Help with VLAN configuration - please

  • Question
  • Updated 1 year ago
  • Answered

After many days and weekends fighting with the ZoneDirector and the Access Points I need some help and here's my first post!

We have the following:

Zone Director ZD1112 - 9.8.2.0 build 15

Connecting to Cisco Nexus 3048 Switches.


We have Office A and Office B. The ZoneDirector is in Office A with local access points. Office B also has access points.

Office A and Office B are connected via an Ethernet link.

We have created VLAN 31 and this works when wireless devices connect to a standard WLAN. However, the problem that we have is that we want the ZoneDirector to distribute the wpad.dat file to clients from the ZoneDirector, which isn't working.


I believe this isn't working because we don't have two way communication between the ZoneDirector and Access points at Office B.


We DO HAVE communication on this network/VLAN between offices. Office B devices on this VLAN and network range can see the Office A devices and vice versa.


The problem we have is that the WIFI Controller cannot ping the other Access Points when it is placed in the WIFI VLAN (31) or native VLAN 1. The Access Points still connect to the Zone Director.


This is where we need some guidance and here's the confusing part (for me): On the WIFI Controller configuration page it requires a VLAN setting for its IPv4 Ethernet address. Why is there a VLAN requirement here and why not let the Ethernet switch port tag the frame?


We have adjusted switch ports’ “access mode” to “port” and “trunk” and allowed VLAN 31 etc, etc, but the results are the same in that:

When the Access VLAN is set to the native VLAN 1 on the ZD the results are:

  • An Office B Access Point CAN ping the Office A controller

  • The Office A ZD cannot ping an Office B Access Point but it can ping its local Access Points.

  • The Office A ZD is pingable from the switch that it is connected to.

When the Access VLAN is set to 31 on the ZD the results are:

  • The Office A ZD cannot ping any Access Points in Office A or Office B

  • The Office B Access Point CAN still ping the ZD.

  • The Office A ZD is NOT pingable from the switch that it is connected to, but as you can see in the last point other Access Points can still ping it.

The problem appears to be a combination of the native VLAN (1) across the link and VLAN 31.


I appreciate there's a lot to take in but any pointers or guidance really would be appreciated. I have produced a network diagram if that would help.

Tolan

Tolan Collins

Posted 1 year ago

Eizens Putnins

Hi, there is a complete mess in your description of the problem, so it is quite difficult to see what is wrong.

1. Settings on AP and ZD for the management network normally must not be changed from the default 1. Normally you connect ZD to an access port in the management VLAN (so it needs to be untagged - 1), but the AP you connect to a trunk with the management VLAN as native (also untagged - so again 1). So check that the setting is proper and ZD and AP have management interfaces in the same VLAN.
2. If you can ping ZD from office B APs, then you obviously have bi-directional communication between them, as ping is request and answer. Also, if APs are connected to ZD, there is communication too. If you can't ping in the opposite direction, the reason may be using the wrong interface on ZD for ping, a firewall access list, wrong routing / network mask settings, small MTU, or any other reasons on the network.
From what I see, it looks like you want to have all APs and ZD management on VLAN 1, but clients on VLAN 31, and there is some routing between them (which makes it understandable why office B APs can ping when you change the management VLAN on ZD to 31). It also proves that you have ZD connected to a trunk, not to an access port.

Anyway, what you must clarify before doing something else:
1. VLANs used for AP management in offices A and B and which is used for wireless client connection in both office 1 and 2 (probably you want the same in both offices, but check it).
2. To which VLAN ZD has to be connected. Most probably you want to have the same VLAN on APs and ZD; then it must be the same and ZD must be connected to an access port in this VLAN, APs - to a trunk with this VLAN as untagged (native). If different VLANs are used, routing and proper gateways must be configured on APs and ZD.
3. Check IP addressing - it must be proper (addresses, mask, gateway on all devices).

By the way, management VLAN for APs doesn't need to be 1, you can use any VLAN, just make it untagged (native) on APs and ZD ports. It may help by the way, as in some cases Cisco switches have some limitations for VLAN 1.

After everything else works, for wpad.dat download, clients must have access to ZD when connecting to VLAN, and it needs proper routing + access-list configuration.
If you still have problems, post port/VLAN information, we'll see what else can be done.

Hope it helps,
Eizens
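A switch-side configuration matching the advice above, as an added example that is not from this thread or from Ruckus/Cisco documentation. It uses NX-OS syntax as on the Nexus 3048 named in the question; the interface numbers, the VLAN name and the choice of VLAN 1 as the management VLAN are assumptions (any VLAN works as long as it is untagged/native on both the ZD and AP ports, as the reply notes).

```cisco
! Assumed layout (example, not the thread's real config):
!   Eth1/1  - ZoneDirector, access port, management VLAN untagged
!   Eth1/2  - Ruckus AP, trunk: management VLAN native, client VLAN 31 tagged
!   Eth1/48 - inter-office link to the Office B switch, same trunk settings
! With this layout the ZD keeps its default "Access VLAN" of 1 (untagged).

vlan 31
  name WIFI-CLIENTS

interface Ethernet1/1
  description ZoneDirector (management, untagged)
  switchport
  switchport mode access
  switchport access vlan 1
  spanning-tree port type edge
  no shutdown

interface Ethernet1/2
  description Ruckus AP (mgmt native on 1, clients tagged on 31)
  switchport
  switchport mode trunk
  switchport trunk native vlan 1
  switchport trunk allowed vlan 1,31
  spanning-tree port type edge trunk
  no shutdown

interface Ethernet1/48
  description Link to Office B switch (carries mgmt + VLAN 31)
  switchport
  switchport mode trunk
  switchport trunk native vlan 1
  switchport trunk allowed vlan 1,31
  no shutdown

! Checks, from the defender's side, that both ends agree:
!   show interface trunk            - native VLAN and allowed list on Eth1/2, Eth1/48
!   show vlan brief                 - VLAN 31 exists and includes the expected ports
!   show mac address-table vlan 1   - ZD and AP MACs learned on the management VLAN
! A native-VLAN mismatch on the inter-office trunk is the classic cause of
! one-way reachability like the question describes.
```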
Tolan Collins

Hi Eizens

Thank you for the detailed response, really appreciated.

I have "stepped back" from this installation and we're going to start again and take the following action. We have moved the ZD to the same office as the DNS/DHCP and Internet servers to avoid additional routing issues.

We are putting the ZD and APs into a VLAN that we know has clear communication between offices. This hopes to avoid VLAN 1 which (I think) has been "disabled" in various ways by previous engineers to improve security.

I will let you know how we get on.

Tolan

Eizens Putnins

This sounds like the reason for your problems. I expect this will work with proper VLAN configuration without any issues -- we do it routinely.