Cisco VLAN – Setting Up 2 VLANs with Cisco Router 1100 Series and Aironet 1300

ciscocisco-iosrouter

I am struggling and I don't really know what I need to setup my network.

I have a Cisco router C1111-8p (8 switch ports) and a wifi AP C1832.


                         +---------------+
    +----------+         |               | trunk port             +--------------+
    |          |         |               |                        |              |
    |ISP modem +-------->+0/0/0          +------------------------+  WIFI AP     |
    |          |         |             0/1/0                      |  SSID10      |
    +----------+         |               +------------------------+  SSID20      |
                         |               |   VLAN 10 for SSID10   |              |
                         |  0/1/1        |   VLAN 20 for SSID20   |              |
                         +---------------+                        +--------------+
                             |
                             |
                       +------------------+
                       |      SERVER      |
                       +------------------+

0/1/* are the 8 switch ports
GigabitEthernet 0/0/0 is the WAN port

I'd like a different subnet for each VLAN for each SSID:

SSID10 on VLAN 10 with 10.10.10.0/24
SSID20 on VLAN 20 with 10.10.20.0/24
Everything else on 10.10.1.0/24

Everybody should access the Internet.

Here is my current configuration:

# Setup ISP internet connection
configure terminal
interface GigabitEthernet 0/0/0
ip address 219.a.b.c 255.255.255.252
no shutdown
ip route 0.0.0.0 0.0.0.0 219.a.b.d

#Setup the trunk port for the Wifi AP
configure terminal
interface GigabitEthernet 0/1/0
switchport mode trunk
switchport trunk native vlan 1
switchport trunk allowed vlan add 1,10,20
switchport nonegotiate
no shutdown

# Setup the switch port for the server that will host RADIUS and SQUID
configure terminal
interface GigabitEthernet 0/1/1
switchport mode access
ip address 10.10.1.1 255.255.255.0

# Configure VLANs
configure terminal
vlan 10
vlan 20
interface vlan 10
ip address 10.10.10.1 255.255.255.0
no shutdown
vlan 20
interface vlan 20
ip address 10.10.20.1 255.255.255.0
no shutdown

Question 1:

Do I need to setup a DHCP for each VLAN? A single DHCP server? What's the difference with a DHCP pool?
- Should I exclude subnet of VLANs? ip dhcp excluded-address
- Should I create a different pool for each VLAN subnet?

Question 2:

How the AP is working with all the VLANs and native VLAN?
- I set the native VLAN at 1 in both router and AP.

Question 3:

Will the AP be able to access the RADIUS/SQUID server in a different subnet 10.10.1.0/24?

Best Answer

If interface GigabitEthernet 0/1/1 is a switch interface, you will not be able to assign an IP address to it. You need to assign the address to the SVI the way you did for the other VLANs. The default VLAN is VLAN 1, and it is the native VLAN by default.

You do need a DHCP pool for each VLAN. If the DHCP server is not the one in the router, you must use DHCP relay (ip helper-address) on the SVIs for the VLANs to which the DHCP server is not connected; this is not necessary if you use the router DHCP server. You exclude any addresses in the DHCP pool for each VLAN that are statically configured on devices. If you use the router DHCP server, you do not need to do that for the router interface because the router will automatically do that for you.

The WAP will get its management address from the native VLAN. You could use DHCP, but you would normally want to statically assign that address (exclude from the DHCP pool). You then configure each SSID to one of the tagged VLANs on the trunk between the switch interface and the WAP.

The WAP and the server will be on the same VLAN (VLAN 1), so, yes, the WAP and server can directly communicate through the switch because they will be addressed on the same network and VLAN.

Edit for the new question about NAT:

You make any interfaces, including SVIs, that need to use NAT as either inside or outside interfaces, depending on your needs. If you want the VLANs with Private addresses to be able to use the public Internet, then the interface connected to the Internet should be an outside interface, and the VLAN SVIs should be inside interfaces, and the NAT ACL should include those networks.

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10

Cisco – Configure Cisco Aironet 1600 AP with RADIUS and multiple VLANs

One way to solve this problem is to change the AP connection to a layer 2 trunk with both VLANs on the trunk. You can have two different SSIDs (one for users, one for guests) and each SSID is associated with a VLAN. When a client connects to the Guest SSID, her data goes on VL 200; a regular user's data goes on VL 100.

You will need separate DHCP scopes for each VLAN, either on the AP or a central DHCP server.

Best Answer

Related Solutions

Cisco ASA Routing Issue

Your ASA configuration:

ASA static routing example:

Your Cisco Router's configuration:

Router static routing example:

Cisco – Configure Cisco Aironet 1600 AP with RADIUS and multiple VLANs

Related Topic