02-14-2019 12:04 PM - edited 07-05-2021 09:51 AM
Hi all, I need help with the question below on how to configure the AP:
02-14-2019 01:31 PM
Hi
Take a look at the Mobility express deployment guide:
The AP will work in Flexconnect mode and join the Mobility Express Controller inside the AP.
To allow multiple VLANs you will need to map them to the VLANs on the switch:
Interface GigabitEthernet1/0/37
description » Connected to Master AP «
switchport trunk native vlan 122
switchport trunk allowed vlan 10,20,122
switchport mode trunk
Reference the POE draw:
The AP supports 802.3at PoE+ which it looks like the 2960 can supply:
The config can be managed via the Mobility Express WebUI or the CLI, so whatever suits.
As for whether you should use separate VLANs for employees and guests: this is a security decision. Normally you don't want the guest traffic to be able to access the corporate traffic, so I would use two VLANs and ACLs to block traffic not allowed between the two.
Hope this helps.
09-03-2019 07:10 AM
Can you give me an example of an ACL to separate the office and guest VLAN traffic?
09-04-2019 05:58 AM
09-06-2019 09:32 PM
The router I have is a 2911 ISR.
How do I let the WiFi guest VLAN access the internet only, with other VLANs blocked? And other VLANs can access WiFi guest.
Should I use an access list?
LIST OF INTERVLAN ROUTING G.W:
192.168.2.207/24  VLAN 2    LAN
192.168.3.207/24  VLAN 9    PRINTER
192.168.4.207/24  VLAN 20   WIFI-OFFICE
192.168.5.207/24  VLAN 55   NATIVE
192.168.6.207/24  VLAN 200  VOICE
192.168.7.207/24  VLAN 250  MGMT
192.168.8.207/24  VLAN 912  WIFI-GUEST
192.168.9.207/24  VLAN 230  STREAMING
09-10-2019 02:46 AM
Correct, I would put an ACL on the guest VLAN denying access to all your other internal networks and maybe allowing it to use the internet.
Make sure the clients can reach the DHCP and DNS servers, if those are in your internal network.
09-10-2019 03:41 AM
Yes, it's inside the router, as below:
How do I block WiFi guest from accessing other VLANs, allowing only the internet connection, and should other VLANs access WiFi guest? Or is there no need, so just block the guest from accessing other VLANs? And how do I exclude the printer VLAN so WiFi guest can use only the printer on my network?
Frico#show run
Building configuration...
Current configuration : 4318 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Frico
!
!
!
enable password cisco
!
!
ip dhcp excluded-address 192.168.2.207
ip dhcp excluded-address 192.168.3.207
ip dhcp excluded-address 192.168.4.207
ip dhcp excluded-address 192.168.5.207
ip dhcp excluded-address 192.168.6.207
ip dhcp excluded-address 192.168.7.207
ip dhcp excluded-address 192.168.8.207
ip dhcp excluded-address 192.168.9.207
ip dhcp excluded-address 192.168.7.1
ip dhcp excluded-address 192.168.7.20
ip dhcp excluded-address 192.168.7.10
ip dhcp excluded-address 192.168.7.2
ip dhcp excluded-address 192.168.3.88
ip dhcp excluded-address 192.168.2.20
ip dhcp excluded-address 192.168.2.10
ip dhcp excluded-address 192.168.2.100
ip dhcp pool LAN
network 192.168.2.0 255.255.255.0
default-router 192.168.2.207
domain-name GDS.LOCAL
ddns-server 8.8.8.8 8.8.4.4
ip dhcp pool Printers
network 192.168.3.0 255.255.255.0
default-router 192.168.3.207
dns-server 8.8.8.8 8.8.4.4
ip dhcp pool WIFI-OFFICE
network 192.168.4.0 255.255.255.0
default-router 192.168.4.207
domain-name GDS.LOCAL
dns-server 8.8.8.8 8.8.4.4
ip dhcp pool Native
network 192.168.5.0 255.255.255.0
default-router 192.168.5.207
dns-server 8.8.8.8 8.8.4.4
ip dhcp pool Voice
network 192.168.6.0 255.255.255.0
default-router 192.168.6.207
option 150 ip 192.168.6.207
dns-server 8.8.8.8 8.8.4.4
ip dhcp pool MGMT
network 192.168.7.0 255.255.255.0
default-router 192.168.7.207
dns-server 8.8.8.8 8.8.4.4
ip dhcp pool WIFI-GUEST
network 192.168.8.0 255.255.255.0
default-router 192.168.8.207
dns-server 8.8.8.8 8.8.4.4
ip dhcp pool STREAMING
network 192.168.9.0 255.255.255.0
default-router 192.168.9.207
dns-server 8.8.8.8 8.8.4.4
!
!
ip dhcp global-options
dns-server 163.121.128.134 163.121.128.135
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
interface FastEthernet0/0
description connected to local NW-INTERVLAN
no ip address
ip nat inside
ip flow ingress
ip flow egress
duplex auto
speed auto
!
interface FastEthernet0/0.2
description LAN
encapsulation dot1Q 2
ip address 192.168.2.207 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.9
description printers
encapsulation dot1Q 9
ip address 192.168.3.207 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.20
description WIFI-OFFICE
encapsulation dot1Q 20
ip address 192.168.4.207 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.55
description native
encapsulation dot1Q 55 native
ip address 192.168.5.207 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.200
description voice
encapsulation dot1Q 200
ip address 192.168.6.207 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.230
description streaming
encapsulation dot1Q 230
ip address 192.168.9.207 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.250
encapsulation dot1Q 250
ip address 192.168.7.207 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.912
description WIFI-Guest
encapsulation dot1Q 912
ip address 192.168.8.207 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
description connedted to ISP
ip address 192.168.1.207 255.255.255.0
ip nat outside
ip flow ingress
ip flow egress
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
ip flow-top-talkers
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source list 2 interface FastEthernet0/1 overload
ip nat inside source list 3 interface FastEthernet0/1 overload
ip nat inside source list 4 interface FastEthernet0/1 overload
ip nat inside source list 5 interface FastEthernet0/1 overload
ip nat inside source list 6 interface FastEthernet0/1 overload
ip nat inside source list 7 interface FastEthernet0/1 overload
ip nat inside source list 8 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.253 or fastethernet0/1
!
ip http server
ip http authentication local
ip http secure-server
ip flow-export version 9
top 60
sort-by packets
!
router eigrp 100
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
network 192.168.5.0
network 192.168.6.0
network 192.168.7.0
network 192.168.8.0
no auto-summary
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 3 permit 192.168.4.0 0.0.0.255
access-list 4 permit 192.168.5.0 0.0.0.255
access-list 5 permit 192.168.6.0 0.0.0.255
access-list 6 permit 192.168.7.0 0.0.0.255
access-list 7 permit 192.168.8.0 0.0.0.255
access-list 8 permit 192.168.9.0 0.0.0.255
no cdp run
!
!
line con 0
password cisco
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login local
transport input all
line vty 5 15
exec-timeout 5 0
login local
transport input all
!
scheduler allocate 20000 1000
ntp master
!
end
09-10-2019 05:43 AM
09-10-2019 06:05 AM - edited 09-10-2019 06:29 AM
Need to exclude the network traffic from blocking to other VLANs,
so WiFi guest can access printers.
My printers already have their own VLAN, as below:
And also, what do you mean by (A very simple one (please note it might need some tweaking))?
ip dhcp pool Printers
network 192.168.3.0 255.255.255.0
default-router 192.168.3.207
dns-server 8.8.8.8 8.8.4.4
interface FastEthernet0/0.9
description printers
encapsulation dot1Q 9
ip address 192.168.3.207 255.255.255.0
ip nat inside
I need WiFi guest to access printers so they are able to connect and print.
09-10-2019 07:32 AM
09-10-2019 09:16 AM
What about the below:
192.168.3.2 printer
192.168.3.1 another printer
conf t
ip access-list extended in_guest_traffic
permit ip host 192.168.3.2 any
permit ip any host 192.168.3.2
permit ip host 192.168.3.1 any
permit ip any host 192.168.3.1
deny ip any 192.168.2.0 0.0.0.255
deny ip any 192.168.3.0 0.0.0.255
deny ip any 192.168.4.0 0.0.0.255
deny ip any 192.168.5.0 0.0.0.255
deny ip any 192.168.6.0 0.0.0.255
deny ip any 192.168.7.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255
permit ip any any
! apply it to the interface
interface FastEthernet0/0.912
ip access-group in_guest_traffic in
I have tested it and it is working, so is this config okay for you?
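An added example, not part of the original posts: a small first-match evaluator run over the ACL posted above, to check what it does to traffic entering the guest subinterface. The function names and the test addresses other than the two printers are constructed for illustration, and only `ip` entries in the `any`, `host` and address-plus-wildcard forms are handled.

```python
import ipaddress

# ACL as posted in the thread (in_guest_traffic, inbound on Fa0/0.912).
POSTED_ACL = """
permit ip host 192.168.3.2 any
permit ip any host 192.168.3.2
permit ip host 192.168.3.1 any
permit ip any host 192.168.3.1
deny ip any 192.168.2.0 0.0.0.255
deny ip any 192.168.3.0 0.0.0.255
deny ip any 192.168.4.0 0.0.0.255
deny ip any 192.168.5.0 0.0.0.255
deny ip any 192.168.6.0 0.0.0.255
deny ip any 192.168.7.0 0.0.0.255
deny ip any 192.168.9.0 0.0.0.255
permit ip any any
"""
GUEST_NET = ipaddress.ip_network("192.168.8.0/24")  # WIFI-GUEST subnet from the thread

def _spec(tokens):  # consume 'any' | 'host A' | 'A WILDCARD' -> (base, wildcard)
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.ip_address(tokens.pop(0))), 0
    return int(ipaddress.ip_address(first)), int(ipaddress.ip_address(tokens.pop(0)))

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        action, _proto, *rest = line.split()  # every entry here uses protocol 'ip'
        rules.append((action, _spec(rest), _spec(rest), line))
    return rules

def _hit(ip, spec):  # wildcard bits set to 1 are "don't care"
    return (ip | spec[1]) == (spec[0] | spec[1])

def evaluate(rules, src, dst):
    """First matching entry decides; no match falls through to the implicit deny."""
    s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
    for action, src_spec, dst_spec, line in rules:
        if _hit(s, src_spec) and _hit(d, dst_spec):
            return action, line
    return "deny", "(implicit deny)"

def dead_source_entries(rules, ingress=GUEST_NET):
    """Entries whose source can never match an address inside the ingress subnet."""
    hosts = range(int(ingress.network_address), int(ingress.broadcast_address) + 1)
    return [line for _, src, _, line in rules if not any(_hit(ip, src) for ip in hosts)]
```

`dead_source_entries(parse_acl(POSTED_ACL))` returns the two `permit ip host 192.168.3.x any` entries: no address in 192.168.8.0/24 can match their source, so guest-to-printer access rests entirely on the `permit ip any host ...` entries. Because they sit above the deny entries, they would pass any packet arriving on the interface with a printer's source address, so removing them tightens the list without changing what guests can reach.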
09-10-2019 11:17 AM
Also, given the configuration that I have with all the VLANs, how can I configure the NTP server?
Should I create another VLAN for the NTP server, or how? And how can other VLANs take the correct time from it?
09-10-2019 11:45 PM
09-11-2019 02:35 PM
Just for your info, all other configurations are on the router already.
On the switch I'm only configuring VLANs / VTP / trunks and so on :)
Thanks man
09-11-2019 03:07 PM
So I'll configure the main gateway as the NTP source, so NTP is not in a VLAN, and this interface 0/0 will be the master of all so everyone can take time from it? Am I correct?