
Multiple networks and SSIDs on Cisco C1111-8PW

Spork Schivago
Level 1

Hello!

I've been reading a few documents here on setting up multiple SSIDs and networks on Cisco devices but I am having some issues. Currently, I want at least three VLANs, one called IoT, one called Enterprise, and one called Guests. I have a total of four wireless APs that I want set up, so when people move out of range with the first one, it will automatically connect them to the second one. I want all APs to share the same SSIDs, but right now, I've been only concentrating on getting the first AP set up.

The first AP and the wireless network controller are built into my router, the Cisco C1111-8PW. I have a static public IP address set up on the router, interface gigabitethernet 0/0/1, and I can ping the outside world. I have set up a DHCP server on the router, which hands out IP addresses on the 10.0.0.x network, with a netmask of 255.255.255.0. The wireless network controller is assigned an IP of 10.0.0.2 and I can access its web-based config from the network or via the CLI. I have two SSIDs set up on the AP, we can pretend the first one is called SSID_1 and the second is called SSID_2.

I can successfully connect to SSID_1, I receive an IP address in the 10.0.0.x range, I can ping the outside world, and everything is good there.   However, it's the SSID_2 I am having trouble with.    I want the SSID_2 on the 10.0.10.0 network, with a netmask of 255.255.255.0.   I have created a DHCP pool on the WLC and assigned it to the SSID_2.   I have also assigned the SSID_2 to VLAN 40.   This is where I think I am having issues.    When I connect to the wireless SSID_2, it shows the gateway address is 10.0.0.2, but I cannot ping 10.0.0.2 and I cannot reach the outside internet.

I have a DHCP server running on the router which hands out the 10.0.0.x addresses to the wireless LAN controller and any device physically plugged into the router, and on the wireless LAN controller, I have a DHCP server set up to hand out addresses in the 10.0.10.x network. The DHCP server on the WLC is set so it hands out the WLC's IP address as the gateway address. I want to keep these two networks isolated, so people on SSID_2 cannot access stuff on the 10.0.0.x network.

Are there any config files I could show and could someone please try to help me figure out what I have done wrong and how to fix it?

Thanks!

3 Replies

Spork Schivago
Level 1

I've uploaded three files to make the thread a little cleaner.   One shows the current running config of the router, one shows the start-up commands of the Wireless LAN Controller, and the final one shows the output of the show flexconnect group detail default-flexgroup.

 

I am not certain what I am doing wrong.   I noticed if I connect to my "guest" network, I do receive an IP address from the WLC, but ipconfig /all in Windows shows the DHCP server is actually running on address 10.0.40.254, not 10.0.40.2.   I am almost certain that I have the VLANs configured incorrectly.

I can submit a drawing of the network topology with the various hardware if it helps.

 

It looks a little like this:

 

WAN
 |
ONT
 |
C1111-8PW with built-in WLC + AP0
 |
HPE 5900AF-48G-4XG-2QSFP+
 |
VLAN1          VLAN20          VLAN40
ENTERPRISE     IOT             GUESTS
10.0.0.0/24    10.0.20.0/24    10.0.40.0/24

I need the VLANs configured on the WLC and router as well, because my switch does not support POE, however, the router does. I think it would be best if I tried configuring the DHCP server on the router with three pools, one for each VLAN / network, but I am not certain how to configure it so people on the VLAN networks receive the addresses from the proper pool. I think that would be better than having a DHCP server running on the router, and one running on its built-in WLC.

I'd greatly appreciate any help at all!   Thanks!!!!!

I believe I figured it out now. I have the DHCP server set up on the router with the two pools. I forgot to modify my ACL rules. Now, I just need to figure out how to isolate the VLANs, however, I think that's for a different thread.

The traditional way to isolate the VLANs is by adding an access-list incoming to the vlan interface, where you deny the traffic of the other vlan and permit all the other traffic. Keep in mind, the idea of a router is to connect different networks, not to block them. That's what firewalls are for :)
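
Added example, not part of the thread or the poster's uploaded configs: a Cisco IOS sketch of the router-side DHCP pools per VLAN and the inbound-ACL isolation described in the reply above. The VLAN IDs and subnets come from the thread's diagram; the .1 gateway addresses, the excluded ranges, and the pool and ACL names are assumptions.

```cisco
! Assumption: the router owns .1 in each VLAN subnet; pool and ACL names are hypothetical.
! The DHCP server picks the pool whose network matches the interface the request arrived on,
! so a client on Vlan40 is served from GUESTS and a client on Vlan20 from IOT.
ip dhcp excluded-address 10.0.20.1 10.0.20.10
ip dhcp excluded-address 10.0.40.1 10.0.40.10
!
ip dhcp pool IOT
 network 10.0.20.0 255.255.255.0
 default-router 10.0.20.1
!
ip dhcp pool GUESTS
 network 10.0.40.0 255.255.255.0
 default-router 10.0.40.1
!
! Guests: deny the Enterprise and IoT subnets, permit everything else (internet).
ip access-list extended GUESTS-IN
 deny   ip 10.0.40.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip 10.0.40.0 0.0.0.255 10.0.20.0 0.0.0.255
 permit ip any any
!
! IoT: deny the Enterprise and Guests subnets, permit everything else.
ip access-list extended IOT-IN
 deny   ip 10.0.20.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip 10.0.20.0 0.0.0.255 10.0.40.0 0.0.0.255
 permit ip any any
!
! Apply each ACL inbound on the VLAN interface, so traffic is filtered as it
! enters the router from that VLAN and before it is routed anywhere.
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip access-group IOT-IN in
!
interface Vlan40
 ip address 10.0.40.1 255.255.255.0
 ip access-group GUESTS-IN in
```

These ACLs are stateless, so replies from a guest or IoT host to a connection started from the Enterprise VLAN are dropped as well. `show access-lists` displays per-entry match counters, which confirms whether the deny lines are being hit.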