DHCP帮助3560-CX +阿鲁巴AP515

Question

问题

VLAN 100并不是从AP为SSID客户分配IP地址，但是阿鲁巴正在将SSID标记为VLAN 100。如何使开关分配DHCP？在交换机上，它似乎正确地设置了dhcp，但是它从来没有给无线AP分配任何正确标记到vlan 100的东西。

什么是有趣的

当我在mgmt上时，它能够看到开关和其他2个交换机，但我认为的客户ssid无法按预期访问任何东西(即使我设置了静态IP)，但无法获得DHCP。

在我的无线AP上，我有以下配置：

version 8.4.0.0-8.4.0
virtual-controller-country US
name Home-VC
virtual-controller-ip 10.10.10.11
terminal-access
ntp-server time.google.com
clock timezone Central-Time -06 00
clock summer-time CDT recurring second sunday march 02:00 first sunday november 02:00
rf-band 5.0
allow-new-aps
allowed-ap d0:15:a6:cb:0a:04
allowed-ap d0:15:a6:ca:f2:98
arm
wide-bands 5ghz
80mhz-support
min-tx-power 9
max-tx-power 127
band-steering-mode prefer-5ghz
air-time-fairness-mode preferred-access
channel-quality-aware-arm-disable
client-aware
scanning
client-match slb-mode 3
rf dot11g-radio-profile
max-distance 0
max-tx-power 9
min-tx-power 6
disable-arm-wids-functions off
free-channel-index 40
rf dot11a-radio-profile
max-distance 0
max-tx-power 18
min-tx-power 12
disable-arm-wids-functions off
syslog-level warn ap-debug
syslog-level warn network
syslog-level warn security
syslog-level warn system
syslog-level warn user
syslog-level warn user-debug
syslog-level warn wireless
extended-ssid
wlan access-rule Data
index 0
rule any any match any any any permit
wlan access-rule default_wired_port_profile
index 1
rule any any match any any any permit
wlan access-rule wired-SetMeUp
index 2
rule masterip 0.0.0.0 match tcp 80 80 permit
rule masterip 0.0.0.0 match tcp 4343 4343 permit
rule any any match udp 67 68 permit
rule any any match udp 53 53 permit
wlan access-rule 1008-mgmt
index 3
vlan 1
rule any any match any any any permit
rule masterip 0.0.0.0 match tcp 80 80 permit
rule masterip 0.0.0.0 match tcp 4343 4343 permit
rule any any match udp 67 68 permit
rule any any match udp 53 53 permit
wlan access-rule Guest
index 4
vlan 100
rule any any match any any any permit
rule any any match udp 67 68 permit
rule any any match udp 53 53 permit
rule any any match webcategory spam-urls deny
rule any any match webcategory malware-sites deny
rule any any match webcategory adult-and-pornography deny
rule any any match webcategory dating deny
rule any any match webcategory keyloggers-and-monitoring deny
rule any any match webcategory gross deny
rule any any match webcategory cheating deny
rule any any match webcategory phishing-and-other-frauds deny
rule any any match webcategory proxy-avoidance-and-anonymizers deny
rule any any match webcategory spyware-and-adware deny
rule any any match webcategory nudity deny
rule any any match webcategory bot-nets deny
rule any any match webcategory hate-and-racism deny
rule any any match webcategory violence deny
rule any any match webcategory gambling deny
wlan access-rule Any
index 5
rule any any match any any any permit
wlan ssid-profile Data
enable
index 0
type employee
essid Data
opmode wpa3-sae-aes
max-authentication-failures 0
vlan 90
rf-band all
captive-portal disable
dtim-period 1
broadcast-filter arp
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
dot11v
wlan ssid-profile 1008-mgmt
enable
index 1
type employee
essid 1008-mgmt
opmode wpa3-sae-aes
max-authentication-failures 0
vlan 1
rf-band all
captive-portal disable
dtim-period 1
broadcast-filter arp
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
dot11v
wlan ssid-profile Guest
enable
index 2
type employee
essid Guest
opmode opensystem
max-authentication-failures 0
vlan 100
rf-band all
captive-portal disable
dtim-period 1
broadcast-filter none
content-filtering
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
auth-survivability cache-time-out 24
dpi
url-visibility
wlan captive-portal
background-color 16777215
banner-color 16750848
banner-text "Welcome to Guest Network"
terms-of-use "This network is not secure, and use is at your own risk"
use-policy "Please read terms and conditions before using Guest Network"
wlan external-captive-portal
server localhost
port 80
url "/"
auth-text "Authenticated"
auto-whitelist-disable
https
blacklist-time 3600
auth-failure-blacklist-time 3600
ids
wireless-containment none
infrastructure-detection-level high
client-detection-level high
infrastructure-protection-level low
client-protection-level low
ip dhcp Guest
server-type Centralized,L2
disable-split-tunnel
server-vlan 100
wired-port-profile wired-SetMeUp
switchport-mode access
allowed-vlan all
native-vlan guest
no shutdown
access-rule-name wired-SetMeUp
speed auto
duplex auto
no poe
type guest
captive-portal disable
no dot1x
wired-port-profile default_wired_port_profile
switchport-mode trunk
allowed-vlan all
native-vlan 1
no shutdown
access-rule-name default_wired_port_profile
speed auto
duplex full
no poe
type employee
auth-server InternalServer
captive-portal disable
no dot1x
enet0-port-profile default_wired_port_profile
uplink
preemption
enforce none
failover-internet-pkt-lost-cnt 10
failover-internet-pkt-send-freq 30
failover-vpn-timeout 180
airgroup
disable
airgroupservice airplay
disable
description AirPlay
airgroupservice airprint
disable
description AirPrint
cluster-security
allow-low-assurance-devices

On my Switch I have the following Configuration: 

Building configuration...
Current configuration : 4310 bytes
!
! Last configuration change at 02:16:14 UTC Wed Apr 7 2021 by admin
! NVRAM config last updated at 02:06:33 UTC Wed Apr 7 2021 by admin
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service dhcp
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
no aaa new-model
switch 1 provision ws-c3560cx-12pd-s
system mtu routing 1500
!
!
!
!
ip routing
no ip dhcp relay information check
!
ip dhcp pool guest-0100
network 10.10.100.0 255.255.255.0
lease 0 0 1
!
ip dhcp pool mgmt-010
network 10.10.11.0 255.255.255.224
default-router 10.10.10.1
lease 0 0 1
!
!
ip igmp snooping vlan 10 last-member-query-count 2
ip igmp snooping vlan 10 last-member-query-interval 1000
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2991811840
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2991811840
revocation-check none
rsakeypair TP-self-signed-2991811840
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
lacp system-priority 1000
!
!
!
!
!
vlan configuration 100
no ip igmp snooping
vlan internal allocation policy ascending
vlan group Guest vlan-list 100
vlan group mgmt-0010 vlan-list 10
!
lldp run
!
!
!
interface Port-channel1
!
interface GigabitEthernet1/0/1
lacp port-priority 1000
channel-group 1 mode active
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
flowcontrol receive desired
spanning-tree portfast edge
!
interface GigabitEthernet1/0/12
flowcontrol receive desired
spanning-tree portfast edge
!
interface GigabitEthernet1/0/13
switchport port-security violation shutdown vlan
flowcontrol receive desired
spanning-tree portfast network
!
interface GigabitEthernet1/0/14
switchport mode trunk
ip dhcp relay information trusted
spanning-tree portfast edge
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface TenGigabitEthernet1/0/1
!
interface TenGigabitEthernet1/0/2
!
interface Vlan1
ip address 10.10.10.4 255.255.255.224
!
interface Vlan10
description mgmt
ip address pool mgmt-010
!
interface Vlan100
description Guest
ip dhcp relay information trusted
ip address pool guest-0100
!
ip default-gateway 10.10.10.1
ip forward-protocol nd
!
ip http server
ip http banner
ip http authentication local
ip http secure-server
ip http path flash:CCP-CATALYST
!
!
!
!
!
line con 0
line vty 0 4
login
transport input ssh
line vty 5 15
login
transport input ssh
end

Answer 1

您需要为VLAN 100 SVI分配一个IP地址作为网关地址。DHCP将根据接口地址从正确的池中自动分配已寻址接口上的DHCP。您还需要在池中有网关地址。您可能也希望在DHCP池中定义DNS服务器。

ip dhcp pool guest-0100
 network 10.10.100.0 255.255.255.0
 default-router 10.10.100.1
 dns-server 8.8.8.8            ! Example of using the Google DNS server
 lease 0 0 1
!
interface Vlan100
 description Guest
 ip address 10.10.100.1
!

此外，不要在启用路由的设备上使用ip default-gateway命令。创建默认路由：

ip route 0.0.0.0 0.0.0.0 <next hop address>

思科有一份解释差异的文档：使用IP命令配置最后一个度假村的网关：

ip默认网关命令不同于其他两个命令。仅当在Cisco路由器上禁用ip路由时，才应使用它。