Can someone help me with a basic, yet frustrating routing issue?

For months i've been trying off and on to set up a guest wireless network at work. I have the WLC config all set, i get an ip from the dhcp pool when i connect, but i cant get to the internet.

heres the basic, which i'm sure could be done in a more efficient manner...

End user -->(Router and FW plugged into this) switch (172.22.1.241) -->Router(DG - 1.240)-->Remote Subnet (2.0) or back to Switch and out FW (1.234) to Internet

The WLC is connected to H3 on the switch and is "Tagged" as vlan5 172.22.5.3
The guest network on WLC is 172.22.5.2, DG set as 5.1 (subinterface of router)

Can ping sub interface on Router (5.1), from a workstation (1.0 or 2.0)
WLC is 5.2. Can not ping that.
Switch can ping DG, but not the 5.1 sub int
Switch can ping the WLC 5.2 and VLan 5 the 5.3
Do i need to enable routing on the procurve switch? Is it a Tagging issue?

Im so confused right now its ridiculous.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

networker050184

I can't understand your topology. Can you post a better topology and possibly some more technical config info?

Sorry.... We have 2 sites connected by an EVPL line. thats the reason for the router.

OK, the ASA FW and the Router are connected to the switch. the router is the default gateway. thats where i added the subinterface for the Guest Network. The WLC Guest network is physically connected to port H3 on the switch and configured as VLAN 5 IP 172.22.5.3

The Guest IP on the WLC is 172.22.5.2

So i guess its like this: FW(1.234)--->Switch<---Router DG (1.240 & subint 5.1)
Then the WLC is Guest (5.2 cabled into port H3)--->Switch

Is that any better? I know im not very good at this....

EDIT: Im working on a diagram right now.

Just so i've got my head round it.

Your network goes
internet>firewall>switch>router
You're adding a wlc as a subinterface and connecting that to the switch
Vlan 1 on the router and vlan 5 on the wlc

Can you tracert from the wlc. Where is it stopping?
If you drop the vlan or use 1 does traffic flow?
What can you ping the wlc from (fw/router)

Heres a diagram. Bets i could do with what i have. I'll answer your questions in a minute GAngel.

I hope this helps.

GAngel wrote: »

Just so i've got my head round it.

Your network goes
internet>firewall>switch>router
You're adding a wlc as a subinterface and connecting that to the switch
Vlan 1 on the router and vlan 5 on the wlc

Can you tracert from the wlc. Where is it stopping?
If you drop the vlan or use 1 does traffic flow?
What can you ping the wlc from (fw/router)

yes to the vlan5 top part...vlan1 is disabled.
cant remember how to do a remote tracert.

the switch (1.241) can ping 5.1 (Subint), 5.2 (Guest Int) and 5.3 (VLAN5)
The router can only ping the 5.1 subinterface

tracert from router to WLC (5.2) times out all the way through

Hi guys, is there anything i can add to this to help out? I tried adding the 5.0 route to the router (DG) but that did nothing to help.

How is the router connected to the switch over eth0/1 or eth0/2? You need to decide where your L3 address is going to be; on the router and trunk it out; or create a SVI on the switch....

xXErebuS wrote: »

How is the router connected to the switch over eth0/1 or eth0/2? You need to decide where your L3 address is going to be; on the router and trunk it out; or create a SVI on the switch....

Damn, i have the subinterface on the wrong side? I tried adding the encapsulation to teh eth 0/2 and kept getting an error.

interface eth 0/1
speed 100
encapsulation 802.1q
no shutdown
!
interface eth 0/1.5
ip address 172.22.5.1 255.255.255.0
no shutdown
interface eth 0/1.3711
vlan-id 3711
ip address 1.1.1.1 255.255.255.0
no shutdown
!
interface eth 0/2
speed 100
ip address 172.22.1.240 255.255.255.0
no shutdown
!

networker050184

Since you are putting the IP on the main interface it isn't going to allow you to set a tag. What you will want to do is either put the switchport it is attached to as an access port in the associated VLAN, or just make it another sub interface off 0/1 and allow the VLAN on the trunk.

It's still pretty hard to understand how you have things set up. I see the physical diagram, but without seeing how ports are set up it's not very easy to figure out where the problem is.

Hi networker, heres some vlan info from the switch, does that help? Im a bit confused with what you said above... could i move the 1.240 off the main in 0/2 interface, make it a subinterface and add the 5.1 with encap?

interface G16
name "To Adtran"
exit
interface H3
name "P2-WLC" <--- This is "Port 2" of WLC which is the guest network(VLan5)
exit
interface H15
name "WLC"
exit

vlan 1
name "DEFAULT_VLAN"
no untagged
A1,A3-A24,B1-B24,C1-C24,D1-D24,E1-E24,F1-F24,G1-G24,H1-H2,H4-H24,I1-I24
untagged A2
tagged H3
no ip address
exit

vlan 2
name "TCS"
untagged
A1,A3-A24,B1-B24,C1-C24,D1-D24,E1-E24,F1-F24,G1-G24,H1-H2,H4-H24,I1-I24
ip address 172.22.1.241 255.255.255.0
exit

vlan 5
name "Guest"
ip address 172.22.5.3 255.255.255.0
exit

networker050184 wrote: »

Since you are putting the IP on the main interface it isn't going to allow you to set a tag. What you will want to do is either put the switchport it is attached to as an access port in the associated VLAN, or just make it another sub interface off 0/1 and allow the VLAN on the trunk.

It's still pretty hard to understand how you have things set up. I see the physical diagram, but without seeing how ports are set up it's not very easy to figure out where the problem is.

This sums it up... One thing I see is that you do not have your WLC port tagged with VLAN 5....

Here is another thing to consider; this is NOT the correct way to setup guest wireless. It's hard to say since I don't think anyone understands your diagram but it looks like you have zero protection between guest and internal network. Once again hard to say, but looks like you also have L3 at both the router and switch so any security you may think you have in place could be by passed by setting default gateway to that switch.

Hi guys, thank you for the replies. I'll try to do a GNS3 diagram tonight. The security isnt a big issue on this because "Guest" is really just for our internal staff. I want to give them their own DHCP pool because they are using up the production ones on the other wireless lan.

I understand your setup. You haven't provided enough configs for me to pin point your exact problem, but i can tell you how it should be setup.

Your setup is or should be as follows:

UserA ip address 172.22.5.2/24 gw 172.22.5.1 is connected to a switch port, this switchport should be in vlan 5 untagged, or if the user has a nic that supports dot1q the switch port can be setup as tagged, as it will understand incoming tags. I'll assume the user is untagged and the switchport is configured as untagged.

The switch has a trunk port connected to the DG which carries vlan 5, i'm assuming this port will carry other vlans and thats why its a trunk port. I'm not sure how you are supposed to configure this as im not familiar with the switch config you posted, just know that the frames should leave the port connected to the gateway router are tagged.

The DG receives these frames on interface eth 0/1 , since they are tagged you need to config a sub interface on gi0/1 to understand the tag.

interface eth 0/1
speed 100
encapsulation 802.1q
no shutdown
!
interface eth 0/1.5
vlan-id 5
ip address 172.22.5.1 255.255.255.0
no shutdown

At this stage you should be able to ping between the DG and UserA, the reason this wouldn't work before is due to tagging misalignment.

The DG will have a default route point to the internet via next-hop ASA 172.22.1.234. Eth0/2 will be trunking? access? If access, the ip address on the physical port is ok, set the switchports connected to DG and ASA in vlan 2 and untagged and you should be good.

Remember ASA will need a route back to the 172.22.5.x network.

Working on the diagram now. If not like this, How do you guys think i should set this up? I wish i was better at this... I worked so hard earning the CCNA etc 4-5 years ago and then i get a job that i never use it. i'm doing my best and reviewing my CCNA and Wireless stuff now.

Its not the worst scenario, but my experience was on Cisco stuff and here we use Adtran routers and Procurve switches.

tdean wrote: »

Working on the diagram now. If not like this, How do you guys think i should set this up?

Did you read my post?

EdTheLad wrote: »

Did you read my post?

Im actually rereading that now.... thank you, i will respond back

Heres another diagram. Did it in GNS3 best i could, then just took a screen shot.

ED, i am going to try the things you suggested Thurs.

This diagram is just to try and clear things up.

TechEx Diag.jpg

Not exactly what i had envisioned. A description of what services and where they have to go would be nice.
Forget what i said earlier as in order to fix this i need to know what you are trying to do.Does traffic from the WLC need to go to R6?
What traffic goes through the ASA? Does lan traffic need to go to R6 and internet? Do you have security restrictions? What vlans are supposed to go where?

At the moment since i don't know where the vlan traffic is supposed to go, i don't know if you need trunking or not. Maybe your wireless traffic can use ASA as the next-hop?

Anyway, to fix your issue you need to communicate what you want to do, nobody here knows your network.
So if you can look at each component i.e. GW-R,R6,ASA,Lan PCs, WLC and give a breakdown of the vlan used, subnets, where traffic must go, include data and management traffic. Otherwise we can come up with multiple different solutions which wont meet your goal.

This must be brutal for you and i apologize. I appreciate you sticking with me.

Traffic currently goes from the WLC to the remote site (172.22.2.0/24) due to the routes i added to the routers, and the Wlan SSID works fine at both locations. i have 3 AP's in H-Reap mode over there, so they grab an IP from the Main location and go out their own internet connection.

The ASA shown is for the local Internet traffic, and that is where i would like the 172.22.5.0/24 to go. There are no security restrictions yet, thats something i'll work on as i go. There is only one vlan (vlan2) i guess they must have disabled the default vlan and gave it that single port for security reasons? I dont know, that was not set up by me and there is no documentation.

I think i would like the wireless to use ASA as next hop, but i am not communicating that correctly. The Guest SSID, vlan5 is only for Internet. The Dr's bring iPads etc in and i dont want them using the production DHCP pool because we have come close to running out of availible IP's on occasion.

I hope this helps, again, i appreciate you sticking with me on this.

phoeneous wrote: »

If this is the only issue then why not just increase pool size?

Questions:

Is the device labelled Router the default gateway for everything?
Is the ASA doing dynamic or static routing?
Does the ASA have a route to 172.22.5.0/24?
Is the switch layer 3?

I think it might be more difficult to do that. We have 3 sites, each one uses a /24. Main site is 1.0, Site 2 is 2.0 and site 3 is 3.0. I would have to reconfig all 3 sites to expand the pool so there would be no overlap, wouldnt i? The one in question is the Main site.

That router is the DG for site 1 and connects the EVPL to Site 2. Site 2 has their own DG etc. Originally they had an "E-Lan" line here and everyone from all sites connected here and ran everything off term servers and had only 1 internet connection etc.

Im not sure about the routing on the ASA, that is on the edge of the network. There are static routes added for our VPN's. The internal routing is done via static routes on the DG routers.

I tried adding the 5.0/24 to the ASA but still couldnt even ping.

Switch is not layer 3.

Can you give us a run down on exactly how you have configured your dhcp. I really don't see why you have vlan 5 and the second link between the switch and the wlc. Explain which device is the server, which pools are setup, what what gateways are being assigned, which devices act as dhcp proxys, relays and clients. This is most likely a dhcp config issue.

What is the IP on R6 FA0/1? Not sure why you are tagging VLAN 5 on Eth0/1 of "Router"
What type of WLC is this; is it Cisco?

To me it looks like you have a L2 default switch (everything is in VLAN 2 except Port A2 (in vlan 1) and H3 (tagged as VLAN 1 trunk); and you are trying to use same L3 subnets across L2 connection and you cant do that (well theoretically you can with IRB).

What I recommend is to redesign your subnets for larger DHCP pools.... if you are dead set on doing this then I would start with the fact that you are splitting your subnets across that "router"; logically you have VLAN 5 subnet on Eth0/1 and Eth0/2; except your not tagging int on Eth0/2 where your VLAN 5 is.

How was the Router Eth0/1 and R6 Fa0/1 setup before you started messing with it? You shouldn't be changing that... I am guessing you have no routing going on; looks like everything is pretty much on the same subnet with it working more than likely because "Router" has L2 connection to everything (172.22.1.0).

I'm still trying to wrap my head around this lol... I think you need specific instructions from what I am gathering

So try this...

Return "Router's" Eth0/1 configuration to the way it was before you created the vlan 5 subinterface so everything behind R6 can still get to "Router"
Create sub interface on "Router's" Eth0/2 with VLAN 5 (since it is your vlan 5 default gateway) like you did on Eth0/1

in the switch untag H3 on vlan 5 (get rid of the tag 1) (this makes it an access port in vlan 5)
in the switch tag whatever port connects to (Router) with VLAN5 & VLAN2 (this makes it a trunk port)

On Router make sure you have a default route (ip 0.0.0.0 0.0.0.0 X.X.X.X 1) to your default route (I am assuming the FW @ 1.234)

My guess is with the Q-in-Q you had only the 3711 vlan on Eth0/1 on "Router".

Thanks guys... lets see... Each site has their own dhcp pool. Sites 1,2 and 3 are 1.0/24, 2.0/24 and 3.0/24. no relays etc. Sites 1 & 2 are Windows 2008R2 DHCP and Site 3 i set up the ASA as DHCP server, its a small office. the routers have static routes allowing each site to "talk" to each other, plus 15 or so other routes for different app connectivity because we are directly connected to the hospital. The reason i wanted to use the 5.0/24 subnet is because i think it would be a huge task reconfiguring all the ip schemes, i'd have to do it on the servers as well as all the Dr's PC's beacuse they have static IP's for the SSL VPN. I also wanted to be able to quickly identify usage of the WLAN by address.

The WLC is Cisco, the IP of R6 is 172.22.2.1.
Your statement about the swicth vlan config is correct, although i dont think H3 should be in the vlan1 group... i think thats where it landed when i was just testing to see if anything would work before i gave up on this project.
I assigned it vlan5 because the WLC config makes you assign a vlan for an additional seperate wireless network.

phoeneous wrote: »

So what exactly isn't working? Is it that the wifi clients on the 5.0/24 subnet cannot access internet?

Correct. All i want to do is have a guest wlan with its own ip pool for the Dr's to access the internet. When i connect to the Guest network, i get an IP from the 5.0 range, so thats working... Just cant get to the Internet.

phoeneous wrote: »

Then you need to make sure:

1. Wifi subnet default gateway has route to asa and vice versa.
2. NAT is setup correctly.
3. DNS is able to resolve names for wifi subnet correctly.

I think we're stuck at #1.

Cant figure out the vlans or trunking.

Just create a default route on the wlc pointing to the ASA, you don't need to go to the router.

EdTheLad wrote: »

Just create a default route on the wlc pointing to the ASA, you don't need to go to the router.

Like either of these below?

0.0.0.0. 0.0.0.0 172.22.1.234
or
172.22.5.0 255.255.255.0 172.22.1.234

yup, and make sure the ASA has a route back to 172.2.5.0/24. That should be the quick and dirty solution.

EdTheLad wrote: »

yup, and make sure the ASA has a route back to 172.2.5.0/24. That should be the quick and dirty solution.

ok, so to be clear, i add those 2 routes to the WLC, then on the ASA just add the bottom one in revers?

Quick Links