H-REAP Lap Configuration Wrong Vlan Wrong Bridge Group

Unanswered Question
Aug 22nd, 2009

Hello,

I'm trying to configure our access points as H-REAP. I have gone over this document many times and I cannot figure out what I'm doing wrong. I noticed now that when I telnet into any of the access points they are configured very wrong.

It configures the Gigabit interface correctly but not the radio interfaces. For some reason it's always using sub-interface 0.17???

And it's configuring radius and eap-fast options, when I don't have it enabled...

interface Dot11Radio0
 no ip route-cache
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 254
 bridge-group 254 subscriber-loop-control
 bridge-group 254 block-unknown-source
 no bridge-group 254 source-learning
 no bridge-group 254 unicast-flooding
 bridge-group 254 spanning-disabled
!
interface Dot11Radio0.17
 encapsulation dot1Q 17 native
 no ip route-cache
 bridge-group 255
 bridge-group 255 block-unknown-source
 no bridge-group 255 source-learning
 no bridge-group 255 unicast-flooding
 bridge-group 255 spanning-disabled
!
interface Dot11Radio1
 no ip route-cache
!
interface Dot11Radio1.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 254
 bridge-group 254 subscriber-loop-control
 bridge-group 254 block-unknown-source
 no bridge-group 254 source-learning
 no bridge-group 254 unicast-flooding
 bridge-group 254 spanning-disabled
!
interface Dot11Radio1.17
 encapsulation dot1Q 17 native
 no ip route-cache
 bridge-group 255
 bridge-group 255 block-unknown-source
 no bridge-group 255 source-learning
 no bridge-group 255 unicast-flooding
 bridge-group 255 spanning-disabled
!
interface GigabitEthernet0
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0.200
 encapsulation dot1Q 200
 no ip route-cache
 bridge-group 200
 no bridge-group 200 source-learning
 bridge-group 200 spanning-disabled
!
interface GigabitEthernet0.500
 encapsulation dot1Q 500
 no ip route-cache
 bridge-group 254
 no bridge-group 254 source-learning
 bridge-group 254 spanning-disabled
!
interface GigabitEthernet0.1200
 encapsulation dot1Q 1200 native
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
 bridge-group 255
 no bridge-group 255 source-learning
 bridge-group 255 spanning-disabled
!
ip http server
logging trap errors
logging origin-id string AP:0022.bd19.8ab0
logging snmp-trap notifications
logging snmp-trap informational
logging snmp-trap debugging
logging 255.255.255.255
radius-server local
 no authentication eapfast
 no authentication leap
 no authentication mac
 eapfast authority id 436973636F0000XXXXXXXXXXXXXXXXXXX
 eapfast authority info Cisco A_ID
 eapfast server-key primary 7 5267636E4XXXXXXXXXXXXXXXXXXXX
 nas 10.0.200.15 key 7 083544471A101618XXXXXXXXXXXXXXXX
 nas 10.0.200.16 key 7 105A0110161E01040XXXXXXXXXXXXXXX
 group hreap
!
!
radius-server host 10.0.200.16 auth-port 1812 acct-port 1646 key 7 xxxx

Scott Pickles Sun, 08/30/2009 - 15:15

The whole idea of H-REAP APs is to support tagged VLAN access centrally and/or locally. This is an improvement upon the REAP 1030 APs, which only supported native VLAN traffic. This AP needs to be connected to a trunk port on the switch. Whichever WLANs you select on the controller for local switching will bridge the traffic to the switch it's connected to. I guess I haven't paid that close attention to the per-AP config, but it would make sense to me that you would see a difference in the config of the sub interface on the radios and the gigabit interface depending on which SSIDs are configured for local vs central switching. I would think that any SSIDs configured for central switching would just bridge through the native VLAN b/c they're going to be tunneled, and you therefore wouldn't see that tag added to the gigabit interface. Then you would see a tag added to the gigabit interface for any VLANs that are to be switched locally.

weterry Sun, 08/30/2009 - 18:52

What exactly is the problem? What configuration do you have for the hreap/vlan mappings?

VLAN 17 is used on the radio for the native vlan on the radio, and typically each other vlan you map will bridge to vlans 1,2,3,4,etc... up to 16 (as 16 should be the maximum number of SSIDs on a radio)

Anyhow, your do0.2 is bridged to vlan 500, and your do0.17 is bridged to the native vlan of 1200.

I guess the thing to remember is that the vlans on the Radios are different than the vlans on the ethernet interfaces.

I can't answer for the radius configuration.... nor can I answer for why you have a vlan 200 with no radio tied to it.

What version of code is this?
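An added example (not from the thread and not Cisco code) that does by script what weterry does by eye: it pairs each radio sub-interface with the wired sub-interface sharing its bridge-group, so the radio-side VLAN numbers (2, 17) resolve to the wired VLANs actually tagged toward the switch (500, 1200), and it lists wired VLANs no radio is bridged to (200 here). The sample config is a trimmed copy of the one posted above.

```python
import re

# Constructed sample, trimmed from the AP config posted in the thread: radio
# sub-interfaces carry dot1Q 2 and 17 (native); the wired side carries 200, 500, 1200 (native).
SAMPLE_CONFIG = """\
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 254
interface Dot11Radio0.17
 encapsulation dot1Q 17 native
 bridge-group 255
interface GigabitEthernet0.200
 encapsulation dot1Q 200
 bridge-group 200
interface GigabitEthernet0.500
 encapsulation dot1Q 500
 bridge-group 254
interface GigabitEthernet0.1200
 encapsulation dot1Q 1200 native
 bridge-group 255
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ENCAP_RE = re.compile(r"^\s*encapsulation dot1Q (\d+)( native)?")
BG_RE = re.compile(r"^\s*bridge-group (\d+)\s*$")  # plain membership line only, not the option lines

def parse_subinterfaces(config):
    """Return {name: {"vlan": int, "native": bool, "bg": int}} for dot1Q sub-interfaces."""
    subs, cur = {}, None
    for line in config.splitlines():
        if m := IFACE_RE.match(line):
            cur = subs.setdefault(m.group(1), {})
        elif cur is not None and (m := ENCAP_RE.match(line)):
            cur["vlan"], cur["native"] = int(m.group(1)), bool(m.group(2))
        elif cur is not None and (m := BG_RE.match(line)):
            cur["bg"] = int(m.group(1))
    return {n: s for n, s in subs.items() if "vlan" in s and "bg" in s}

def map_radio_to_wired(config):
    """Resolve each radio VLAN to the wired VLAN sharing its bridge-group; also list wired VLANs no radio bridges to."""
    subs = parse_subinterfaces(config)
    wired = {s["bg"]: s["vlan"] for n, s in subs.items() if not n.startswith("Dot11Radio")}
    radio = {n: s for n, s in subs.items() if n.startswith("Dot11Radio")}
    mapping = {n: (s["vlan"], wired.get(s["bg"])) for n, s in radio.items()}
    used = {s["bg"] for s in radio.values()}
    orphans = sorted(v for bg, v in wired.items() if bg not in used)
    return mapping, orphans
```

Run `map_radio_to_wired(SAMPLE_CONFIG)` to get the radio-to-wired mapping and the orphan list; point it at a full `show running-config` capture to audit a real AP the same way.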

danletkeman Sun, 08/30/2009 - 19:38

Ok, here is the problem explained:

I have set up a new 5508 controller with the latest code and (for right now) one access point in H-REAP mode for switching on a local network. This access point is set up with one SSID which is mapped to a VLAN on the local switch that it is connected to in trunk mode. What happens is if I'm using an SSID in WPA or WPA2, TKIP, AES or any combination, the client cannot authenticate to the AP if*** the AP has a connection to the controller. If*** the AP loses connection to the controller, as if a link between them has gone down, then the access point allows the client to authenticate.

If the SSID is set to open or WEP all is well whether the AP has a connection or not.

I have had TAC look at it and they see no configuration problem with H-REAP, VLAN mappings or the switch configuration. So for right now I'm waiting on them to re-create the problem in the lab.

Ok, that makes sense on how it uses different VLANs on the radios. I figured out the radius configuration... I had tried creating H-REAP groups... so I removed that.
