3750 VLAN routing problem and Access Point 1131 AG multiple SSID?

[Kockalone]

PROBLEM 1:
We have two Layer3 stacked switches acting as “Inter Vlan Routing” device together with multiple Layer2 switches acting as access switches. ASA 5530 firewall will be delivered soon but till then we need routing between all VLANs. Here is part of the configuration:
Cisco 3750 L3 switch:
- created VLANs with appropriate addresses
- its acting as VTP Server and propagates VLANs to others 2960 VTP clients
- configured as a DHCP server for some VLANs
- STP globaly enabled because there are redundant links
- Ip routing enabled and on show ip route all Vlans are (C) directly connected
- Interfaces are in trunk mode with allowed all VLANs
ip routing
ip dhcp pool AccessPool
network 10.1.103.0 255.255.255.0
default-router 10.1.103.1
ip dhcp pool Computers
network 10.1.101.0 255.255.255.0
default-router 10.1.101.1
spanning-tree mode pvst
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk
interface Vlan101
description Computers
ip address 10.1.101.1 255.255.255.0
interface Vlan102
description Cameras
ip address 10.1.102.1 255.255.255.0
interface Vlan103
description AccessPoints
ip address 10.1.103.1 255.255.255.0
ip classless

Cisco 2960 switch:
- as VTP client
- STP globaly enabled because there are redundant links
- Two Interfaces are in trunk mode with allowed all VLANs
interface FastEthernet0/2
switchport access vlan 101
switchport mode access
interface FastEthernet0/13
switchport access vlan 103
switchport mode access
interface GigabitEthernet0/1
switchport mode trunk
Everything is working fine: VTP propagates VLANs, DHCP is assigning addresses (no dns for now) but routing between VLANs doesn’t working. For example I can’t access from PC in vlan101 to Access Points in vlan 103, or any other vlan. From L3 switch I can ping all clients in all subnets, but from L2 switch where are for example vlan 101,102 I can’t ping clients on other L2 switch where is only vlan 103. All links to L3 switch are in trunk mode allowing all vlans. HELP?
PROBLEM 2:
On L2 switches in some access ports (vlan 103-dhcp server is on L3 switch ) we have connected 1131 AG AccessPoints. We didn't assigned vlan on SSID because it is working without it and wireless clients get addresses. For now only one SSID is broadcasting, but we want two SSIDs in two vlans (for example 103 and 107 both created in L3 switch with dhcp parameters) to broadcast. Question is: do I have to put ports on L2 switch attached to AP in trunk mode allowing vlan 103 and 107, and how to manage on AP to broadcast two visible SSIDs (one for guests and one for employes). HELP?

 

[unclerico]

from L2 switch where are for example vlan 101,102 I can't ping clients on other L2 switch where is only vlan 103

I'm assuming you have an SVI configured on the 2960's for management along with ip default-gateway set??

do I have to put ports on L2 switch attached to AP in trunk mode allowing vlan 103 and 107

yes

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[Kockalone]

On all 2960's I have configured SVI like:
interface Vlan1
ip address 10.1.100.X 255.255.255.0
no ip route-cache
What I have to add (ip default-gateway)? You mean on all L2 switches to add default-gateway 10.1.100.1 for int VLAN1? And what about other VLANS?
On 3750 who is routing VLAN1 is on 10.1.100.1 for management.
From PC in vlan 101 I can access any switch in 10.1.100.0 subnet, but not any other device in other VLANs. All vlans are propagated from VTP server. I am little confused right now?

 

[unclerico]

since the 2960's can only have a single active SVI you'll assign the default gateway to be the gateway for the subnet of that VLAN. so if the 3750 SVI has an address of 10.1.100.1 then that is the gateway you'll use for the 2960's. when any remote device needs to communicate with that switch, you'll communicate via the VLAN1 SVI. go around to each device and make sure that the gateways are assigned properly; this includes PC's, AP's, switches, etc.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[Viconsul]

Problem 1

I can't access from PC in vlan101 to Access Points in vlan 103, or any other vlan. From L3 switch I can ping all clients in all subnets, but from L2 switch where are for example vlan 101,102 I can't ping clients on other L2 switch where is only vlan 103. All links to L3 switch are in trunk mode allowing all vlans. HELP?

Your trunks are not working correctly, the encapsulation has not been set on you L2 switches(2960 switch) add switchport trunk encapsulation dot1q to your int gi0/1

Problem 2
Yes, you will need to put the ports your APs are connected to, in a trunk mode. However the best practice is to put your APs and Switchs in a management vlan which is different from your data or voice vlans.
On your APs create your ssid(s) and map each different ssid to a specific vlan

 

[Kockalone]

Thanks very much, I will try to use all of this. See you soon.

 

[Kockalone]

Viconsul: I just remembered - In 2960 series only dot1q is supported so the "switchport trunk encapsulation dot1q" command is not supported. Also I have enabled all vlans for trunking "switchport trunk allowed vlan all"; that's why it does not show in running config.

 

[Viconsul]

Post a show int gi0/1 switchport of your L2 switch trunk.