07-24-2007 11:48 AM - edited 07-03-2021 02:23 PM
AP: 1131 12.3(7)JA3
Four VLANS, three mapped to SSIDs all on B/G radio only, A radio shutdown.
170 native, no SSID
110 guest internet only SSID w/DHCP from BBSM. Open Auth
180 secure intranet SSID w/DHCP. WPA2
810 another secure separate intranet SSID, no DHCP. Client IPs managed manually. WPA2
This is the first time I've tried setting up an SSID to a VLAN with no DHCP.
When users connect to the 810 SSID, "show dot11 assoc all" shows them connected to vlan 180, not 810.
This happens both when they use static IP assignments and DHCP.
When I remove vlan/SSID 180 from the B/G radio and move it to the A radio, 810 users show up on vlan 810 as they should.
FWIW, VLAN 810 gets mapped to bridge group 255, unlike all the other SSIDs which get mapped to bridge groups of the same number, e.g. vlan 180 - bridge-group 180.
Anybody seen this or have any idea why this happens?
Thanks,
Mark
07-24-2007 01:10 PM
Hello Mark,
While I have no personal experience working with bridge groups, the first thing that came to my head was that '255' is the max number possible for the bridge groups.
If you can, try changing the VLAN number to something lower than 255 and see if that works.
Cheers,
Jeff
07-24-2007 01:21 PM
Thanks Jeff,
I'm pretty much stuck with vlan 810. It's defined VTP wide for this particular group of users. The administrator of the subnet assigned to this vlan is going to set up a DHCP server to see if that won't clear up some of the issues.
I believe bridge-group 255 should work. I've just never seen it appear in a config before. Of course I've never used a vlan number higher than 255 on an AP before.
07-24-2007 08:39 PM
Hi Mark,
Just as Jeff wrote, you need to verify if your AP supports VLAN Ids greater than 255. If not, you will need to change it from 810 to something lower than 255. It might be the AP model or the firmware, I suggest you check both.
Regards,
MAG
07-25-2007 07:21 AM
MAG,
Thanks. The on-line help for IOS release 12.3(07)JA "Configuring/Enabling VLAN with SSID" accessed through this AP's GUI specifically says:
"3. In the VLAN ID text field, set a unique VLAN ID number by entering a number between 1 and 4095."
... then select if it's to be native, which radio to associate it with and then define the SSID...then the encryption.
I knew I'd seen it somewhere before. Just took me a while to find it again.
I'll probably start cycling through IOSs, one at a time.
Mark
07-26-2007 06:35 PM
When you see clients associated to the 180 SSID even though they connect to 810, do they actually go in VLAN 180 or VLAN 810 (based on their IP address)? Are they able to communicate on through this connection?
How similar are your security settings on the two SSIDs, 180 and 810? Moreover, which is the BSSID?
Are you using MBSSID? If yes, I have observed strange behaviour and seen clients automatically connect to one of the available SSIDs if not able to connect to the one they want to.
07-27-2007 07:43 AM
>When you see clients associated to the 180 SSID even though they connect to 810, do they actually go in VLAN 180 or VLAN 810 (based on their IP address)? Are they able to communicate on through this connection?
The clients are configured to go onto the vlan 810 SSID. In "show dot11 assoc all" they show up on vlan 180. When the client is configured for DHCP it gets a vlan 180 IP.
When the IP is configured manually it has a vlan 810 IP but still shows up as associated to vlan 180. They are able to communicate somewhat with either IP.
>How similar are your security settings on the two SSIDs, 180 and 810?
Identical. Authentication is handled by ACS which queries AD. There may be a vlan setting in the ACS group mapping influencing this too. I need to dig into that further too.
>which is the BSSID?
BSSID is probably 180, as that's our standard internal SSID and I configured it first.
>Are you using MBSSID?
I have not configured MBSSID and have been wondering if I need to. I don't know enough about how it works yet. I don't want either of these SSIDs broadcast.
Good questions.
Thanks,
Mark
08-02-2007 10:59 AM
Never mind...
There was a vlan specific setting in the ACS group policy I overlooked.