Security

I have a 620 controller and I have created to Vlans (one for internal use and the other for guest).  The internal Vlan works as it should.  It provides me acces to everything on the network.  The guest Vlan does work properly at all.  

My network configuration consists of a Ubiquity EdgeMax router with DHCP for each Vlan.  This feeds into a Netgear switch that provides power to each of my AP125/AP124.  Port 27 on the netgear is connected to the controller.  Before connecting the controller to the Vlans I tested the Vlan trunk between the Ubiquity and the Netgear and that worked just fine.  I received DHCP address and had access to the internet on my internal subnet.  What would become my guest subnet work just fine by isolating it to the internet only.

I do not know what I did wrong but I need to find a way to make this work.  Can anybody help?  Can this be done through the GUI or do I need to use the CLI?

Can you ping the guest vlan gateway from the controller ?

Do you have all those VLANs trunk to the controller ? and if so if that VLAN defined on your controller and trusted ?

I can provide a manual address and I can ping 192.168.2.33.  All Vlans are trunked at the controller.  And yes I believe they are defined as trusted.

It looks like it is configured in access mode:

Configure the interface to be a trunk:

conf t

int gig1/0

switchport mode trunk

switchport trunk allowed vlans <internal VLAN, Guest VLAN>

trusted

trusted vlan <internal VLAN, Guest VLAN>

 !

Define the VLAN:

conf t

vlan <guest VLAN>

interface vlan <Guest VLAN>

!

ip address x.x.x.x x.x.x.x

ip helper address <DHCP Server Address>

Please forgive my ignorance.  Before I did any this I was a software developer on a mainframe.  Some of your terminology such as Conf t is a mystery to me.  Could you please translate the steps you have indicated into the GUI steps necessary.  Again I appreciate all of the help but I am a bit new at this game and will get better as time goes by.

Thanks

This what I havd done so far and it does not work properly.

Here is some additional information I have made to my interface.

Try this , you need to add the Native VLAN which I am guessing it is VLAN 1 right ?

Also disable Spanning Tree

Thanks but it still does not work.

You need to add the native VLAN there too.

You also need to add the ip helper address (DHCP Server IP address)

Tried it and still does not work.

What's your default gateway on the controller ?

Try to ping the next hop 

It is basically Vlan 1.

Can you ping 192.168.2.1 ?

If I plug a cable into my netgerar switch that contains the trunk I can ping 192.168.2.1.  Keep in mind that the 620 is allowed to accept a DHCP address for the guest vlan and it does pick one up. What seems to be happening is that the AP's do not seem to be passing vlan 2 (guest) addresses out to those who are trying to logon as a guest.  

I am providing you three screen shots of my configuration.  When I try to access the guest lan the ap responds but I am getting no DHCP address passed down through the guest.

Can you share the following :

Would it be possible to get SSH access to the controller ?

You can use putty

I am a Mac user and I have Zoc which is a SSH client but I am not sure where this all going at this point?  You have helped a great deal at this time but I am not sure what else can be done.  The controller is running software 6.1 at the moment but I am not sure that should make a difference.  I am using a pair of AP125's and I will be increasing that to an additional pair of AP124's in the future.  

It turned out that I was missing a policy that would permit access.  That was all that I needed.  I did need a helper IP or a DHCP server which was handled by my router.