Puzzling SSID/VLAN behavior

mscherting
Level 1

AP: 1131 12.3(7)JA3

Four VLANs, three mapped to SSIDs all on B/G radio only, A radio shutdown.

170 native, no SSID

110 guest internet only SSID w/DHCP from BBSM. Open Auth

180 secure intranet SSID w/DHCP. WPA2

810 another secure separate intranet SSID, no DHCP. Client IPs managed manually. WPA2

This is the first time I've tried setting up an SSID to a VLAN with no DHCP.

When users connect to the 810 SSID, "show dot11 assoc all" shows them connected to vlan 180, not 810.

This happens both when they use static IP assignments and DHCP.

When I remove vlan/SSID 180 from the B/G radio and move it to the A radio, 810 users show up on vlan 810 as they should.

FWIW, VLAN 810 gets mapped to bridge group 255, unlike all the other SSIDs which get mapped to bridge groups of the same number, e.g. vlan 180 - bridge-group 180.

Anybody seen this or have any idea why this happens?

Thanks,

Mark

jpeterson6
Level 2

Hello Mark,

While I have no personal experience working with bridge groups, the first thing that came to my head was that '255' is the max number possible for the bridge groups.

If you can, try changing the VLAN number to something lower than 255 and see if that works.

Cheers,

Jeff

Thanks Jeff,

I'm pretty much stuck with vlan 810. It's defined VTP wide for this particular group of users. The administrator of the subnet assigned to this vlan is going to set up a DHCP server to see if that won't clear up some of the issues.

I believe bridge-group 255 should work. I've just never seen it appear in a config before. Of course I've never used a vlan number higher than 255 on an AP before.

Hi Mark,

Just as Jeff wrote, you need to verify if your AP supports VLAN IDs greater than 255. If not, you will need to change it from 810 to something lower than 255. It might be the AP model or the firmware, I suggest you check both.

Regards,

MAG

MAG,

Thanks. The on-line help for IOS release 12.3(07)JA "Configuring/Enabling VLAN with SSID" accessed through this AP's GUI specifically says:

"3. In the VLAN ID text field, set a unique VLAN ID number by entering a number between 1 and 4095."

... then select if it's to be native, which radio to associate it with and then define the SSID...then the encryption.

I knew I'd seen it somewhere before. Just took me a while to find it again.

I'll probably start cycling through IOSs, one at a time.

Mark

When you see clients associated to the 180 SSID even though they connect to 810, do they actually go in VLAN 180 or VLAN 810 (based on their IP address)? Are they able to communicate through this connection?

How similar are your security settings on the two SSIDs, 180 and 810? Moreover, which is the BSSID?

Are you using MBSSID? If yes, I have observed strange behaviour and seen clients automatically connect to one of the available SSIDs if not able to connect to the one they want to.

>When you see clients associated to the 180 SSID even though they connect to 810, do they actually go in VLAN 180 or VLAN 810 (based on their IP address)? Are they able to communicate through this connection?

The clients are configured to go onto the vlan 810 SSID. In "show dot11 assoc all" they show up on vlan 180. When the client is configured for DHCP it gets a vlan 180 IP.

When the IP is configured manually it has a vlan 810 IP but still shows up as associated to vlan 180. They are able to communicate somewhat with either IP.

>How similar are your security settings on the two SSIDs, 180 and 810?

Identical. Authentication is handled by ACS which queries AD. There may be a vlan setting in the ACS group mapping influencing this too. I need to dig into that further too.

>which is the BSSID?

BSSID is probably 180, as that's our standard internal SSID and I configured it first.

>Are you using MBSSID?

I have not configured MBSSID and have been wondering if I need to. I don't know enough about how it works yet. I don't want either of these SSIDs broadcast.

Good questions.

Thanks,

Mark

Never mind...

There was a vlan specific setting in the ACS group policy I overlooked.
