Page 1 of 2 1 2 Last
Results 1 to 25 of 37
  tdean (#1)

    Can someone help me with a basic, yet frustrating routing issue?

    For months I've been trying, off and on, to set up a guest wireless network at work. I have the WLC config all set, and I get an IP from the DHCP pool when I connect, but I can't get to the internet.

    Here's the basic setup, which I'm sure could be done in a more efficient manner...

    End user -->(Router and FW plugged into this) switch (172.22.1.241) -->Router(DG - 1.240)-->Remote Subnet (2.0) or back to Switch and out FW (1.234) to Internet

    The WLC is connected to H3 on the switch and is "Tagged" as vlan5 172.22.5.3
    The guest network on WLC is 172.22.5.2, DG set as 5.1 (subinterface of router)

    Can ping the sub-interface on the router (5.1) from a workstation (1.0 or 2.0).
    WLC is 5.2. Cannot ping that.
    Switch can ping the DG, but not the 5.1 sub-int.
    Switch can ping the WLC 5.2 and VLAN 5, the 5.3.
    Do I need to enable routing on the ProCurve switch? Is it a tagging issue?

    I'm so confused right now it's ridiculous.

  networker050184 (Moderator, #2)
    I can't understand your topology. Can you post a better topology and possibly some more technical config info?

  tdean (#3)
    Sorry.... We have 2 sites connected by an EVPL line. That's the reason for the router.

    OK, the ASA FW and the router are connected to the switch. The router is the default gateway; that's where I added the subinterface for the guest network. The WLC guest network is physically connected to port H3 on the switch and configured as VLAN 5, IP 172.22.5.3.

    The Guest IP on the WLC is 172.22.5.2

    So i guess its like this: FW(1.234)--->Switch<---Router DG (1.240 & subint 5.1)
    Then the WLC is Guest (5.2 cabled into port H3)--->Switch

    Is that any better? I know I'm not very good at this....

    EDIT: I'm working on a diagram right now.
    Last edited by tdean; 11-26-2013 at 07:17 PM.

  GAngel (#4)
    Just so I've got my head round it.

    Your network goes
    internet > firewall > switch > router
    You're adding a WLC as a subinterface and connecting that to the switch.
    VLAN 1 on the router and VLAN 5 on the WLC.

    Can you tracert from the WLC? Where is it stopping?
    If you drop the VLAN or use 1, does traffic flow?
    What can you ping the WLC from (FW/router)?

  tdean (#5)
    Here's a diagram. Best I could do with what I have. I'll answer your questions in a minute, GAngel.

    I hope this helps.
    [attached image: diagram]

  tdean (#6)
    Quote Originally Posted by GAngel:
    Just so I've got my head round it.

    Your network goes
    internet > firewall > switch > router
    You're adding a WLC as a subinterface and connecting that to the switch.
    VLAN 1 on the router and VLAN 5 on the WLC.

    Can you tracert from the WLC? Where is it stopping?
    If you drop the VLAN or use 1, does traffic flow?
    What can you ping the WLC from (FW/router)?
    Yes to the VLAN 5 top part... VLAN 1 is disabled.
    Can't remember how to do a remote tracert.

    The switch (1.241) can ping 5.1 (sub-int), 5.2 (guest int) and 5.3 (VLAN 5).
    The router can only ping the 5.1 subinterface.

    tracert from the router to the WLC (5.2) times out all the way through.

  tdean (#7)
    Hi guys, is there anything I can add to this to help out? I tried adding the 5.0 route to the router (DG) but that did nothing to help.

  xXErebuS (#8)
    How is the router connected to the switch, over eth0/1 or eth0/2? You need to decide where your L3 address is going to be: on the router and trunk it out, or create an SVI on the switch....

  tdean (#9)
    Quote Originally Posted by xXErebuS:
    How is the router connected to the switch, over eth0/1 or eth0/2? You need to decide where your L3 address is going to be: on the router and trunk it out, or create an SVI on the switch....
    Damn, I have the subinterface on the wrong side? I tried adding the encapsulation to the eth 0/2 and kept getting an error.

    interface eth 0/1
    speed 100
    encapsulation 802.1q
    no shutdown
    !
    interface eth 0/1.5
    ip address 172.22.5.1 255.255.255.0
    no shutdown
    interface eth 0/1.3711
    vlan-id 3711
    ip address 1.1.1.1 255.255.255.0
    no shutdown
    !
    interface eth 0/2
    speed 100
    ip address 172.22.1.240 255.255.255.0
    no shutdown
    !

  networker050184 (Moderator, #10)
    Since you are putting the IP on the main interface, it isn't going to allow you to set a tag. What you will want to do is either put the switchport it is attached to as an access port in the associated VLAN, or just make it another subinterface off 0/1 and allow the VLAN on the trunk.

    It's still pretty hard to understand how you have things set up. I see the physical diagram, but without seeing how the ports are set up it's not very easy to figure out where the problem is.

  tdean (#11)
    Hi networker, here's some VLAN info from the switch; does that help? I'm a bit confused by what you said above... could I move the 1.240 off the main eth 0/2 interface, make it a subinterface and add the 5.1 with encap?


    interface G16
    name "To Adtran"
    exit
    interface H3
    name "P2-WLC" <--- This is "Port 2" of WLC which is the guest network(VLan5)
    exit
    interface H15
    name "WLC"
    exit

    vlan 1
    name "DEFAULT_VLAN"
    no untagged
    A1,A3-A24,B1-B24,C1-C24,D1-D24,E1-E24,F1-F24,G1-G24,H1-H2,H4-H24,I1-I24
    untagged A2
    tagged H3
    no ip address
    exit

    vlan 2
    name "TCS"
    untagged
    A1,A3-A24,B1-B24,C1-C24,D1-D24,E1-E24,F1-F24,G1-G24,H1-H2,H4-H24,I1-I24
    ip address 172.22.1.241 255.255.255.0
    exit

    vlan 5
    name "Guest"
    ip address 172.22.5.3 255.255.255.0
    exit

  phoeneous (#12)
    Can you draw a diagram in GNS3 and label the ports?
    How far do your traceroutes go?
    What is handling DNS?

  xXErebuS (#13)
    Quote Originally Posted by networker050184:
    Since you are putting the IP on the main interface it isn't going to allow you to set a tag. What you will want to do is either put the switchport it is attached to as an access port in the associated VLAN, or just make it another sub interface off 0/1 and allow the VLAN on the trunk.

    It's still pretty hard to understand how you have things set up. I see the physical diagram, but without seeing how ports are set up it's not very easy to figure out where the problem is.
    This sums it up... One thing I see is that you do not have your WLC port tagged with VLAN 5....

    Here is another thing to consider: this is NOT the correct way to set up guest wireless. It's hard to say, since I don't think anyone understands your diagram, but it looks like you have zero protection between the guest and internal networks. Once again hard to say, but it looks like you also have L3 at both the router and the switch, so any security you may think you have in place could be bypassed by setting the default gateway to that switch.

  tdean (#14)
    Hi guys, thank you for the replies. I'll try to do a GNS3 diagram tonight. Security isn't a big issue on this because "Guest" is really just for our internal staff. I want to give them their own DHCP pool because they are using up the production ones on the other wireless LAN.

  EdTheLad (#15)
    I understand your setup. You haven't provided enough configs for me to pinpoint your exact problem, but I can tell you how it should be set up.

    Your setup is, or should be, as follows:

    UserA, IP address 172.22.5.2/24, GW 172.22.5.1, is connected to a switch port. This switchport should be in VLAN 5 untagged, or, if the user has a NIC that supports dot1q, the switch port can be set up as tagged, as it will understand incoming tags. I'll assume the user is untagged and the switchport is configured as untagged.

    The switch has a trunk port connected to the DG which carries VLAN 5; I'm assuming this port will carry other VLANs and that's why it's a trunk port. I'm not sure how you are supposed to configure this as I'm not familiar with the switch config you posted; just know that the frames leaving the port connected to the gateway router should be tagged.

    The DG receives these frames on interface eth 0/1; since they are tagged you need to configure a subinterface on eth 0/1 to understand the tag.

    interface eth 0/1
    speed 100
    encapsulation 802.1q
    no shutdown
    !
    interface eth 0/1.5
    vlan-id 5
    ip address 172.22.5.1 255.255.255.0
    no shutdown


    At this stage you should be able to ping between the DG and UserA; the reason this wouldn't work before is tagging misalignment.

    The DG will have a default route pointing to the internet via next-hop ASA 172.22.1.234. Eth 0/2 will be trunking? Access? If access, the IP address on the physical port is OK; set the switchports connected to the DG and ASA in VLAN 2 untagged and you should be good.

    Remember the ASA will need a route back to the 172.22.5.x network.
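The tag alignment EdTheLad walks through above (and the point in posts #10 and #13 that port H3 is not in VLAN 5 and that eth 0/1.5 carries no vlan-id) can be checked mechanically. The following is an added example, not configuration from anyone in this thread: a small Python model of the frame path WLC guest interface -> switch port H3 -> switch uplink -> router eth 0/1, reporting the first hop that drops the frame. It assumes, from the diagram and the "To Adtran" label, that G16 is the switch port wired to router eth 0/1, and, as tdean states, that the WLC sends its guest traffic tagged VLAN 5 on H3. ProCurve and Adtran AOS semantics are reduced to "untagged = the port's PVID, tagged = carried with an 802.1Q tag, a sub-interface terminates only the vlan-id it is given".

```python
"""802.1Q tag-alignment model for the guest-VLAN path in this thread.

Added example, not from the original posts. Port names come from the
switch config in post #11; the assumption that G16 is the uplink to
router eth 0/1 and that the WLC tags guest frames with VLAN 5 is ours.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class SwitchPort:
    """ProCurve-style port: one untagged VLAN (PVID) plus a set of tagged VLANs."""
    name: str
    untagged: Optional[int] = None           # None: port accepts no untagged frames
    tagged: Set[int] = field(default_factory=set)

    def ingress(self, tag: Optional[int]) -> Optional[int]:
        """VLAN the frame is switched in, or None if the port drops it."""
        if tag is None:
            return self.untagged
        return tag if tag in self.tagged else None

    def egress(self, vlan: int) -> Tuple[bool, Optional[int]]:
        """(forwarded?, tag on the wire). The PVID leaves untagged."""
        if vlan == self.untagged:
            return True, None
        if vlan in self.tagged:
            return True, vlan
        return False, None


@dataclass
class RouterPort:
    """Adtran-style physical interface. An IP on the physical interface
    terminates untagged frames only; with 'encapsulation 802.1q' a tagged
    frame is terminated by the sub-interface whose vlan-id matches the tag."""
    name: str
    ip: Optional[str] = None
    dot1q: bool = False
    subifs: Dict[str, Tuple[Optional[int], str]] = field(default_factory=dict)  # name -> (vlan-id, ip)

    def terminate(self, tag: Optional[int]) -> Optional[str]:
        """IP of the (sub-)interface that accepts the frame, or None if dropped."""
        if tag is None:
            return self.ip
        if not self.dot1q:
            return None
        for vlan_id, ip in self.subifs.values():
            if vlan_id is not None and vlan_id == tag:
                return ip
        return None


def trace(tag: Optional[int], access: SwitchPort, uplink: SwitchPort, router: RouterPort) -> Dict[str, object]:
    """Follow one frame from the access port to the router and say where it ends up."""
    vlan = access.ingress(tag)
    if vlan is None:
        return {"dropped_at": access.name, "reason": f"port not a member of VLAN {tag}"}
    forwarded, wire_tag = uplink.egress(vlan)
    if not forwarded:
        return {"dropped_at": uplink.name, "reason": f"VLAN {vlan} not carried on uplink"}
    gateway = router.terminate(wire_tag)
    if gateway is None:
        what = "untagged frame" if wire_tag is None else f"tag {wire_tag}"
        return {"dropped_at": router.name, "reason": f"no interface terminates {what}"}
    return {"dropped_at": None, "vlan": vlan, "wire_tag": wire_tag, "gateway": gateway}


# Constructed scenarios mirroring the thread (not captured from real devices).
def as_posted() -> Dict[str, object]:
    """Posts #9 and #11: H3 tagged only in VLAN 1, VLAN 5 has no member ports,
    eth 0/1.5 exists but has no vlan-id."""
    h3 = SwitchPort("H3", untagged=None, tagged={1})
    g16 = SwitchPort("G16", untagged=2)
    r = RouterPort("eth 0/1", dot1q=True, subifs={"eth 0/1.5": (None, "172.22.5.1")})
    return trace(5, h3, g16, r)


def switch_fixed_only() -> Dict[str, object]:
    """H3 and G16 now carry VLAN 5 tagged, but the router still lacks vlan-id 5."""
    h3 = SwitchPort("H3", tagged={5})
    g16 = SwitchPort("G16", untagged=2, tagged={5})
    r = RouterPort("eth 0/1", dot1q=True, subifs={"eth 0/1.5": (None, "172.22.5.1")})
    return trace(5, h3, g16, r)


def aligned() -> Dict[str, object]:
    """Switch carries VLAN 5 tagged on H3 and G16; eth 0/1.5 has vlan-id 5."""
    h3 = SwitchPort("H3", tagged={5})
    g16 = SwitchPort("G16", untagged=2, tagged={5})
    r = RouterPort("eth 0/1", dot1q=True, subifs={"eth 0/1.5": (5, "172.22.5.1")})
    return trace(5, h3, g16, r)


if __name__ == "__main__":
    for scenario in (as_posted, switch_fixed_only, aligned):
        print(f"{scenario.__name__:18s} {scenario()}")
```

The first scenario drops the frame at H3, which matches xXErebuS's observation that the WLC port is not tagged in VLAN 5; the second gets the frame onto the wire with tag 5 but the router has no sub-interface bound to that tag, which is the missing `vlan-id 5` EdTheLad adds; only the third delivers the frame to 172.22.5.1. The model says nothing about the return path or the ASA route, which still have to be in place for internet traffic.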

  phoeneous (#16)
    Quote Originally Posted by tdean:
    Security isn't a big issue on this because "Guest" is really just for our internal staff.
    More than 60% of attacks come from the inside. Trust no one.

  tdean (#17)
    Working on the diagram now. If not like this, how do you guys think I should set this up? I wish I was better at this... I worked so hard earning the CCNA etc. 4-5 years ago and then I got a job where I never use it. I'm doing my best and reviewing my CCNA and wireless stuff now.

    It's not the worst scenario, but my experience was on Cisco stuff and here we use Adtran routers and ProCurve switches.

  EdTheLad (#18)
    Quote Originally Posted by tdean:
    Working on the diagram now. If not like this, how do you guys think I should set this up?
    Did you read my post?

  tdean (#19)
    Quote Originally Posted by EdTheLad:
    Did you read my post?
    I'm actually rereading that now.... thank you, I will respond back.

  tdean (#20)
    Here's another diagram. Did it in GNS3 as best I could, then just took a screenshot.

    Ed, I am going to try the things you suggested Thurs.

    This diagram is just to try and clear things up. [attached image: TechEx Diag.jpg]

  EdTheLad (#21)
    Not exactly what I had envisioned. A description of what services there are and where they have to go would be nice.
    Forget what I said earlier, as in order to fix this I need to know what you are trying to do. Does traffic from the WLC need to go to R6?
    What traffic goes through the ASA? Does LAN traffic need to go to R6 and the internet? Do you have security restrictions? What VLANs are supposed to go where?

    At the moment, since I don't know where the VLAN traffic is supposed to go, I don't know if you need trunking or not. Maybe your wireless traffic can use the ASA as the next hop?

    Anyway, to fix your issue you need to communicate what you want to do; nobody here knows your network.
    So, if you can, look at each component, i.e. GW-R, R6, ASA, LAN PCs, WLC, and give a breakdown of the VLAN used, subnets, and where traffic must go, including data and management traffic. Otherwise we can come up with multiple different solutions which won't meet your goal.

  tdean (#22)
    This must be brutal for you and I apologize. I appreciate you sticking with me.

    Traffic currently goes from the WLC to the remote site (172.22.2.0/24) due to the routes I added to the routers, and the WLAN SSID works fine at both locations. I have 3 APs in H-REAP mode over there, so they grab an IP from the main location and go out their own internet connection.

    The ASA shown is for the local internet traffic, and that is where I would like the 172.22.5.0/24 to go. There are no security restrictions yet; that's something I'll work on as I go. There is only one VLAN (VLAN 2). I guess they must have disabled the default VLAN and gave it that single port for security reasons? I don't know; that was not set up by me and there is no documentation.

    I think I would like the wireless to use the ASA as next hop, but I am not communicating that correctly. The Guest SSID, VLAN 5, is only for internet. The Drs bring iPads etc. in and I don't want them using the production DHCP pool because we have come close to running out of available IPs on occasion.

    I hope this helps; again, I appreciate you sticking with me on this.
    Last edited by tdean; 12-05-2013 at 04:12 PM.

  phoeneous (#23)
    Quote Originally Posted by tdean:
    I don't want them using the production DHCP pool because we have come close to running out of available IPs on occasion.
    If this is the only issue, then why not just increase the pool size?

    Questions:

    Is the device labelled Router the default gateway for everything?
    Is the ASA doing dynamic or static routing?
    Does the ASA have a route to 172.22.5.0/24?
    Is the switch layer 3?

  tdean (#24)
    Quote Originally Posted by phoeneous:
    If this is the only issue, then why not just increase the pool size?

    Questions:

    Is the device labelled Router the default gateway for everything?
    Is the ASA doing dynamic or static routing?
    Does the ASA have a route to 172.22.5.0/24?
    Is the switch layer 3?
    I think it might be more difficult to do that. We have 3 sites, and each one uses a /24. The main site is 1.0, site 2 is 2.0 and site 3 is 3.0. I would have to reconfigure all 3 sites to expand the pool so there would be no overlap, wouldn't I? The one in question is the main site.

    That router is the DG for site 1 and connects the EVPL to site 2. Site 2 has their own DG etc. Originally they had an "E-LAN" line here, and everyone from all sites connected here and ran everything off terminal servers and had only 1 internet connection etc.

    I'm not sure about the routing on the ASA; that is on the edge of the network. There are static routes added for our VPNs. The internal routing is done via static routes on the DG routers.

    I tried adding the 5.0/24 to the ASA but still couldn't even ping.

    The switch is not layer 3.
    Last edited by tdean; 12-06-2013 at 07:01 PM.

  EdTheLad (#25)
    Can you give us a rundown on exactly how you have configured your DHCP? I really don't see why you have VLAN 5 and the second link between the switch and the WLC. Explain which device is the server, which pools are set up, what gateways are being assigned, and which devices act as DHCP proxies, relays and clients. This is most likely a DHCP config issue.
