Need a VLAN refresher. Let's go to school lol

[lkailburn]

You could try adding

switchport access vlan 2

on your trunk ports and see if that changes. I am not familiar with HP switches though.

If you are doing DCHP you can plug in a client and see if you are getting VLAN 1 or 2 IP ranges.

Thanks. Yeah the HP web interface is not super intuitive to me at this point. I have some screen captures I can sure if we need.
At the moment I have no wired vlan2 needs, only wireless. The ap seems to be doing it's job tagging, as when I connect to the staff wifi tagged with vlan 1 I get a DHCP ip from the appropriate range.

I'll see if I can read some more helpful guides on the HP equip other than the HP manual

 

[lkailburn]

I need to bump this up for a little extra help. I thought I understood how I need to set up this switch but now i'm not so sure.

Again I have vlan 1 for staff wired and wireless ssid and vlan 2 for guest wireless only
I have a dhcp scope setup on the router for both vlans
Everything on the staff side is working fine including wireless
guest wireless gets no dhcp, and a static doesn't get me anywhere either

On the HP switch I have all access point ports set as trunk ports with vlan 1 untagged, and vlan 2 tagged.

On these trunk ports do I need to tag both vlan1 and vlan2 and leave nothing as untagged?

If the issue isn't at the HP switch I need to revisit my 881 config and make sure that is setup correctly but it looks identical between the two dhcp I setup.

EDIT: the switch doesn't actually let me set the trunk ports as tagged for vlan 1 and 2. when I issue the commans, the ports remain untagged for vlan1 and tagged for vlan 2

 

[alkemyst]

Sounds like the IP's for VLAN2 are not routing properly across the network.

Can you post your current configs?

 

[lkailburn]

Keep in mind the end goal is to not allow the vlans to talk to each other, and to only allow vlan2 internet access, but yes something isn't getting across.

here is the current config on the cisco 881 router. It is acting as the DHCP and gateway.

FPCCisco#sh run
Building configuration...

Current configuration : 2061 bytes
!
! Last configuration change at 22:37:05 UTC Tue Jul 9 2013
! NVRAM config last updated at 22:25:10 UTC Tue Jul 9 2013
! NVRAM config last updated at 22:25:10 UTC Tue Jul 9 2013
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname FPCCisco
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$tY6b$MD/gP9FbzouozLLA736M.0
enable password *********
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.29
ip dhcp excluded-address 192.168.2.1 192.168.2.29
ip dhcp excluded-address 192.168.1.125
ip dhcp excluded-address 192.168.1.120
ip dhcp excluded-address 192.168.1.115
!
ip dhcp pool StaffNetwork
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 75.75.76.76
lease 8
!
ip dhcp pool GuestNetwork
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 75.75.76.76
lease 8
!
!
ip cef
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-K9 sn FTX170480SK
license boot module c880-data level advipservices
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
switchport mode trunk
no ip address
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
ip address 192.168.10.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password *******
login
transport input all
!
end



I'm not sure if there is a way to pull the config from the HP switch.
To sum it up

Ports 1-19 are for staff only and are set as "untagged" for vlan1
Ports 20-23 are for the HP access points which are broadcasting both staff and guest networks, tagging them with vlan 1 or vlan 2
Port 24 is the uplink to the cisco 881

Ports 20-24 are set as trunk ports and are "untagged" for vlan1 and "tagged" for vlan 2.

The switch has a vlan interface of 192.168.1.15 and 192.168.2.15

 

[alkemyst]

I'd get rid of all the access lists until you have connectivity. check your ip routing table to see if you have all destinations.

You can try a simple

router rip
default-information originate
no auto-summarize
network 192.168.10.0
network 192.168.1.0
network 192.168.2.0


I would also add the excluded-addressed for your vlan interfaces and devices statically assigned addresses in the 192.168.1.x and 192.168.2.x space under the ip dchp pool commands.

domain-name may be needed for each of the pools as well.

 

[Cooky]

can't get rid of the ACL's - they're required for NAT.
Try:
Assign interface fa1 to vlan 2, and see if you can get DHCP lease & connect, if you plug a host there.

vlan 1 is native vlan by default on Cisco devices; chances are it's the same on HP, which is why it's not tagged.

 

[alkemyst]

can't get rid of the ACL's - they're required for NAT.
Try:
Assign interface fa1 to vlan 2, and see if you can get DHCP lease & connect, if you plug a host there.

vlan 1 is native vlan by default on Cisco devices; chances are it's the same on HP, which is why it's not tagged.

Good idea...

OP

int fa1
switchport mode access
switchport access vlan 2
no shut

plug in direct.

 

[lkailburn]

A little update. If I static a .2 network while connected to the guest network, I can ping 192.168.2.15 which is the vlan int assigned at the switch. I cannot ping the 192.168.2.1 of the router though.

edit: just saw the updated posts. Good idea, I wouldn't have thought of that. so basically setting port fastethernet 1 to the vlan2 and seeing if I get anything

BIG TIME EDIT UPDATE:
haha

so i'm typing along to your suggestion cooky, and your notes alke and I get to "switchport access vlan 2"
and it spits out
"Access VLAN does not exist. Creating vlan 2"

I reread it like 5 times going wtf? lol soo.. I checked my laptop, connected to guest network and boom it's got an address and can ping the router! whoop whoop
So I guess I now realize simply by creating the Vlan interfaces, it did not create the vlan 2 on the router? I checked the running config and besides the config direct on fa1 I see no mention of the newly created vlan 2

 

[alkemyst]

A little update. If I static a .2 network while connected to the guest network, I can ping 192.168.2.15 which is the vlan int assigned at the switch. I cannot ping the 192.168.2.1 of the router though.

edit: just saw the updated posts. Good idea though I wouldn't have thought of that. so basically setting port fastethernet 1 to the vlan2 and seeing if I get anything

That is sort of normal since you are directly connected. The switch may not be getting routed to the router still.