Cisco 887VA VLANs

AbsV

Commendable
Dec 6, 2016
5
0
1,510
Hi All

I am pretty new to using Cisco equipment, so I am hoping someone can assist.

I currently have a Cisco 887VA ISR with C800 Software (C800-UNIVERSALK9-M), Version 15.3(3)M6 and a Ubiquiti UniFi WiFi access point.


The AP is capable of broadcasting up to 4 WLANs, which can be tagged with individual VLAN IDs.


I would like to connect the AP to the Cisco 887VA, e.g. port FastEthernet0, and route the traffic from each of the VLANs separately on the 887VA.


What I would like to do is keep the traffic on each WLAN separate from each other (public and private LANs), but have both of them be able to share access to the Internet via the ADSL connection on the 887VA.


I have been able to work out how to assign VLANs to separate ports. The AP has a static IP on VLAN 1. I have set up VLAN 2, but I don't know how to assign a DHCP server to that VLAN to automatically give out addresses.

I can provide the current config if this helps.

Apologies if this does not make sense. If any further info is required I am happy to provide.


Thanks in Advance.


AbsV
 
You will need to define the port between the 2 devices as an 802.1q trunk. I think the ports in your router are a switch. You would define it as an 802.1q trunk; by default Cisco allows all VLANs. On the AP you would define VLAN 1 as untagged and the other VLANs as tagged.

Then on the router you would define VLAN interfaces for each VLAN you want to use and assign an IP. You would then define a DHCP pool for each, and the router is smart enough to assign from the correct pool.
 

AbsV



Hi bill001g,

and thanks for your response. I am pretty sure I have done as you have advised, but I have provided a copy of my current config HERE; hopefully this will help.

On the wireless AP I have set up two networks:

VLAN 1 - Untagged
VLAN 2 - Tagged

I can connect to the "private WLAN" (VLAN 1) and get a DHCP address and access resources and the Internet, but when I try to connect to the "public WLAN" (VLAN 2) I cannot get an address assigned.

I am new to all this Cisco stuff and appreciate your patience. If you could take a look at the config and see if there is something I am missing, I would be really grateful.

Again, thanks for your help.
 
Your config looks correct, but maybe it is not something obvious. I would try to manually assign an IP and make sure you can ping the gateway and get out to the internet (your NAT needs to be fixed).

I would try the debug ip dhcp server and see if you see anything interesting. You can, with care, also try debug ip packet detail or debug ip udp. You may get excessive stuff doing that, so be ready with "u all".
 

AbsV



Thanks for taking a look at the config. I have started the debug process; hopefully this will give me some info, or a direction at least, towards finding a solution.

I did try to set up a device with a static IP (192.168.151.250) on VLAN 2, but I cannot get it to ping the default gateway (192.168.151.254). So far there is no debug info which is useful.

But I will continue to try and get it working. Thanks again for your assistance.

AbsV
 
If the static IP does not work then it is not the DHCP; it is something likely related to the VLAN tagging maybe. The Cisco config looks right; these routers with the small internal switches are a little strange sometimes, though.

Maybe as a test assign a second port as an access port on VLAN 2. Plug a PC directly into that port and make sure the second VLAN works properly.
 

AbsV



I have now assigned Fa3 to VLAN 2 and plugged in a laptop to get an address via DHCP, and good news, it did (192.168.151.2), which confirms the DHCP pool for VLAN 2 is working as it should via the port assigned to it.

I can also ping the default gateway (192.168.151.254) but cannot get out to the internet on VLAN 2, so I now need to figure out why, and also why the trunk port Fa1 cannot assign addresses to VLAN 2.

I am just in the process of ensuring that the Ubiquiti AP is configured correctly.

Thanks

AbsV
 
The reason you cannot get to the internet is that your access list on the NAT is wrong; you need to change the subnet mask to map over both networks or add a second permit for the second network.

It has to be something strange with the tagging. I guess you could try to delete the switchport mode trunk allowed. Cisco by default allows all VLANs and sets VLAN 1 as untagged. Still, this should be a simplistic config.

The only thing I can think of is if the Ubiquiti is doing something strange. It is unfortunate that it is extremely difficult to actually see VLAN tags... you can mirror ports, but the PC will strip the tags off when you run a sniffer on it.
 
Solution

AbsV



Good news, I deleted the trunk port allowed and changed to the default trunk, and now the VLANs are giving out addresses as I would expect them to. I amended the ACL by adding a second PERMIT rule for VLAN 2, and all VLANs are able to get to the outside world.

In summary, everything is working as I wanted it to.

Thanks so much for your help, bill001g.
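
The NAT fault diagnosed in this thread (VLAN 2 hands out addresses and its gateway answers, but nothing reaches the internet because the NAT access list permits only the first network) can be checked offline against a saved config. The Python below is an added example, not code from the thread or from Cisco; the sample config is constructed, and its /24 masks, VLAN 1 subnet, ACL number 1 and Dialer0 interface are assumptions.

```python
import ipaddress
import re

# Constructed running-config fragment, not the poster's config. VLAN 2 uses the
# gateway quoted in the thread; the /24 masks, the VLAN 1 subnet, ACL number 1
# and Dialer0 are assumptions.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
!
interface Vlan2
 ip address 192.168.151.254 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
"""
QUAD = r"(\d+\.\d+\.\d+\.\d+)"

def inside_networks(config):
    """Map each 'ip nat inside' interface to its connected subnet."""
    nets = {}
    for block in re.split(r"^!\s*$", config, flags=re.M):
        name = re.search(r"^interface (\S+)", block, re.M)
        addr = re.search(rf"^ ip address {QUAD} {QUAD}", block, re.M)
        if name and addr and re.search(r"^ ip nat inside\s*$", block, re.M):
            iface = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}")
            nets[name.group(1)] = iface.network
    return nets

def nat_acl_networks(config):
    """Subnets permitted by the numbered standard ACL that NAT overload uses."""
    nat = re.search(r"^ip nat inside source list (\d+) ", config, re.M)
    if not nat:
        return []
    entry = rf"^access-list {nat.group(1)} permit {QUAD} {QUAD}\s*$"
    # ipaddress accepts a Cisco wildcard (host mask) in place of a netmask.
    return [ipaddress.ip_network(f"{net}/{wild}")
            for net, wild in re.findall(entry, config, re.M)]

def unnatted_interfaces(config):
    """Inside interfaces whose subnet no permit entry of the NAT ACL covers."""
    permitted = nat_acl_networks(config)
    return sorted(name for name, net in inside_networks(config).items()
                  if not any(net.subnet_of(p) for p in permitted))

if __name__ == "__main__":
    print(unnatted_interfaces(SAMPLE_CONFIG))
```

Either fix named in the thread, a second permit for the VLAN 2 network or a wider wildcard that spans both networks, empties the returned list.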