Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1812
Views
20
Helpful
16
Replies

Aironet 2702 setting VLANs with individual SSIDs

Go to solution
magic
Level 1
Level 1

‎12-06-2020 02:55 AM - edited ‎07-05-2021 12:52 PM

Hi,

 

 I tried to configure 3 VLANs each with own SSID but unsuccessfully. Here is my network setup:

- 2 AIR-CAP2702E-A-K9 all in autonomous mode;

- SG500-52P switch to which both access points are connected;

- additional router (DHCP, internet gateway).

I configured 3 VLANs (ids: 1-native, 2 and 3) each with own SSID (v1 – native, v2 and v3) on the APs. They seem to be working i.e. I’m able to connect to them but there is no IP routing outside of them except the native VLAN which is working perfectly fine. As there is no DHCP routing to the v2 and v3 VLANs, I set card IP address manually but still wasn’t able to communicate with outside networks. Therefore I think that there is something wrong with APs VLAN setup. Do you have any idea what I have missed?

 

Here is snippet from the APs config:

interface Dot11Radio0.1

 encapsulation dot1Q 1 native

 no ip route-cache

 bridge-group 1

 bridge-group 1 subscriber-loop-control

 bridge-group 1 spanning-disabled

 bridge-group 1 block-unknown-source

 no bridge-group 1 source-learning

 no bridge-group 1 unicast-flooding

!

interface Dot11Radio0.2

 encapsulation dot1Q 2

 no ip route-cache

 bridge-group 2

 bridge-group 2 subscriber-loop-control

 bridge-group 2 spanning-disabled

 bridge-group 2 block-unknown-source

 no bridge-group 2 source-learning

 no bridge-group 2 unicast-flooding

!

interface Dot11Radio0.3

 encapsulation dot1Q 3

 no ip route-cache

 bridge-group 3

 bridge-group 3 subscriber-loop-control

 bridge-group 3 spanning-disabled

 bridge-group 3 block-unknown-source

 no bridge-group 3 source-learning

 no bridge-group 3 unicast-flooding

!

interface GigabitEthernet0.1

 encapsulation dot1Q 1 native

 bridge-group 1

 bridge-group 1 spanning-disabled

 no bridge-group 1 source-learning

!

interface GigabitEthernet0.2

 encapsulation dot1Q 2

 bridge-group 2

 bridge-group 2 spanning-disabled

 no bridge-group 2 source-learning

!

interface GigabitEthernet0.3

 encapsulation dot1Q 3

 bridge-group 3

 bridge-group 3 spanning-disabled

 no bridge-group 3 source-learning

 

The Dot11Radio1 is configured by analogy. The switch works in trunk mode (all ports) and I configured the same VLAN ids as the APs, but I think there is something missing in the APs setup, as I’m not able to communicate from the VLANs to outside network.

 

Shall you need more setup information, please let me know. I got blocked and cannot find working solution to multiple VLANs on APs.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to magic

‎12-07-2020 10:57 AM

I understand, it doesn't matter if you configure the ap and switch as a trunk port, you would need to also trunk the switch to the router and define the vlans there.  If you can't, then it will not work as the router only know of vlan 1 and doesn't read any of the other tagging.

Put it this way... if you have vlan 1-10 on your switch, then you need vlan 1-10 on your router.

-Scott
*** Please rate helpful posts ***

View solution in original post

16 Replies 16

Go to solution
MHM Cisco World
VIP
VIP

‎12-06-2020 05:41 AM - edited ‎12-06-2020 11:11 AM

... 

Go to solution
magic
Level 1
Level 1
In response to MHM Cisco World

‎12-06-2020 10:16 AM

I'm not sure what you mean, but ip communication works well from native VLAN (v1), the BVI1 interface properly fetches ip address from DHCP server. It doesn't work from other VLANS (v2 and v3), even when I assigned IP settings (incl. address, mask, gateway and DNS server) manually to a station connected to the wireless network associated with the WLAN (VLAN - v2 and SSID v2 as well).

However your reply convinced me to make an experiment and enable BVI2 interface. Here is brief status:

#show ip interface brief
Interface IP-Address OK? Method Status Protocol
BVI1 156.17.21.108 YES DHCP up up
BVI2 unassigned YES DHCP up up
Dot11Radio0 unassigned YES NVRAM up up
Dot11Radio0.1 unassigned YES unset up up
Dot11Radio0.2 unassigned YES unset up up
Dot11Radio0.3 unassigned YES unset up up
Dot11Radio1 unassigned YES NVRAM up up
Dot11Radio1.1 unassigned YES unset up up
Dot11Radio1.2 unassigned YES unset up up
Dot11Radio1.3 unassigned YES unset up up
GigabitEthernet0 unassigned YES NVRAM up up
GigabitEthernet0.1 unassigned YES unset up up
GigabitEthernet0.2 unassigned YES unset up up
GigabitEthernet0.3 unassigned YES unset up up
GigabitEthernet1 unassigned YES NVRAM up down

 

It looks like the BVI2 didn't fetch IP address from DHCP server, also I found out that it doesn't support bridging, when I tried to assign bridge-group 2 to that itnerface. Any ideas?

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to magic

‎12-06-2020 11:14 AM

let first config static ip for BVI2

interface BVI 2

ip add 

no shut 

!

bridge 2 route ip 

!

bridge irb

 

try above and see show in brief and test connect.

0 Helpful

Go to solution
magic
Level 1
Level 1
In response to MHM Cisco World

‎12-06-2020 01:08 PM

I appreciate that you are trying to help me solve my issue.

I assigned static IP addres to the BVI2 interface, here is compressed status (remaining part is as previously):

#show ip interface brief
Interface IP-Address OK? Method Status Protocol
BVI1 156.17.21.108 YES DHCP up up
BVI2 156.17.21.99 YES manual up up

 

and connected to the WLAN v2 a PC with static IP belonging to the same network. While pinging the BVI2 address I didn't get response - the host was unreachable.

I can share with you config file, if you think it would be helpful. I was trying different settings thus it might be that I mess up something.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎12-06-2020 01:35 PM

Where inter vlan happened in MLS or in router via subinterface?

0 Helpful

Go to solution
magic
Level 1
Level 1
In response to MHM Cisco World

‎12-06-2020 11:18 PM

The v2 and v3 VLANs are setup in AP and switch (SG500) with the same IDs. The router/gateway is not aware of them. However the issue seems to be in the AP, as there is no IP communication in the WLAN - just to be clear SSID is assignedd per VLAN.

0 Helpful

Go to solution
magic
Level 1
Level 1
In response to magic

‎12-07-2020 07:40 AM

I have attached Access Point config file, I hope it will help to identify fix for the issue.

Preview file
5 KB
0 Helpful

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to magic

‎12-07-2020 08:20 AM - edited ‎12-07-2020 08:24 AM

The router needs to know of the vlan’s. The ap will not do any routing as that is a layer 2 device. A layer 3 devices required to have more than one vlan to have connectivity to other vlans and or internet.

-Scott
*** Please rate helpful posts ***

Go to solution
magic
Level 1
Level 1
In response to Scott Fella

‎12-07-2020 08:53 AM

Access Points are connected to switch which is setup in trunk mode, it has the same VLANs configured as the APs. The router provides only DHCP service and is internet gateway. The issue is that devices connected to AP's WLAN are not communicating with other network resources (no ping) except native VLAN (v1) which is working fine. I hope it explains better than what I described in the very first post.

0 Helpful

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to magic

‎12-07-2020 08:59 AM

If you don't have a router or layer 3 device to router traffic, then devices on vlan 1 will communicate with each other, Devices on vlan 2 would only communicate with each other, etc.  Since your vlan 1 is your native and your router knows of this, that is why it works.  Does your router not support vlans?  What router do you have?

-Scott
*** Please rate helpful posts ***
0 Helpful

Go to solution
magic
Level 1
Level 1
In response to Scott Fella

‎12-07-2020 10:25 AM

The router I have is Tp-link TD-W8970, it doesn't support VLANs but it does support multiple SSIDs.

 

Also, devices from VLAN v2 do not communicate with each other (no ping response), they were connected to the AP.

 

/Magic

0 Helpful

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to magic

‎12-07-2020 10:52 AM

If your router doesn't support multiple vlans, then your solution will not work.  Now, when you associate to an ssid on vlan 2 for example, all devices should be able to  communicate unless point to point blocking is enabled.  Also make sure the device firewall is disabled if you are trying to ping.  Basically without a layer 3 router, your other vlans are basically segregated and will never have connectivity to other vlans nor internet.  You probably need to look at routers from Ubiquity, Meraki (but you have to pay for license), Firewalla or stand up a vm and run PFsense or something else.

-Scott
*** Please rate helpful posts ***
0 Helpful

Go to solution
magic
Level 1
Level 1
In response to Scott Fella

‎12-07-2020 11:04 AM

That would explain why it didn't work so far. Thanks for explaining.

 

What if I used the switch to which access points and the router are connected and shift DHCP service there? That should work then... Of course by assigning specific switch ports I could select what device belongs to what VLAN.

 

/Magic

0 Helpful

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to magic

‎12-07-2020 10:57 AM

I understand, it doesn't matter if you configure the ap and switch as a trunk port, you would need to also trunk the switch to the router and define the vlans there.  If you can't, then it will not work as the router only know of vlan 1 and doesn't read any of the other tagging.

Put it this way... if you have vlan 1-10 on your switch, then you need vlan 1-10 on your router.

-Scott
*** Please rate helpful posts ***
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card