New VLAN across multiple Cisco switches
I have set up a new VLAN on my corporate network for use by guests only. I am trying to set up a guest WiFi service and keep all of the traffic separate from the business traffic. So far I have created a 172.16.0.0/24 subnet using VLAN 172 for guests. This is separate from my 10.11.0.0 network but still travels through the same Cisco hardware to get from the Cisco Aironet out to the internet. The aim is to get the traffic from the guest's device to travel through multiple hops as follows: Guest device > Cisco Aironet 1600 > Cisco WLC 2504 > Cisco Catalyst 3560 - all on the 10.11.23.0 subnet in one physical location; then it passes to the 10.11.1.0 subnet and uses a Cisco WS-C2960G > Cisco 1941 router > Internet, which is in another physical location. My switches on the 10.11.23.0 subnet can all see all of the route hops on the 172 VLAN, but not outside of their physical location, e.g. they cannot see the next hops that reside in the other physical location, and the same applies to the 10.11.1.0 subnet. So there is a big gap in the middle where VLAN 172 is missing the connection which joins the two physical locations together. I am pretty sure that the switchports that are responsible for joining these two locations together are not trunked. I think this is the answer, but the rest of my live network relies on these ports. If I enable trunk mode to test this, am I likely to disconnect everything else that is currently working?
Since both ends of the link must be set up the same way, yes, changing a link from access mode to trunk mode will cause a disruption, at least a few seconds.
If you access the management of one of those switches through the link you are changing, then you need to first change the configuration on this switch, then on the other one.
It’s better to have console access on both, so you don’t lose the management and can quickly correct any misconfiguration.
If you are filtering VLANs, first enter
switchport trunk allowed vlan *your vlan list*
and, if needed,
switchport trunk encapsulation dot1q (not all switches require it)
then you can issue
switchport mode trunk
simultaneously on both switches.
Yes, this is essentially what we do as well.
guest device > Cisco AP > Cisco WLC > core router > guest FW > cable Internet.
Best to set up the 172 VLAN on the core switch, without an interface VLAN, and then trunk that traffic over to your 2960 and then set up an interface or sub-interface on your router.
I would suggest that you use a separate Internet service for your guest traffic. We used to use our primary Internet circuit back in the day for guest Internet, but once you get blacklisted for email spamming or illegal content, you’ll wish you did.
The Ethernet frames on VLAN 172 should get tunneled to the WLC 2504, where the security/routing is configured. So, you must enable your network (switches) to allow VLAN 172 to reach the WLC 2504. The interface between the WLC 2504 and the switch must be a trunk interface.
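As an added example (not from any of the posts above), here is the staged trunk change the first answer describes, applied to the inter-site link between the Catalyst 3560 and the WS-C2960G, plus the WLC-facing port the last answer says must be a trunk. Interface names, the business VLAN IDs 10 and 20, and the management VLAN 11 are placeholders; VLAN 172 is the guest VLAN from the question.

```cisco
! === Catalyst 3560 (10.11.23.0 site) ===
! Stage 1: define the VLAN and restrict the allowed list BEFORE changing
! the mode, so the trunk never comes up carrying every VLAN. The list must
! keep every VLAN the live network already uses on this link (placeholders
! 10,20 here), or that traffic is cut off when the mode changes.
vlan 172
 name GUEST
!
interface GigabitEthernet0/1
 description Uplink to WS-C2960G (10.11.1.0 site)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,172
 switchport nonegotiate
! Native VLAN is left at its default on both ends; it must match on both
! sides, and VLAN 172 must stay tagged (never the native VLAN), so guest
! frames cannot leak onto the untagged management path.
!
! WLC 2504 port: the WLC tags its guest interface with VLAN 172, so the
! switch port must trunk the management VLAN (placeholder 11) and 172.
interface GigabitEthernet0/10
 description Cisco WLC 2504
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11,172
 switchport nonegotiate
 switchport mode trunk
!
! Stage 2 (issued on BOTH switches at the same moment; brief outage):
interface GigabitEthernet0/1
 switchport mode trunk
!
! === WS-C2960G (10.11.1.0 site) ===
! The 2960 only supports 802.1Q, so no "encapsulation" command exists.
vlan 172
 name GUEST
!
interface GigabitEthernet0/1
 description Uplink to Catalyst 3560 (10.11.23.0 site)
 switchport trunk allowed vlan 10,20,172
 switchport nonegotiate
 switchport mode trunk
!
! Verification on each switch after the change:
!   show interfaces GigabitEthernet0/1 trunk
!   show interfaces GigabitEthernet0/1 switchport
! VLAN 172 must be listed as allowed AND active (it must exist in the VLAN
! database on both switches), and the native VLAN must be identical on
! both ends; a mismatch is logged by CDP as a native VLAN mismatch.
```

Doing the same on the 2960's port towards the 1941 router and a dot1q sub-interface for VLAN 172 on the router closes the last gap the question describes.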