Need a VLAN refresher. Let's go to school lol

lkailburn · Jul 3, 2013

Hey guys, looking to do a little refresher course on vlans. So I still remember the basics about 802.1Q, and tags and trunks. But i'm getting fuzzy around the nitty gritty details pertaining to my specific case.

My goal is to setup a vlan'ed wireless network for a local church using the following:
4 x HP MSM 410 POE Access Points (802.1Q capable)
1 x HP V1910-24G POE managed switch (802.1Q capable)
1 x Cisco 881 Router (802.1Q capable)

So the goal here is to setup dual SSID's on all 4 access points. One for staff and one for guest, that are each tagged with their own VLAN to provide guest isolation. Guest's need to be able to get internet access but nothing else. In this environment we do not need to worry about users traveling between access points.

So all of the above devices are 802.1Q capable. Where i'm a little fuzzy is how I want to setup the ports and or trunks. Since the APs will be providing traffic tagged with both VLANS I can't just do port based VLAN on the switch

On the ISP side, the church has Comcast business class which comes in to an SMC router over coax. The Ethernet line from the Comcast to the cisco would be set as a trunk port? able to handle all vlan's? Here's where i'm especially fuzzy is how the traffic gets handled past the Cisco to the SMC.
Same question for the port from switch to router, I remember from theory it needs to be setup as a trunk port able to pass all vlan traffic..but fuzzy on the details.

As you can clearly see i'm in need of a refresher

I'll be happy to provide any additional details as needed.

Thanks I really do appreciate it!

Luke

Cooky · Jul 3, 2013

Since the AP's 1Q capable, you can just connect them to the switch via trunk ports, which would carry staff, guest, and management VLAN if you choose to have it.
Again a trunk port between switch & router.
The router handles the routing, and security, where you can apply ACL to the guest VLAN/sub-interface, so that guests can't touch the staff or management subnets.

The same goal can be achieved w/ more complex way, such as VRF's, and route-target import/export, but what I said above should be the most straight forward way.

lkailburn · Jul 4, 2013

hey Cooky, that's what I was thinking about the APs since they will be tagging the packets right away, then the switch ports they access would be like trunks, handling multiple vlans.

So what i'm still gray on is the line from the cisco wan, to the Comcast SMC lan side. Any thoughts?

lif_andi · Jul 4, 2013

Cisco to WAN does not need to be trunked as far as I know. Cisco will handle the traffic forwarding to the WAN. You need trunk ports for: switch-switch and switch-router. That's it. All other ports are access ports and are assigned to VLANs.

Cooky · Jul 4, 2013

The connection to SMC needs to go through interface FastEthernet4 on Cisco 881 (labeled as something like "FE WAN" on router).
Fa4 is just a regular routed port, no special config is needed as far as access vs trunk is concerned.

881 comes w/ five ethernet ports - Fa0 - 3 are the LAN ports, and they're configured as integrated switch modules, so command syntax would be the same as if you're configuring a Cisco switch.
Fa4 is the WAN port; it's configured as a normal routed port.
The command syntax for Fa4 would be the same as any IOS router.

Is the SMC a cable modem / router combo, or is it strictly a router that Comcast gave you for free?
If it's just a router that they don't manage, I would just plug the Cisco 881 straight into the cable modem, bypassing the SMC, since it probably doesn't give you any benefits.
If the SMC is Comcast managed, then you'll need to keep it, as it may be their way of providing remote support.

alkemyst · Jul 4, 2013

Here is how you'd configure three on Cisco gear:
https://supportforums.cisco.com/docs/DOC-14496

lkailburn · Jul 4, 2013

lif_andi said:
Cisco to WAN does not need to be trunked as far as I know. Cisco will handle the traffic forwarding to the WAN. You need trunk ports for: switch-switch and switch-router. That's it. All other ports are access ports and are assigned to VLANs.

if all other ports are access ports and assigned a vlan, how will the dual SSID(vlan tagged) wireless networks pass traffic? The APs are 802.1Q capable and will be configured to broadcast both staff and guest networks at each location, and assign a vlan to each wireless network. would the ports they are on need to be a trunk port then to allow both vlans to pass

Cooky said:
The connection to SMC needs to go through interface FastEthernet4 on Cisco 881 (labeled as something like "FE WAN" on router).
Fa4 is just a regular routed port, no special config is needed as far as access vs trunk is concerned.

881 comes w/ five ethernet ports - Fa0 - 3 are the LAN ports, and they're configured as integrated switch modules, so command syntax would be the same as if you're configuring a Cisco switch.
Fa4 is the WAN port; it's configured as a normal routed port.
The command syntax for Fa4 would be the same as any IOS router.

Is the SMC a cable modem / router combo, or is it strictly a router that Comcast gave you for free?
If it's just a router that they don't manage, I would just plug the Cisco 881 straight into the cable modem, bypassing the SMC, since it probably doesn't give you any benefits.
If the SMC is Comcast managed, then you'll need to keep it, as it may be their way of providing remote support.

the SMC is a cable modem/router combo with coax in, and fast Ethernet out. I do have web login credentials to it.

again thanks to all who've chimed in!

Cooky · Jul 4, 2013

Just configure all ports as trunk (AP to switch, and switch to Cisco 881), except from router to SMC, which is a regular router port.

In certain enterprise wireless networking deployments, the AP's are centrally managed by a wireless controller.
In such cases, the AP's would connect to the switches via access port, because multiple vlan's are encapsulated inside a tunnel, at least that's the case for Cisco/Airespace.
This is probably not how yours is deployed, since there's only four AP's, so you can disregard this, but just an FYI that in some scenarios, the AP is connected via an access port, even though multiple VLAN's are supported.

lif_andi · Jul 4, 2013

Yeah sorry, access points will need to be trunked of course, towards cisco, oversight of text.

lkailburn · Jul 5, 2013

Ah ok very good to know! yes you are correct, in this scenario we are not managing the APs via a controller, just individual/standalone.

Well guys I think this has really helped me on the conceptual! now it just comes down to the individual syntax needed to set up. If I get stuck, I know where to come back for help.

Thanks again!

lkailburn · Jul 7, 2013

So I've got the HP access points setup with ssid's and vlans. currently working on the cisco router. I have FE0 setup as trunk mode.

I can't seem to figure out how to create subinterfaces, vlans and assign the ip's. Do I create the subinterfaces on FE0? If so, anytime I try to edit a subint I get a syntax error at the /. example interface fastethernet 0/0.1 gives syntax error at the /

EDIT: Scratch that. It looks like I've got the VLANS created and assigned an IP. So am I not using subinterfaces in this scenario?
I'm pasting the current sh run

FPCCisco#sh run
Building configuration...

Current configuration : 1439 bytes
!
! Last configuration change at 18:04:19 UTC Sun Jul 7 2013
! NVRAM config last updated at 18:04:25 UTC Sun Jul 7 2013
! NVRAM config last updated at 18:04:25 UTC Sun Jul 7 2013
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname FPCCisco
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$tY6b$MD/gP9FbzouozLLA736M.0
enable password **********
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
no ip routing
!
!
!
!
!
no ip cef
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-K9 sn FTX170480SK
license boot module c880-data level advipservices
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
switchport mode trunk
no ip address
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
ip address 192.168.10.2 255.255.255.0
no ip route-cache
duplex half
speed auto
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
no ip route-cache
shutdown
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password **********
login
transport input all
!
end

lif_andi · Jul 7, 2013

Now, I'm doing this in packet tracer, and I don't have your router there, but to create subinterfaces you will need to type in:

R1(config)#int fa0/0.1 (the last number is whatever you want, but the number of the vlan associated with it is recommended)

That's it. Make more with other numbers, such as vlan 2: R1(config)#int fa0/0.2

the vlan interface IP address is not what you are going for, essentially it's just a way for you to connect remotely to that router, it doesn't really do anything. To create a vlan and associate it with a port you should type on your switch (this is a cisco switch I'm using, it may be different on yours):

Switch(config)#interface x/x
Switch(config-if)#switchport access vlan X (X is number of vlan you want associated with your port.)

Hope this helps.

lkailburn · Jul 7, 2013

Thanks. but that's where I get a syntax error. I go into config t, then I type:
int fa0/0.1

and it says Invalid input detected at ^ marker.(pointing to the / )

Thoughts?

lif_andi · Jul 7, 2013

Seems this is not the kinda configuration I'm used to.

I found this though, hope it helps:https://supportforums.cisco.com/thread/2124467

So to correct my previous error, according to that thread, your vlan interfaces are what you need.

alkemyst · Jul 7, 2013

lkailburn said:
Thanks. but that's where I get a syntax error. I go into config t, then I type:
int fa0/0.1

and it says Invalid input detected at ^ marker.(pointing to the / )

Thoughts?

Type it all out...

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a00800949fd.shtml

https://learningnetwork.cisco.com/thread/14587

lkailburn · Jul 7, 2013

ah nice! sweet that looks very nearly identical to what i'm setting up. so now I just need to work on the ACL to block vlan 2 from getting to vlan 1(after I test everything onsite

)

lkailburn · Jul 7, 2013

alkemyst said:
Type it all out...

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a00800949fd.shtml

https://learningnetwork.cisco.com/thread/14587

typing:
interface fastethernet 0/0.1

still gives the same syntax error pointing at the / symbol.

lif_andi · Jul 7, 2013

Well, the ACL is not so hard I suppose, if you need some help just give me the ip range of each vlan and we can figure it out.

Cooky · Jul 7, 2013

as I've said previously, port Fa0 - 3 are supposed to be configured as a switch, while port Fa4 is configured as a router.
So, you can NOT configure a sub-interface on Fa0, and that's why you got a syntax error.
Instead, you just configure it as a trunk port, which you already did:
"interface FastEthernet0
switchport mode trunk"

No other config is necessary on port Fa0.
===========
If the config you pasted above is the current running-config, you'll also need to:
1. un-shut SVI vlan 1.
It's in the shut-down state

2. Turn on routing & CEF.
They're disabled right now.

3. Make the WAN port, Fa4 full-duplex.
It's set to half-duplex right now, which will cause you a lot of collisions.

There are other things you can probably do to optimize your network, but the above are the minimal of what you need to get it up & running.

lkailburn · Jul 8, 2013

thanks COoky! fixed the above suggestions, and also added two DHCP scopes for my two vlans. For now the router is set as the DNS server, will it pass DNS traffic as is for both networks? The church will soon be adding a Windows server at which point will probably move dhcp and dns services(at least for the staffnetwork)

here is the updated sh run:

FPCCisco#sh run
Building configuration...

Current configuration : 1726 bytes
!
! Last configuration change at 17:04:02 UTC Mon Jul 8 2013
! NVRAM config last updated at 17:04:11 UTC Mon Jul 8 2013
! NVRAM config last updated at 17:04:11 UTC Mon Jul 8 2013
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname FPCCisco
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$tY6b$MD/gP9FbzouozLLA736M.0
enable password ***********
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.29
ip dhcp excluded-address 192.168.2.1 192.168.2.29
!
ip dhcp pool StaffNetwork
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
lease 8
!
ip dhcp pool GuestNetwork
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 192.168.2.1
lease 8
!
!
ip cef
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-K9 sn FTX170480SK
license boot module c880-data level advipservices
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
switchport mode trunk
no ip address
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
ip address 192.168.10.2 255.255.255.0
duplex full
speed auto
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password **********
login
transport input all
!
end

Cooky · Jul 8, 2013

-DHCP/DNS
I've never used a Cisco router as DNS server before, so not 100% sure on this, but I believe you'll need more than what you have for the router to act as DNS server.
A quicker way is simply pass the DNS server info that's provided by your ISP.
But this would require your 881 being a DHCP client on port Fa4, instead of static IP.
===
-NAT
If the SMC NAT's all RFC1918 subnets, then you should be all set.
However, if the SMC only NAT's 192.168.10.0/24, then you'll need to have the 881 NAT the two client subnets as well, otherwise the clients won't be able to traverse to the Internet.
This involves "ip nat" commands - look it up.
===
-interface
Fa4 should be set to auto/auto for duplex/speed.
If you desire to hard-code, do it for both speed & duplex, but not just one.

lkailburn · Jul 8, 2013

Cooky said:
-DHCP/DNS
I've never used a Cisco router as DNS server before, so not 100% sure on this, but I believe you'll need more than what you have for the router to act as DNS server.
A quicker way is simply pass the DNS server info that's provided by your ISP.
But this would require your 881 being a DHCP client on port Fa4, instead of static IP.
===
-NAT
If the SMC NAT's all RFC1918 subnets, then you should be all set.
However, if the SMC only NAT's 192.168.10.0/24, then you'll need to have the 881 NAT the two client subnets as well, otherwise the clients won't be able to traverse to the Internet.
This involves "ip nat" commands - look it up.
===
-interface
Fa4 should be set to auto/auto for duplex/speed.
If you desire to hard-code, do it for both speed & duplex, but not just one.

Thanks again cook. In the current environment the SMC is the DHCP server handling 192.168.1.x with ISP dns servers. i'll just add those to the cisco router lan side to use.
SMC should be good for all subnets, the 192.168.10.x is just what I plan on changing the smc lan side. Currently the SMC lan side is 192.168.1.x, but the church wants to maintain that scheme for the lan, this side of the cisco.

Thanks again for all the help!! Been tremendous

lkailburn · Jul 11, 2013

Ok we got them up and running the other day. I had to add the following in order to get traffic flowing from the Lan to the Wan side of the cisco:

ip nat outside ( on int FA4)
ip nat inside (on both VLAN2 and VLAN 2 interfaces)
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.10.1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

Admittingly I'm not sure if all of them were needed, I was in a hurry to get traffic flowing for the church. For now things are wide open, I have no other ACLs.
Right now, VLan1 is working great and everyone is getting IPs from the pool both wired and wireless, but if I test the guestwireless(vlan2) i'm unable to get an IP. I'm guessing it has something to do with my port configuration on the HP switch that is in between the AP and the router. I have the AP's on trunk ports on the HP switch but still doesn't seem to want to go.

So in theory is a trunk port an untagged or tagged member of any vlans?

Thanks!

alkemyst · Jul 11, 2013

You could try adding

switchport access vlan 2

on your trunk ports and see if that changes. I am not familiar with HP switches though.

If you are doing DCHP you can plug in a client and see if you are getting VLAN 1 or 2 IP ranges.

lif_andi · Jul 11, 2013

Have you tried using a cable for the guest network? Might have something to do with dhcp configuration, in which case wired would not work either.

Need a VLAN refresher. Let's go to school lol

Senior member

Golden Member

Senior member

Member

Golden Member

No Lifer

Senior member

Golden Member

Member

Senior member

Senior member

Member

Senior member

Member

No Lifer

Senior member

Senior member

Member

Golden Member

Senior member

Golden Member

Senior member

Senior member

No Lifer

Member