Wireless | CCNA 200-301

Client Connecting to Wrong SSID — No VLAN Separation

Presenting Symptom

A wireless client connects to the guest SSID instead of the corporate SSID, but the client still receives a corporate IP address and has full access to internal resources.

Network Context

A small branch office with a Cisco 9800 WLC and 9130 series APs. The WLC is configured with two SSIDs: 'Corporate' (VLAN 10) and 'Guest' (VLAN 20). Both SSIDs are broadcast on the same AP. The client is supposed to connect to 'Corporate' but mistakenly selects 'Guest'. Although the guest SSID has its own VLAN, nothing enforces separation between VLAN 20 and VLAN 10: there is no ACL or firewall policy between them, and the DHCP setup behind VLAN 20 does not match the VLAN.

Diagnostic Steps

1. Check the client's association status on the WLC

show wireless client summary
MAC Address    AP Name     WLAN Profile  State    Protocol
AAAA.BBBB.CCCC  AP01       Guest         Run     802.11ax

The client is associated to the 'Guest' WLAN profile. If the client were on the correct SSID, the WLAN profile would show 'Corporate'.

2. Verify the VLAN assignment for the client

show wireless client mac-address AAAA.BBBB.CCCC detail
Client MAC Address : AAAA.BBBB.CCCC
WLAN Profile Name : Guest
VLAN Name : VLAN0020
VLAN ID : 20
IP Address : 192.168.10.100

The WLC has placed the client in VLAN 20 (Guest), yet the address comes from the corporate subnet (192.168.10.0/24). The VLAN assignment itself is working; what is wrong is what VLAN 20 delivers. Either the DHCP scope that serves VLAN 20 hands out 192.168.10.0/24 addresses (a misconfigured pool, or a relay on the VLAN 20 gateway pointing at a server with the wrong scope), or VLAN 20 is being bridged into the corporate broadcast domain somewhere upstream. A client whose IP address lies outside the subnet designed for its VLAN is the quickest indicator of this fault, so compare the two fields together rather than reading either one alone.
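Step 2 generalised into a check that can be run over the detail output for every client: parse the fields the WLC prints, look up the subnet the design assigns to each VLAN, and flag any client whose address does not belong to it. This is an added example, not a tool from this page or from Cisco; the sample output is constructed to match the fields shown above, and the VLAN-to-subnet table is an assumption based on the subnets used in this scenario.

```python
import ipaddress
import re

# Constructed sample output modelled on the fields of
# "show wireless client mac-address <mac> detail"; it is not a real capture.
# Three clients: the faulty one from the scenario, a healthy corporate
# client, and a healthy guest client.
SAMPLE_CLIENT_DETAIL = """\
Client MAC Address : AAAA.BBBB.CCCC
WLAN Profile Name : Guest
VLAN Name : VLAN0020
VLAN ID : 20
IP Address : 192.168.10.100
---
Client MAC Address : 1111.2222.3333
WLAN Profile Name : Corporate
VLAN Name : VLAN0010
VLAN ID : 10
IP Address : 192.168.10.57
---
Client MAC Address : 4444.5555.6666
WLAN Profile Name : Guest
VLAN Name : VLAN0020
VLAN ID : 20
IP Address : 192.168.20.100
"""

# Assumed design table: VLAN 10 carries the corporate subnet from the page,
# VLAN 20 carries the guest subnet proposed in the resolution.
VLAN_SUBNETS = {
    10: ipaddress.ip_network("192.168.10.0/24"),
    20: ipaddress.ip_network("192.168.20.0/24"),
}

# "Field Name : value" lines; the field name may contain spaces.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(\S+)\s*$")


def parse_client_detail(text):
    """Split the output into one dict per client, keyed by field name."""
    clients = []
    for chunk in text.split("---"):
        fields = {}
        for line in chunk.strip().splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2)
        if fields:
            clients.append(fields)
    return clients


def check_vlan_ip_consistency(clients, vlan_subnets):
    """Return (mac, vlan, ip, reason) for each client whose address is not
    inside the subnet its VLAN is designed to carry."""
    findings = []
    for c in clients:
        mac = c.get("Client MAC Address")
        vlan = int(c.get("VLAN ID", "0"))
        ip = ipaddress.ip_address(c.get("IP Address"))
        expected = vlan_subnets.get(vlan)
        if expected is None:
            findings.append((mac, vlan, str(ip), "VLAN not in design table"))
        elif ip not in expected:
            # Say which designed subnet the address really belongs to, if any;
            # that points at the DHCP scope or the bridging that is at fault.
            actual = [v for v, n in vlan_subnets.items() if ip in n]
            reason = (f"address belongs to VLAN {actual[0]} subnet" if actual
                      else "address belongs to no designed subnet")
            findings.append((mac, vlan, str(ip), reason))
    return findings


if __name__ == "__main__":
    for finding in check_vlan_ip_consistency(
            parse_client_detail(SAMPLE_CLIENT_DETAIL), VLAN_SUBNETS):
        print("MISMATCH", *finding)
```

Only the first client is reported: it sits in VLAN 20 but holds an address from the VLAN 10 subnet, which is exactly the symptom in this scenario. The other two are consistent and produce no output.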

3. Check the WLAN configuration for the Guest SSID

show wlan id 2
WLAN Profile Name : Guest
SSID : Guest
Status : Enabled
Interface/Interface Group : VLAN0020
Broadcast SSID : Enabled
Security : Open

The Guest WLAN maps to VLAN 20, which agrees with what step 2 showed: the WLC is assigning the VLAN it was told to. (On a 9800 the client VLAN is actually set in the policy profile bound to the WLAN, shown with show wireless profile policy detailed <name>; a RADIUS AAA override can also move a client to another VLAN, but neither applies here because the client really is in VLAN 20.) The switch port cannot override a client's VLAN. The corporate address must therefore be coming from the DHCP path or from the Layer 2/Layer 3 design behind VLAN 20, which the next steps check.

4. Examine the switch port configuration for the AP

show running-config interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20

The switch port is a trunk carrying both VLAN 10 and VLAN 20, which is normal: 802.1Q tagging keeps the two VLANs apart at Layer 2. It does not keep them apart at Layer 3. The SVIs or router that terminate the two VLANs route freely between them unless an ACL or firewall sits in the path, so a guest client can reach corporate resources through its default gateway. Check the native VLAN on both ends as well: untagged frames land in the native VLAN, and a mismatch can leak traffic into an unintended VLAN.

5. Check whether VLAN separation is enforced via ACL or firewall

show access-lists
No access lists configured

No ACL exists on the device, so none can be applied to the VLAN 20 SVI (show ip interface vlan 20 | include access list confirms it). This is the missing control: the guest VLAN has no separation from the corporate VLAN, so the client reaches internal resources even though it is on the guest SSID.

Root Cause

The Guest SSID is correctly mapped to VLAN 20, but nothing enforces separation between VLAN 20 and VLAN 10 (no ACL, no firewall rule, no private VLAN), so inter-VLAN routing at the gateway connects the two. In addition, the DHCP server is handing out corporate addresses (192.168.10.0/24) to clients on VLAN 20, most likely because the scope for VLAN 20 is misconfigured or the DHCP relay on the VLAN 20 gateway points at the wrong server or scope. Together these mean a client that joins the wrong SSID still obtains a corporate IP and can access internal resources.

Resolution

1. Correct the DHCP scope for VLAN 20 so that it uses its own subnet (e.g., 192.168.20.0/24).
2. Apply an ACL on the VLAN 20 SVI that permits Internet access only (deny every internal subnet, then permit the rest).
3. Optionally, add a firewall rule that blocks traffic from the guest VLAN to the corporate VLAN as a second layer.

Commands:

conf t
ip access-list extended GUEST-ACL
 deny ip any 192.168.10.0 0.0.0.255
 permit ip any any
interface vlan 20
 ip access-group GUEST-ACL in
end

This ACL denies only the corporate subnet that appears in this scenario. Add a deny line for every other internal subnet (other corporate VLANs, management, servers) ahead of the permit ip any any, otherwise those subnets remain reachable from the guest VLAN.

Also ensure the DHCP scope for VLAN 20 is correct:

conf t
ip dhcp pool GUEST-POOL
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 8.8.8.8
end
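To see what the ACL above actually does before applying it, the following added example (not part of this page or of any Cisco tool) parses the GUEST-ACL entries with IOS wildcard-mask semantics, evaluates flows first-match with the implicit deny at the end, and then probes one host in each internal subnet to show which ones the ACL still permits. The internal subnet list and the guest client address are assumptions chosen to illustrate the point made in the resolution.

```python
import ipaddress

# The ACL exactly as entered in the resolution.
GUEST_ACL = """\
ip access-list extended GUEST-ACL
 deny ip any 192.168.10.0 0.0.0.255
 permit ip any any
"""


def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted subnet masks: 0.0.0.255 means /24."""
    mask_int = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF
    netmask = str(ipaddress.ip_address(mask_int))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_operand(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' from the token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Return the ACEs in order as (action, protocol, src_net, dst_net)."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list extended NAME' header
        action, proto = tokens[0], tokens[1]
        src, rest = parse_operand(tokens[2:])
        dst, _ = parse_operand(rest)
        aces.append((action, proto, src, dst))
    return aces


def evaluate(aces, src, dst):
    """First matching entry wins; if nothing matches, the implicit
    'deny ip any any' at the end of every IOS ACL applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, proto, src_net, dst_net in aces:
        if proto == "ip" and s in src_net and d in dst_net:
            return action
    return "deny"


def audit_guest_acl(aces, internal_subnets, guest_ip="192.168.20.100"):
    """Probe the first usable host of each internal subnet (usually the
    gateway) from a guest address; return the subnets still permitted."""
    leaks = []
    for subnet in internal_subnets:
        net = ipaddress.ip_network(subnet)
        probe = str(net.network_address + 1)
        if evaluate(aces, guest_ip, probe) == "permit":
            leaks.append(subnet)
    return leaks


if __name__ == "__main__":
    aces = parse_acl(GUEST_ACL)
    print("guest -> corporate gateway:", evaluate(aces, "192.168.20.100", "192.168.10.1"))
    print("guest -> Internet DNS:", evaluate(aces, "192.168.20.100", "8.8.8.8"))
    # Assumed: the site also has a 10.0.0.0/8 server range the ACL never mentions.
    print("still reachable:", audit_guest_acl(aces, ["192.168.10.0/24", "10.0.0.0/8"]))
```

The corporate gateway is denied and Internet traffic is permitted, as the verification section expects, but the assumed 10.0.0.0/8 range is reported as still reachable: the single deny line covers one subnet, so each additional internal subnet needs its own deny entry before the final permit.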

Verification

1. Verify the client now receives a 192.168.20.x address:

show wireless client mac-address AAAA.BBBB.CCCC detail | include IP Address
Expected: IP Address : 192.168.20.100

2. Verify the ACL is applied to the SVI:

show ip interface vlan 20 | include access list
Expected: Inbound access list is GUEST-ACL

3. Test connectivity from the client: a ping to 192.168.10.1 (the corporate gateway) should fail, while a ping to an Internet address should still succeed.

Prevention

1. Always use separate VLANs and subnets for guest and corporate networks.
2. Implement ACLs or firewall rules to restrict inter-VLAN traffic from guest to internal networks.
3. Ensure DHCP scopes are correctly mapped to the appropriate VLANs and subnets.

CCNA Exam Relevance

On the CCNA 200-301 exam, this scenario tests understanding of wireless LAN configuration, VLAN assignment, and security best practices. Expect multiple-choice questions asking which configuration prevents guest users from accessing corporate resources, or drag-and-drop tasks to place ACL rules correctly. Key fact: Guest SSIDs must be placed in a separate VLAN with restricted access to internal networks.

Exam Tips

1. Remember that simply placing a guest SSID on a different VLAN does not guarantee security; you must also apply ACLs or firewall rules to block inter-VLAN traffic.

2. The exam often tests the concept of 'VLAN separation' and may ask which command restricts guest traffic to Internet only.

3. Know the 'ip access-group' command and how to apply it to an SVI for VLAN filtering.

Commands Used in This Scenario

show wireless client summary
show wireless client mac-address <mac> detail
show wlan id <id>
show running-config interface <interface>
show access-lists
show ip interface vlan <id>
ip access-list extended <name>
ip access-group <name> in
ip dhcp pool <name>
