Guest VLAN and SSID with a DHCP router

I want to offer customers wireless access in my building. I've added VLAN 30 to my WAP with no encryption and broadcast the GUEST SSID. I also have a Netgear router plugged into a port with VLAN 30 access. I was hoping the wireless clients would get a DHCP address from this router since they are all on the same VLAN, but I cannot get it to work.
Does anyone have any insight on this, or another way to set up the guest VLAN?

You can create a guest VLAN.
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a00800e02cb.html#1074827

Similar Messages

  • 802.1x Guest Vlan and Routed access layer design

    Hi!
    For many reasons, I have to re-design my campus network in a more ISP-like way. The plan is to move to a routed access layer in the next two years. I have 802.1x with guest VLAN on my access ports (3750). I was reading on the subject and I found that the guest VLAN feature was not available with internal VLAN (routed port).
    Is this limitation really there? Is there a way I can get around it without complicating my design even more? Does Cisco have a plan to lift this?

    You cannot use/configure 802.1X on a routed port today. Typically, 802.1X is to be used for LAN edge ports.
    The Guest-VLAN should work with a routed access design though. If your Guest-VLAN is chosen to be separate from say otherwise statically configured access VLANs, you would need to configure it via separate SVI with corresponding IP info (in a routed access model).
    Hope this helps,

  • Vlan and SSID not showing in AP Web Interface

    We have a couple of APs that do not show the Vlans and SSIDs through the AP web interface.  If you go to the SSID manager page in web interface, the page comes up but does not show any of the SSIDs configured.  The same goes for Services - Vlan.  That page comes up but does not show any Vlans configured.  If you telnet to the APs, you see the listed mssid and all the SSID interfaces.  The SSIDs on the APs are functional and working.  This just makes it difficult to use the web interface for these APs.  I have tried to compare running configs on APs where web interface is not showing this and on APs that it is showing but cannot see any differences.
    Thanks.

    Unsupported things are never documented. You can't possibly list all browsers that you don't support.
    But if it's not mentioned clearly as supported then it means "it might work but we never tested with it".
    Let us know how it goes with the 12.4.21
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • Multiple Guest VLANs and Shared WLC

    Hi,
    I would like to add a second Internet ASA5xx gateway to our guest anchor wlc in the DMZ, which is connected to a guest vlan switch, so that the guest anchor wlc can connect guest users to two separate Internet gateways (i.e. guest vlan1 and vlan2). Two guest wireless networks are created in our environment, say SSID1 and SSID2, each anchoring to the guest WLC in the DMZ by Internal wlcs. I want to assign a different ip subnet to the two guest wireless SSIDs, say 10.251.255.0/24 and 10.251.256.0/24, to be provided by DHCP servers in the two ASA5xx.
    I want to implement this by creating a second guest VLAN interface in the guest anchor WLC and assign/connect this to the new ASA5xx box for the second Internet gateway. The second guest wireless SSID will be homed/anchored to this guest vlan2.
    Please advise how best I should implement this.
    many thanks
    Sankung   

    It sounds like you already have this done.  You have the second SSID already, you would need to create the second interface with the appropriate VLAN tag and subnet range.
    Then on the internal anchor the SSID to the same SSID in the DMZ
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html#wp999843
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Need help configuring multiple VLANs and SSIDs

    Hi,
    We bought a Cisco SGE2000P 24Port switch and 10 WAP4410N access points. Our intent is to provide a secure network to our LAN, and a guest network to the Internet.
    We are thinking 3 VLANs would be best for this: VLAN 100 connected to the LAN, VLAN 1000 for the Internet Router and Filter, and VLAN 1100 for the Guest Wireless access.
    We have the switch configured for all three of these, and 1 initial access point configured for the VLANS, too.
    We have not yet moved the current Internet connection to VLAN 1000 because we aren't sure how to setup routing between VLANS.
    Here are some specifics on how the traffic needs to route:
    1. We have the DHCP server, which is the PDC, handling both scopes for the LAN and Guest VLAN.
    2. The web filter in VLAN 1100 needs to authenticate with the DHCP server as there are different filter rules based on authenticated user. Any users coming from VLAN 1100 will have a default filter rule without requiring any authentication.
    3. Certain traffic coming in from the Internet needs to be able to get to VLAN 100. The router has a built-in firewall that handles NAT and port forwarding, so as long as traffic can be forwarded to VLAN 100 we should be good.
    4. Traffic on VLAN 1100 (guest Wireless network) should only be allowed to go to Internet (VLAN 1000).
    Right now I have the VLANs configured and the ports assigned to the Access Points are set for TAGGED and on VLAN 100 and VLAN 1100.
    The SGE2000P has the following IP addresses assigned to the VLANS:
    10.7.3.252 - VLAN 100
    10.7.40.254 - VLAN 1000
    192.168.254.254 - VLAN 1100
    Has anyone been able to setup a similar configuration? We have scoured the Internet for documentation but it seems to be very difficult to find!
    Thank you!
    Gary Smith

    Based on your description of a 'Hybrid Port' this sounds like Cisco's 'Multi-VLAN Port' that was a feature of the 2900XL/3500XL series switches. This feature has however long since gone......
    With a Cisco switch an access port supporting an Access VLAN & a Voice VLAN is effectively a Trunk with only one Tagged VLAN and the Native VLAN:
    interface FastEthernet0/1
    switchport mode access
    switchport access vlan 10
    switchport voice vlan 100
    This results in the same configuration as:
    interface FastEthernet0/1
    switchport mode trunk
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 10
    switchport trunk allowed vlan 100
    With the exception of CDP packets being sent advertising the Voice VLAN.
    With regards to other IP Phone vendors and DHCP Vendor Options - the answer is it depends....
    Nortel use Vendor Option 144 to inform the IP Phone of the Voice VLAN and Option 128 for the Server (PBX) to use. Ericsson uses Vendor Option 43 that can be configured to tell the IP Phone the VLAN and the Web server to read the config file from.
    I don't think you will get this working automatically with your 3Com switches, you can however manually configure the VLAN on the Cisco IP Phones.
    HTH
    Andy

  • WLC 7.4.110.0 where native vlan and SSID vlan is the same vlan

    Hi
    We have app. 1500 access points in app. 500 locations. WLCs are WiSM2s running 7.4.110.0. The APs are 1131 LAPs. In a FlexConnect configuration we use VLAN 410 as native VLAN and the SSID (LAN) also in VLAN 410. This works fine, never had any problems with this.
    Now we have started to use 1602 APs and the client connection on SSID LAN becomes unstable.
    If we configure a different SSID, using VLAN 420 and native VLAN as 410, everything works fine.
    I can't find any recommendations regarding the use of native VLAN/SSID VLAN.
    Is there anyone experiencing similar problems? Is this a problem with my configuration or is it a bug within the 1602 access points?
    Regards,
    Lars Christian

    It is the recommended design to put FlexConnect AP mgt into native vlan & user traffic to a tagged vlan.
    From the QoS perspective if you want to enforce WLC QoS profile values, you have to tag SSID traffic to a vlan (other than native vlan) & trust CoS on the switch port connected to FlexConnect AP (usually configured as trunk port)
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Help and questions with a belkin router

    So I am new to wireless networking. I bought a Belkin MIMO router, the connection is great. Took phone support to help with set up because not as straightforward as I thought it would be. My only concern is: When I tried to set up WEP encryption my Mac wouldn't recognize the password... in the end the tech guy said not to use a password.
    Question 1: Anybody have problems with setting up a password with a belkin router?
    Question 2: does this mean anyone who can see my network can ride along for free?
    Question3: does this mean people can see what sites I am using (like bank sites)
    The tech support said there was built in firewall and was enough protection. Is there something I should be doing on my mac as well?
    I don't mind so much others 'using' my connection. I just want it secure. I am soon ridding of wired PC so i will do banking online and want protection.....
    (BTW I am also considering getting a belkin with USB port for my printer to print wireless with my mac laptop)
    TIA

    If you do not setup a password, then your network is open for everyone to access - which is a bad thing in case you are wondering. Try using your password, but put a "$" in front of it. Some users have reported problems setting up WEP and sometimes adding that "$" works for some reason.
    As far as using that Canon printer wirelessly, if you have it connected to another computer, then you can print to it using printer sharing with no problems at all. If you want to have it free standing with no Mac/PC connected to it, then you will have to either get a wireless print server for it, go with Bluetooth, or use Apple's Airport which has a built-in print server.
    Since you already have the router, then using another PC as the print server or getting a print server is probably the way to go.

  • Autonomous AP1121 - Management Vlan and SSID Vlan

    Hello,
    We are using an ACS server to authenticate wireless users to Active Directory; this works fine. The issue occurs when we try to pull an IP and we can't from the DHCP. The VLAN we have the SSID on is VLAN 10 and the management VLAN of the AP is VLAN 500. The ip-helper info is correct because wired users on VLAN 10 get an IP immediately. We just can't pull one with the AP. Does anyone know the config for this? Here is my current config. The clients authenticate through the ACS 4.2 but pull no IP. The only way for me to manage the AP is to have the native vlan command on there; once I remove it I can't telnet. What is the fix for this? Thanks
    current switch port config ap is plugged into.
    interface FastEthernet1/0/48
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 500
    switchport mode trunk

    Do you have sub interfaces for vlan 10 being bridged through the radio interface?
    Example config below...
    interface Dot11Radio0.10
    description Secure Wireless access
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface FastEthernet0.10
    encapsulation dot1Q 10
    no ip route-cache
    bridge-group 10
    no bridge-group 10 source-learning
    bridge-group 10 spanning-disabled
    Also verify that vlan 10 is allowed on the trunk interface of the switch by typing "show int trunk"

  • Multiple VLANs per SSID with local switch

    Is it possible to use an 'AP Group' or 'Interface group' to assign multiple VLANs to a WLAN when remote, h-reap APs are in local switch mode? 
    If not, is there a way to overcome 500 maximum host per VLAN when APs are local switching?
    Thanks!

    Don't think it's possible...
    I don't know if the following config will even work but you can have the hreap APs connected at the remote site to map to different vlans...
    Example:
    AP1 -- ssid 1 --- vlan 10
    AP2 -- ssid 1 --- vlan 11 and so forth..
    Sounds crazy but i ll have to ponder on this a bit more.. Need a pen and paper to draw a quick topology :)...
    Sent from Cisco Technical Support iPhone App

  • Wired guest vlan with ISE

    Hi all,
    For those that have travelled down the path of ISE, is it reliable to put the all switch ports into a guest vlan and rely on the NAM to change that of corporate users? We will be using the NAM any connect supplicant for corporate users, so they should automatically be changed into the corporate vlan on successful authentication. Is this correct and is this reliable?
    Testing now with all ports on the corporate vlan has guests still accessing the corporate vlan initially before they are changed by the java applet upon registering as a guest user.
    Thanks
    Sent from Cisco Technical Support iPad App

    I will try to answer all of your questions:
    1. "With the standard port configuration, is it better to have the switch ports on vlan 40 (guest vlan) by default, and have the corporate users NAM supplicant change the vlan to 20 if successful, or the other way around and have the ports in default state on vlan 20 (corporate) and when a guest hits the web portal have their vlan changed to vlan 40"
       - I suppose the standard is to have the port in the regular/standard VLAN and only put failed authentications in the guest VLAN. However, with that being said, it really depends on what you are trying to accomplish, thus I suppose you could try doing it the other way around. I have never tested it nor deployed it that way so I highly recommend you try that in the lab.
    2. "I wanted to know if the change of vlan for corporate users with NAM is reliable?"
       - Yes it is. Well, at least for the most part. Some "dumb" devices such as printers, badge readers, etc., might not know that a VLAN was changed, thus never request a new IP address. As a result, they get stuck in the guest VLAN. That is why I usually like to NOT use guest VLAN but send all failed authentications through the guest portal. There you can control who is guest and who is not via dACLs.
    3. "We also plan on implementing low impact mode, ie open authentication with a default ACL as there are things like PXE booting that needs to happen"
       - So my guess is that the guest VLAN terminates on some interface such as FW DMZ. That interface usually has some ACL that blocks all RFC 1918 and permits everything else. If that is the case and you want to use Low-Impact mode, then you will need to grant the same access on the DMZ interface as the one granted in the Low-Impact mode ACL, otherwise things will break.

  • 802.1.x guest VLAN problem

    Hi,
    I have configured Guest VLAN on a switch port. When I power on the PC and I don't log in, the PC after some time goes to the Guest VLAN but it doesn't acquire an IP address, and after some time the port goes to unauthorized state and then after some time goes to the guest VLAN, and so on.
    I'm using XP SP2 with:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode DWORD Value = 3
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMode DWORD Value = 0
    Could someone give some help,please.
    Thanks
    BR

    The key here is your AuthMode setting to 0. With this setting, if a connection has already been authenticated with machine-auth, the user’s credentials will not be used for authentication. The only way I can imagine that the Guest-VLAN even comes up is if you have configured AuthMode = 0 AND then turned off machine-authentication.
    As for the Guest-VLAN getting deployed to a port, and how quickly this occurs, it's a function of the tx-period timer on the switch port. Once 3 Identity requests go unanswered, AND if you have Guest-VLAN configured, the port can then be enabled into the Guest-VLAN. DHCP cannot happen until a) 802.1x authorizes a port, or b) the Guest-VLAN is enabled (in which 802.1x authorization will time out).
    I have a general question though. What are you looking to accomplish with these specific settings? Based on your registry settings:
    *machine-auth should work if you have both 802.1x-user-auth + 802.1x-machine-auth enabled.
    *user-auth should work if you have 802.1x-user-auth enabled and 802.1x-machine-auth disabled.
    *Guest-VLAN should work if you have 802.1x disabled completely. NOTE: Guest-VLAN should not get deployed in the config, since the supplicant will send EAPOL-Starts, even though you have disabled machine-auth.
    Hope this helps.

  • Guest-vlan; catalyst 2960

    Hello,
    I would like to configure a guest-vlan and restricted-vlan on a 2960 switch, but I cannot.
    The IOS version (obtained through: show version) is:
    Switch Ports Model              SW Version            SW Image
    *    1 52    WS-C2960S-48FPS-L  12.2(53)SE2           C2960S-UNIVERSALK9-M
    I am trying to configure the interface using the following commands:
    RAK-ASW01#configure
    Configuring from terminal, memory, or network [terminal]?
    Enter configuration commands, one per line.  End with CNTL/Z.
    RAK-ASW01(config)#interface gigabitEthernet 1/0/11
    RAK-ASW01(config-if)#switchport mode access
    RAK-ASW01(config-if)#dot1x port-control auto
    RAK-ASW01(config-if)#dot1x guest-vlan 17
    RAK-ASW01(config-if)#end
    the result is the following, as if the guest-vlan is not supported:
    RAK-ASW01#show dot1x interface gigabitEthernet 1/0/11
    Dot1x Info for GigabitEthernet1/0/11
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = SINGLE_HOST
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 30
    RAK-ASW01#
    A similar result is obtained while trying to configure an auth-fail vlan.
    the full configuration file is attached.
    many thanks in advance,
    Alaeddine

    Hi,
    I am trying to see the guest-vlan configuration, but I was not able to see it. Therefore, my first thought was that the guest-vlan is not supported by this IOS release.
    Another point is that, although I am not able to see the configuration of the guest-vlan and the auth-fail vlan, they do exist and they are operational: when I try to connect a device to the switch and it fails to authenticate, the switch connects the device to the restricted vlan.
    So my question is: why I can not see the guest-vlan and the auth-fail vlan configuration?
    Thanks in advance,
    Alaeddine

  • Dot1x guest VLAN on 2960G

    Hi,
    I have a 2960 switch configured for dot1x authentication. The problem is the Guest VLAN and Restricted VLAN did not work. The switch port was stuck in authenticating status.
    The server is Juniper IC4500.
    Switch is 2960G, IOS 15.0(1)SE2
    the configuration:
    aaa new-model
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization exec default local
    aaa authorization network default group radius
    dot1x system-auth-control
    dot1x test timeout 30
    dot1x guest-vlan supplicant
    dot1x critical eapol
    interface FastEthernet0/32
    switchport access vlan 28
    switchport mode access
    authentication event fail action authorize vlan 41
    authentication event server dead action authorize vlan 41
    authentication event server dead action authorize voice
    authentication event no-response action authorize vlan 41
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order mab
    authentication port-control auto
    authentication timer reauthenticate 300
    authentication violation protect
    mab eap
    dot1x pae authenticator
    dot1x timeout quiet-period 5
    dot1x max-req 1
    dot1x max-reauth-req 1
    dot1x max-start 1
    spanning-tree portfast
    Anyone with experience on this pls help.
    Thanks,
    hoanghiep

    Forgot to mention that multi-auth does not support actions on either no-response or fail authentication events. So you need to set host-mode to MDA or single host.
    Ref:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1454875
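
An offline check for the condition described in the reply above, as an added example that is not part of the original thread or any Cisco tooling: it reads IOS-style interface stanzas and flags ports where a fail or no-response fallback VLAN is combined with host-mode multi-auth. The sample configuration is constructed from the port settings in the question, and the comparison of fallback VLAN against access VLAN is an extra check added here.

```python
import re

# Constructed sample: Fa0/32 mirrors the port in the question above,
# the other two ports are invented for comparison.
SAMPLE_CONFIG = """\
interface FastEthernet0/32
switchport access vlan 28
switchport mode access
authentication event fail action authorize vlan 41
authentication event server dead action authorize vlan 41
authentication event no-response action authorize vlan 41
authentication host-mode multi-auth
authentication port-control auto
!
interface FastEthernet0/33
switchport access vlan 28
authentication event fail action authorize vlan 41
authentication event no-response action authorize vlan 41
authentication host-mode single-host
authentication port-control auto
!
interface FastEthernet0/34
switchport access vlan 28
authentication event no-response action authorize vlan 28
authentication host-mode single-host
authentication port-control auto
"""

EVENT_RE = re.compile(
    r"^authentication event (fail|no-response) action authorize vlan (\d+)$")
HOST_MODE_RE = re.compile(r"^authentication host-mode (\S+)$")
ACCESS_VLAN_RE = re.compile(r"^switchport access vlan (\d+)$")


def parse_interfaces(config_text):
    """Split IOS-style text into {interface name: [config lines]}.

    Works on indented or flat (pasted) configs; '!' or a blank line
    ends the current interface stanza.
    """
    ports, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            ports[current].append(line)
    return ports


def audit_port(lines):
    """Return a list of findings for one interface stanza."""
    host_mode, access_vlan, fallbacks = None, None, []
    for line in lines:
        if m := HOST_MODE_RE.match(line):
            host_mode = m.group(1)
        elif m := ACCESS_VLAN_RE.match(line):
            access_vlan = int(m.group(1))
        elif m := EVENT_RE.match(line):
            fallbacks.append((m.group(1), int(m.group(2))))
    findings = []
    for event, vlan in fallbacks:
        # Condition from the reply: multi-auth does not act on these events.
        if host_mode == "multi-auth":
            findings.append(
                f"{event} fallback to VLAN {vlan} configured with host-mode multi-auth")
        # Added check: fallback VLAN gives no isolation from the access VLAN.
        if vlan == access_vlan:
            findings.append(
                f"{event} fallback VLAN {vlan} is the same as the access VLAN")
    return findings


def audit_config(config_text):
    """Return {interface: findings} for interfaces with at least one finding."""
    report = {}
    for name, lines in parse_interfaces(config_text).items():
        findings = audit_port(lines)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_config(SAMPLE_CONFIG).items():
        for finding in findings:
            print(f"{port}: {finding}")
```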

  • Multiple vlans configuration issue with RV016 router and SG 300-10MP switch

    Hi,
    I have to configure multiple VLANs served by a single DHCP server. As a first step, I just want the DHCP server to serve 2 VLANs. The following is the hardware and configuration that I implemented:
    Router (RV016 10/100 16-Port VPN Router) as gateway mode:
    IP : 172.16.0.1/24
    DHCP Server :
    IP : 172.16.0.2/24 GW: 172.16.0.1
    2 subnets :
    172.16.1.0/24 GW: 172.16.1.1 to serve vlan 1
    172.16.2.0/24 GW:172.16.2.1 to serve vlan 2
    Switch (SG 300-10MP 10-Port Gigabit PoE Managed Switch) as layer 3 mode:
    IP 172.16.0.254 (vlan 8 default)
    Vlan 1 : 172.16.1.1
    Vlan 2 : 172.16.2.1
    1 device connected on each vlan
    a workstation on the vlan 1
    a laptop on the vlan 2
    In this scenario (see the attached pdf file) the DHCP server is connected to a router, and hosts on the VLANs don't receive any IP address.
    But If I connect the DHCP server on a trunked switch port and adapt the DHCP server gateway 172.16.0.1 to 172.16.0.254, hosts receive ip address properly.
    I have to connect the DHCP server directly to the router. How can I do that, what is wrong in the configuration ?
    I hope the explanations are clear enough and my English too
    Any help will be highly appreciated,
    Zoubeir

    Hi Eric, the small business group doesn't support the ASA config, but  I can help with the switch.
    A couple things I notice in your description-
    48 port (192.168.1.254) and the other 24P (192.168.1.253) we have a second vlan 20 set up on the 24P switch (192.168.2.253) we have ports 1-12 set for vlan20 (untagged and trunk), the remaining ports on the default vlan 1.
    The connection between the switches, is it 1u, 2t?
    The link between the switches should be 1u, 2t, the switches support the trunking and vlan tagging, meaning all communication will work fine.
    We have the 24p and 48p switches connect using GE1 and GE1.  We are unable to ping a device on vlan 20 ( on the 24p switch
    The 24p switch should be in layer 2 mode, if you have the 48 port l3 switch upstream. Additionally, you need to have the default gateway set on the 24p switch.
    We have a static route set on the 24p switch (0.0.0.0 192.168.1.0). 
    Between the switches, it shouldn't require any static routes, assuming you correctly trunk / tag your ge1 ports, with both switches operating in l3, the ip route table dynamically builds the connected routes, therefore a static route is redundant.
    -Tom
    Please rate helpful posts

  • Connecting an AP1131 acting as WGB to AP root with two VLANS and two SSIDs

    Does someone know if I can connect an AP 1131 configured as WGB to another AP 1131 acting as root with 2 VLANs and 2 SSIDs, and pass all of them to the WGB ethernet port? I mean, passing the traffic from the 2 different VLANs with two different IP ranges from the ethernet AP root port to the ethernet WGB port.
    Thanks.

    Unfortunately it will not play. AP as a WGB can carry only one (native) VLAN. For interconnecting more VLANs you need a full wireless bridge but it cannot be AP11xx.
