Configuring a Cisco switch VLAN for WiFi guests

I have a Cisco Catalyst 2970 switch with a Firewalla firewall on switch port 13 and Linksys MX4000 V2 WiFi running OpenWRT on switch ports 3 and 5.
I would like my Cisco to provide trunks to these two ports for VLANs 1 (default) and 99 (guest).
If I connect my WiFi directly to my firewall, traffic from my guest SSID is correctly given the VLAN99 IP address and firewall rules. But when I go through my Cisco, all clients, regardless of SSID, receive the default network address and firewall rules.
What do I need to change in my switch configuration to get the desired behavior?
Switch#show int Gi0/3 trunk

Port Mode Encapsulation Status Native vlan
Gi0/3 on 802.1q trunking 1

Port Vlans allowed on trunk
Gi0/3 1-4094

Port Vlans allowed and active in management domain
Gi0/3 1,99

Port Vlans in spanning tree forwarding state and not pruned
Gi0/3 1,99

Switch#show int trunk

Port Mode Encapsulation Status Native vlan
Gi0/3 on 802.1q trunking 1
Gi0/5 on 802.1q trunking 1
Gi0/13 on 802.1q trunking 1

Port Vlans allowed on trunk
Gi0/3 1-4094
Gi0/5 1-4094
Gi0/13 1-4094

Port Vlans allowed and active in management domain
Gi0/3 1,99
Gi0/5 1,99
Gi0/13 1,99

Port Vlans in spanning tree forwarding state and not pruned
Gi0/3 1,99
Gi0/5 1,99
Gi0/13 1,99

Switch#show int vlan99
Vlan99 is up, line protocol is up
Hardware is EtherSVI, address is 0015.fa04.b441 (bia 0015.fa04.b441)
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:03, output never, output hang never
Last clearing of “show interface” counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
56128 packets input, 18114955 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 interface resets
0 output buffer failures, 0 output buffers swapped out

Switch#show int vlan1
Vlan1 is up, line protocol is up
Hardware is EtherSVI, address is 0015.fa04.b440 (bia 0015.fa04.b440)
Internet address is 192.168.173.254/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of “show interface” counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
432366 packets input, 52744175 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicast)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
35452 packets output, 2358921 bytes, 0 underruns
0 output errors, 0 interface resets
0 output buffer failures, 0 output buffers swapped out

EDIT 1 add output of show running-config
Switch#show running-config
Building configuration…

Current configuration : 1934 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 REDACTED
!
no aaa new-model
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface Port-channel3
!
interface GigabitEthernet0/1
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
macro description cisco-desktop
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
switchport access vlan 99
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface Vlan1
ip address 192.168.173.254 255.255.255.0
no ip route-cache
!
interface Vlan99
no ip address
no ip route-cache
!
ip default-gateway 192.168.173.1
ip http server
!
control-plane
!
!
line con 0
line vty 0 4
password REDACTED
login
line vty 5 15
password REDACTED
login
!
!
end
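
Added example, not part of the original post: a Python sketch that parses a pasted IOS running-config like the one above and lists, per trunk port, the settings worth reviewing when a guest VLAN shares the trunk (no allowed-VLAN list, default native VLAN, a leftover `switchport access vlan` line). The function names are hypothetical and the embedded sample is an excerpt of the configuration above.

```python
# Excerpt of the running-config posted above. Indentation was lost in the paste,
# so stanzas are delimited by "interface ..." and "!" lines instead of indent.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
switchport mode access
!
interface GigabitEthernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/5
switchport access vlan 99
switchport trunk encapsulation dot1q
switchport mode trunk
!
"""

def parse_interfaces(config):
    """Return {interface name: [config lines]} for each interface stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!" or not line:
            current = None  # "!" closes the stanza
        elif current is not None:
            stanzas[current].append(line)
    return stanzas

def audit_trunks(config):
    """Return {trunk port: [findings]} for ports set to 'switchport mode trunk'."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue
        findings = []
        if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
            findings.append("no allowed-VLAN list: trunk carries all VLANs (1-4094)")
        if not any(l.startswith("switchport trunk native vlan") for l in lines):
            findings.append("native VLAN defaults to 1: untagged frames land in VLAN 1")
        findings += [f"'{l}' has no effect while the port is in trunk mode"
                     for l in lines if l.startswith("switchport access vlan ")]
        report[name] = findings
    return report

if __name__ == "__main__":
    print(audit_trunks(SAMPLE_CONFIG))
```

The findings are review points drawn from the configuration text alone; they do not inspect how the attached access point or firewall tags its frames.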
