Configuring two different VLANs on an Aironet 350

rustc
Level 1

I am having problems creating two VLANs on an Aironet 350. I am running 12.03T on the access points. I need to create an open VLAN that I route to the internet. The other VLAN is a secure VLAN that is internal to the organization. When I connect to the unsecure VLAN it still grabs a DHCP address from the secure VLAN. The unsecure client has no SSID or WEP configured so I know it is not connecting to the secure side. I am broadcasting the unsecure connection. I have the unsecure VLAN configured in the core. What am I doing wrong?

2 Replies

sbilgi
Level 5

bill.sheldon
Level 1

Hi,

I've just done that.

Both secure and unsecured clients need an SSID. This indicates what VLAN they will enter on.

WEP is optional but advisable.

Ensure that your two VLANs are defined on the AP with their correct SSID etc.

Test that you can associate to each.

IP side of it.

We used 10.17.107.x for private LAN connections and 10.17.201.x for public access.

Fa0 connected the AP to the router.

Then on the ROUTER do something like this.

!Define dhcp for private
ip dhcp pool aironet
 network 10.17.107.0 255.255.255.240
 default-router 10.17.107.1
 domain-name abc.net
 ! Internal DNS
 dns-server 10.17.101.3
 lease 8
!Define dhcp for public
ip dhcp pool hot_spot_wireless
 network 10.17.201.0 255.255.255.192
 default-router 10.17.201.1
 domain-name def.net
 ! an ISP dns
 dns-server 139.130.4.4
 lease 8
!
!VLAN 4 for Private
interface FastEthernet0.4
 description --- test Airnonet ---
 encapsulation dot1Q 4
 ip address 10.17.107.1 255.255.255.240
!
!VLAN 99 for Public
interface FastEthernet0.99
 description Hot Spot VLAN
 encapsulation dot1Q 99
 ip address 10.17.201.1 255.255.255.192
 ip access-group 111 in
 ip access-group 112 out
!access-lists allow dhcp and bootp and outside world only......
access-list 111 remark -- Hot Spot Outbound Access --
access-list 111 permit udp any any eq bootpc
access-list 111 permit udp any any eq bootps
access-list 111 permit udp any any eq domain
access-list 111 permit ip 10.17.201.0 0.0.0.63 host 10.17.201.63
access-list 111 permit ip 10.17.201.0 0.0.0.63 host 10.17.201.1
access-list 111 remark deny private address access
access-list 111 deny ip 10.17.201.0 0.0.0.63 10.0.0.0 0.255.255.255
access-list 111 deny ip 10.17.201.0 0.0.0.63 192.168.0.0 0.0.255.255
access-list 111 deny ip 10.17.201.0 0.0.0.63 172.16.0.0 0.15.255.255
access-list 111 remark - permit all other access
access-list 111 permit ip 10.17.201.0 0.0.0.63 any
access-list 111 deny ip any any
access-list 112 remark --- Hot Spot Inbound Access ---
access-list 112 permit udp any any eq bootpc
access-list 112 permit udp any any eq bootps
access-list 112 permit udp any eq domain any
access-list 112 permit ip host 10.17.201.63 10.17.201.0 0.0.0.63
access-list 112 permit ip host 10.17.201.1 10.17.201.0 0.0.0.63
access-list 112 remark deny private address access
access-list 112 deny ip 10.0.0.0 0.255.255.255 10.17.201.0 0.0.0.63
access-list 112 deny ip 192.168.0.0 0.0.255.255 10.17.201.0 0.0.0.63
access-list 112 deny ip 172.16.0.0 0.15.255.255 10.17.201.0 0.0.0.63
access-list 112 remark - permit all other access
access-list 112 permit ip any 10.17.201.0 0.0.0.63
access-list 112 deny ip any any
!

Tested and implemented OK.

Hope this helps.

cheers

Bill CCNP/CCSP.
