrp 100
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
network 192.168.5.0
network 192.168.6.0
network 192.168.7.0
network 192.168.8.0
no auto-summary


!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 3 permit 192.168.4.0 0.0.0.255
access-list 4 permit 192.168.5.0 0.0.0.255
access-list 5 permit 192.168.6.0 0.0.0.255
access-list 6 permit 192.168.7.0 0.0.0.255
access-list 7 permit 192.168.8.0 0.0.0.255
access-list 8 permit 192.168.9.0 0.0.0.255




no cdp run


!
!
line con 0
password cisco
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login local
transport input all
line vty 5 15
exec-timeout 5 0
login local
transport input all

!
scheduler allocate 20000 1000
ntp master
!
end

amr alrazzaz
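In the pasted running-config every dot1Q subinterface is NAT inside but none carries an access-group, which is the gap the replies below address. As an added example (not code from the thread or from Cisco), the following Python check walks an IOS running-config, collects each dot1Q subinterface with its VLAN and gateway address, and lists the ones with no inbound `ip access-group`. The embedded configuration is a constructed, shortened copy of the one above; the block-end rule (a `!`, a blank line, or the next `interface` line) is chosen so that both real `show run` output and an unindented forum paste parse the same way.

```python
"""Added example (not from the thread): list the dot1Q subinterfaces of an
IOS running-config that have no inbound access-group applied."""
import re
import sys

# Constructed sample: a shortened copy of the running-config posted above,
# with the one-space indentation that 'show run' prints.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 description connected to local NW-INTERVLAN
 no ip address
 ip nat inside
!
interface FastEthernet0/0.2
 description LAN
 encapsulation dot1Q 2
 ip address 192.168.2.207 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.9
 description printers
 encapsulation dot1Q 9
 ip address 192.168.3.207 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.912
 description WIFI-Guest
 encapsulation dot1Q 912
 ip address 192.168.8.207 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description connected to ISP
 ip address 192.168.1.207 255.255.255.0
 ip nat outside
!
"""


def parse_interfaces(config):
    """Return {interface name: [its config lines]}. A block ends at '!',
    at a blank line or at the next 'interface' line."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def subinterfaces_without_inbound_acl(config):
    """(name, vlan, address) for each dot1Q subinterface that lacks
    'ip access-group <acl> in'. Parent interfaces without dot1Q are skipped."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        vlan = address = None
        inbound_acl = False
        for line in lines:
            m_vlan = re.match(r"encapsulation dot1q (\d+)", line, re.IGNORECASE)
            m_addr = re.match(r"ip address (\S+) \S+", line)
            if m_vlan:
                vlan = int(m_vlan.group(1))
            elif m_addr:
                address = m_addr.group(1)
            elif re.match(r"ip access-group \S+ in$", line):
                inbound_acl = True
        if vlan is not None and not inbound_acl:
            findings.append((name, vlan, address))
    return findings


if __name__ == "__main__":
    # Pass a saved 'show run' file as the first argument to audit a real config.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name, vlan, address in subinterfaces_without_inbound_acl(text):
        print(f"{name}: VLAN {vlan} gateway {address} has no inbound ACL")
```

Run against the sample it reports VLANs 2, 9 and 912; once `ip access-group in_guest_traffic in` is added under FastEthernet0/0.912, that subinterface drops out of the list, which is a quick way to confirm the change landed on the right subinterface.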

A very simple one (please note it might need some tweaking):
conf t
ip access-list extended in_guest_traffic
deny ip any 192.168.2.0 0.0.0.255
deny ip any 192.168.3.0 0.0.0.255
deny ip any 192.168.4.0 0.0.0.255
deny ip any 192.168.5.0 0.0.0.255
deny ip any 192.168.6.0 0.0.0.255
deny ip any 192.168.7.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255
permit ip any any
! apply it to the interface
interface FastEthernet0/0.912
ip access-group in_guest_traffic in
end

Please test if all other networks are blocked. The last line should provide full internet access without restrictions.

Not sure what you mean with the printer vlan.

I need to exclude the printer network traffic from the blocking of the other VLANs,

so WiFi guest can access the printers.

My printers already have their own VLAN, as below:

And also, what do you mean by "A very simple one (please note it might need some tweaking)"?

ip dhcp pool Printers
network 192.168.3.0 255.255.255.0
default-router 192.168.3.207
dns-server 8.8.8.8 8.8.4.4

 

interface FastEthernet0/0.9
description printers
encapsulation dot1Q 9
ip address 192.168.3.207 255.255.255.0
ip nat inside

 

 

I need WiFi guest to access the printers so they are able to connect and print.

 

amr alrazzaz

Ok, then it depends on the printing protocol you want to allow. Assuming LPR (tcp/9100), it looks like:
ip access-list extended in_guest_traffic
deny ip any 192.168.2.0 0.0.0.255
permit tcp any 192.168.3.0 0.0.0.255 eq 9100
deny ip any 192.168.3.0 0.0.0.255
deny ip any 192.168.4.0 0.0.0.255
deny ip any 192.168.5.0 0.0.0.255
deny ip any 192.168.6.0 0.0.0.255
deny ip any 192.168.7.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255
permit ip any any

What about the below:

192.168.3.2   printer

192.168.3.1 another printer

conf t
ip access-list extended in_guest_traffic

permit ip host 192.168.3.2 any
permit ip any host 192.168.3.2
permit ip host 192.168.3.1 any
permit ip any host 192.168.3.1


deny ip any 192.168.2.0 0.0.0.255
deny ip any 192.168.3.0 0.0.0.255
deny ip any 192.168.4.0 0.0.0.255
deny ip any 192.168.5.0 0.0.0.255
deny ip any 192.168.6.0 0.0.0.255
deny ip any 192.168.7.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255
permit ip any any
! apply it to the interface
interface FastEthernet0/0.912
ip access-group in_guest_traffic in

 

I have tested it and it's working, so is this config okay for you?

amr alrazzaz

Also, depending on the configuration that I have with all the VLANs, how can I configure the NTP server?

Should I create another VLAN for the NTP server, or how? And how can the other VLANs take the correct time from it?

amr alrazzaz

ACL looks fine.
I suggest you directly configure NTP on the Router, it can serve time to the other clients.
A very simple configuration:

ntp source FastEthernet0/1
! the interface with which the router tries to contact the external NTP sources
ntp access-group peer 80
! ACL to restrict access to the NTP functionality
ntp master 6
ntp server 82.220.2.2
! a public server
ntp server 195.141.190.190
! a public server

ip access-list standard 80
permit 195.141.190.190
permit 82.220.2.2
permit 192.168.0.0 0.0.0.255
permit 192.168.1.0 0.0.0.255
permit 192.168.2.0 0.0.0.255
permit 192.168.3.0 0.0.0.255
! add other networks here that should access NTP
deny any
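To act on "please test if all other networks are blocked" without a lab, both ACLs from this thread can be checked offline. The block below is an added example, not code from the thread or from Cisco: a small first-match evaluator for IOS-style ACL entries (extended `permit|deny ip|tcp|udp src dst [eq port]` and standard source-only entries, with the implicit deny at the end) run over constructed sample flows. The guest client 192.168.8.50, LAN host 192.168.2.10, office WiFi host 192.168.4.20 and printer 192.168.3.2 are constructed addresses; the ACL text is the `in_guest_traffic` list with the tcp/9100 permit and the standard list 80 from the NTP reply. It assumes contiguous wildcard masks, which is all this thread uses. Two things it makes visible: the tcp/9100 permit covers raw/JetDirect printing only, so a client printing over LPD on tcp/515 is still denied and would need its own permit line, and list 80 as written does not yet include the WIFI-OFFICE network, which is exactly the "add other networks here" line in the reply.

```python
"""Added example (not from the thread): first-match evaluator for IOS-style
ACLs, used to test the guest ACL and the NTP access-list offline."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Guest ACL as posted in the thread (the version with the tcp/9100 permit).
GUEST_ACL = """\
ip access-list extended in_guest_traffic
 deny ip any 192.168.2.0 0.0.0.255
 permit tcp any 192.168.3.0 0.0.0.255 eq 9100
 deny ip any 192.168.3.0 0.0.0.255
 deny ip any 192.168.4.0 0.0.0.255
 deny ip any 192.168.5.0 0.0.0.255
 deny ip any 192.168.6.0 0.0.0.255
 deny ip any 192.168.7.0 0.0.0.255
 deny ip any 192.168.9.0 0.0.0.255
 permit ip any any
"""

# Standard list 80 from the NTP reply, before any extra networks are added.
NTP_ACL = """\
ip access-list standard 80
 permit 195.141.190.190
 permit 82.220.2.2
 permit 192.168.0.0 0.0.0.255
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
 permit 192.168.3.0 0.0.0.255
 deny any
"""


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', 'A WILDCARD' or a bare 'A'.
    Returns (network, remaining tokens). Assumes a contiguous wildcard mask."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) > 1 and tokens[1].count(".") == 3:
        wildcard = int(ipaddress.IPv4Address(tokens[1]))
        prefix = 32 - wildcard.bit_length()          # 0.0.0.255 -> /24
        return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/32"), tokens[1:]


def parse_acl(text):
    """Parse one ACL into (action, proto, src, dst, dport) tuples. Standard
    (source-only) entries get proto 'ip', dst any and no port."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("!")[0].strip()             # '!' starts an IOS comment
        if not line or line.startswith("ip access-list"):
            continue
        action, *tokens = line.split()
        if tokens[0] in ("ip", "tcp", "udp"):        # extended entry
            proto, tokens = tokens[0], tokens[1:]
            src, tokens = _parse_addr(tokens)
            dst, tokens = _parse_addr(tokens)
            dport = int(tokens[1]) if tokens[:1] == ["eq"] else None
            entries.append((action, proto, src, dst, dport))
        else:                                        # standard entry
            src, _ = _parse_addr(tokens)
            entries.append((action, "ip", src, ANY, None))
    return entries


def evaluate(entries, proto, src, dst, dport=None):
    """Walk the entries top to bottom and return the first matching action;
    a flow that matches nothing hits the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, e_proto, e_src, e_dst, e_port in entries:
        if e_proto != "ip" and e_proto != proto:
            continue
        if src_ip not in e_src or dst_ip not in e_dst:
            continue
        if e_port is not None and e_port != dport:
            continue
        return action
    return "deny"


def check_guest_policy():
    """Constructed flows from a guest client (192.168.8.50) in VLAN 912."""
    acl = parse_acl(GUEST_ACL)
    g = "192.168.8.50"
    return {
        "guest -> LAN file share": evaluate(acl, "tcp", g, "192.168.2.10", 445),
        "guest -> printer raw 9100": evaluate(acl, "tcp", g, "192.168.3.2", 9100),
        "guest -> printer LPD 515": evaluate(acl, "tcp", g, "192.168.3.2", 515),
        "guest -> internet DNS": evaluate(acl, "udp", g, "8.8.8.8", 53),
        "DHCP discover broadcast": evaluate(acl, "udp", "0.0.0.0", "255.255.255.255", 67),
    }


def check_ntp_access():
    """Which sources list 80 admits to NTP, as written in the reply above."""
    acl = parse_acl(NTP_ACL)
    return {
        "upstream 82.220.2.2": evaluate(acl, "udp", "82.220.2.2", "192.168.1.207", 123),
        "LAN host 192.168.2.10": evaluate(acl, "udp", "192.168.2.10", "192.168.2.207", 123),
        "WIFI-OFFICE host 192.168.4.20": evaluate(acl, "udp", "192.168.4.20", "192.168.4.207", 123),
    }


if __name__ == "__main__":
    for name, verdict in {**check_guest_policy(), **check_ntp_access()}.items():
        print(f"{verdict:6} {name}")
```

The DHCP row is there because of the earlier advice to make sure clients can still reach DHCP and DNS: the discover goes to the broadcast address, which none of the deny lines cover, so it falls through to `permit ip any any`. Adding a new line to either ACL and re-running the checks is cheaper than finding out on the router that a deny landed above a permit.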

Just for your info, all the other configurations are on the router already.

On the switch I only configure VLANs / VTP / trunks and so on :)

Thanks man.

amr alrazzaz

So I'll configure the main gateway as the NTP source, so NTP is not in a VLAN, and this interface 0/0 will be the master of all so everyone can take the time from it? Am I correct?

amr alrazzaz