I am attempting to set up a test environment for a guest WiFi network. My aim is to use a separate SSID on a completely different subnet and keep it totally isolated from the management subnet.

So far, I have a Cisco Aironet 1602 broadcasting two different SSIDs as follows:

management-wifi - 192.168.0.x
guest-wifi - 172.16.0.x

The Aironet is controlled by a Cisco 2505 Wireless Controller which has the following interfaces:

management - 192.168.0.240
guest - 172.16.0.240

Between the wireless clients and the internet sits a Cisco Catalyst WS-C2960 switch, a Cisco ASA 5505 and a Cisco 887VA router.

I have both 192.168.0.x and 172.16.0.x interfaces configured on the ASA, but so far I am only able to reach out to the internet if I am connected to the 192.168.0.x network. When I have an IP address on the 172.16.0.x network I cannot see any devices locally or the internet. Can anyone assist me in configuring this, as I suspect I need to do something with the VLANs at the switch level?

This is my switch config:

Current configuration : 5782 bytes
!
! Last configuration change at 01:39:12 gmt Sun Apr 11 1993 by administrator
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ms-testswitch
!
boot-start-marker
boot-end-marker
!
no logging console
!
username administrator privilege 15 secret 5 $1$GyJu$uqo9yOnAb4vy8Tg2RoJrf.
username ccpuser privilege 15 secret 5 $1$Zmgi$TDnFyiE5YpS8KV46KvThW/
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
clock timezone gmt 0 0
clock summer-time gmt recurring
system mtu routing 1500
vtp mode transparent
!
!
ip domain-name test.local
!
!
crypto pki trustpoint TP-self-signed-1865058432
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1865058432
 revocation-check none
 rsakeypair TP-self-signed-1865058432
!
!
crypto pki certificate chain TP-self-signed-1865058432
 certificate self-signed 01
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 172,192
!
!
!
!
!
interface FastEthernet0/1
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport trunk allowed vlan 172,192
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport mode trunk
!
interface FastEthernet0/8
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/13
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/14
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/15
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/17
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/18
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/19
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/20
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/21
 switchport access vlan 192
!
interface FastEthernet0/22
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/23
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/24
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport access vlan 192
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 172
 switchport mode access
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan172
 ip address 172.16.0.252 255.255.255.0
 no ip route-cache
!
interface Vlan192
 ip address 192.168.0.252 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.0.250
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
snmp-server community switches RO
snmp-server location Project Room
snmp-server contact IT
snmp-server chassis-id ms
!
!
!
!
line con 0
 privilege level 15
line vty 0 4
 exec-timeout 0 0
 privilege level 15
line vty 5 15
 exec-timeout 0 0
 privilege level 15
!
end

If anyone could help me I would really appreciate any suggestions. Merry Christmas!

Becky

1 Answer

When you are using a WLC, you only need the Wi-Fi management VLAN going to the WAP. The WLC doesn't need to be on the same network, and it probably shouldn't be (a WLC can be in a completely different location than the WAPs).

The WAP management VLAN really has nothing to do with the Wi-Fi user networks; it is used for the CAPWAP tunnel back to the WLC, and each WAP can be on the same or different Wi-Fi management VLANs.

The switch to which the WLC is connected needs to trunk the Wi-Fi user VLANs to the WLC. The management and user traffic will use the CAPWAP tunnel from the WAP to the WLC, and it will enter the correct VLAN at the WLC.

Ron Maupin
  • Hi @Ron, you have lost me a little there. Once I have this set up in our test lab, the goal is to integrate it into our live network, which has over 50 different subnets, all of which will have WAPs on different subnets. So for each live subnet, I will need to create a guest subnet also to keep it totally isolated. Would you be able to clarify and expand on the part where you said that the switch needs to trunk the WiFi users' VLAN? How can I do this? – Becky Jan 05 '17 at 15:40
  • For example, the wireless user VLANs (not the same as the wired user VLANs) are trunked between the WLC and the switch to which it is connected. The user switches will have a VLAN for the WAPs connected to the user switches. That VLAN is the wireless management VLAN. All the traffic from the WAPs will use that VLAN, and the wireless user VLANs are tunneled through that VLAN using CAPWAP to the WLC, where they are split out to the wireless user VLANs. – Ron Maupin Jan 05 '17 at 15:48
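The answer's point is that only the trunk towards the WLC has to carry the wireless user VLANs, while the WAP port just needs the wireless management VLAN. A quick way to check which wired ports in a config like the one posted can actually see the guest VLAN is to parse the interface stanzas and apply the IOS rules (access ports carry one VLAN; a trunk with no `allowed vlan` list carries every VLAN defined on the switch). This is an added example, not code from the question or the answer; the sample config is a condensed copy of the posted one and the VLAN numbers 172 and 192 come from the page.

```python
import re

# Constructed sample: a condensed copy of the switch config from the question.
SAMPLE_CONFIG = """\
vlan 172,192
!
interface FastEthernet0/1
 switchport access vlan 192
 switchport mode access
!
interface FastEthernet0/5
 switchport trunk allowed vlan 172,192
 switchport mode trunk
!
interface FastEthernet0/7
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport access vlan 172
 switchport mode access
!
"""

def parse_vlan_list(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '172,192' or '10-12,20' into a set."""
    vlans: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def port_vlans(config: str) -> dict[str, set[int]]:
    """Map each physical switchport to the VLANs whose frames it carries.
    Access ports carry their access VLAN (VLAN 1 if none is set); trunks carry
    their 'allowed vlan' list, or every defined VLAN when no list is configured."""
    defined: set[int] = {1}
    for m in re.finditer(r"^vlan ([\d,\-]+)$", config, re.M):
        defined |= parse_vlan_list(m.group(1))
    result: dict[str, set[int]] = {}
    for block in re.split(r"^!\s*$", config, flags=re.M):
        name = re.search(r"^interface (\S+)", block, re.M)
        if not name or name.group(1).startswith("Vlan"):  # skip SVIs
            continue
        mode = re.search(r"^ switchport mode (\w+)", block, re.M)
        access = re.search(r"^ switchport access vlan (\d+)", block, re.M)
        allowed = re.search(r"^ switchport trunk allowed vlan ([\d,\-]+)", block, re.M)
        if mode and mode.group(1) == "trunk":
            result[name.group(1)] = parse_vlan_list(allowed.group(1)) if allowed else set(defined)
        else:
            result[name.group(1)] = {int(access.group(1)) if access else 1}
    return result

def ports_carrying(config: str, vlan: int) -> set[str]:
    """Names of the ports on which frames tagged or untagged for `vlan` can appear."""
    return {port for port, vlans in port_vlans(config).items() if vlan in vlans}
```

Running `ports_carrying(SAMPLE_CONFIG, 172)` lists the ports where guest traffic can leave the switch, which is the set that has to contain the WLC trunk and should contain little else if the guest VLAN is meant to stay isolated.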