separate wireless traffic from LAN traffic

kevin-taylor2
Level 1

I have some branch locations with a simple setup: a router with an access switch connected to it, then another access switch connected to that one to provide PoE to IP phones. Currently all devices are in the same VLAN.

I also have an access point connected to the access switch (non-PoE) which provides wireless services to our visitors and personnel. I've been trying to separate the wireless traffic into its own VLAN. The AP provides DHCP services to the users that connect to it, and when it's set up in the same VLAN as the switches everything works fine.

AP config sample:

int bvi1
 ip address 192.168.2.10 255.255.255.0

Access switch sample:

int fa0/20
 switchport access vlan 2
 switchport mode access
int fa0/1
 switchport mode trunk
 switchport trunk native vlan 1

Router sample:

int fa0
int fa0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
int fa0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0

router bgp 65515
 network 192.168.1.0
 network 192.168.2.0

I used sample configs because I don't have the original configs on me at the time. I must admit there are also static routes in place to facilitate use of an SD-WAN circuit. A default route sends all unknown unicast traffic to the SD-WAN interface, while other static routes send traffic across our MPLS WAN.

Since everything works when all devices are in the same VLAN, I'm sure something is wrong in my configuration. 

When I modify the setup to accommodate the new VLAN, I can connect to the AP and reach locations across the WLAN, but have no internet connectivity. I know I'm missing something simple. Can I get some suggestions on where else to look?

9 Replies

balaji.bandi
Hall of Fame

What does your network diagram look like?

You mentioned SD-WAN; is this a spoke site you are trying to make changes on?

Wireless traffic for guest users: does that mean you are going to use a different SSID for the guest or BYOD setup?

What WLC and AP model are in place?


BB


Thanks for the quick response.

With regards to SD-WAN, this is a spoke site.

The access points, either Aironet 1231 or Aironet 1602, will show one SSID. Users that connect with organization provided equipment will be able to access network resources because they will be authenticated through our external identity management. Users on BYOD will get internet only traffic.

I know my previous message was a bit cryptic, but I realized that IP routes were implemented as the SD-WAN interfaces were brought up. Even though the new VLAN is within the BGP scopes, no outside connectivity is provided. But I can traverse the WAN and other branch offices if I don't apply the access list prohibiting access.

Here are sanitized configs to help. I've included the configs relevant to creating this VLAN. The VLAN interface on the router is currently shut down because I had to put everything back to the previous configuration so I can still provide wireless to my end users.

Access Point:

ip dhcp excluded-address 192.168.165.1 192.168.165.49
ip dhcp excluded-address 192.168.165.201 192.168.165.255
!
ip dhcp pool inet-only
network 192.168.165.0 255.255.255.0
default-router 192.168.165.1
dns-server 10.x.y.z 10.z.y.x
lease 0 10
!

dot11 ssid wireless_guest
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii 7 XXXXXXXXXXXXXXXXXX
!

interface Dot11Radio0
no ip address
!
encryption mode ciphers aes-ccm
!
ssid wireless_guest
!
antenna gain 0
stbc
beamform ofdm
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!


Switch:

interface FastEthernet0/1
description Router
switchport trunk native vlan 160
switchport mode trunk
switchport nonegotiate
spanning-tree bpduguard enable
!
interface FastEthernet0/20
description Wreless
switchport access vlan 165
switchport mode access
spanning-tree portfast
!

sh int trunk

Port Mode Encapsulation Status Native vlan
Fa0/1 on 802.1q trunking 160

Port Vlans allowed on trunk
Fa0/1 1-4094

Port Vlans allowed and active in management domain
Fa0/1 1,160,165

Port Vlans in spanning tree forwarding state and not pruned
Fa0/1 1,160,165

#sh int f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 160 (VLAN0160)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Router:

interface GigabitEthernet0/0/0
description Arlington LAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
no cdp enable
!
interface GigabitEthernet0/0/0.160
encapsulation dot1Q 160 native
ip address 192.168.160.1 255.255.255.0
!
interface GigabitEthernet0/0/0.165
encapsulation dot1Q 165
ip address 192.168.165.1 255.255.255.0
ip nat inside
shutdown
!
router bgp 6aaaaa
bgp log-neighbor-changes
network 10.11.160.0 mask 255.255.255.252
network 192.168.160.0
network 192.168.165.0
timers bgp 15 45
neighbor 10.11.160.2 remote-as 1xxxx
neighbor 10.11.160.2 send-community both
neighbor 10.11.160.2 soft-reconfiguration inbound
!

ip route 0.0.0.0 0.0.0.0 12.129.140.65
ip route 10.0.0.0 255.0.0.0 10.11.160.2
ip route 10.10.10.0 255.255.255.0 10.11.160.2
ip route 172.16.0.0 255.240.0.0 10.11.160.2
ip route 172.16.20.0 255.255.255.0 10.11.160.2
ip route 192.168.0.0 255.255.0.0 10.11.160.2

Thanks for the additional information and the partial configs. I see ip nat inside on what appears to be the wireless subinterface. I do not see any ip nat outside command or any other commands to implement NAT. Those are still number one on my list of possible problems.

HTH

Rick

As this is an active circuit and I need to get approval for adding them, they are not implemented on the router yet.

Hello,

I assume the router is also doing the NAT for VLAN 1? Have you added the access list entry for the new VLAN also, so the router knows that it has to translate 192.168.2.0/24 as well?

There is much that we do not know about this environment, and that makes it difficult to accurately identify the issue. But based on what we know so far, I agree with @Georg Pauwen that most likely the issue is that there is no address translation for the wireless traffic. If we had more information, especially the configuration of the router, we could be more confident in our suggestions.

HTH

Rick
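The two diagnoses above (ip nat inside with no ip nat outside and no translation rule; a NAT access list that does not yet name the new subnet) can be checked offline against the intended config before the change window. The script below is an added example, not code from this thread or from Cisco. It parses an IOS-style router config and reports what is missing for the hosts behind a given LAN subinterface. The sample configs are constructed from the router snippet posted above; the outside interface GigabitEthernet0/0/1 and the ACL name NAT-GUEST are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed from the router snippet posted above: VLAN 165 has
# 'ip nat inside' and nothing else yet, and the subinterface is still shut.
POSTED_CONFIG = """
interface GigabitEthernet0/0/0.160
 encapsulation dot1Q 160 native
 ip address 192.168.160.1 255.255.255.0
!
interface GigabitEthernet0/0/0.165
 encapsulation dot1Q 165
 ip address 192.168.165.1 255.255.255.0
 ip nat inside
 shutdown
!
"""

# Constructed: what the finished change is meant to look like. The outside
# interface GigabitEthernet0/0/1 and the ACL name NAT-GUEST are hypothetical.
INTENDED_CONFIG = POSTED_CONFIG.replace(" shutdown\n", "") + """
interface GigabitEthernet0/0/1
 ip nat outside
!
ip nat inside source list NAT-GUEST interface GigabitEthernet0/0/1 overload
!
ip access-list standard NAT-GUEST
 permit 192.168.165.0 0.0.0.255
"""

def parse_interfaces(cfg):
    """Map each 'interface X' block to its list of indented config lines."""
    blocks, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks

def _acl_target(text):
    """Turn 'A.B.C.D wildcard', 'host X' or 'any' into an IPv4Network."""
    parts = text.split()
    if parts[0] == "host":
        parts = [parts[1], "0.0.0.0"]
    wildcard = parts[1] if len(parts) > 1 else "0.0.0.0"
    if parts[0] == "any" or wildcard == "255.255.255.255":
        return ipaddress.ip_network("0.0.0.0/0")
    if wildcard == "0.0.0.0":
        return ipaddress.ip_network(f"{parts[0]}/32")
    try:  # a zero-leading mask after '/' is read by ipaddress as a hostmask
        return ipaddress.ip_network(f"{parts[0]}/{wildcard}", strict=False)
    except ValueError:  # non-contiguous wildcard: not handled here
        return None

def acl_permits(cfg, name):
    """Networks permitted by a standard ACL, named or numbered."""
    nets, in_block = [], False
    for line in cfg.splitlines():
        if line == f"ip access-list standard {name}":
            in_block = True
            continue
        if in_block and line.startswith(" "):
            entry = re.match(r"\s*(?:\d+\s+)?permit\s+(.*)", line)
        else:
            in_block = False
            entry = re.match(rf"access-list {re.escape(name)} permit (.*)", line)
        if entry:
            nets.append(_acl_target(entry.group(1)))
    return [n for n in nets if n is not None]

def nat_findings(cfg, lan_if):
    """Reasons NAT would not work for hosts behind lan_if; empty list means OK."""
    ifaces = parse_interfaces(cfg)
    lan, findings = ifaces.get(lan_if, []), []
    if "ip nat inside" not in lan:
        findings.append(f"{lan_if}: missing 'ip nat inside'")
    if "shutdown" in lan:
        findings.append(f"{lan_if}: interface is shut down")
    addr = next((l for l in lan if l.startswith("ip address ")), None)
    if addr is None:
        return findings + [f"{lan_if}: no ip address configured"]
    ip, mask = addr.split()[2:4]
    subnet = ipaddress.ip_interface(f"{ip}/{mask}").network
    outside = {name for name, lines in ifaces.items() if "ip nat outside" in lines}
    if not outside:
        findings.append("no interface has 'ip nat outside'")
    rules = re.findall(
        r"^ip nat inside source list (\S+) (?:interface (\S+)|pool \S+)", cfg, re.M)
    if not rules:
        return findings + ["no 'ip nat inside source list ...' rule"]
    covered = False
    for acl, out_if in rules:
        if out_if and out_if not in outside:
            findings.append(f"NAT rule points at {out_if}, which is not 'ip nat outside'")
        covered |= any(subnet.subnet_of(n) for n in acl_permits(cfg, acl))
    if not covered:
        findings.append(f"no NAT ACL permits {subnet}")  # the new VLAN must be in the ACL
    return findings
```

Run nat_findings(POSTED_CONFIG, "GigabitEthernet0/0/0.165") to see the three gaps in the posted state (shut interface, no outside interface, no translation rule); the intended config returns an empty list for VLAN 165, while asking about GigabitEthernet0/0/0.160 shows what happens when a subnet is left out of the NAT ACL.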

As I just responded above, I need to get permission to apply the remaining configs for NAT. I am aware those configs are not complete.

Seeing the incomplete production configs is not helpful to us. What would be helpful is to post what you intend the configs to look like as you make the change.

HTH

Rick

There will only be translation for VLAN 165, as this is the wireless VLAN.