VLAN & DHCP Issue

Uberseehandel

Hi

I am re-configuring my test network and an unexpected error has occurred. I am in the first stage of moving devices to appropriate VLANs. The VLANs used by the two SSIDs are circled in the screenshot below - 

[screenshot: Screen2.png]

The phone attaches to either of the SSIDs as selected - 

[screenshot: Screen1.png]

 

However, the Access Point is reporting an error - 

[screenshot: Screen3.png]

Doubtless, I've done something silly, but I am a little surprised at the mention of VLAN 0.

 

Any suggestions greatly welcomed.

 

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

PhilipDAth

Have you tried getting the phone to release and renew its DHCP address? It may be holding onto its last lease assignment.

Philip

 

Thanks for your interest. 

 

I just tried getting the phone to forget both networks so it was unattached and then re-attached to VLAN 111 Analytics (via the Enigma SSID). I still get the same error message and the orange status on the AP.

 

The default is VLAN 1, not 0. The switch and the AP are on the management VLAN 11. Eventually, I intend to remove VLAN 1, and I do not see that I need VLAN 0 (is that a normal VLAN?) if everything is specifically assigned.

 

 

 

I'm a bit puzzled.

 

 


My assumptions are that the error message is for the AP not the phone. How's the AP configured, is it configured to receive an IP address via DHCP? Make sure there is no VLAN tagging set on the AP's DHCP configuration as I assume it's already being tagged at the Switch port? (Double tagging could cause this error message)

Eliot F | Simplifying IT with Cloud Solutions

@MilesMeraki

 

Thanks for your suggestion - the screenshot below shows how the AP is configured - 

[screenshot: Screen4.png]

Both the SSIDs function as expected. The AP is getting its IP address from the correct VLAN DHCP server. I am not sure where to go looking for more causes . . .

 


Try checking the config on the local status page. Particularly the VLAN assigned there.

 

If it all still looks correct perhaps give the AP a power cycle.

 

 

To me, everything looks configured correctly.

You mention a switch.

 

So you have an MX, and on LAN1 it connects to a switch? And then the AP plugs into that switch?

@PhilipDAth
LAN1 port on MX plugs into the MS220-8P port 10

@PhilipDAth

 

I've accessed the local pages for the switch (MS220-8P) and the AP, everything appears to be Healthy.

 

However, I checked the entry on the switch port page and it shows that the port the switch is connected to has 

 

Native VLAN - 11

Allowed VLAN - 11, 111, 1001

 

(11 Management, 111 Analytics, 1001 Isolated Guests)

- is this correct?


You have two choices:

1. Configure the native VLAN as "1". Nothing will use it, as you have everything configured to use other VLANs.

2. Leave the native VLAN as 11 but change the AP backup to using VLAN1 - which will actually end up on VLAN11.

Sorry, this is between the switch and the MX.

 

I would make the native VLAN "1", and configure the switch to use VLAN11 as its management VLAN via the local status page on the switch.

Double tagging is the issue here. As @PhilipDAth has stated, the Native VLAN is 11 and the AP is using VLAN 11 for its DHCP requests when the Native VLAN is already VLAN 11.

 

As @PhilipDAth has mentioned, change the Native VLAN back to 1 and this will resolve the issue. 


@MilesMeraki

@PhilipDAth

 

Thanks for your help guys, it is much appreciated.

 

As you both predicted, changing the native VLAN for the AP(s) back to 1 solved the problem.

 

Because of my background, I'd prefer it if there was not a default VLAN, and to avoid using VLAN 1, because both 0 and 1 are predictable and often default values.

 

I'm trying to develop a core architecture that can act as a template for future deployments, rather than configure on a one-off basis.

 

I am not a network engineer, so what is obvious to everybody else is not always obvious to me. As I said before, your assistance is much appreciated.

 

Robin

 


You can choose a non-existent VLAN to be the default if you want, like 123. But you must configure it as the native VLAN on each side of a trunk link.

No problem @Uberseehandel, glad that we could be of assistance. As @PhilipDAth has stated above, if you believe keeping VLAN 1 as the default Native VLAN is insecure/vulnerable, change it to another unused VLAN number in your design; just ensure that you change the Native VLAN on all other links to reflect it.


@MilesMeraki

@PhilipDAth

 

I've found a lot of information on the Cisco education site so I'll take it on board (hopefully weeding out the misleading stuff), and I'll re-organise the VLAN numbering scheme accordingly. I'm tempted by (room) 101 for the unused VLAN.


If you want the AP to be on VLAN 11 and the switch port to use VLAN 11 as its native (or untagged) VLAN, here's what you should try.

 

Set the AP to DHCP and leave the VLAN tag blank.

Then set the switch port to native VLAN 11.

Then bounce the port.

 

If the AP's configured management VLAN matches the native VLAN on the switch port you will get this error.

 

The AP doesn't have a way of knowing what native VLAN the switch is configured for. In this case, it just knows that it's configured to use DHCP on a VLAN for which it never gets traffic with the expected VLAN tag from the switch.

 

Uberseehandel

@Zilla

 

Thanks for your suggestions.

 

I now have the VLANs configured pretty well the way I want them to work.

 

My next issues are to do with isolating "risky" devices into their own VLAN yet still be able to access their services, eg Bonjour or Chromecast.

 

Virtually all the "smart" devices I have seen are woeful from a security viewpoint, so should be kept away from the rest of the network, yet some are quite convenient. Whether it is at home or work, I cannot see us having fewer smart devices in the future. So we have to be able to find a way of being able to live with them, securely.

 


PhilipDAth

Reading this again I missed this was an AP issue.

 

I would think by "VLAN0" it means the native or untagged VLAN.

 

The switch port that the AP plugs into, I assume it is a trunk port. Is the native VLAN - VLAN1, or a different native VLAN?


@PhilipDAth wrote:

Reading this again I missed this was an AP issue.

 

I would think by "VLAN0" it means the native or untagged VLAN.

 

The switch port that the AP plugs into, I assume it is a trunk port. Is the native VLAN - VLAN1, or a different native VLAN?


At present the "default" VLAN is VLAN 1. At present all the switch ports are trunk ports.

My aim is to use VLAN 11 as the management VLAN and avoid using any defaults.

 

It's after 2235 here; I'll get back to this in the morning (my time). Thank you for your assistance. 

 

Do I need to do anything on the switches other than set which VLANs each port will pass? Do I need to set up the ports to also pass the management VLAN when a client device is directly attached?

 

laters . . 

 


Since the AP is configured to use VLAN11, the port it plugs into on the switch should be a trunk port, and it can use a native VLAN of 1 (make sure the switch is not using a native vlan of 11).  Make sure the switch port that connects to the MX is also a trunk port.  Is this a Meraki switch?
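The mechanism the thread converges on (Zilla's explanation of why a management VLAN tag that equals the port's native VLAN never gets replies, PhilipDAth's two fixes, and the rule that both ends of a trunk must agree on the native VLAN) is easy to lose in prose, so here is an added simulation of it. This is not Meraki code and not anything posted in the thread: it is a constructed model of an 802.1Q trunk port and an AP's management interface. Two behaviours are assumptions rather than facts stated on the page: that the switch accepts a frame arriving tagged with its own native VLAN (real switches differ; some drop it), and that the AP drops a frame whose tag does not match the VLAN field configured in its DHCP settings, which is what Zilla's "never gets traffic with the expected VLAN tag" implies. The VLAN numbers are the thread's own (11 management, 111 Analytics, 1001 isolated guests).

```python
"""Model of the AP/native-VLAN mismatch discussed in the thread.

Constructed example, not Meraki firmware or dashboard code. A Frame with
vlan_tag None is untagged on the wire; any int is an 802.1Q tag.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    vlan_tag: Optional[int]  # None = untagged
    payload: str


@dataclass(frozen=True)
class TrunkPort:
    native_vlan: int
    allowed_vlans: FrozenSet[int]

    def ingress(self, frame: Frame) -> Optional[int]:
        """Frame arrives from the AP: return the switch-internal VLAN it lands
        in, or None if the trunk drops it. ASSUMPTION: a frame tagged with the
        native VLAN is accepted into that VLAN (some switches drop it instead)."""
        vlan = self.native_vlan if frame.vlan_tag is None else frame.vlan_tag
        return vlan if vlan in self.allowed_vlans else None

    def egress(self, vlan: int, payload: str) -> Optional[Frame]:
        """Frame leaves towards the AP: the native VLAN is sent UNTAGGED,
        every other allowed VLAN is sent tagged. This is the crux of the bug."""
        if vlan not in self.allowed_vlans:
            return None
        return Frame(None if vlan == self.native_vlan else vlan, payload)


@dataclass(frozen=True)
class AccessPoint:
    mgmt_vlan_tag: Optional[int]  # the dashboard 'VLAN' field; None = left blank

    def send(self, payload: str) -> Frame:
        return Frame(self.mgmt_vlan_tag, payload)

    def accepts(self, frame: Frame) -> bool:
        """ASSUMPTION: the AP only hands a frame to its management interface
        when the wire tag equals what it was configured to expect."""
        return frame.vlan_tag == self.mgmt_vlan_tag


def dhcp_completes(ap: AccessPoint, port: TrunkPort, dhcp_server_vlan: int) -> bool:
    """Run DISCOVER -> OFFER across the trunk; True if the AP sees the OFFER."""
    vlan = port.ingress(ap.send("DHCPDISCOVER"))
    if vlan is None or vlan != dhcp_server_vlan:
        return False  # request never reached the VLAN the DHCP server lives in
    offer = port.egress(vlan, "DHCPOFFER")
    return offer is not None and ap.accepts(offer)


def lint_port(ap: AccessPoint, port: TrunkPort) -> List[str]:
    """Static checks to run before blaming DHCP: the mismatch is visible
    from the two configs alone, without sending a single frame."""
    problems = []
    if ap.mgmt_vlan_tag is not None:
        if ap.mgmt_vlan_tag == port.native_vlan:
            problems.append(
                f"AP tags management traffic with VLAN {ap.mgmt_vlan_tag}, but that is "
                f"the port's native VLAN, so replies come back untagged and are dropped")
        if ap.mgmt_vlan_tag not in port.allowed_vlans:
            problems.append(f"VLAN {ap.mgmt_vlan_tag} is not allowed on the trunk")
    return problems


def lint_trunk_pair(a: TrunkPort, b: TrunkPort) -> List[str]:
    """PhilipDAth's rule: both ends of a trunk (e.g. MS220 <-> MX) must use the
    same native VLAN, or untagged frames silently change VLAN in transit."""
    if a.native_vlan == b.native_vlan:
        return []
    return [f"native VLAN mismatch across trunk: {a.native_vlan} vs {b.native_vlan}"]


MGMT, ANALYTICS, GUEST = 11, 111, 1001
ALLOWED = frozenset({MGMT, ANALYTICS, GUEST})

# The thread's broken state: AP tags VLAN 11, switch port native VLAN is also 11.
BROKEN: Tuple[AccessPoint, TrunkPort] = (AccessPoint(MGMT), TrunkPort(MGMT, ALLOWED))
# Fix 1 (PhilipDAth): native VLAN back to 1; AP keeps its VLAN 11 tag.
FIX_NATIVE_1 = (AccessPoint(MGMT), TrunkPort(1, ALLOWED | {1}))
# Fix 2 (Zilla): keep native VLAN 11 and leave the AP's VLAN field blank.
FIX_BLANK_TAG = (AccessPoint(None), TrunkPort(MGMT, ALLOWED))

if __name__ == "__main__":
    for name, (ap, port) in (("broken", BROKEN), ("native=1", FIX_NATIVE_1), ("blank tag", FIX_BLANK_TAG)):
        print(f"{name:10} dhcp ok={dhcp_completes(ap, port, MGMT)} lint={lint_port(ap, port)}")
    print(lint_trunk_pair(TrunkPort(1, ALLOWED | {1}), TrunkPort(MGMT, ALLOWED)))
```

Running it shows the request in the broken case actually reaches the DHCP server; it is the OFFER, sent untagged because VLAN 11 is native, that the AP discards, which is why the AP reports a VLAN problem rather than the server. Both fixes pass, and `lint_trunk_pair` flags the case where the switch-to-MX link was left at native 11 after the AP-facing port moved to native 1.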
