I have a AP541N connected to a UC560. We are currently configured for Wireless Voice and Data. We have added a Guest VLAN, but don't see where in CCA to secure the VLAN from accessing the other other two default VLANs.
Additional Info: AP541N-K9-1.7(2)UC560 15.0(1)XA2, RELEASE SOFTWARE (fc2)CCA 3.0
I currently have two AP541N access points. Both are configured for internal access and one unit is configured with a Guest VAP. I want to configure the Guest VAP to redirect to an authentication page so that the user connecting has to log in to get internet access. I'm fairly certain the AP541N doesn't offer this out of the box. I know I can redirect, but what is needed to force a user to authenticate to gain internet access. I want to find out what additional hardware/software I will need in order to create Guest Services of this VAP.
View 1 Replies View RelatedI have a client that has 3 AP541N's and they want to enable guest wireless access. However, their VOIP provider has their managed switches locked down so we can't add VLANs, etc.So I cannot touch the switch or router config on this LAN.
Looking into AP541N documentation I see VAPs mentioned, can I enable those and have secure guest wireless access with the same private IPs that the rest of the LAN use right now? (That is, the employees are 192.168.2.x and the guest wireless users would also be 192.168.2.x.)
Or do I need to do something else to properly enable guest wireless? Like add another piece of equipment? I did try to add a Cisco RVS4000 to the mix but it wouldn't pass the VLAN across the switches that I setup for the guest wireless SSID. goal is to leave the switch and router in place, and work with the AP541N's that I have and get secure guest wireless.
I have 2 APs, Cisco Aironet 1040, and 2504 WLC.Is it possible to configure guest access (Guest SSID/VLAN and Corporative SSID/VLAN) without dedicated guest WLC in DMZ?
View 4 Replies View RelatedI have an existing setup consisting of:
Windows Server - doing DHCP for private wired/wireless
Cisco 1141 Autonomous WAP with only private wireless access.
ASA 5505 (with very basic licensing)
HP switch
The customer wants to have guest WiFi.
The guest WiFi is going out to the internet via a seperate VLAN/interface on the ASA. Can the 1141 do DHCP for the guest WiFi? Or do I need to do it via the ASA?
I'm wanting to setup a Virtual Office scenario. Everything is working fine except for 802.1x...I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan.Idea is if the users takes the router home and someone, either accidentally or on pupose, connects an unauthorized Laptop, they stay off the Corp network but can get to the internet still.I found this link on Cisco's site: [URL]That link shows them configuring a guest vlan right on the fa0-3 ports of an 881W. I dont have that option on mine. I can only configure 802.1x on the vlan interface. I have 802.1x working, for things that connect to vlan1, but I would like to have a "fallback" setup.
EZVPN_Remote(config-if)#int fa1
EZVPN_Remote(config-if)#dot
EZVPN_Remote(config-if)#dot1?
dot1q
EZVPN_Remote(config-if)#dot1
[code]....
Does Cisco have an official number of how many AP541s are supported directly by a UC560? these are standalones and I know they are configured in a max of 10 to a cluster, but how many clusters can you have? We are looking at a hospital installation with one UC560 and 25 AP541s.
View 2 Replies View RelatedMy company has an RV180W Router, a SGE-2000 Managed Switch, and a WAP321 Wireless Access Point. I have about 12 users on a Windows 2003 Server Standard, completely updated. My Win box is my DHCP Server. Now I am running two VLANS, Vlan 1 (default) the main vlan is where the Win box is on. Vlan 5 (guest Vlan) uses the RV180W as the DHCP server.
-Vlan1 is 192.168.1.1-254 - Issued by Win box
-Vlan5 is 192.168.2.100-254 - Issued by RV180W
I have currently Ciso4404 WLC installed which is in vlan4001 with the 172.16.10.0/24 subnet
I have bought Cisco 5508 WLC recently as AP count is increased... Can I install it in same vlan and subnet? If yes what would be the setting for APs to join... If no how can I configure it with other vlan and subnet..
I am running a /24 network in Active Directory with my ASA acting as gateway and firewall. Standard interfaces (Ethernet 0/0 as outside, Ethernet 0/1 as inside)
As of now I have no VLans set up, but I need to setup wireless Internet access for guests... I need directions on how to setup a Vlan with its on DHCP for these aguests... I can then make sure that my APs can be pointed to the same VLAN... I am not familiar with CLI, have generally used ASDM. I am currently running ASDM 6.3(1) on an ASA with version 8.3(1).
This is something I need to do quickly as we are expecting 20-40 "guests" shortly, and I don't want them to use our internal DHCP server addresses.
I recently bought a Cisco SRP527W and I'm trying to setup a second wireless network for guests.
I created a "guest" VLAN and I assigned the "guest" SSID which I have created.
I created a "guest" DHCP server and assigned it to the "guest" VLAN.
The "guest" SSID is set to broadcast and has WPA2 Personal (TKIP+AES) authentication. These are exactly the same settings I have for the "non-guest" WiFi.
However, I can't get my clients to connect to the network. The "guest" WiFi is visible and clients are prompted to enter the password but after that they end up with an APIPA address. When I move the "guest" SSID to VLAN1 (along with all the other networks) then it works absolutely fine.
I was just wondering if I'm simply missing something in the configuration ..
The device is running the latest firmware (1.01.24 (003) September 7, 2011)
DHCP server has DNS Proxy setting enabled and WAN Interface configured as "Default Route" (have basically replicated the same settings as VLAN1)
Any issue creating a guest vlan to use the WIFI on an 891W router? The IOS is version 15.1. I have created discreet Vlan's and setup subinterfaces on both the WLAN_AP0 and GigaEthernet 0 interfaces with dot1q encapsulation. The client will receive an IP from the pool but cannot ping or connect beyond the default gateway.
The external interface is using Nat overload and all wired clients are successful in connecting to outside addresses. I have insert a permit any statement in the acl which affects the external port but still no success.
Hardware: Cisco 3750 switch and Cisco autonomous access point (AIR-AP1142N-E-K9).Requirement: A single broadcast SSID; use dot1x to assign vlan 98 to authenticated clients (computer certificate); assign vlan 3 (guest) if the authentication fails.I can achieve assigning a guest vlan on authentication failure when using a wired connection by using the following command on the interface:authentication event fail action authorize vlan 3 I'm after a way to achieve the above using the wireless access point. The main point is that internal users cannot access vlan 3 as they have a valid certificate and that guests do not have to authenticate.
View 2 Replies View RelatedIn our test set up, we have two WLC 5508 Controllers connected via Checkpoint UTM-1 firewall Inside and DMZ Interfaces. Both the WLC controllers are connected to the firewall via Cisco 3750 switch. On the Local (Inside) Controller, guest SSID is enabled and attached to the wireless management Interface. On the remote anchor controller, guest SSID is enabled and attached to the Management Interface as well. The following configs are replicated on both the Controllers.
SSID Name - guest
Interface - Management ( VLAN 10 on Local and VLAN 20 on remote) -
Mobility Group: Same configs at both ends
SSID Anchor : Anchor SSID on local and local SSID on Anchor.
AP: CAPWAP 3502 Management Subnet
[code]....
Is there any thing missing in the wireless configs and or the firewall rules as i could not see DHCP request back from the Anchor Controller. Also, after DHCP is obtained, the web authentication request will be redirected to an Amigopod device for authentication. In this case is the redirect URL congiguration to be performed only on the Anchor Controller or is this to be replicated on both the Local and Anchor Controllers.
We are trying to setup a WAP4410N with 2 SSID's. One SSID for our private network and the other for guest internet access. On the VLAN and QoS page there is a setting for priority. What would be the suggested values for this setting? We obviously want our private network to receive priority over our guest network.Also, does VLAN Tag setting need to be on Tagged to determine private from guest traffic?
View 2 Replies View RelatedHave deployed a few of these - and am truly frustrated that I cannot see then in the topolgy, let alone actually manage them. Why such a ubiquitous switch is not supported.
Even the SmartPort utility is useless - CCA (3.3.1 and earlier) gives an error saying a port is incorrectly configured (I pluggged it into an exp port on the UC560 as I gave up trying to get a working uplink to an ESW-540-24P).
The Smartport port function wants the exp port (on the UC560) to be configured as a "Phone/Desktop" - if I try to change it to a "switch", it refuses to accept it saying the "Macro is unsuitable - or similar"
I have a 2960 SI lan lite switch that I am configuring for admin and guest access. I have wireless AP's plugged into trunked ports 2 and 3. I am using two vlan's (in addition to the native VLAN). Vlan 5 for Admin and Vlan 10 for guest access. I have ACL configured on the router preventing guest users from accessing the Admin network. I want to prevent those on the guest network from seeing other hosts in the vlan however the lan lite software does not support port ACL's. Any way to accomplish this with this switch.
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
[Code]...
I am trying to create a VPN between a SRP521W (only point-to-point VPN) and a UC560 (VPN server) and it seems it doesn't works (SRP doesn't create the tunnel).
View 4 Replies View RelatedI am primarely enquiring whether the setup I have explained below is actually possible, and if so then how I can set this up. I know it isn't the easiest configuration and I need to set this up without purchasing any more equipment if at all possible.I have a Cisco SG 300-28 setup with three VLAN's. [code] Default Gateway is 192.168.10.1 (Netgear Router)I have a Wireless network setup (Netgear WMS and 2 WAP's) configured with the TWO VLAN's (1 and 3). These go into ports on the Cisco SG 300-28 which are tagged on both VLAN's. The Business wireless worked fine but the guest network didn't reout out to the internet.After some troubleshooting I realised the reason the guest wasn't working was because there was no route back from the internet to the router.
The router I have isn't really ideal, it is a Netgear DGN2200, but I managed to create a static route to 192.168.30.1 with a metric of 2, with 192,168,10.254 being the hop. Success, the connection worked, the only problem is that now my guest network can see my business network because the business network is using the static route on my router to route back over to the guest network (due to the limitations of this device I can't do anything about that)Guest network can connect to Business VLAN via switch. I am assuming this is because the router is on the Business VLAN and the default gateway is the router. As they are on the same network the Guest network can inevetably see the business server and network.The Business network can get back to the Guest network via the router using my static route I created. The static route is really basic and I can't create a firewall rule on the router to prevent the Business network speaking to guest network because it only has a LAN - WAN firewall and this connection is LAN - LAN.
What I need is...to somehow stop any traffic from the 192.168.30.0 network routing to anything on the 192.168.10.0 network, appart from the router on 192.168.10.1.Is this possible? I have this setup on a number of different site, the only difference is I have a CIsco Security Router on these with the VLAN's configured so I don't have this problem. Because I have a rather limited Netgear DGN2200 I am unable to setup the VLAN's correctly and as such I need to see if I can do this on the switch in any way.
is it possible to set the dot1x guest-vlan on a Catalyst Switch via ACS 5.2 dynamicly. I want to make MAB with known Devices (FAT-Clients, Notebooks, Desktops, Printers) and unknown Devices.I will set the VLAN dynamicly with dot1x per ACS. For known FAT-Clients, Notebooks etc. it's running well.But for Printers it's more difficult because I have about 500 Printers in several IP-Segments on several Switches and I will not make to much Rules in ACS for Grouping, Mapping and Authority-Rules.My Idea is to set the Guest-VLAN on every Switch, read them with ACS and use this for my Printers.The Problem is that Guest-VLAN is set on more than 100 Switch and this guest-vlan is different on any Switch.Can I read the Geust-VLAN Value so that I can set this via ACS ?
View 4 Replies View RelatedI know "Guest Vlan" aren't available on SG200, only SG300 have that feature.Problem is i only have a SG200 on hand and no extra budget.
We have multiple vlan:
vlan10: LAN
vlan20: Voice
vlan30: Guest
vlan50: Servers
vlan100: Lab1
vlan200: Lab2
Since it's a small business and lot of people moving around, doing test, etc.... most port are tag with all vlan. Our Wireless AP have multiple SSID one with vlan10 and one with vlan30 for guest.
Is there any way without the "Guest vlan" feature that i could have with my equipment any equipment without a vlan configuration be set on vlan30 ?
I have a 2960 sw configured for dot1x authentication, the problem is the Guest VLAN and Restricted VLAN didnot work. The switch port was stuck in authenticating status. The server is Juniper IC4500.
View 2 Replies View RelatedI've configured an ACS 5.3 system and all my groups etc fucniton corrcetly both for Network Access and for Device Administration.
However I'm stuck trying to allow clients to authenticate against the router's web-page i.e. Web-Authenticaiton, using TACACS+ between the router and the ACS5.3.
I've looked into this and I need to configure a custom-attribute of "service" with type Outbound and link this to an Authorization policy.
Scenario: I have a vmserver w four virtual servers all in configured w in different subnets. What's the best way to configure a 3750-x switch to route traffic from the virtual servers to their vlans?
View 2 Replies View Relatedgetting a SF300 to properly route IP between 2 VLANs. I've watched the demo video and performed everything it showed, but I get the most bizarre half-way results. I haven't done anything on Cisco routers in about 15 years, so I'm a little rusty.
We have an office LAN with a cable modem/router for Internet access where the modem/router has IP address 192.168.1.1. We have the usual 24 bit prefix net mask. The SF 300 is connected to this network on port 1.
I have configured port 1 to VLAN 1, interface in Access mode, assigned a static IP address of 192.168.1.36, which is a free address on our office LAN. I have configured port 2 to VLAN 2, interface in Access mode, assigned a static IP address of 192.168.3.1 I put a static route in the modem/router, pointing 192.168.3.0/24 to 192.168.1.36.
I have a PC on 192.168.3.10 attached to port 2.
The SF300 can ping 192.168.3.1, but not 192.168.3.10. 192.168.3.10 can ping 192.168.3.1. It can also ping 192.168.1.1, and can pull up an HTTP router admin page from 192.168.1.1. 192.168.3.1 can be pinged from anywhere on 192.168.1.x, but 192.168.3.10 cannot be pinged from 192.168.1.x. Finally, 192.168.3.10 cannot ping any other addresses on 192.168.1.x except 192.168.1.1, and cannot reach the Internet.
Here's my configuration:
switch6d919d#show runconfig-file-headerswitch6d919dv1.3.0.59 / R750_NIK_1_3_647_260CLI v1.0set system mode router
file SSD indicator encrypted@ssd-control-startssd configssd file passphrase control
[Code].....
I just procured Cisco 3560V2- 48PS-S i would like to know how to set it up from scratch:
1. configuring passwords: enable and privilege
2. Creat Vlan , such that systems connected to the Vlan can connect to internet.
3. enable routing protocols
4. How do i use the switch as a default gateway for the systems on the vlan
5. how do i make sure the desktops connected to the switch are browsing the internet.
I would like to configure a guest-vlan and restricted-vlan on a 2960 switch, but I can not.
I am trying to configure the interface using the following commands: [code] similar result is obtained while trying to configure a auth-fail vlan. the full configuration file is attached.
I have some Cisco 1240 Access Points which are not centrally managed. I want to add 802.1Q trunking so as to be able to provision a guest VLAN. But a trick is that these APs are in some very high ceilings. I would like to provision the new trunking and guest VLAN without having to remove them from the ceiling. Someone suggested I just make the native VLAN save as existing and make the port to which attaches a trunked port. But when I did this I lost connectivity to the Access Point. Access came back as soon as I made the switch port an access port. how I can add the trunking and guest VLAN without having to get into the ceilings to remove them and configure them via console or other?
View 2 Replies View RelatedI have a 2232 dual homed to 2 5548's via a port-channel/ vpc. I have one 5548A and configure the port for the 2232 with a vlan, plug into that port and it doesn't come up (inactive). I go to 5548b (Primary) and configure the port and it comes up.
View 3 Replies View RelatedI have registered here to clarify some things about VLAN's. There are so many (different) names and mentions that i found tat my vision gets blurry looking through all the info.I have a setup at a client where the Guest WiFi access needs to be separated from the normal LAN where all the normal devices are attached to. The guests are not allowed to reach the IP camera's and printer etc. etc. . I am trying to visualize how the traffic should flow but the Tagged, Untagged, PVID, Trunks and other names that i found make it difficult for me to see how it works together.
View 8 Replies View RelatedI am configuring 802.1X in a 3560 Switch, my Radius server is a Microsoft IAS, when I connect a station of a guest user, the guest-vlan is not assigned in the port, and I have these logs:
May 8 21:23:02: dot1x-ev:Received an EAP Timeout on FastEthernet0/8 for mac 0000.0000.0000
May 8 21:23:02: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not
[Code].....
I currently have two Nexus 5548UP switches in my environment running the latest code (n5000-uk9.5.1.3.N1.1a.bin). Both of these switches are connected via a VPC Peer Link (two ports on each switch in an Ether Channel) and a VPC-Keep Alive Link (a dedicated port). Hosts connect to each switch via a VPC for both IPV4 and FCOE.
As of right now, everything works. I currently have a stack of two 3750 switches that each Nexus is connected to. This stack is doing all the Intra-VLAN Layer 3 Routing for the Nexus Switches. However, I plan to get rid of the 3750s, and move the Layer 3 Routing the Nexus 5548's, so the backplane is 10 Gig instead of 1 Gig.. I have the Layer 3 Daughter Card installed in both switches, as well as the LAN_BASE license.
So, at the moment, I am trying to find the best way to accomplish Layer 3 Routing on these two switches. Since the Nexus switches are not stacked, and the FCOE portion of HA is taking care of by the Multipathing agent on each host, I believe am just concerned with providing Intra-VLAN routing in an HA build where if one switch goes down, VLANs still route through the other switch.
Again, since the Nexus switches are not stacked, I am guessing the best way to handle this is with HSRP, but my experience with that has always been with routers that have a switch in the middle. Can I make HSRP work without having a switch between the Nexus switches? Can I track the VPC peer link, or how do I do it? I guess I am looking for a sample config.
Let's pretend I had two VLANs:
VLAN 20:
10.20.20.254 - GW and 10.20.20.0/24
VLAN 40
10.40.40.254 - GW and 10.40.40.0/24
And I wanted the Nexus switches to route these VLANs regardless of which switch was up / down..
I am configuring DHCP pool for voice vlan on cisco 2921 router.
Here is the setup.
2921 router -> 3750 -> 2960 PoE -> 7942 IP Phone
Router Config
ip dhcp excluded-address 10.146.54.1 10.146.89.50
!
ip dhcp pool VoiceVlan
network 10.146.54.0 255.255.255.0
subnet prefix-length 24
dns-server 10.144.68.32 10.144.68.33
option 150 ip 10.146.68.36
default-router 10.146.54.1
netbios-name-server 10.144.68.32 10.144.68.33
netbios-node-type h-node
[code]....
