VLAN connectivity issue

BigD1108 (Limp Gawd, joined Nov 6, 2008, 165 messages)
I'm trying to set up a Guest VLAN for wireless at a client site, and I feel like I'm missing something small in the configuration, since I can't ping any of the VLAN interfaces from my laptop when the address is statically set to something in the 172.20.100.x range.

I've pasted the configs for the ASA 5505 and the 6 switches below for convenience. Near as I can tell, all should be well. The ports are in trunking mode, the "show cdp neighbors" command returns the proper information, VLAN 100 exists on all the switches, etc.

Hoping someone smarter than I can show me where I went wrong.

ASA:

Code:
ASA Version 7.2(4)
!
hostname ASA
domain-name xxxx.local
enable password Cj3LF.ehxXN3xVkxWcxd encrypted
passwd Cj3LF.ehxXN3xVkWcxd encrypted
names
name 172.20.0.7 xxxxx
name 172.20.0.3 xxxxx
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.20.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxxxxxxx 255.255.255.248
!
interface Vlan3
 no nameif
 no security-level
 no ip address
!
interface Vlan100
 nameif GUEST
 security-level 10
 ip address 172.20.100.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport trunk allowed vlan 1,100
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxxx.local
access-list inbound extended permit tcp any any eq https
access-list inbound extended permit tcp any any eq 3389
access-list inbound extended permit tcp any any eq www
access-list inbound extended permit tcp any host x eq 709
access-list inbound extended permit udp any host x eq isakmp
access-list inbound extended permit udp any host x eq 4500
access-list inbound extended permit esp any host x
access-list inbound extended permit icmp any host x
access-list inbound extended permit gre any host x
access-list inbound extended permit tcp any host x eq 709
access-list inbound extended permit udp any host x eq isakmp
access-list inbound extended permit udp any host x eq 4500
access-list inbound extended permit esp any host x
access-list inbound extended permit icmp any host x
access-list inbound extended permit tcp any host x eq 709
access-list inbound extended permit udp any host x eq isakmp
access-list inbound extended permit udp any host x eq 4500
access-list inbound extended permit esp any host x
access-list inbound extended permit icmp any host x
access-list inbound extended permit tcp any any eq 5900
access-list inbound extended permit gre any host x
access-list inbound extended permit tcp any host x eq 9964
access-list inbound extended permit tcp any host x eq 9964
access-list inbound extended permit tcp any host x eq 9964
access-list inbound extended permit tcp host x host x eq ldap
access-list inbound extended permit tcp host x host x eq ldaps
access-list inbound extended permit tcp host x host x eq 337
access-list inbound extended permit tcp host x host x eq 3437
access-list inbound extended permit tcp host x any eq smtp
access-list inbound extended permit tcp host x any eq ldap
access-list vpn-acl extended permit ip 192.168.100.0 255.255.255.0 172.20.0.0 255.255.255.0
access-list vpn-acl extended permit ip 172.20.0.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging trap notifications
logging asdm informational
logging host inside server
mtu inside 1500
mtu outside 1500
mtu GUEST 1500
ip local pool clientpool 192.168.100.1-192.168.100.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpn-acl
nat (inside) 1 0.0.0.0 0.0.0.0
nat (GUEST) 1 172.20.100.0 255.255.255.0
static (inside,outside) tcp interface ldap misys ldap netmask 255.255.255.255
static (inside,outside) tcp interface smtp server smtp netmask 255.255.255.255
static (inside,outside) tcp interface https server https netmask 255.255.255.255
static (inside,outside) tcp interface www server www netmask 255.255.255.255
static (inside,outside) tcp interface 3437 server ldap netmask 255.255.255.255
static (inside,outside) xxxxxx 172.20.0.49 netmask 255.255.255.255
static (inside,outside) xxxxxxxx 172.20.0.37 netmask 255.255.255.255
static (inside,outside) xxxxxxxxxxxx 172.20.0.145 netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 xxxxxxxxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server vpn protocol radius
aaa-server vpn (inside) host server
 key cisco11
http server enable
http 172.20.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 172.20.0.0 255.255.255.0 inside
telnet 172.20.0.0 255.255.255.255 inside
telnet timeout 5
ssh sssssss 255.255.255.255 outside
ssh xxxxxxxxxxxx 255.255.255.255 outside
ssh timeout 60
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.20.100.100-172.20.100.199 GUEST
dhcpd dns 4.2.2.2 8.8.8.8 interface GUEST
dhcpd enable GUEST
!

group-policy ssss internal
group-policy sssss attributes
 wins-server value 172.20.0.3
 dns-server value 172.20.0.3
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-acl
 default-domain value sssss.local
 split-dns value ssss.local
 nem enable
tunnel-group sssvpn type ipsec-ra
tunnel-group sssvpn general-attributes
 address-pool clientpool
 authentication-server-group vpn
 default-group-policy ssssvpn
tunnel-group sssvpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c721a056be2a89ba04e72e5cc644b3dd
: end


Switch #1:

Code:
Current configuration : 5030 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xx-xxx-Switch1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$29wsC$rxYVgLdspQRV.J18yjFYYe.
!
!
!
no aaa new-model
switch 1 provision ws-c2960s-24ps-l
!
!
!
!
crypto pki trustpoint TP-self-signed-114779136
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-114779136
 revocation-check none
 rsakeypair TP-self-signed-114779136
!
!
crypto pki certificate chain TP-self-signed-114779136
 certificate self-signed 01
  30820248 308201B1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31313437 37393133 36301E17 0D393330 33303130 30303233
  345A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3131 34373739
  31333630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  BCCD20B8 0EC58A7B 06DE89F8 5DD69260 299F80D8 56ED0E8A 545E2B94 D1ABF1E8
  8F2BD193 56EF3FEB 7686D2B5 D744F272 3A2D6C3C 93E92F81 2995E78F E411A70A
  A63CB96E 5E49D4F3 426AA707 770E531F 3176BD47 4F919A41 2DDA1478 16FD7BF5
  DA54BBB5 907E6009 D1AC0B96 D572C003 083D2A33 18995AC4 00417D7E 8E6D44E9
  02030100 01A37230 70300F06 03551D13 0101FF04 05300301 01FF301D 0603551D
  11041630 14821243 502D4365 6E746572 2D537769 74636831 2E301F06 03551D23
  04183016 80140FE3 0EDB89A8 58E0D98C 596AB844 E228598B F767301D 0603551D
  0E041604 140FE30E DB89A858 E0D98C59 6AB844E2 28598BF7 67300D06 092A8648
  86F70D01 01040500 03818100 19A28842 4F7C8D2C 75CECDB0 CE0CC913 56408BC2
  D698AA8B ADFC8A3C D814C590 75EE1372 BF83763E 7A446CCE 1D399782 907DBA3E
  DF04EFF4 E48D6D8C 7DDC852F 16534FD4 75FB713B EC0088DB 2C351BF8 F342A0D0
  C0998CDB 53803208 4AC5E4AE DD945993 D3057570 039A0F25 49920153 785EB3BD
  9DBDFE12 B6DE5C18 362B4A1A
  quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/4
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/5
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/6
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/7
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/8
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/9
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/10
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/11
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/12
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/13
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/14
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/15
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/16
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/17
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/18
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/19
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/20
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/21
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/22
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/23
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
 ip address 172.20.0.64 255.255.255.0
!
interface Vlan100
 ip address 172.20.100.2 255.255.255.0
!
ip default-gateway 172.20.0.1
ip http server
ip http secure-server
ip sla enable reaction-alerts
banner motd ^C
******************************************
Unauthorized access prohibited!
******************************************
^C
!
line con 0
 password 7 04783sB050sssA2F581sD3B58
 login
line vty 0 4
 password 7 04783B050Assss2F581Ds3B58
 login
line vty 5 15
 password 7 05283ss60C24425sA5A2B44
 login
!
end

Switch #2:

Code:
Current configuration : 5435 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ss-ssss-Switch2
!
enable secret 5 $1$wOusN$M2rkLms0/Pf0Jdw7sfbAf320
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/3
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/4
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/5
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/6
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/7
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/8
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/9
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/10
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/11
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/12
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/13
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/14
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/15
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/16
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/17
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/18
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/19
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/20
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/21
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/22
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/23
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/24
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/25
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/26
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/27
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/28
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/29
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/30
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/31
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/32
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/33
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/34
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/35
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/36
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/37
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/38
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/39
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/40
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/41
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/42
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/43
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/44
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/45
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/46
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/47
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/48
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet0/1
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface Vlan1
 ip address 172.20.0.40 255.255.255.0
 no ip route-cache
!
interface Vlan100
 ip address 172.20.100.3 255.255.255.0
 no ip route-cache
!
ip default-gateway 172.20.0.1
ip http server
logging 172.20.0.2
!
control-plane
!
!
line con 0
line vty 0 4
 password 7 0027230F0Af58585558
 login
line vty 5 15
 password 7 15313B050sA29f78777F
 login
!
end

Switch #3:

Code:
Current configuration : 5601 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ss-sss-Switch3
!
boot-start-marker
boot-end-marker
!
!
!
!
no aaa new-model
switch 1 provision ws-c2960s-24ps-l
!
!
!
!
crypto pki trustpoint TP-self-signed-3885847552
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3885847552
 revocation-check none
 rsakeypair TP-self-signed-3885847552
!
!
crypto pki certificate chain TP-self-signed-3885847552
 certificate self-signed 01
  3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33383835 38343735 3532301E 170D3933 30333031 30303032
  33355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38383538
  34373535 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C4DC B1CEABF9 D9E4E4DF ACF2DAF1 EF519967 F8F82B6A E301C200 C7DF0057
  7A46BD94 557AC07B D0589FA1 EB69CEA9 A43AA670 EB672A9D 70F9301A 6E33AE88
  EEB0A8B0 504C9795 3A2EF8CF 52B1983E 4624A32C 80C7C72C 61F42DBC A748455B
  8DEB12D3 525F8543 61BBF5DA BCF1F245 36938CAD 9EF9D8D8 1EEB1DD6 F0518AB6
  620B0203 010001A3 72307030 0F060355 1D130101 FF040530 030101FF 301D0603
  551D1104 16301482 1243502D 43656E74 65722D53 77697463 68332E30 1F060355
  1D230418 30168014 E2D5CF8E 8C1AB427 A2A2BC7E 6DECE7C4 1D5BCE17 301D0603
  551D0E04 160414E2 D5CF8E8C 1AB427A2 A2BC7E6D ECE7C41D 5BCE1730 0D06092A
  864886F7 0D010104 05000381 81007FF0 9BC11ADD 2149B90A EDA5A6F4 C9BCA309
  D3DFC64F ECA4E9B3 3D7276CE C8580CD3 CE7CC19D BC17829B A0BBC023 7103EB37
  FE02F7CC 7C6B79BE 2D659398 3C35D802 0195D0FC EEE99535 D6AC84C5 CC4E503C
  D59951C3 0D9D7C2F 3B059F3A 739C2620 C69C7E38 AAEA7A7C 9E58F02F 3585B9A1
  9136D70A 8EAC84FF A0D2358A 5E3A
  quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0
 no ip address
!
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/5
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/7
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/8
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/9
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/10
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/13
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/14
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/15
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/16
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/17
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/18
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/19
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/20
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/21
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/22
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/23
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/25
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/26
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/27
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/28
 switchport mode access
 spanning-tree portfast
!
interface Vlan1
 ip address 172.20.0.41 255.255.255.0
!
interface Vlan100
 ip address 172.20.100.4 255.255.255.0
!
ip http server
ip http secure-server
ip sla enable reaction-alerts
!
line con 0
 password 7 112A2906121Cf1F5F366B
 logging synchronous
 login
line vty 0 4
 password 7 112A290f6121C1F5F366B
 logging synchronous
 login
line vty 5 15
 password 7 123A351417f051857186A
 logging synchronous
 login
!
end


Switch #4:

Code:
Current configuration : 5631 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xx-xxx-Switch4
!
boot-start-marker
boot-end-marker
!
!
!
!
no aaa new-model
switch 1 provision ws-c2960s-24ps-l
!
!
!
!
crypto pki trustpoint TP-self-signed-3882734208
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3882734208
 revocation-check none
 rsakeypair TP-self-signed-3882734208
!
!
crypto pki certificate chain TP-self-signed-3882734208
 certificate self-signed 01
  3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33383832 37333432 3038301E 170D3933 30333031 30303032
  33335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38383237
  33343230 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CB5E 6EF7838B 4B3E6AC8 3B956DE2 34C44609 802A7A35 94FE532F 5E008EF7
  DF7CF1FD 196FC713 D40605C2 6644B5EE FBD1B207 8DF0E64A 13F78EE8 829D4C68
  AD6CFEE1 ABFD864E 62C4E76B 899A0DA2 3935689A A05B7615 FF7BF4A9 11048357
  799C26B7 796B79C7 0A35BD07 85A9AB2F CBDF6760 718E93B7 E2EDE437 7FC48971
  84A50203 010001A3 72307030 0F060355 1D130101 FF040530 030101FF 301D0603
  551D1104 16301482 1243502D 43656E74 65722D53 77697463 68342E30 1F060355
  1D230418 30168014 9C124FFC FBDF845A 14E92A47 952D3DA8 A3D03A6B 301D0603
  551D0E04 1604149C 124FFCFB DF845A14 E92A4795 2D3DA8A3 D03A6B30 0D06092A
  864886F7 0D010104 05000381 81007643 E3E1CD92 8BA1C53C 07030397 B38990D0
  B26EC403 85794FEF 871DFD95 7D714AAF 84718417 0EDC4834 483B89BA DC7DFE1B
  D869806B 5D544D14 0D074721 CDA60786 B44C94DA 4DD3036E 22A42DA1 21F8A071
  6A590C75 FF80F1C6 A3E4FA9C 4C17EE14 EA2EF129 8385EF86 DD3638DE 4C3AD58C
  9ACEEBAE 8C53BD5E 2C619C47 FC25
  quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0
 no ip address
!
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/5
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/6
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/7
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/8
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/9
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/10
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/13
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/14
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/15
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/16
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/17
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/18
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/19
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/20
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/21
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/22
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/23
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/25
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/26
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/27
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet1/0/28
 switchport mode access
 spanning-tree portfast
!
interface Vlan1
 ip address 172.20.0.42 255.255.255.0
!
interface Vlan100
 ip address 172.20.100.5 255.255.255.0
!
ip default-gateway 172.20.0.1
ip http server
ip http secure-server
ip sla enable reaction-alerts
!
line con 0
 password 7 1434220x809x0A3E781669
 logging synchronous
 login
line vty 0 4
 password 7 1x43x22080x90A3E781669
 logging synchronous
 login
line vty 5 15
 password 7 096F7E0xA1C0B0341394D
 logging synchronous
 login
!
end


Switch #5:

Code:
Current configuration : 5002 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xx-xxx-Switch5
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$wIWz$D/HRx4KGpnzJKyYh3K3Cvk.
!
!
!
no aaa new-model
switch 1 provision ws-c2960s-24ps-l
!
!
!
!
crypto pki trustpoint TP-self-signed-114781056
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-114781056
 revocation-check none
 rsakeypair TP-self-signed-114781056
!
!
crypto pki certificate chain TP-self-signed-114781056
 certificate self-signed 01
  30820248 308201B1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31313437 38313035 36301E17 0D393330 33303130 30303233
  375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3131 34373831
  30353630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  CFD43D12 82FC4240 6CE4658A 9A6E9619 FE5BCE49 6B7A720B F09F6E44 BC35983B
  9804B2E8 2EBDED0A FECA623D 60B8EFB9 F291A1FF A0E5DB9A 24E8E1B1 D38FE6CF
  2F9B85A6 F218C2F2 5C00EFDD 73D32292 C3D9D70F E26A30D7 25DD191D DCA903F9
  882F2DD2 3D16BAA5 3EE9311A B1ED92D4 0D2BF370 B6120534 B806D706 B85AFE0D
  02030100 01A37230 70300F06 03551D13 0101FF04 05300301 01FF301D 0603551D
  11041630 14821243 502D4365 6E746572 2D537769 74636832 2E301F06 03551D23
  04183016 80140FA3 4E9B0AE9 140D2637 CBE87E3A 4A06A40B 0AA7301D 0603551D
  0E041604 140FA34E 9B0AE914 0D2637CB E87E3A4A 06A40B0A A7300D06 092A8648
  86F70D01 01040500 03818100 8F8EBBFB 15642BF5 96F2869E 95A67420 5BD866C9
  8A5E2DC3 2473C2F9 00E1D0E5 24EBC70E A481CBDA 7569FA98 F197A3EE 6BC552B2
  CCDDFDEF 042699E5 0BFAB84A 7AE6F0CE 42181B36 8A4BD2DB 0A3F2FB2 79C9490F
  E50CBF46 5F996367 B213844B 50530A0A 26786166 FE981E52 4E60DEF6 149C57B5
  7758994C F152A53E 9E131EA1
  quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface FastEthernet0
 no ip address
!
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/4
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/5
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/6
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/7
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/8
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/9
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/10
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/11
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/12
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/13
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/14
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/15
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/16
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/17
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/18
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/19
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/20
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/21
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/22
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/23
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
 ip address 172.20.0.43 255.255.255.0
!
interface Vlan100
 ip address 172.20.100.6 255.255.255.0
!
ip default-gateway 172.20.0.1
ip http server
ip http secure-server
ip sla enable reaction-alerts
banner motd ^C
*********************************
Unauthorized Access Prohibited!
*********************************
^C
!
line con 0
 password 7 080x27C4D0C17x1144204A
 login
line vty 0 4
 password 7 080x27C4xD0C171144204A
 login
line vty 5 15
 password 7 112Ax29061x21C1F5F366B
 login
!
end


Switch #6


Code:
Current configuration : 5167 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname xx-xxx-Switch6
!
enable secret 5 $1$NDTK$Epo/raKWvbuxetqp2cku541
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/2
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/3
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/4
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/5
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/6
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/7
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/8
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/9
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/10
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/11
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/12
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/13
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/14
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/15
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/16
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/17
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/18
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/19
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/20
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/21
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/22
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/23
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/24
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/25
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/26
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/27
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/28
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/29
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/30
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/31
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/32
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/33
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/34
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/35
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/36
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/37
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/38
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/39
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/40
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/41
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/42
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/43
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/44
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/45
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/46
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/47
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/48
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet0/1
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface Vlan1
 ip address 172.20.0.44 255.255.255.0
 no ip route-cache
!
interface Vlan100
 ip address 172.20.100.7 255.255.255.0
 no ip route-cache
!
ip default-gateway 172.20.0.1
ip http server
logging 172.20.0.2
!
control-plane
!
!
line con 0
line vty 0 4
 password 
 login
line vty 5 15
 password 
 login
!
end
 
Why are all the ports set to trunk ports?

Are the switches L3 or is the ASA doing the routing?
 
Why are all the ports set to trunk ports?

Yes, why are you trunking all of the switch ports? Most of them should be set to switchport mode access, except for the actual ports that uplink to other switches or to the ASA.
 
I don't know much about the ASA; does it do routing? I see you have some entries for 192.168.100.1 /24, not sure if that is a mistake.

One thing I will say is that you don't need IP addresses for this guest VLAN on each switch; it means there is a potential for someone on that network to find and connect to the switch. Depends on whether you need it or not, though.
 
Wouldn't the ports that the APs are connected to also need to be trunk ports since they'll carry traffic from VLAN 1 and 100?

What is the reason that you wouldn't want all the ports to be trunk ports?

Yeah, the ASA will do routing (this particular ASA has the Security Plus license, so no licensing restrictions are in place).

192.168.100.0 /24 is the subnet of the VPN client pool.
 
Yes, the APs would need to be on a trunk port; you are correct.

Do the clients on the guest VLAN get a DHCP address?

You have done a "no shut" on the interfaces as well?

Also, your printers have the default passwords, so I would change that if I were you ;) and lock down who can connect.
 
Holy old version of ASA batman.

The only ports that should be trunk ports are uplinks between switches, uplinks to APs, and the uplink to the ASA. All other ports should be switchports. The reason you can't ping anything is probably because it's a trunk port and your NIC needs to be able to support VLANs in order for that to work right. (Most NICs don't support VLANs unless they are server-type NICs.)
 
Do the clients on the guest VLAN get a DHCP address?

They do not.

You have done a "no shut" on the interfaces as well?

The VLAN interfaces show "up up" when looking at the output of the "sh ip int br" command

Also, your printers have the default passwords, so I would change that if I were you and lock down who can connect.

SSH is locked down to only allow specific IPs/subnets. Can you be more specific?
 
I can access one of the printers' HTTP pages and change all the settings; I can also remote print to it.
 
I didn't see any icmp permit statements on the ASA; that might be another reason why you can't ping the interfaces.

icmp permit 172.20.100.0 255.255.255.0 inside
icmp permit 172.20.100.0 255.255.255.0 outside
icmp permit 172.20.100.0 255.255.255.0 GUEST
 
You don't need to put an IP address on the VLAN for a layer 2 switch, unless you have set it up for layer 3. Do a "show vlan" and make sure the VLANs are defined on the layer 3 device. Also do a "show ip route" and "sh etherc sum".
 
A "sh sw vlan" command on the ASA outputs the following, which appears correct:

Code:
VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------------
1    inside                           up        Et0/1, Et0/2, Et0/3, Et0/4
                                                Et0/5, Et0/6, Et0/7
2    outside                          up        Et0/0
3    -                                down
100  GUEST                            up        Et0/5

"sh etherc sum" does not appear to be a valid command on an ASA 5505.
 
Configure the switchports as access ports. The reason your laptop cannot ping when you connect with a 172.20.100.X address is that the trunk ports are going to place all untagged traffic into VLAN 1, since VLAN 1 is the native VLAN in your config.

This means that those frames will still make it to the destination traveling across VLAN 1, but the acknowledgement frames will not, since the ASA will try to send them out of its E0/5 interface to reach an endpoint on VLAN 100 that doesn't exist, because the endpoint actually exists on VLAN 1 with this configuration.

Also it is recommended to configure your switchports as static access for security.


I don't have any ASA experience because my employer uses different firewall hardware, so I can't really tell if there are any problems with the ASA; please post back with updates.
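The native-VLAN behaviour described in the reply above is easy to get wrong, so here is an added example (not code from the thread) that models it. It simulates a Cisco-style switch port in access or trunk mode (native VLAN 1, allowed VLANs 1 and 100, as in the posted configs) and the ASA's two inside-facing addresses (VLAN 1 = 172.20.0.1/24, VLAN 100 = 172.20.100.1/24), then traces a ping from a laptop that sends untagged frames. The port name, laptop addresses and the frame objects are constructed for the example; MAC learning and the ASA's own interface-reachability rules are abstracted away. It adds one step the reply skips: the laptop has to get an ARP answer in the VLAN its frames land in before any echo is sent at all.

```python
"""802.1Q classification model: why an untagged 172.20.100.x laptop on a
trunk port (native VLAN 1) cannot reach the VLAN 100 interfaces.
Added example; addresses mirror the thread, everything else is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                                   # "access" or "trunk"
    access_vlan: int = 1
    native_vlan: int = 1                        # VLAN carrying untagged frames on a trunk
    allowed: FrozenSet[int] = frozenset({1, 100})


@dataclass(frozen=True)
class Frame:
    src_ip: str
    dst_ip: str
    tag: Optional[int] = None                   # 802.1Q VID, None = untagged


# ASA interfaces on the trunk: VLAN -> connected subnet (from the thread's config).
ASA_SVIS: Dict[int, str] = {1: "172.20.0.1/24", 100: "172.20.100.1/24"}


def ingress_vlan(port: Port, frame: Frame) -> Optional[int]:
    """VLAN the switch assigns to a frame received on `port`; None = dropped."""
    if port.mode == "access":
        # Access ports take untagged frames (a tag equal to the access VLAN is
        # tolerated); anything tagged for another VLAN is discarded.
        return port.access_vlan if frame.tag in (None, port.access_vlan) else None
    # Trunk: untagged -> native VLAN, tagged -> its VID, if the VLAN is allowed.
    vid = port.native_vlan if frame.tag is None else frame.tag
    return vid if vid in port.allowed else None


def egress(port: Port, vlan: int) -> str:
    """How a frame in `vlan` leaves `port`: 'untagged', 'tagged:<vid>' or 'dropped'."""
    if port.mode == "access":
        return "untagged" if vlan == port.access_vlan else "dropped"
    if vlan not in port.allowed:
        return "dropped"
    return "untagged" if vlan == port.native_vlan else f"tagged:{vlan}"


def svi_for(svis: Dict[int, str], ip: str) -> Optional[int]:
    """VLAN whose connected subnet contains `ip` (how the ASA picks the exit interface)."""
    for vlan, cidr in svis.items():
        if ip_address(ip) in ip_network(cidr, strict=False):
            return vlan
    return None


def ping_from_laptop(laptop_port: Port, laptop_ip: str, target_ip: str,
                     vlan_aware_nic: bool = False) -> Dict[str, object]:
    """Trace a ping from a laptop (untagged, like an ordinary NIC) to an ASA
    interface address and the reply back to the laptop's port."""
    out: Dict[str, object] = {"request_vlan": None, "arp_answered": False,
                              "reply_vlan": None, "reply_on_wire": "dropped",
                              "reply_received": False}
    in_vlan = ingress_vlan(laptop_port, Frame(laptop_ip, target_ip))
    out["request_vlan"] = in_vlan
    if in_vlan is None:
        return out
    # 1. The laptop ARPs for target_ip; the ARP is flooded in in_vlan and the
    #    ASA only answers for the address it owns on that VLAN's interface.
    out["arp_answered"] = svi_for(ASA_SVIS, target_ip) == in_vlan
    if not out["arp_answered"]:
        return out
    # 2. The echo arrives; the ASA routes the reply by the laptop's subnet,
    #    regardless of which VLAN the request came in on.
    reply_vlan = svi_for(ASA_SVIS, laptop_ip)
    out["reply_vlan"] = reply_vlan
    if reply_vlan is None:
        return out
    # 3. The switch forwards the reply toward the laptop's port in reply_vlan.
    wire = egress(laptop_port, reply_vlan)
    out["reply_on_wire"] = wire
    # 4. An ordinary NIC only understands untagged frames; a VLAN-aware NIC set
    #    up for that VID would also take the tagged copy.
    out["reply_received"] = wire == "untagged" or (
        vlan_aware_nic and wire == f"tagged:{reply_vlan}")
    return out


if __name__ == "__main__":
    trunk = Port("Fa0/10", "trunk")               # every port in the posted configs
    access = Port("Fa0/10", "access", access_vlan=100)
    for port, ip, target in [(trunk, "172.20.100.50", "172.20.100.1"),
                             (trunk, "172.20.100.50", "172.20.0.1"),
                             (access, "172.20.100.50", "172.20.100.1")]:
        print(port.mode, ip, "->", target, ping_from_laptop(port, ip, target))
```

Run it and the three traces show the whole story: on the trunk port the laptop's ARP for 172.20.100.1 is flooded in VLAN 1 and never answered; if it pings 172.20.0.1 instead the request does get through, but the reply is routed out the GUEST interface and reaches the laptop's port tagged 100, which a normal NIC discards; moving the port to `switchport mode access` / `switchport access vlan 100` makes the same ping succeed. A laptop with a 172.20.0.x address on a trunk port works only because VLAN 1 is the native VLAN, which is why the existing VLAN 1 hosts never noticed anything wrong.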
 
Adding the "icmp permit" statements allowed me to ping from switch to switch and from switch to firewall on the VLAN 100 interfaces.

The reason your laptop cannot ping when you connect with a 172.20.100.X address is because the trunk ports are going to place all untagged traffic into vlan 1 since vlan 1 is the native vlan in your config
I guess it's not really necessary to have ping connectivity to the VLAN interfaces on the switches from a wireless client - it was just something that I wanted to do for troubleshooting purposes. As long as the public wireless works, I don't much care about ICMP traffic.

Would the switchports being configured as trunks impact the ability of wireless clients to receive a DHCP address? When I connect to the "Public" network, I just get a 169.254.x.x address.

The initial reason I set all the ports as trunks is because the wiring is really messy and the cables for the APs and the switch uplinks are quite hard to trace - just laziness basically. If that's the only way to make it work though, I guess I'll have to figure it out.
 
Would the switchports being configured as trunks impact the ability of wireless clients to receive a DHCP address? When I connect to the "Public" network, I just get a 169.254.x.x address.

You need an ip helper-address under the VLAN 100 gateway interface. Your DHCP server looks to be on another network, and DHCP request broadcasts are being dropped before getting there. I didn't read through all your configs, but I did not see one in there with a quick glance.
 
And definitely don't leave all those as trunks. Just what you need as trunks, the rest access.
 
You need an ip helper-address under the vlan 100 gateway interface.

The ASA is handling the DHCP on the guest interface.

Code:
dhcpd address 172.20.100.100-172.20.100.199 GUEST
dhcpd dns 4.2.2.2 8.8.8.8 interface GUEST
dhcpd enable GUEST

And definitely don't leave all those as trunks. Just what you need as trunks, the rest access.

I can do this after I get this working; from my understanding, it won't actually impact the functionality of the configuration, it's just not following Cisco's security best practices... correct?
 
You need to hire me to come in and I will set your entire network up correctly. hahah

Your config is an absolute disaster, no offense.

You do NOT want to have all your ports set to trunk mode except the ones that are trunking. Period. It's not that it's not a best practice, it is that it is an idiot practice. Sorry for the lack of sensible wording.

Your main switch, which appears to be a stackable switch, will have a higher-power processor, and that is what you want to be your core switch in this case.

Convert every single port on that switch to access. Use:

conf t
interface range gigabitEthernet 1/0/1 - 24
no switchport trunk allowed vlan
switchport mode access
spanning-tree portfast (if you desire)
end

Now config your desired trunk port, for example your last physical switch port 1/0/24:

conf t
int g1/0/24
switchport trunk encapsulation dot1q (only on models that make you pick an encapsulation)
switchport mode trunk
switchport trunk allowed vlan 1,100
no spanning-tree portfast
shut
no shut (to reset the interface, not required but I like to do this)
end

show interface status (for a brief overview of your switch ports and their modes etc...)

Now connect port 1/0/24 to your ASA's trunk port, which I am sure others will help you set up, and if they haven't I will come back and help later.

The rest of your switches will ALL need to be converted from trunk ports to access ports same as the example above. THERE IS NO EXCUSE ON EARTH to have every switch port be a trunk to connect a PC.

You will need to have a trunk to the ASA from sw1.
A trunk to sw 2 from sw1
A trunk to sw 3 from sw 2
etc... until the last switch

Do not use VTP; forget it exists. Do this manually because you are only using 2 VLANs. Once we get all of this hammered out, we can then beat your configs into the dirt some more and start hammering out security issues, because you are chock full of a few.

See, what you are failing to understand is that the operating system on your layer 3 switch will do the brain work. A trunk port is just a special mode with a check in the box that says "Oh, I am allowed to pass frames of data from VLAN 1 and 100 to the next device, which is the ASA or another switch". The operating system will also know to only pass frames to and from switch ports that are members of a specific VLAN. For instance, all of your switch ports on all of your switches (DEFAULT TO VLAN 1 from CISCO): you do not need to worry about VLAN 100 being received by these ports. The OS will simply not allow the passage of those frames to any port that is not specifically a member of VLAN 100.

Here is an example

Conf t
int gig 1/0/1
switchport mode access
switchport access vlan 100

The above commands will tell the switch that port 1/0/1 is a member of VLAN 100, and therefore it will have full access to the entire VLAN 100 system-wide. But it will NOT see VLAN 1 any more.

Same goes for any switchport. You can elect a sw port to be in any vlan you desire using simple commands.

There is absolutely no need to trunk a switch port that is going to be for a PC, printer, PlayStation, etc.... they do not even know what the hell the dot1q protocol is anyway. All they care about is being heard on the network and hearing other traffic. They are going to process whatever they see and nothing more.

Additionally there is no need to have an IP assigned to a VLAN on a layer 3 switch unless it is going to be a gateway, i.e. intervlan routing.

So basically, let's say you have a PC plugged into your layer 3 switch on port 1 and the L3 VLAN 100 has an IP of 1.1.1.2.

Your ASA also has an address of 1.1.1.1 for interface vlan 100 on that device.

If you tell your PC to use gateway 1.1.1.1 it is going to flow all the way through the network to the ASA and use it as a gateway to the internet.

If you tell your PC to use gateway 1.1.1.2 it is going to flow all the way through the network to the L3 switch and use it as a gateway to the internet, but the L3 switch will have to inter-VLAN route your traffic to the ASA in order to get out. If you are planning to add more VLANs later (which is off topic) it will be faster to use your L3 switch as the gateway for all devices on all your VLANs that will be allowed to communicate with one another (inter-VLAN routing), as it has a much faster processor. The ASA 100% fucking sucks when it comes to inter-VLAN routing throughput.
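The post above walks through the trunk-to-access conversion by hand, and earlier replies flagged the guest-VLAN addresses on every switch, the empty vty passwords and the open HTTP management. Here is an added example (not code from the thread or from any Cisco tool) that audits a switch config for exactly those items and generates the clean-up commands from the procedure above. `SAMPLE_CONFIG` is a constructed excerpt in the shape of the posted Switch #6 config; `uplinks` is an assumed set of ports that really go to another switch, an AP or the ASA, because the thread never identifies them (the OP says the cabling is hard to trace), so it is a parameter you fill in after tracing.

```python
"""Audit an IOS switch config for the thread's findings and emit the
access/trunk clean-up. Added example; SAMPLE_CONFIG is constructed."""
import re
from typing import List, Set, Tuple

SAMPLE_CONFIG = """\
hostname Switch6
no service password-encryption
interface FastEthernet0/1
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface FastEthernet0/2
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface GigabitEthernet0/1
 switchport trunk allowed vlan 1,100
 switchport mode trunk
!
interface Vlan1
 ip address 172.20.0.44 255.255.255.0
!
interface Vlan100
 ip address 172.20.100.7 255.255.255.0
!
ip http server
line vty 0 4
 password
 login
!
end
"""

PHYSICAL = re.compile(r"^(FastEthernet|GigabitEthernet)\S+$")


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (header, [sub-commands]) pairs: an unindented
    line opens a block, indented lines belong to it, '!' and blanks are noise."""
    blocks: List[Tuple[str, List[str]]] = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit(config: str, guest_vlan: int = 100) -> List[str]:
    """One finding per issue raised in the thread, in config order."""
    findings: List[str] = []
    for header, body in parse_blocks(config):
        if header == "no service password-encryption":
            findings.append("global: line passwords stored in clear text (no service password-encryption)")
        elif header == "ip http server":
            findings.append("global: HTTP management enabled; reachable from every VLAN the switch has an address on")
        elif header.startswith("interface "):
            name = header.split(None, 1)[1]
            if PHYSICAL.match(name) and "switchport mode trunk" in body:
                findings.append(f"{name}: trunk port; should be a static access port unless it is an uplink")
            if name == f"Vlan{guest_vlan}" and any(l.startswith("ip address ") for l in body):
                findings.append(f"{name}: management address on the guest VLAN; guests can reach the switch itself")
        elif header.startswith("line vty"):
            # 'login' with no usable password: the line either locks out or,
            # with a blank password, takes anyone.
            pw = [l.split() for l in body if l.startswith("password")]
            if "login" in body and not any(len(p) > 1 for p in pw):
                findings.append(f"{header}: login required but no password is set")
    return findings


def remediate(config: str, uplinks: Set[str], vlans: str = "1,100") -> List[str]:
    """IOS commands that turn every trunked physical port not in `uplinks` into
    a static access port in VLAN 1 and pin the uplinks to the two VLANs."""
    cmds = ["configure terminal"]
    for header, body in parse_blocks(config):
        if not header.startswith("interface "):
            continue
        name = header.split(None, 1)[1]
        if not PHYSICAL.match(name) or "switchport mode trunk" not in body:
            continue
        cmds.append(f"interface {name}")
        if name in uplinks:
            cmds += [f"switchport trunk allowed vlan {vlans}",
                     "switchport mode trunk",
                     "no spanning-tree portfast"]
        else:
            cmds += ["no switchport trunk allowed vlan",
                     "switchport mode access",
                     "switchport access vlan 1",
                     "spanning-tree portfast"]
    cmds.append("end")
    return cmds


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING", finding)
    # Assumed: only Gi0/1 actually uplinks; trace the cabling before trusting this.
    print("\n".join(remediate(SAMPLE_CONFIG, uplinks={"GigabitEthernet0/1"})))
```

Feed it the real `show running-config` output and it lists every trunk that is not in your uplink set, every guest-VLAN SVI, the HTTP server and the passwordless vty lines, then prints a paste-ready block; the AP ports belong in `uplinks` too, since the APs tag the guest SSID onto VLAN 100. Removing the `interface Vlan100` address from the layer 2 switches is deliberately left to you, because the OP was using those addresses for troubleshooting.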
 