Wireless Vlan

Hello -
I apologize if I am asking a question that has already been asked here, but I was hoping someone could provide me with some further clarification to help with my confusion on the subject.
My company is looking to deploy a company-wide WLAN solution with dynamic vlan assignment done by 802.1x (PEAP) using Radius as the authenticator. We already have a strong dot1x wired infrastructure, but being new to wireless deployment, I am getting hung up on wireless dot1q encapsulation.
Currently, there are about 30 different VLANs that users are placed in depending on their security-group membership in AD. When they want to use wireless as opposed to the wired network, can I associate all 30 something vlans to one 802.11 SSID? I find examples of tagging one SSID with one vlan, but not one SSID with multiple vlans using 802.1q tagging. Is this even possible?
Also, any clue why Aironets can't do VTP? From what it looks like, I have to go in and create all the vlans and bvi ints on each individual AP? We are deploying close to 75 APs to cover the entire company. Thanks for any help!

Thanks for the clarification. With that info, let me ask another question. How does dynamic vlan assignment work with wireless, if at all? The need for all the vlans is mostly for security purposes. There is one central MIS department, supporting 6 different companies, and those 6 companies have departments within them that also need to be isolated, hence the high number of vlans in this design.
I wouldn't want to turn on the beacon for all SSIDs, and maybe I would combine some of the Vlans for purposes of wireless, but could I have a Guest SSID associated with my guest vlan (10 in this case), and have the radius server return (again based on AD group association) another vlan? Would this redirect the wireless client to the proper SSID associated with the VLAN that they should be in, or do I have to manually configure the particular user to connect to the appropriate SSID?
I am basically trying to avoid having to image machines with the correct SSID preconfigured in the actual machine. We are using a 3rd party 802.1x supplicant and that would be a huge pain having to preconfigure a dozen different images for each type of machine we give out.
Thanks again for all your help!
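
What a RADIUS server returns for the dynamic VLAN assignment asked about above, as an added example that is not part of the original thread: the RFC 3580 tunnel attribute triple carried in an Access-Accept, built from group membership and parsed back the way an authenticator would. The AD group names, every VLAN number except guest VLAN 10, and the fall-back-to-guest policy are assumptions made for illustration.

```python
import struct

# Attribute numbers and values from RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN, TMT_IEEE_802 = 13, 6

# Constructed mapping: AD security group -> VLAN ID (hypothetical names and IDs).
GROUP_TO_VLAN = {"CompanyA-Finance": 110, "CompanyA-Engineering": 120, "MIS-Admins": 200}
GUEST_VLAN = 10  # guest VLAN number taken from the post


def select_vlan(ad_groups):
    """Pick the VLAN for a user. No match, or matches that disagree,
    fall back to the guest VLAN (assumed policy: least privilege on doubt)."""
    matches = {GROUP_TO_VLAN[g] for g in ad_groups if g in GROUP_TO_VLAN}
    return matches.pop() if len(matches) == 1 else GUEST_VLAN


def _tagged_int(attr_type, value, tag=0):
    # Tunnel-Type / Tunnel-Medium-Type: type, length 6, 1-byte tag, 3-byte value.
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def _string_attr(attr_type, text):
    data = text.encode("ascii")
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def vlan_attributes(vlan_id):
    """Encode the three attributes that tell the authenticator which VLAN to use."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return (_tagged_int(TUNNEL_TYPE, TT_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, TMT_IEEE_802)
            + _string_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)))


def parse_vlan(attrs):
    """Authenticator side: return the assigned VLAN ID, or None when the
    triple is incomplete or does not describe an 802 VLAN."""
    seen, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        seen[atype] = attrs[i + 2:i + alen]
        i += alen
    ttype = seen.get(TUNNEL_TYPE, b"")
    medium = seen.get(TUNNEL_MEDIUM_TYPE, b"")
    group = seen.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if len(ttype) != 4 or int.from_bytes(ttype[1:], "big") != TT_VLAN:
        return None
    if len(medium) != 4 or int.from_bytes(medium[1:], "big") != TMT_IEEE_802:
        return None
    if group and group[0] <= 0x1F:  # optional RFC 2868 tag byte
        group = group[1:]
    text = group.decode("ascii", "replace")
    if text.isdigit() and 1 <= int(text) <= 4094:
        return int(text)
    return None


if __name__ == "__main__":
    vlan = select_vlan(["Domain Users", "CompanyA-Finance"])
    print(vlan, vlan_attributes(vlan).hex())
```
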

Similar Messages

  • Wireless VLAN question

    I have two SSIDs on my Cisco 1242 APs.
    On one of the SSIDs I have clients that will constantly broadcast data (required).
    Will the broadcast traffic reach my other SSID? If so, is there a way to avoid it?
    Will creating a separate wireless VLAN on my AP and assigning it to that SSID contain broadcast traffic so it does not flood my other SSID?
    Thank you.

    Broadcast is allowed on the same subnet, so yes, broadcast will affect everyone in that subnet. Creating multiple subnets is what allows you to control the broadcast. Here is a link for autonomous for creating multiple vlan's.
    https://supportforums.cisco.com/docs/DOC-14496
    Sent from Cisco Technical Support iPhone App

  • CAPWAP Wireless VLAN in Routed Campus LAN

    I am configuring CISCO Wireless LAN Controller in College campus. We have the following components:
     1. CISCO 4510R as core switch and a centralized WLC is connected to Core Switch
     2. CISCO 3560 L3 switch at Distribution Layer Switch
     3. CISCO LWAP 1142
    I want to configure Wireless VLAN in a college campus Wireless LAN. The requirement is to configure Distribution switch as L3 so that VLAN will not reach till the Core Switch. That is, the Link between Distribution and Core Switch will be Layer 3 routed link and not a Trunk Link.
    Since it is a routed backbone environment, VLAN is configured only in distribution layer switches. So, these configured VLAN will not reach core switch.
    With that said, is it technically possible to achieve the Wireless VLAN in this above proposed setup?
    Do I have to configure Trunk between Distribution Switch (APs are connected) and Core Switch (WLC is connected), to pass the Wireless VLAN in the trunk link?
    Advance Thanks for reading and helping to get it clarified
    SAIRAM

    We are in the process of moving to a mostly routed Campus, and had similar questions and a few more. We will be using only EIGRP, with each enclave set-up as a stub. I was wondering if I can modify our wireless network to be strictly routed, and remove all the trunk/access configurations from the switch ports facing the APs, and hard code (static) all of them to IP routed ports. We only have one WLC active, with one back-up. The WLC is facing our core switches in a LAG set-up. The network was originally set-up with all the dynamic interfaces for each AP set-up in a GLBP fashion between our two cores. Each AP had a dynamic interface created in the WLC and added to one AP group. All of our APs are now connected via ethernet to the wired infrastructure, so none of our APs are in true MESH fashion anymore. We use Microsoft DHCP to issue out IPs to our APs.
    I was wondering if I can remove the dynamic interfaces from the WLC, and use EIGRP to sort of the routing of our wireless network. I would create L3 SVIs (multiple in some cases) on all the switches that APs are attached to, and modify each Microsoft DHCP scope to point to whatever AP model was used and to point to the WLC. Now, what I'm unsure on, how would this behave with no Native Vlan/User Vlans configured on trunk ports pointing toward the AP. I was thinking of using what was once used at the Native Vlan (subnet info), and using that same subnet to create an IP routed port facing the AP and modify the AP IP via the WLC to select static assign. I can place IP helper addresses under the routed port to face our DHCP server (not sure if this really matters, if I already place them under the user L3 SVIs). Before, I had a DHCP scope for the native and user subnet. Would the AP still be able to connect to the WLC correctly, if I delete the scope (used before for the native vlan), since it usually resolved the WLC IP via option 43 (it can use DNS instead). I would imagine so, since I will be placing these networks under EIGRP to advertise within our Campus, which has L3 reachability to the WLC. And under the user subnets, I would still configure the Microsoft DHCP scope to face the AP model and controller IP. There just wouldn't be a scope for the subnet that used to be for the Native Vlan. For any new set-up, I would pre-provision the AP under a user subnet access port, and then hard code it within the controller a static IP, to deploy later at the new site. For routed networks, are dynamic interfaces really necessary on the WLC? As long as L3 is working as intended, and the user switch has reachability to the Microsoft DHCP server, then users should be able to pull IPs fine through, correct?
    I've tested already with a PTP bridge we have, and hardcoded the ports to IP routed ports, and advertised it via EIGRP, and haven't noticed any issues with the customers pulling new IPs. I wanted to gather more information before deploying this across the board to our other types of wireless set-ups. I'm not using FlexConnect. I've moved most of our 1552e APs over to local mode recently, which have wired connections to the LAN.

  • Wireless vlan on Dell powerswitch 5448 to ASA5510

    I am trying to create a wireless vlan on a Dell 5448 which uplinks to a subinterface on an ASA5510.  My issue is I can't seem to get the switchport to trunk correctly between the vendor devices.  Essentially I am trying to "fix" our wireless network that is bouncing since a new neighbor moved in with powerful RF signals in an already polluted space.  Any suggestions would be appreciated.
    Thanks!

    I have built an interface of the 2106 for VLAN5 and the interfaces for the 2106 and the bridges are built as trunks and all vlans are allowed. If I plug in a laptop on the 3560 in the new building, and the port is assigned to VLAN5, I get an address and can surf out just fine. I will scrub the 2106 & 3750 configs and try and upload them. To further test I moved the DHCP scope onto the 2106 and my wireless client is able to get an address from the 2106, I can ping the interface on the 2106 (192.168.5.2), I just can't connect to the 3750 switch.

  • Wireless VLANs and Layer2/3 VLANs

    Dear,
    The vlans created for the mapping of SSID in embedded AP on cisco 1941 can be connected/communicated to the VLAN created on Layer2/3 switch.
    Let's say I have created 3 vlans (say 200,201,202) for 3 ssid and the vlan created on switch (say 200,201,202) can be communicated?
    Or are these wireless vlans purely for the mapping of ssid? Thanks

    Yes, that should be a trunk. The below link is the configuration guide:
    https://www.cisco.com/en/US/docs/routers/access/1900/software/configuration/guide/Software_Configuration.html
    http://www.cisco.com/en/US/docs/routers/access/1900/software/configuration/guide/wlan.html
    Regards
    Surendra

  • Wireless VLANs and WLC

    Hello,
    Designing a configuration for a Wireless solution. Have a 2951 with SRE-WLC and 4 port switch module. The documentation at
    http://www.cisco.com/en/US/docs/wireless/controller/controller_modules/sre/installation/guide/wlcsreinst.html#wp1072942 raised a couple of questions. Exact part of diagram from documentation is attached.
    The question is that VLANs configured on SRE-WLC and ones configured on local switched belong to different subnets. Why? For example on SRE-WLC VLAN 20 - 55.20.0.0/24, but on switch - VLAN 20 - 20.1.1.0/24. Why?
    Thanks!

    Hi George,
    Today I tried implementing APs on different VLAN than MGMT. Here is what I got:
    1. New out-of-box APs didn't join to WLC once placed directly to APs VLAN. However they were able to join the WLC once I put them back to MGMT Vlan. They upgraded their IOS from WLC, joined completely. After that I moved them back to APs VLAN and they started to join. So, here is the procedure - Open new AP from box, connect it to MGMT VLAN, wait for joining to WLC and then move them to APs VLAN. This is a little bit strange. Also I noticed that they were unable to join the WLC even on MGMT vlan if MGMT vlan is tagged on WLC and that tagged vlan is allowed on trunk. I have WLC on SRE, MGF trunk, VLANS and DHCP pools with option 43 configured. Will continue to investigate tomorrow.
    2. What was the most difficult and problematic issue is that the LED was disabled on all APs after joining the WLC. I have been thinking that there is an error but only then found that APs by default turned off LED after joining the WLC. Issuing config ap led-status enable all on wlc solved the problem.
    3. Also I regularly have been receiving
    %PARSER-4-BADCFG: Unexpected end of configuration file.
    during the AP joining to WLC. Don't know why. My APs are LAP1041n.
    Anyways, will continue digging tomorrow, hopefully will find a stable solution. My ideal solution will be:
    1. WLC Management is on MGMT VLAN - tagged vlan 20, static IP assignments.
    2. APs on separate AP VLAN - tagged vlan 15 - dynamic IP assignments from DHCP pool on ISR with option 43.
    3. Clients are on separate USERS VLAN - tagged vlan 10
    The native VLAN will be other VLAN - VLAN 25.

  • SonicWALL = Guest Wireless, VLANs, and DHCP

    All,
    I'm going to attempt to set up corporate and guest WIFI using Ubiquiti UniFi APs. I'm new to VLANs in general but understand that this is the likely approach. The equipment that I will be using is below
    - SonicWALL TZ-400 configured for PTP VPN to a SonicWALL E6500.
    - Ubiquiti toughswitch just for the APs
    - 4 Ubiquiti APs
    The SonicWALL E6500 (central location) does DHCP over VPN to all of the remote offices such as where this TZ-400 will be. I'm struggling with how to handle DHCP. If I set up VLANs say VLAN 10 for corporate to pull DHCP as normal and VLAN 20 for guest WIFI. How can I tell VLAN 20 to get a different range of IPs so that I can restrict from the corporate network range? The toughswitch would be using its own interface on the TZ400. Does what I'm trying to accomplish make sense and is it possible?
    This topic first appeared in the Spiceworks Community

    Setup:
    Sonicwall TZ205
    Created a sub-interface – X0:V100 with an IP address of 10.45.1.1.
    Created a DHCP scope for said IP ranged associated with X0:V100 within Sonicwall.
    Three Netgear switches:
    A. 24 Port + 4 SFP
    B. 24 Port + 4 SFP
    C. 48 Port + 4 SFP
    1. Sonic wall connected to switch C on port 1
    2. Switch C connected to switch B using port 47
    3. Switch B connected to switch C using port 23
    4. Switch B connected to switch A using port 25 – (GB SFP over fiber)
    5. Switch A connected to switch B using port 25 – (GB SFP over fiber)
    6. Ubiquiti AP connected to switch A on port 2
    VLAN 1 – default
    · All ports on all switches are untagged for default VLAN 1
    VLAN 100 – meant for wireless guests
    · Ports 2 and 25 are Tagged for V100 on switch A – all other ports are blank for V100
    · Ports 23 and 25 are Tagged for V100 on switch B – all other ports are blank for V100
    · Ports 1 and 47...

  • How to interconnect wireless VLAN client and wired VLAN with Cisco 800

    Hello
    Please send a sample config in order to interconnect one Wireless PC (@IP 10.0.0.1/24) that belongs to VLAN 1 (thru Cisco 837) to an external Internet Router that is connected to port Fastethernet 4 of the Cisco 837 (@IP 172.18.124.111/16).
    PS:
    My Cisco 837 config works fine when connecting 2 Wireless PC in 2 different VLAN
    Warm Regards

    Configure a default static route on 837 router pointing to the External router [ip route 0.0.0.0 0.0.0.0 . Make sure the NATing is done for PC on VLAN 1.

  • Wireless VLANs

    I have a question about the 800 16 wireless LAN you can make you that both 2.4GHz and 5GHz on?

    pcfreak49 wrote:I have a question about the 800 16 wireless LAN you can make you that both 2.4GHz and 5GHz on?
    A single AP can only broadcast a max of 16 SSIDs. You can however make many more SSIDs and VLANS but this would require AP groups. 
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Cisco ACL for Wireless VLAN's

    Hi all and Merry Christmas to you.
    So I have been off work for a few days now playing in my lab, I have configured a number of VLAN’s to separate Data, Voice, Servers, Games Consoles and Guest on my Cisco 1142, I know it may be a bit of an overkill but it’s just me doing a bit of lab work and learning.
    What I’m after doing now is setting up ACL’s to deny the Guest and Games Console VLAN from accessing my LAN and I’m not sure where to start, I want the consoles only to be able to connect to PSN and Xbox networks as well as my DHCP server, and the guest network to connect to the web but again not my LAN, this is for users who come round with phones and tablets.
    My lab look like this:-
    Broadband > Cisco RVS4000 (soon to be ASA) > WS-C3560 > 1142 AP.
    My DHCP server is on VLAN 6 with an IP address of 192.168.6.241
    VLANs are: -
    interface Vlan5
    description *****DATA VLAN*****
    ip address 192.168.5.253 255.255.255.240
    ip helper-address 192.168.6.241
    interface Vlan6
    description *****Servers*****
    ip address 192.168.6.254 255.255.255.240
    interface Vlan7
    description *****VOICE*****
    ip address 192.168.7.254 255.255.255.240
    ip helper-address 192.168.6.241
    interface Vlan8
    description *****VOICE WIFI*****
    ip address 192.168.8.254 255.255.255.240
    ip helper-address 192.168.6.241
    interface Vlan9
    description *****WIFI CONSOLES*****
    ip address 192.168.9.254 255.255.255.240
    ip helper-address 192.168.6.241
    interface Vlan10
    description *****WiFi Home*****
    ip address 192.168.10.254 255.255.255.240
    ip helper-address 192.168.6.241
    interface Vlan11
    description *****WiFi Guest*****
    ip address 192.168.11.254 255.255.255.240
    ip helper-address 192.168.6.241
    interface Vlan12
    description *****Management*****
    ip address 192.168.12.254 255.255.255.240
    The AP config looks like:
    dot11 ssid Console
       vlan 9
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii 7 094F4107170A051103
    dot11 ssid Home
       vlan 10
       authentication open eap eap_methods
       authentication network-eap eap_methods
       guest-mode
       mbssid guest-mode
    interface Dot11Radio0.9
    encapsulation dot1Q 9
    ip helper-address 192.168.6.241
    no ip route-cache
    bridge-group 9
    bridge-group 9 subscriber-loop-control
    bridge-group 9 block-unknown-source
    no bridge-group 9 source-learning
    no bridge-group 9 unicast-flooding
    bridge-group 9 spanning-disabled
    interface Dot11Radio0.10
    encapsulation dot1Q 10
    ip helper-address 192.168.6.241
    no ip route-cache
    bridge-group 10
    bridge-group 10 subscriber-loop-control
    bridge-group 10 block-unknown-source
    no bridge-group 10 source-learning
    no bridge-group 10 unicast-flooding
    bridge-group 10 spanning-disabled
    interface Dot11Radio0.12
    encapsulation dot1Q 12 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    At the minute I’m just trying to stop Console getting to the Home network before I move onto the rest.
    I have not got a clue where to start or where to place the ACL’s, would they be on the Switch or the AP itself?
    Hope you can help me out.
    Happy new year
    Martyn

    Here is a support document in regards to autonomous ACL:
    https://supportforums.cisco.com/docs/DOC-13768
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"
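
One way to check a Console-to-Home block before it goes on a device, as an added example that is not from the thread or the linked document: a candidate extended ACL for the Console VLAN, evaluated with first-match and implicit-deny semantics against sample packets. The ACL itself, its placement inbound on the switch's interface Vlan9, and the assumption that the consoles' DNS resolver sits outside 192.168.0.0/16 are hypothetical; the subnets and DHCP server address come from the post.

```python
import ipaddress

# Hypothetical ACL for the Console VLAN (192.168.9.240/28 per the post's SVI),
# intended for "ip access-group ... in" on interface Vlan9 of the L3 switch.
# Assumes DNS is outside 192.168.0.0/16; otherwise add a permit above the deny.
CONSOLE_ACL = """
permit udp host 0.0.0.0 eq 68 host 255.255.255.255 eq 67
permit udp 192.168.9.240 0.0.0.15 host 192.168.6.241 eq 67
deny ip 192.168.9.240 0.0.0.15 192.168.0.0 0.0.255.255
permit ip 192.168.9.240 0.0.0.15 any
"""


def _take_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) ints."""
    head = tok.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(head)), int(ipaddress.IPv4Address(tok.pop(0)))


def _take_port(tok):
    """Consume an optional 'eq N' port match."""
    if tok and tok[0] == "eq":
        tok.pop(0)
        return int(tok.pop(0))
    return None


def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok.pop(0), tok.pop(0)
        src, sport = _take_addr(tok), _take_port(tok)
        dst, dport = _take_addr(tok), _take_port(tok)
        if action not in ("permit", "deny") or tok:
            raise ValueError(f"unsupported ACL line: {line!r}")
        rules.append((action, proto, src, sport, dst, dport))
    return rules


def _addr_match(spec, ip):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)


def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """Return 'permit' or 'deny' for one packet: first matching line wins."""
    for action, r_proto, r_src, r_sport, r_dst, r_dport in rules:
        if r_proto not in ("ip", proto):
            continue
        if not (_addr_match(r_src, src) and _addr_match(r_dst, dst)):
            continue
        if r_sport is not None and r_sport != sport:
            continue
        if r_dport is not None and r_dport != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every ACL


RULES = parse_acl(CONSOLE_ACL)

if __name__ == "__main__":
    # Constructed sample packets: (proto, src, dst, sport, dport)
    samples = [
        ("udp", "0.0.0.0", "255.255.255.255", 68, 67),       # DHCP discover
        ("tcp", "192.168.9.245", "192.168.10.245", 50000, 445),  # console -> Home
        ("tcp", "192.168.9.245", "203.0.113.10", 50000, 443),    # console -> internet
    ]
    for p in samples:
        print(p, evaluate(RULES, p[0], p[1], p[2], p[3], p[4]))
```
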

  • Wireless vlan security help

    I set up a second ssid and vlan for guests. The native and original vlan is in place and requires WEP. I set the second vlan to broadcast the SSID and have no encryption. I have clients connect, and almost have everything done. The only thing I can't figure out is how to isolate the traffic from the second vlan to the first. I have the second vlan set up so that the users cannot see anything on the native vlan, but I can ping the servers by IP address and if I try to connect from the second vlan to the first, it lets me with a valid username and password. This tells me that if a guest comes in, and has a virus, that computer can maybe infect computers on the native vlan. How can I truly isolate the traffic from one vlan and have it access only the default gateway?

    I need to route the guest vlan to the default gateway. I have multiple access points, so I need to route the guest vlan on the L3 interfaces. I have the route statement added for the guest vlan network addresses pointing to the default gateway, but if I try to connect using the native vlan IP address, I can get to stuff.

  • Wireless VLAN and Native VLAN

    OK, I’m a bit confused about what to do with the native VLAN. I know that for QoS/CoS, I should not use VLAN1 as the native VLAN. I also know that I should use a separate VLAN as the management VLAN. So I’m left thinking, do I need a native VLAN? If I do, can I just make a dumb VLAN that goes nowhere and use that as the native VLAN? Or am I just completely missing something. Thanks

    The native VLAN must also be your management VLAN for Cisco APs.
    The Native VLAN can be any number, as long as you configure it accordingly.
    Also keep in mind that the local RADIUS server, and DHCP will only deliver to the native VLAN. If you intend to use either of those services on the non-native VLAN/SSID, you'll need to have a layer three device on the line to forward that traffic.
    Good Luck
    Scott

  • Separate vlan for wireless voice

    Hi all, I'm about to embark on reconfiguring my home lab, at present I have just 2 vlans which are for VoIP and data, I'm going to split my network so I have the following:
    Data VLAN for our home PC's
    Voice VLAN for phones
    1 wireless VLAN for home laptops
    1 wireless VLAN for games consoles
    1 wireless guest access so I don't have to give out my own ssid credentials
    1 Management VLAN
    My question is do I have a separate VLAN for wireless VOIP or do I just use the same Voice VLAN?
    Regards
    Martyn
    Sent from Cisco Technical Support iPad App

    Martyn:
    Both solutions are valid. You can use the current voice VLAN or create a new VLAN.
    If you create a new VLAN you need to apply needed QoS to wired side as well.
    If your current Voice VLAN is already configured for QoS then using it for wireless voice is easier.
    So the preferred option is to use your current voice VLAN for wireless voice as well.
    HTH
    Amjad

  • RV110W - trying to set up 2 VLANS - are there docs / help for this?

    I am trying to set up an RV110W router with 2 VLANs - 1 for guests to the office to just have internet access via wireless and another for employees to be able to access the LAN and internet wirelessly. I have not done anything with VLANs before, so please bear with me.
    I thought this would be simple, but banging my head against the wall with all the terms in the docs:
    http://www.cisco.com/en/US/docs/routers/csbr/rv110w/administration/guide/rv110w_admin.pdf
    port 1 is connected to a wired LAN / unmanaged switch with office PCs. So these machines / nothing on this subnet tag the packets before they get to the router.  This subnet is using 10.10.1.0/24
    Port 2 is connected to an Engenius EAP 300, a wireless access point that can broadcast SSIDs and tie each SSID to a different VLAN.
    SSID1 is called Private and is set to be VLAN 1. There's encryption on this SSID - only office staff would be able to log on.
    SSID2 is called public and is set to be VLAN 10.  There's no encryption on this SSID.
    I know - the router also does this, but where the router is vs. where the wireless is needed, we need to have the Engenius at that remote location.
    I have the RV110W set to give out 10.10.1.0/24 IPs when you connect to the SSID1 / VLAN1
    And it gives out 10.10.10.0/24 IPs when you connect to the public SSID / VLAN10.
    Both get on the internet fine.  The only issue is how to set the VLAN membership for each port / and any other settings so that the wireless devices on VLAN 1 can get to the LAN devices on Port 1 (and the public / vlan 10 devices on the wireless network to NOT get to the devices on port 1, but I think that's working).
    I played with tagged / untagged / excluded, for the port membership, but either the wireless VLAN 1 devices get blocked from even the web (when port 2 is set to untagged, since they ARE tagged VLAN1) or they can't get to port 1 when set to tagged, since the port 1 devices are all untagged and the reply packets get blocked?
    The doc for this unit talks about inter-vlan routing but doesn't explain what that is.  The wireless isolation should be turned on for vlan 10, right? We don't want guests to be able to access other guests' machines?
    I saw on page 71 on how to set up the guest network, but that's using the wireless built into the box, not a wireless access point.
    Overall, what I want is:
    VLAN 1: port 2 (with tagged VLAN1 packets) and port 1 (with untagged packets) can pass data between each other and access the internet
    VLAN10: port 2 with tagged VLAN10 packets can only get to the internet.
    Is that doable?
    How?

    thanks.  Still not working
    For the vlan membership page
    when set like this:
              port 1      port 2
    vlan1     untagged    untagged
    vlan10    excluded    tagged
    connecting to the vlan1 wireless SSID on port 2, I can't even get an IP address from the router (the dhcp request can't even come through port 2 because it's saying vlan1 packets have to be untagged?
    connecting to the vlan 10 wireless SSID on port 2 gets a DHCP address and can only get to the web, so that's good.
    If I change the membership to:
              port 1      port 2
    vlan1     untagged    tagged
    vlan10    excluded    tagged
    connecting to both SSIDs on port 2 will get you a dhcp address, and vlan1 devices can get into port 1, but trying to admin the wireless access device on port 2 or even pinging it, now fails -  'cause the router gatekeeper says if you want to come through port 2, your packets have to be tagged? and the packets from port 1 to port 2 are untagged?
    If I change the membership to:
              port 1      port 2
    vlan1     tagged      tagged
    vlan10    excluded    tagged
    connecting to both SSIDs on port 2 will get you a dhcp address, but replies from the wired PC on port 1 / vlan1 can't get back out of port 1 'cause the router gatekeeper says if you want to leave through port 1, your packets have to be tagged? and the ping reply is coming from a device with untagged packets?  although the devices on vlan1 / port 1 CAN get on the web with their untagged packets.
    the wireless device says it supports 802.1q
    http://www.engeniustech.com/resources/EAP300_DataSheet_v2.1.pdf
    when they say port 2 / vlan 1 tagged, is it saying packets coming in FROM devices on that port have to be tagged? Or packets going TO devices on that port have to be tagged?  or both directions?
    Any advice?

  • Getting Wireless Users onto LAN

    Hello All,
    We currently purchased 2 AP's and a 2106 WLC and I am having some trouble getting the wireless users to communicate to the network on the other side of the WLC. Here is a very simple diagram on how this is all connected.
    3750X L3 Switch --> 2106 WLC --> AP
    LAN Network - 10.10.0.0/16           Wireless Users Network - 10.100.21.0/24
    So with a laptop, I can get a DHCP reservation from the WLC to the 10.100.21.0/24 network. From there though, I cannot ping anything in the 10.10.0.0/16 network. I know that I am talking across two different networks so by default they shouldn't be able to communicate, but I feel like I am missing a setting on the WLC that will allow the two networks to communicate.
    Management Interface:
    IP Address: 10.10.20.100
    Netmask: 255.255.0.0
    Gateway: 10.10.0.1
    DHCP Info: 10.10.20.100
    Here is the config for my test interface (which may be the problem):
    IP Address: 10.100.21.2
    Netmask: 255.255.255.0
    Gateway: 10.100.21.1
    DHCP Info: 10.10.20.100
    Thanks in advance for taking a look.

    Hello George,
    Thanks for the reply. I believe I have routes that allow both these networks to talk, currently we are redesigning our network so bear with me as the setup is a little goofy.
    The way our devices are connected in terms of the wireless configuration:
    Internet <-> ASA <-> 3750 switch <-> WLC <-> AP <-> Laptop
                                          |
                                      My PC    
    So, currently our default gateway for our LAN (10.10.0.1) is the inside interface of the ASA (like I said, working on changing this). On the ASA I also have a static route configured so any traffic destined for 10.100.21.0/24 is sent to 10.10.20.2 which is our 3750 Switch.
    On the 3750 switch I set a default gateway for our wireless network of 10.100.21.1. I also configured the trunk from the post above so there is a trunk between the 3750 and the WLC allowing the LAN VLAN and Wireless VLAN to send data across it.
    On our WLC I have this configured:
    Management Interface:
    IP Address: 10.10.20.100
    Netmask: 255.255.0.0
    Gateway: 10.10.0.1
    DHCP Info: 10.10.20.100
    Here is the config for my test interface (which may be the problem):
    IP Address: 10.100.21.2
    Netmask: 255.255.255.0
    Gateway: 10.100.21.1
    DHCP Info: 10.10.20.100
    From my LAN I can ping 10.100.21.1
    Our host on the wireless can get an IP, but when it attempts to ping anything (even its gateway) I get no replies.
    Going back to your question of if we have routes for both networks to talk, I believe we do, unless I am missing something.
    Thanks again for your reply and taking the time to look at this.
