Cisco 2504 - setup 2 wlan, one allow internet traffic/one without

dmeduna · ‎05-25-2016

I am trying to setup 2 WLAN's on a Cisco 2504. I have the WLAN setup but when i try and setup a new interface receive and error "Cannot set the port configuration". I have the management interface with no VLAN and setup with our network information and that WLAN works fine but I want to segment our warehouse out of our normal WLAN to not allow internet traffic. I am not sure what other info would help.

Philip D'Ath · ‎05-25-2016

Can you share a screenshot of the interface configuration that is not being accepted.

dmeduna · ‎05-26-2016

I posted some screenshots.

ALIAOF_ · ‎05-26-2016

Under Controller and Interfaces you are saying you are unable to create another VLAN interface?

You should not put any user traffic on your management interface and/or bind SSID to it.

- Create two other VLAN's

- Assign SSID for regular traffic to VLAN lets say 100

- Assign SSID for non internet to VLAN lets say 200

- I'm assuming you are using a router on a stick or a L3 switch for the VLAN's?

- You can always put an ACL allowing access to RFC1918 IP's only and deny any other access on that particular interface.

Please share some screen shots and your design so we can be of more help

dmeduna · ‎05-26-2016

Here is the picture of my interfaces. First I need to create another one to get traffic off my management since everything is going through that one. When I move it to a different one can I use the same setting except IP address and does it have to be on a different port on the controller? Right now there are not VLAN's created the 'Guest' one is not being used right now.

ALIAOF_ · ‎05-26-2016

Your management network is huge do you have that many network devices in there or are you using it for user devices as well?

Any ways when you say "can I use the same settings". What settings are you talking about? If you mean assigning the WLAN SSID to the new VLAN you will create for the user traffic sure under WLAN's you will just click on the SSID and then from the drop down change the interface you are binding it to.

And you shouldn't need to use another port. Just trunk the port on the switch where you have your WLC connected.

dmeduna · ‎05-27-2016

I am new to setting up controllers and just copied the setting from our existing network into there. The AP's are only supporting about 40-50 devices. Is there a way to just have specific AP's not allow internet traffic without setting up a second WLAN?

devils_advocate · ‎05-27-2016

"Your management network is huge do you have that many network devices in there or are you using it for user devices as well?"

Its a /22 so 1022 hosts, not that big.

I have seen bigger :)

Philip D'Ath · ‎05-26-2016

Yes, it does have to be on a different interface (or use a different VLAN tag), and it has to be in a different subnet.

devils_advocate · ‎05-27-2016

It looks like you have already setup a Guest Interface with a Vlan ID of 10 and an IP address of 192.168.100.254.

You would need to create your new SSID and select the 'Guest' interface.

I can't see the details of the Guest interface but assuming you have setup the correct subnet mask and gateway, the SSID should work.

The controller will start to Tag Guest SSID packets with a VLAN ID of 10 so this vlan needs to be tagged on the interface between the switch and the controller for it to work.

Thanks

dmeduna · ‎05-27-2016

I was messing around with Guest interface to try and get a second WLAN with it's own DHCP but couldn't get it working. What i really need to do is not allow internet on specific AP's. Is there a way to do this without setting up a second WLAN?

devils_advocate · ‎05-27-2016

I would just create a second SSID and use an ACL to permit them access to only the LAN subnets and nothing else, should be fairly straight forward.

Sounds like you need to have a read up on how to configure the WLC in terms of interfaces and SSID's etc. Make sure the switchport port going to the controller is a Trunk allowing all Vlans. You can then simply create interfaces based on the Vlan ID and apply them to new SSID's.

Thanks