Guest Network On AP541N

Keegan Santos

Good afternoon everyone. I'm trying to set up a guest wireless network that isolates traffic on said guest network from the internal network and only provides internet access, and have been unsuccessful thus far. I'll outline my setup below.

The AP has two wireless networks set up on it: one is the primary network, using VLAN 1 and WPA (which works with no issues); the second is what is supposed to be the guest wifi, and it's using VLAN 5 and no security (on this one I just changed the name of the cisco-scan network).

On the switch (SG-200-50) the AP is on port 8, which is set up as a member of VLAN 5 (tagged, untagged on VLAN 1), and port 24 (tagged in VLAN 5, tagged in VLAN 1) runs to port two on a Cisco ASA 5505. Port 2 is configured on an interface called DMZ; this interface is using security level 50 and is also using VLAN 5 for its ports. On this interface, due to the rather stupid licensing restrictions, I cannot set up the interface as a trunk, nor can I create another interface and use that one as a trunk, so I'm stuck with using the DMZ interface. I also set up a DHCP server to use a different subnet than the internal network to dish out addresses.

Problem is that whenever I connect to the guest network I cannot ping the address assigned to the DMZ interface no matter what I do, nor will it give out addresses. If I hook directly to the port on the router with my laptop it works just fine: internet access is up, no access to the internal network, and DHCP works perfectly. But if I try to get to it through the switch then it doesn't work.

If I can provide any more information please let me know, and thank you in advance for any help you can provide.


stumulur

Hello Keegan,

I am trying to set up a lab for the scenario discussed. If possible, could you please share the configuration of the devices to make things move faster?

Great day!

-Sai

You mean the config from a show run in the CLI? If so then I'll see if I can get them next time I'm on site, which should hopefully be tomorrow or the next day. I would do it now but I can't seem to get telnet up and running on those things from the web GUI.

Yes, I would also like to confirm a few points that I understood.

  • I guess the ASA has a license which does not support trunk links
  • Port on ASA is an access link and is on VLAN 5
  • Interfaces of the switch are configured as trunk with (1UT, 5T)
  • Management VLAN on AP is on its default 1

Could you please let me know if I understood the scenario correctly?

-Sai

1. No, it doesn't support it

2. Port 0 is WAN on VLAN 2, port 1 is LAN on VLAN 1, port 2 is DMZ on VLAN 5

3. Yes

4. Yes

Thank you for your replies

Hello,

From my understanding, the problem is with connecting the ASA to the switch. An access port on the ASA is connected to a trunk port on the switch, so the tagged packets from VLAN 5 will be dropped at the ASA ingress point. Here is my suggestion from my lab: connect the two access ports from the ASA to two access ports on the switch with access VLANs (untagged VLANs) matching. Connect a trunk port on the switch with (1UT,5T) to the AP541N with both SSIDs. This setup worked for me.

Please rate helpful posts, so that others may find answers fast.
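
The tagging mismatch described in the reply above, as an added example that is not part of the original thread: it builds real 802.1Q frame bytes and models the switch egress and ASA access-port ingress rules. The class, function names and sample MAC/payload are hypothetical, and the access-port drop rule is taken from the reply's description.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def build_frame(dst, src, ethertype, payload, vlan=None):
    """Build an Ethernet II frame, inserting an 802.1Q tag when vlan is set."""
    tag = b"" if vlan is None else struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def vlan_of(frame):
    """Return the VLAN ID carried in the frame's 802.1Q tag, or None if untagged."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return (tci & 0x0FFF) if tpid == TPID_8021Q else None

class SwitchPort:
    """Switch port with one optional untagged VLAN and a set of tagged VLANs."""
    def __init__(self, untagged=None, tagged=()):
        self.untagged, self.tagged = untagged, set(tagged)

    def egress(self, vlan, dst, src, ethertype, payload):
        """Frame as it leaves the port for traffic in `vlan`; None if not a member."""
        if vlan == self.untagged:
            return build_frame(dst, src, ethertype, payload)
        if vlan in self.tagged:
            return build_frame(dst, src, ethertype, payload, vlan=vlan)
        return None

def access_port_ingress(frame, access_vlan):
    """Access port as described in the reply: tagged frames are dropped (None);
    untagged frames are placed in the port's access VLAN."""
    return None if vlan_of(frame) is not None else access_vlan

# Constructed sample: a broadcast from a guest client in VLAN 5.
BCAST, CLIENT = b"\xff" * 6, bytes.fromhex("020000000005")
ARGS = (BCAST, CLIENT, 0x0800, b"constructed-payload")

def asa_sees(switch_port, vlan=5, asa_access_vlan=5):
    """VLAN the ASA access port assigns to guest traffic, or None if dropped."""
    frame = switch_port.egress(vlan, *ARGS)
    return None if frame is None else access_port_ingress(frame, asa_access_vlan)

original = SwitchPort(untagged=None, tagged={1, 5})  # port 24 as first described
fixed = SwitchPort(untagged=5)                       # access port, untagged VLAN 5

if __name__ == "__main__":
    print("original uplink ->", asa_sees(original))
    print("access uplink   ->", asa_sees(fixed))
```

A laptop plugged straight into the ASA port sends untagged frames, which is why that test worked while the path through the tagged switch port did not.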

       

Ah, I hadn't thought about that. If I can make it back out to the site today I'll give that a try, otherwise I'll try it tomorrow and let you know if it works. Thanks a lot.

Absolutely perfect, achieved everything I was needing, you my friend, are awesome XD.