11-20-2003 06:05 AM - edited 07-04-2021 09:09 AM
I am having problems creating two VLANs on an Aironet 350. I am running 12.03T on the access points. I need to create an open VLAN that I route to the internet. The other VLAN is a secure VLAN that is internal to the organization. When I connect to the unsecure VLAN it still grabs a DHCP address from the secure VLAN. The unsecure client has no SSID or WEP configured so I know it is not connecting to the secure side. I am broadcasting the unsecure connection. I have the unsecure VLAN configured in the core. What am I doing wrong?
11-26-2003 07:53 AM
The following document might be helpful to you:
02-10-2004 06:18 PM
Hi,
I've just done that.
Both secure and unsecured clients need an SSID. This indicates what VLAN they will enter on.
WEP is optional but advisable.
Ensure that your two VLANs are defined on the AP with their correct SSID etc.
Test that you can associate to each.
IP side of it.
We used 10.17.107.x for private lan connections and 10.17.201.x for public access
Fa0 connected the AP to the router.
Then on the ROUTER do something like this.
!Define dhcp for private
ip dhcp pool aironet
network 10.17.107.0 255.255.255.240
default-router 10.17.107.1
domain-name abc.net
dns-server 10.17.101.3 ! Internal DNS
lease 8
!Define dhcp for public
ip dhcp pool hot_spot_wireless
network 10.17.201.0 255.255.255.192
default-router 10.17.201.1
domain-name def.net
dns-server 139.130.4.4 ! an ISP dns
lease 8
!
!VLAN 4 for Private
interface FastEthernet0.4
description --- test Airnonet ---
encapsulation dot1Q 4
ip address 10.17.107.1 255.255.255.240
!
!VLAN 99 for Public
interface FastEthernet0.99
description Hot Spot VLAN
encapsulation dot1Q 99
ip address 10.17.201.1 255.255.255.192
ip access-group 111 in
ip access-group 112 out
!access-lists allow dhcp and bootp and outside world only......
access-list 111 remark -- Hot Spot Outbound Access --
access-list 111 permit udp any any eq bootpc
access-list 111 permit udp any any eq bootps
access-list 111 permit udp any any eq domain
access-list 111 permit ip 10.17.201.0 0.0.0.63 host 10.17.201.63
access-list 111 permit ip 10.17.201.0 0.0.0.63 host 10.17.201.1
access-list 111 remark deny private address access
access-list 111 deny ip 10.17.201.0 0.0.0.63 10.0.0.0 0.255.255.255
access-list 111 deny ip 10.17.201.0 0.0.0.63 192.168.0.0 0.0.255.255
access-list 111 deny ip 10.17.201.0 0.0.0.63 172.16.0.0 0.15.255.255
access-list 111 remark - permit all other access
access-list 111 permit ip 10.17.201.0 0.0.0.63 any
access-list 111 deny ip any any
access-list 112 remark --- Hot Spot Inbound Access ---
access-list 112 permit udp any any eq bootpc
access-list 112 permit udp any any eq bootps
access-list 112 permit udp any eq domain any
access-list 112 permit ip host 10.17.201.63 10.17.201.0 0.0.0.63
access-list 112 permit ip host 10.17.201.1 10.17.201.0 0.0.0.63
access-list 112 remark deny private address access
access-list 112 deny ip 10.0.0.0 0.255.255.255 10.17.201.0 0.0.0.63
access-list 112 deny ip 192.168.0.0 0.0.255.255 10.17.201.0 0.0.0.63
access-list 112 deny ip 172.16.0.0 0.15.255.255 10.17.201.0 0.0.0.63
access-list 112 remark - permit all other access
access-list 112 permit ip any 10.17.201.0 0.0.0.63
access-list 112 deny ip any any
!
Tested and implemented OK.
Hope this helps.
cheers
Bill CCNP/CCSP.
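A first-match check of ACL 111 from the reply above, as an added example that is not part of the original thread: it evaluates constructed sample packets against the posted entries and shows that the `eq domain` permit is matched before the private-address denies, so UDP 53 from the hot spot to an internal 10.x address is permitted. The helper names and sample packets are assumptions made for illustration, and only the destination-port `eq` form used in ACL 111 is parsed.

```python
import ipaddress

# ACL 111 as posted above (applied inbound on FastEthernet0.99), remarks omitted.
ACL_111 = """\
permit udp any any eq bootpc
permit udp any any eq bootps
permit udp any any eq domain
permit ip 10.17.201.0 0.0.0.63 host 10.17.201.63
permit ip 10.17.201.0 0.0.0.63 host 10.17.201.1
deny ip 10.17.201.0 0.0.0.63 10.0.0.0 0.255.255.255
deny ip 10.17.201.0 0.0.0.63 192.168.0.0 0.0.255.255
deny ip 10.17.201.0 0.0.0.63 172.16.0.0 0.15.255.255
permit ip 10.17.201.0 0.0.0.63 any
deny ip any any
"""
PORTS = {"bootps": 67, "bootpc": 68, "domain": 53}

def _addr(tok):
    """Consume one address spec ('any', 'host A', 'A WILDCARD'); return (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def _hit(ip, spec):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF)

def evaluate(acl_text, proto, src, dst, dport=None):
    """Return (action, entry) for the first matching entry; evaluation stops there."""
    for line in acl_text.strip().splitlines():
        tok = line.split()
        action, rule_proto = tok.pop(0), tok.pop(0)
        s, d = _addr(tok), _addr(tok)
        port = PORTS[tok[1]] if tok[:1] == ["eq"] else None  # destination port only
        if rule_proto not in ("ip", proto):
            continue
        if _hit(src, s) and _hit(dst, d) and (port is None or port == dport):
            return action, line
    return "deny", "(implicit deny)"

if __name__ == "__main__":
    # Constructed sample packets from a hot-spot client at 10.17.201.10.
    for pkt in [("tcp", "10.17.201.10", "203.0.113.7", 80),
                ("tcp", "10.17.201.10", "10.17.107.5", 445),
                ("udp", "10.17.201.10", "10.17.101.3", 53)]:
        print(pkt, "->", evaluate(ACL_111, *pkt))
```

If DNS from the public VLAN should reach only the ISP resolver, the `eq domain` entry would need a specific destination instead of `any`.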