Cisco 3750X And VLANS

dcgtechnologies
Level 1

Hi All,

I am not a stranger to Cisco switches, but a newbie to VLANs and have had some confusion with them. I am trying to implement a 9800 wireless LAN controller, but I am putting it on hold until I get all my VLANs set up correctly.

I have a total of five vlans. See below

vlan 100 - Internal network with RADIUS server and domain, and main network with default gateway out to the internet

vlan 200 - Wi-Fi SSID for separate devices that are not on the domain, to connect to vlan 100 and go out to the internet

vlan 300 - Wi-Fi SSID for devices for my smart home automation, Nest Protect, etc.

vlan 400 - For an SSID for my garage for internet access

vlan 900 - management of all network and server devices

Here are a couple of sample ports that are assigned to physical devices from a port on the switch. I am running two 3750X switches, and all other ports are on native VLAN 100. See below:

Vlan100 - Internal Network - About 50% of the ports are assigned to this vlan as this is the native Vlan for Internal network

interface GigabitEthernet1/0/12
switchport access vlan 100
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk

Vlan200 and VLAN300 share this port - three Wi-Fi SSIDs

interface GigabitEthernet1/0/48
switchport access vlan 100
switchport trunk allowed vlan 100-300,900
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk

VLAN400 - 1 Wifi SSID

interface GigabitEthernet1/0/47
switchport access vlan 100
switchport trunk allowed vlan 400
switchport trunk encapsulation dot1q
switchport trunk native vlan 400
switchport mode trunk

Vlan900 - Management network

interface GigabitEthernet1/0/2
switchport access vlan 900
switchport trunk encapsulation dot1q
switchport trunk native vlan 900
switchport mode trunk

I run a Zyxel firewall and right now my default gateway is an untagged interface on the Zyxel firewall. I would like it to be put under VLAN100. This device does all my routing within my network. Right now it is not working correctly, because when I introduce the VLAN100 profile with IP address 192.168.100.1 my whole network drops and loses access to everything, and I have to roll back to the untagged interface for the firewall. I am keeping the same IP address of 192.168.100.1 as I do not want to re-IP all my devices.

Here is the port that is configured to connect to firewall. See below:

interface GigabitEthernet1/0/1
switchport access vlan 100
switchport trunk allowed vlan 100-400,100
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk

I am working with my vendor and they do not understand Cisco switches, but I have a small understanding and am trying to work out whether my VLAN configuration is correct, based on the sample set of ports I have provided. I want all VLANs to have access to VLAN100 for internet and also to pull resources from the servers, etc. I will be using the 9800 WLC on vlan100 and vlan900. I can hit everything if I leave the untagged interface on the Zyxel with no VLAN on it, but as soon as I move to the VLAN100 profile nothing works at all. Does anyone have any tips or things I should check? Thank you.

2 Accepted Solutions


Rich R
VIP

Right - final attempt at explaining this stuff.  If you are still struggling to grasp it then I suggest you find an appropriate face to face training course where you can ask an instructor to explain and illustrate this to you directly.
Update: And I just realised I replied to an earlier one of your 10 updates so you can ignore the responses to the items that you subsequently marked "resolved"!

A. I really do understand, but I have read some posts where others are changing the default native VLAN 1 to, say, VLAN 2 and assigning all interfaces to that VLAN2. So that is what I was referring to. Is this really possible? I know I cannot delete VLAN1 as it is not possible. I hope this makes more sense.
- You can use whatever VLAN you want (within the allowed VLAN numbers). It's just recommended to avoid using VLAN 1 for security reasons, but you could if you desperately wanted to and didn't care about security. It's much clearer to work with and troubleshoot when every port is explicitly assigned to a VLAN (that isn't 1).

A. So in reference to VMware, I am testing this out and I was able to set up a couple of access ports; one was on subnet 192.168.90.x (VLAN900 in the switch) and another access port on subnet 192.168.10.x (VLAN100 in the switch). The IP address 192.168.90.10 is the management address of the ESXi host. I was able to ping the interface of that host from both subnets, from the host and from the desktop (192.168.10.x). The issue I am having is reaching the management web page and being able to SSH to the host, which I am not able to do. As soon as I put the management network back on subnet 192.168.10.x, which is the subnet my desktop is on, I was able to get the management web page and SSH to the host. Have you heard of this before? Has anyone posted about this before that you are aware of? I have been searching with no solid answer. I am just curious.
- It's not completely clear to me what worked and what didn't.  If you can ping between 2 IPs that means you have network connectivity working.  If you can't ping that can be a ROUTING problem because you need something like a router to route between subnets otherwise everything must have static routes configured.  If you can ping but not SSH or HTTP then that is more likely an ACL/firewall/configuration issue to solve.

A. I get this and have experienced with this now in my testing. All interfaces and devices need to have the native VLAN100 from end to end or I will see issues.
- No! They do not all need to use the same native VLAN, in fact they do not all need native VLAN configured at all. I repeat again - native VLAN is only significant on the port where it is configured and the only thing that needs to match it is the device connected to that port.  Once in the switch those frames are just like any other VLAN frame. Only devices which need untagged frames for management, like a Cisco AP, need native VLAN configured.  A Local Mode AP will also work just as well on an access port because that is only untagged management traffic.  If a device (like ESX) only needs tagged frames then there is no need for native VLAN to be configured and sending it untagged frames could cause problems.

A. Relating to VMware, I get now what you mean, but I know an interface can either be an access port or a trunk and not both. But when, let's say, the vSwitch on an ESXi host is tagged for VLAN100 (192.168.10.x) and you have another physical device on the same subnet (192.168.10.x), but the physical device is untagged, will the devices be able to talk to each other, or does the physical device need to be tagged VLAN100 as well?
- Yes they'll be able to talk to each other. No they do not all need to be tagged at access! Again the tagging only matters at port level - if they're in the same VLAN that's it - they can talk to each other.  A frame that enters VLAN 100 untagged and a frame that enters VLAN 100 tagged look identical inside the switch - they are just VLAN 100 frames - doesn't matter how they got there.

A. I want it to be able to pass all traffic, tagged and untagged, through just VLAN100 on subnet 192.168.10.x on the assigned interfaces that VLAN100 belongs to. Kind of like leaving all ports on VLAN1 and the default configuration on the Cisco switch. I really hope this makes sense. I might have explained it wrong. Sorry in advance.
- If you want to put everything in the same VLAN you can but I believe that's not actually recommended for 9800-CL.  There are some corner cases which will not work if you put the WLC management interface and the WMI (wireless management interface which the APs connect to with CAPWAP) in the same subnet.  It's good practice to keep the out of band management interface on a different subnet.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#C9800CLconsiderations

A. These commands are awesome and I have noted them, but this goes back to first point above. How can I make all the interfaces see another default vlan? Is this even possible?
- You can't "make all the interfaces see another default vlan".  You can configure every interface in the same VLAN if you want to as I said above.  It's all just a matter of configuring the ports as required.  That's the whole point of VLANs!

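The frame classification the accepted answer above describes, as an added Python model. This is example code written for this page, not part of the original thread and not Cisco code: port names and VLAN numbers are taken from the thread, the MAC addresses and payload are constructed, and two simplifications are assumed (an access port drops every tagged frame; no DTP and no 'vlan dot1q tag native'). It shows that an untagged frame arriving on a port whose native VLAN is 100 and a frame arriving tagged with VID 100 are the same frame once inside the switch, that the native VLAN only decides whether a frame leaves a trunk tagged or untagged, and why the thread's original Gi1/0/47 (allowed 400 only, native 400) could never carry VLAN 100.

```python
"""Model of how a Catalyst switch port classifies frames into VLANs.

Added example for this thread (not Cisco code, not the poster's config).
Simplifications: no DTP, no 'vlan dot1q tag native', and an access port
drops every tagged frame.
"""
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

DOT1Q_TPID = 0x8100
ETHERTYPE_IPV4 = 0x0800
ALL_VLANS: FrozenSet[int] = frozenset(range(1, 4095))   # IOS default allowed list


@dataclass
class Port:
    name: str
    mode: str                              # "access" or "trunk"
    access_vlan: int = 1                   # 'switchport access vlan' (default 1)
    native_vlan: int = 1                   # 'switchport trunk native vlan' (default 1)
    allowed: FrozenSet[int] = ALL_VLANS    # 'switchport trunk allowed vlan'


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vid: Optional[int] = None) -> bytes:
    """Ethernet II frame carrying IPv4, with an 802.1Q tag when vid is given."""
    header = dst + src
    if vid is not None:
        header += struct.pack("!HH", DOT1Q_TPID, vid & 0x0FFF)   # PCP=0, DEI=0
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tag(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Return (vid or None, frame with the 802.1Q tag removed)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    if struct.unpack("!H", frame[12:14])[0] != DOT1Q_TPID:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def ingress(port: Port, frame: bytes) -> Optional[Tuple[int, bytes]]:
    """Classify a received frame into a VLAN; None means the port drops it."""
    vid, inner = parse_tag(frame)
    if port.mode == "access":
        return None if vid is not None else (port.access_vlan, inner)
    # Trunk: untagged frames belong to the native VLAN, tagged ones to their VID,
    # and anything outside 'switchport trunk allowed vlan' is discarded.
    vlan = port.native_vlan if vid is None else vid
    return (vlan, inner) if vlan in port.allowed else None


def egress(port: Port, vlan: int, inner: bytes) -> Optional[bytes]:
    """Forward an internal (untagged) frame of `vlan` out of `port`."""
    if port.mode == "access":
        return inner if vlan == port.access_vlan else None
    if vlan not in port.allowed:
        return None
    if vlan == port.native_vlan:
        return inner                                   # native VLAN leaves untagged
    return inner[:12] + struct.pack("!HH", DOT1Q_TPID, vlan) + inner[12:]


if __name__ == "__main__":
    # Constructed addresses and payload for the walk-through.
    fw_mac = bytes.fromhex("0200000000a1")
    pc_mac = bytes.fromhex("0200000000b2")
    payload = bytes([0x45]) + bytes(19)
    # Ports from the thread: the firewall port as the suggested access port,
    # the AP trunk (native 100, allowed 100-300,900) and the original Gi1/0/47.
    gi1 = Port("Gi1/0/1", "access", access_vlan=100)
    gi48 = Port("Gi1/0/48", "trunk", native_vlan=100,
                allowed=frozenset(range(100, 301)) | frozenset({900}))
    gi47 = Port("Gi1/0/47", "trunk", native_vlan=400, allowed=frozenset({400}))

    untagged = build_frame(fw_mac, pc_mac, payload)
    tagged100 = build_frame(fw_mac, pc_mac, payload, vid=100)
    print("firewall untagged -> VLAN", ingress(gi1, untagged)[0])
    print("AP tagged VID 100 -> VLAN", ingress(gi48, tagged100)[0])
    print("identical inside the switch?", ingress(gi1, untagged) == ingress(gi48, tagged100))
    print("VLAN 200 leaves Gi1/0/48 with VID", parse_tag(egress(gi48, 200, untagged))[0])
    print("VLAN 100 out of original Gi1/0/47 ->", egress(gi47, 100, untagged))
```

Run it as a script to see the walk-through; the `egress` result of `None` for VLAN 100 on the original Gi1/0/47 is the behaviour Mark describes further down the thread (VLAN 100 never gets a live path through that port).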

@Rich R 

Thank you for all your wonderful explanations, and I actually have everything resolved and all is talking and up and running with the properly configured VLANs. I am sorry if I frustrated you, but YES, I got the concepts, but my wording might be a bit off. I also think I might have been reading a lot of bad posts and getting a lot of misinformation from other sources on what certain things mean and how the context of the posts was taken, which might have made this all convoluted and confusing. Again, thank you for all your help and you have been wonderful.


35 Replies

Mark Elsen
Hall of Fame

 

- @dcgtechnologies Did you also create the VLANs on the switch?

  M.



-- Let everything happen to you
Beauty and terror
Just keep going
No feeling is final
Rainer Maria Rilke (1899)

Hi Mark, 

All vlans are on the switch as follows. See below:

VLAN Name             Status    Ports
---- ---------------- --------- ------------------------------
1    default          active    Gi1/1/2, Gi1/1/3, Gi1/1/4
100  Internal_Network active    Gi1/0/11, Gi1/0/14, Gi1/0/15
                                Gi1/0/16, Gi1/0/19, Gi1/0/20
                                Gi1/0/21, Gi1/0/22, Gi1/0/25
                                Gi1/0/26, Gi1/0/27, Gi1/0/28
                                Gi1/0/29, Gi1/0/30, Gi1/0/38
                                Gi1/0/42, Gi1/0/43, Gi1/0/45
                                Gi1/0/46
200  Wifi1_Network    active
300  Wifi2_Network    active
400  Wifi3_Network    active
900  Mgmt_Network     active    Gi1/0/6

They are all on switches and labeled. I am just trying to see if my base configuration is setup correctly before I even move on with the 9800 WLC.

When I run the command show vlan br, a port like the one below, for example,

interface GigabitEthernet1/0/47
switchport access vlan 100
switchport trunk allowed vlan 400
switchport trunk encapsulation dot1q
switchport trunk native vlan 400
switchport mode trunk

should show here. See below

400 Wifi3_Network active

but it does not, and that is why I am confused. Should it show there when that command is run?

Thank you Mark.

 

- @dcgtechnologies On the switch this all looks good. As far as the connection with the Zyxel firewall is concerned, you will have to make sure that the firewall understands VLANs and VLAN tagging AND that the ports on the firewall are configured in the correct VLAN and allow traffic from it. For the 9800 I understood you were using vSphere; you must also then make sure that those VLANs become known in vSphere and can be made available on the (virtual) interfaces of the 9800 virtual controller.

  M.
                                    




Hi Mark... Thank you for all your replies. I am working with the vendor on this for my firewall, and I think I have narrowed the issue down to my Dell VRTX, which runs an R1-2401 switch inside the VRTX, so I am working with Dell to get the VRTX configured correctly, as I am using two of the four blades for vSphere. Right now I am halting all progress on the 9800 WLC until I get all my VLANs configured correctly to support the WLC.

On the second part I was curious. When I run the command show vlan br, a port like the one below, for example,

interface GigabitEthernet1/0/47
switchport access vlan 100
switchport trunk allowed vlan 400
switchport trunk encapsulation dot1q
switchport trunk native vlan 400
switchport mode trunk

should show here. See below

400 Wifi3_Network active

and also with 

900 Mgmt_Network active

interface GigabitEthernet1/0/2
switchport access vlan 100
switchport trunk allowed vlan 100,900
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk

I have six of these ports and they do not show up when I run show vlan br; they are not in that table at all. Any idea why? Thank you, Mark!

@dcgtechnologies You have those ports configured as Trunk ports - which is why they don't show.  Only access port VLANs will show there.

Note that there is special configuration required on VMware to support 9800-CL (I presume that is what you are planning to deploy?).  Refer to https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#C9800CLconsiderations and the 9800-CL installation and setup guides.

If your firewall only needs to access VLAN 100 then why do you want to use VLAN tagging on the port?  Why not just make it an access port in VLAN 100? (don't make it more complicated than it needs to be). 

@Rich R Hello Rich,

Thank you for the explanation about the first point, and yes, I did follow that guide you mentioned as well as four others out there, so I have a good grasp of the setup, but I need my network and VLANs fixed before I proceed, because the Dell VRTX R1-2401 switch is not configured correctly, which I am working through now.

If your firewall only needs to access VLAN 100 then why do you want to use VLAN tagging on the port?  Why not just make it an access port in VLAN 100? (don't make it more complicated than it needs to be).

What would this configuration look like? I do want it to have access to VLAN100, and I think I have over-complicated my VLAN setup now that I understand the concepts after reading a lot over the past couple of days. Thank you.

What would this configuration look like?
interface GigabitEthernet1/0/1
 switchport access vlan 100
 switchport mode access

 

- @dcgtechnologies This one isn't correct:

interface GigabitEthernet1/0/47
switchport access vlan 100
switchport trunk allowed vlan 400
switchport trunk encapsulation dot1q
switchport trunk native vlan 400
switchport mode trunk

You set the port in vlan 100, but only allow vlan 400 on the trunk, so in that case the line protocol on vlan 100 would remain down, because there is no active physical connection possible.

 M.




@Mark Elsen switchport access vlan 100 is ignored by the switch because switchport mode trunk

 

- @Rich R Then I would still remove 'switchport access vlan 100' from the port's configuration for consistency.

 M.




Then I would still remove 'switchport access vlan 100 '    from the port's configuration because of consistency.
100% yes - but actually - since the trunk port only has one VLAN (400) and it's the native VLAN (untagged) there is no point in even making this a trunk port - it should be an access mode port in VLAN 400...

 

- @Rich R Completely correct; what I would also like to point out for @dcgtechnologies is that when an SVI (VLAN interface) is created and not attached to an active connected Gi interface, then the VLAN will be up, but the line protocol will remain down (as you already observed).

  M.




@Mark Elsen @Rich R The config for that port would look like this. See below:

Interface GigabitEthernet1/0/47
switchport mode allowed vlan 100
switchport trunk encapsulation dot1q
switchport trunk native vlan 400
switchport mode trunk

This is how I read it, and basically there is no need to make it an access port because it is on the trunk, because of the "switchport mode trunk" command. I want its native VLAN to be 400 and it needs access to resources on VLAN100. Is this accurate? Thank you.

No!  It is either trunk or access mode - it can't be both.
"allowed" is not a valid mode for switchport. 
"switchport trunk allowed vlan" must list all the VLANs allowed on the port.

interface GigabitEthernet1/0/47
 switchport trunk allowed vlan 100,400
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 400
 switchport mode trunk
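The checks the replies converge on for the posted stanzas (an access VLAN that is ignored under switchport mode trunk, a trunk whose only allowed VLAN is its native VLAN and should be an access port, the invalid "switchport mode allowed vlan", and VLANs that must exist on the switch), as an added Python linter. This is example code written for this page, not a Cisco tool and not something the poster ran: the sample stanzas are copied from the thread with the encapsulation lines omitted (the -proposed, -fixed and -access suffixes are labels for the example, not real interface names), the VLAN list comes from the poster's show vlan brief output, and the finding that a trunk with no allowed list should be restricted is general hardening practice rather than a point made in the thread.

```python
"""Lint interface stanzas like the ones posted in this thread.

Added example, not Cisco tooling and not the poster's script.  The 'restrict
the allowed list' finding is general hardening practice, not a thread point.
"""
import re
from typing import Dict, List, Optional, Set

# VLANs present on the switch, taken from the poster's 'show vlan brief'.
DEFINED_VLANS = {1, 100, 200, 300, 400, 900}
KEYS = ("switchport mode", "switchport access vlan",
        "switchport trunk allowed vlan", "switchport trunk native vlan")


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '100-300,900' into a set of IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config: str) -> Dict[str, Dict[str, List[str]]]:
    """Map each 'interface X' stanza to {command prefix: [arguments, ...]}."""
    ifaces: Dict[str, Dict[str, List[str]]] = {}
    cur: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line, re.I)
        if m:
            cur = m.group(1)
            ifaces[cur] = {}
        elif cur is not None:
            for key in KEYS:
                if line.startswith(key + " "):
                    ifaces[cur].setdefault(key, []).append(line[len(key) + 1:].strip())
                    break
    return ifaces


def lint_interface(name: str, cfg: Dict[str, List[str]],
                   defined: Set[int] = DEFINED_VLANS) -> List[str]:
    """Return findings for one interface; an empty list means it is clean."""
    out: List[str] = []
    modes = cfg.get("switchport mode", [])
    for m in modes:
        if m not in ("access", "trunk"):     # e.g. 'switchport mode allowed vlan 100'
            out.append(f"{name}: 'switchport mode {m}' is not valid; use access or trunk")
    mode = next((m for m in reversed(modes) if m in ("access", "trunk")), None)
    if mode is None:
        return out + [f"{name}: no valid 'switchport mode'"]
    access = cfg.get("switchport access vlan", [None])[-1]
    native = int(cfg.get("switchport trunk native vlan", ["1"])[-1])   # IOS default is 1
    spec = cfg.get("switchport trunk allowed vlan", [None])[-1]
    if mode == "access":
        vlan = int(access) if access else 1
        if vlan not in defined:
            out.append(f"{name}: access VLAN {vlan} is not defined on the switch")
        return out
    if access is not None:       # ignored on a trunk, as Rich R points out
        out.append(f"{name}: 'switchport access vlan {access}' is ignored in trunk mode; remove it")
    if native not in defined:
        out.append(f"{name}: native VLAN {native} is not defined on the switch")
    if spec is None:
        out.append(f"{name}: no allowed list, so the trunk carries every VLAN; restrict it")
    else:
        allowed = parse_vlan_list(spec)
        if native not in allowed:
            out.append(f"{name}: native VLAN {native} is not in the allowed list, so untagged frames are dropped")
        elif allowed == {native}:
            out.append(f"{name}: carries only VLAN {native}, untagged; make it an access port in VLAN {native}")
    return out


def lint(config: str) -> Dict[str, List[str]]:
    """Lint every interface stanza in a running-config excerpt."""
    return {n: lint_interface(n, c) for n, c in parse_interfaces(config).items()}


# Constructed input copied from the thread; the '-proposed', '-fixed' and
# '-access' suffixes are labels for this example, not real interface names.
SAMPLE = """
interface GigabitEthernet1/0/47
 switchport access vlan 100
 switchport trunk allowed vlan 400
 switchport trunk native vlan 400
 switchport mode trunk
interface GigabitEthernet1/0/47-proposed
 switchport mode allowed vlan 100
 switchport trunk native vlan 400
 switchport mode trunk
interface GigabitEthernet1/0/47-fixed
 switchport trunk allowed vlan 100,400
 switchport trunk native vlan 400
 switchport mode trunk
interface GigabitEthernet1/0/1-access
 switchport access vlan 100
 switchport mode access
"""

if __name__ == "__main__":
    for iface, findings in lint(SAMPLE).items():
        print(iface, findings or "OK")
```

Feed it `show running-config | section interface` output and it reports per port; the two stanzas Rich R ends up recommending (the access port for the firewall and the corrected Gi1/0/47 trunk) come back clean, the original ones reproduce the points raised in the replies.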

 
