
VLAN issue for Guest WLAN on 2504 WLC

yasib ahmed
Level 1

Hi,

I have configured a WLC 2504, and I have to pass 2 networks between WLC.

I have already configured a management interface with untagged VLAN 0, and the other is VLAN-40.

Here is the information:

For Untagged Vlan:

VLAN Identifier: 0

IP Address: 192.168.100.20/24

Gateway:192.168.100.1

Port Number:1

Primary DHCP Server:192.168.100.1

For Vlan-40:

VLAN Identifier: 40

IP Address: 192.168.40.10/24

Gateway:192.168.40.1

Port Number:1

Primary DHCP Server:192.168.40.1

And after that I created a WLAN (SSID) and selected the Interface/Interface Group: vlan-40

but it didn't work.

The users can connect to this SSID but they get the wrong IP address block, like 192.168.100.94

but it has to be 192.168.40.25.

I have also tried to configure it using an Interface Group, but it didn't work.

Can anyone help me to solve this problem?

For better understanding I have attached some screenshots.

Regards,

Yasib


Ric Beeching
Level 7

Hi Yasib,

1) Remove the interface group - you don't need it.

2) You cannot map WLANs/Interfaces to individual physical interfaces so don't worry about that LAG part for now.

3) Can you ping 192.168.40.1 from your WLAN Controller?

4) Is the switchport that the WLAN Controller is plugged into set to TRUNK?

Ric

-----------------------------
Please rate helpful / correct posts

Hi Ric,

Thank you for your response. According to your reply I have done the configuration below:

1. I removed the interface group.

2. LAG mode is disabled (by default).

3. Yes, I can ping 192.168.40.1 from my WLAN Controller.

4. Yes, I have configured the switch interface in trunk mode. Note that the switch is a 2960.

Here I have attached some screenshots. Please check those.

So without seeing it in-depth your config looks good but obviously IPs are being handed out incorrectly which indicates it could be the IP Helper on either the WLAN Controller or the switch.

Under WLAN you can configure the DHCP Server IP (Advanced -> Tick DHCP Server Override and enter IP).

Can you paste your switch config for that VLAN / DHCP Scope and the Trunk config?

Cheers,

Ric

-----------------------------
Please rate helpful / correct posts

Hi,

For the switch I have created a VLAN, VLAN-40. Switch to AP, switch to DHCP server and switch to WLC are all configured with simple commands like,

int fa0/12

switchport mode trunk

no shutdown

exit

that's it.

Let me inform you that those APs are configured with static IP addresses like 192.168.100.4, same as the management interface (untagged VLAN).

Here I have attached some screenshots to help me find the problems.

Under the Interface for VLAN-40 can you enable DHCP Proxy and test? Just curious to see if that helps.

If that fails from the CLI can you post the following:

1) show wlan <#> where <#> is the number of wlan for your CAPTIVE SSID.

2) show network

3) show interface detailed vlan-40

A test to rule out DHCP mis-configuration on the switch side could be to plug in a wired device to a port configured for VLAN 40 just in case.

-----------------------------
Please rate helpful / correct posts

Here are the answers, as follows:

1.

(Cisco Controller) >show wlan 3
WLAN Identifier.................................. 3
Profile Name..................................... TEST-CAPTIVE
Network Name (SSID).............................. CAPTIVE
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Client Profiling Status
    Radius Profiling ............................ Disabled
     DHCP ....................................... Disabled
     HTTP ....................................... Disabled
    Local Profiling ............................. Disabled
     DHCP ....................................... Disabled
     HTTP ....................................... Disabled
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200

--More-- or (q)uit
Number of Active Clients......................... 1
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ Disabled
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... SM-GROUP-wlc
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ vlan-40
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
WLAN Layer2 ACL.................................. unconfigured
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
DHCP Server...................................... 192.168.40.1
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Tunnel Profile................................... Unconfigured
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream      Downstream

--More-- or (q)uit
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Per-Client Rate Limits........................... Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1

--More-- or (q)uit
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ Global Servers
   Accounting.................................... Global Servers
      Interim Update............................. Disabled
      Interim Update Interval.................... 0
      Framed IPv6 Acct AVP ...................... Prefix
   Dynamic Interface............................. Disabled
   Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Radius NAI-Realm................................. Disabled
Security

   802.11 Authentication:........................ Open System
   FT Support.................................... Disabled
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Enabled
      WPA (SSN IE)............................... Disabled
      WPA2 (RSN IE).............................. Enabled
         TKIP Cipher............................. Disabled
         AES Cipher.............................. Enabled
      Auth Key Management

--More-- or (q)uit
         802.1x.................................. Disabled
         PSK..................................... Enabled
         CCKM.................................... Disabled
         FT-1X(802.11r).......................... Disabled
         FT-PSK(802.11r)......................... Disabled
         PMF-1X(802.11w)......................... Disabled
         PMF-PSK(802.11w)........................ Disabled
      FT Reassociation Timeout................... 20
      FT Over-The-DS mode........................ Enabled
      GTK Randomization.......................... Disabled
      SKC Cache Support.......................... Disabled
      CCKM TSF Tolerance......................... 1000
   WAPI.......................................... Disabled
   Wi-Fi Direct policy configured................ Disabled
   EAP-Passthrough............................... Disabled
   CKIP ......................................... Disabled
   Web Based Authentication...................... Disabled
   Web Authentication Timeout.................... 300
   Web-Passthrough............................... Disabled
   Mac-auth-server............................... 0.0.0.0
   Web-portal-server............................. 0.0.0.0
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled

--More-- or (q)uit
   Auto Anchor................................... Disabled
   FlexConnect Local Switching................... Disabled
   FlexConnect Central Association............... Disabled
   flexconnect Central Dhcp Flag................. Disabled
   flexconnect nat-pat Flag...................... Disabled
   flexconnect Dns Override Flag................. Disabled
   flexconnect PPPoE pass-through................ Disabled
   flexconnect local-switching IP-source-guar.... Disabled
   FlexConnect Vlan based Central Switching ..... Disabled
   FlexConnect Local Authentication.............. Disabled
   FlexConnect Learn IP Address.................. Enabled
   Client MFP.................................... Optional
   PMF........................................... Disabled
   PMF Association Comeback Time................. 1
   PMF SA Query RetryTimeout..................... 200
   Tkip MIC Countermeasure Hold-down Timer....... 60
   Eap-params.................................... Disabled
AVC Visibilty.................................... Disabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Split Tunnel Configuration
    Split Tunnel................................. Disabled
Call Snooping.................................... Disabled

--More-- or (q)uit
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
802.11v Directed Multicast Service............... Disabled
802.11v BSS Max Idle Service..................... Enabled
802.11v BSS Transition Service................... Disabled
802.11v BSS Transition Disassoc Imminent......... Disabled
802.11v BSS Transition Disassoc Timer............ 200
802.11v BSS Transition OpRoam Disassoc Timer..... 40
DMS DB is empty
Band Select...................................... Disabled
Load Balancing................................... Disabled
Multicast Buffer................................. Disabled
Universal Ap Admin............................... Disabled

 Mobility Anchor List
 WLAN ID     IP Address            Status                             Priority
 -------     ---------------       ------                             --------


--More-- or (q)uit
802.11u........................................ Disabled

MSAP Services.................................. Disabled

Local Policy
----------------
Priority  Policy Name
--------  ---------------

2.

(Cisco Controller) >show network summary

RF-Network Name............................. SM-GROUP
Web Mode.................................... Enable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
Secure Web Mode RC4 Cipher Preference....... Disable
Secure Web Mode SSL Protocol................ Disable
OCSP........................................ Disabled
OCSP responder URL..........................
Secure Shell (ssh).......................... Enable
Secure Shell (ssh) Cipher-Option High....... Disable
Telnet...................................... Disable
Ethernet Multicast Forwarding............... Disable
Ethernet Broadcast Forwarding............... Disable
IPv4 AP Multicast/Broadcast Mode............ Multicast   Address : 239.1.1.1
IPv6 AP Multicast/Broadcast Mode............ Multicast   Address : ::
IGMP snooping............................... Disabled
IGMP timeout................................ 60 seconds
IGMP Query Interval......................... 20 seconds
MLD snooping................................ Disabled
MLD timeout................................. 60 seconds

--More-- or (q)uit
MLD query interval.......................... 20 seconds
User Idle Timeout........................... 300 seconds
ARP Idle Timeout............................ 300 seconds
Cisco AP Default Master..................... Disable
AP Join Priority............................ Disable
Mgmt Via Wireless Interface................. Enable
Mgmt Via Dynamic Interface.................. Disable
Bridge MAC filter Config.................... Enable
Bridge Security Mode........................ EAP
Mesh Full Sector DFS........................ Enable
Mesh Backhaul RRM........................... Disable
AP Fallback ................................ Enable
Web Auth CMCC Support ...................... Disabled
Web Auth Redirect Ports .................... 80
Web Auth Proxy Redirect  ................... Disable
Web Auth Captive-Bypass   .................. Disable
Web Auth Secure Web  ....................... Enable
Web Auth Secure Redirection  ............... Disable
Fast SSID Change ........................... Disabled
AP Discovery - NAT IP Only ................. Enabled
IP/MAC Addr Binding Check .................. Enabled
Link Local Bridging Status ................. Disabled
CCX-lite status ............................ Disable

--More-- or (q)uit
oeap-600 dual-rlan-ports ................... Disable
oeap-600 local-network ..................... Enable
oeap-600 Split Tunneling (Printers)......... Disable
WebPortal Online Client .................... 0
WebPortal NTF_LOGOUT Client ................ 0
mDNS snooping............................... Disabled
mDNS Query Interval......................... 15 minutes
Web Color Theme............................. Default
Capwap Prefer Mode.......................... IPv4
Network Profile............................. Disabled
Client ip conflict detection (DHCP) ........ Disabled
Mesh BH RRM ................................ Disable
Mesh Aggressive DCA......................... Disable
Mesh Auto RF................................ Disable

3.

(Cisco Controller) >show interface detailed vlan-40

Interface Name................................... vlan-40
MAC Address...................................... dc:eb:94:ff:3a:44
IP Address....................................... 192.168.40.10
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.40.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 40
Quarantine-vlan.................................. 0
NAS-Identifier................................... SM-GROUP-wlc
Active Physical Port............................. 1
Primary Physical Port............................ 1
Backup Physical Port............................. Unconfigured
DHCP Proxy Mode.................................. Global
Primary DHCP Server.............................. 192.168.40.1
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
DHCP Option 82 bridge mode insertion............. Disabled
IPv4 ACL......................................... Unconfigured
mDNS Profile Name................................ Unconfigured
AP Manager....................................... No

--More-- or (q)uit
Guest Interface.................................. No
3G VLAN.......................................... Disabled
L2 Multicast..................................... Enabled

I found that a client is connected with a different IP, but it shows Vlan id-40.

Here it is attached.

Thanks for that - great info. 

I'm struggling to find a reason on the WLC for your clients to pick up the wrong IP.

1) You can try enabling Option 82 / DHCP Proxy on the vlan-40 interface and test.

2) Confirm a wired client on vlan 40 on that switch receives the correct IP (this would be a key test if you can do it)

At the moment evidence suggests something going wrong after the packet leaves the WLC as your tagging and interface setup looks correct to me.

-----------------------------
Please rate helpful / correct posts

You don't have any AP Groups enabled by chance?

-----------------------------
Please rate helpful / correct posts

Hi Ric,

I have found the problem. It was necessary to enable the DHCP Proxy Mode.

Thank you for your help.

You helped me a lot.

Here is the solution screenshot.

Regards,

Yasib

Glad it worked :-).

-----------------------------
Please rate helpful / correct posts
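
The symptom in this thread (a client on the vlan-40 WLAN holding a 192.168.100.x lease) can be checked mechanically from the controller output. The following is an added example, not part of the original posts and not Cisco code: it parses the dotted `show interface detailed` format and flags client addresses outside the interface subnet. The function names and the sample text are assumptions constructed from values quoted in the thread.

```python
import ipaddress
import re

# Constructed sample in the format of the `show interface detailed vlan-40`
# output posted in the thread (pager prompt included on purpose).
SAMPLE_INTERFACE_OUTPUT = """\
Interface Name................................... vlan-40
IP Address....................................... 192.168.40.10
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 192.168.40.1
VLAN............................................. 40
--More-- or (q)uit
DHCP Proxy Mode.................................. Global
Primary DHCP Server.............................. 192.168.40.1
"""

# Client addresses named in the thread: the one observed, the one expected.
SAMPLE_CLIENT_IPS = ["192.168.100.94", "192.168.40.25"]

# "Key......... value": a key, a run of at least two dots, then the value.
_FIELD = re.compile(r"^\s*(.+?)\s*\.{2,}\s*(.*?)\s*$")


def parse_dotted_output(text):
    """Return {key: value}; pager prompts and blank lines do not match."""
    fields = {}
    for line in text.splitlines():
        match = _FIELD.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def interface_network(fields):
    """Build the subnet the dynamic interface sits in from address and mask."""
    cidr = f"{fields['IP Address']}/{fields['IP Netmask']}"
    return ipaddress.ip_network(cidr, strict=False)


def audit_leases(fields, client_ips):
    """Return one finding per client whose address is outside the subnet."""
    net = interface_network(fields)
    return [
        {
            "client": ip,
            "expected_subnet": str(net),
            "vlan": fields.get("VLAN"),
            "dhcp_proxy_mode": fields.get("DHCP Proxy Mode", "unknown"),
        }
        for ip in client_ips
        if ipaddress.ip_address(ip) not in net
    ]


if __name__ == "__main__":
    for finding in audit_leases(parse_dotted_output(SAMPLE_INTERFACE_OUTPUT),
                                SAMPLE_CLIENT_IPS):
        print(finding)
```
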