What's Wrong Here? AP 1252G

Answered Question
Nov 6th, 2009

Trying to set up this wireless access point, it's a 1252G. I'm setting it up as a bridge between my wired and wireless network.


The AP is plugged into a port on a 3560 that I've set up as a trunk port.


I've got the subinterfaces set up on my AP as a part of VLAN 30 and SSID nuaWirelessN.


I have a BVI1 interface and I'm trying to set it up as a management interface, which is why there's an IP address on it, but for some reason I can't ping or access it when I try. Any ideas?



Building configuration...

Current configuration : 1965 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname WirelessN
!
enable secret 5 $1$Xlx.$p9k7g168kCt4I8SQiZS.y0
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
ip domain name nua.com
!
!
ip ssh version 2
!
dot11 ssid nuaWirelessN
 vlan 30
 authentication open
 guest-mode
!
power inline negotiation prestandard source
!
!
username cisco password 7 030752180500
username ngarciait password 7 03080B1D5503715A1D
username scurry password 7 110A0C17131D0C5456
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid nuaWirelessN
 !
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.30
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 30
 bridge-group 30 subscriber-loop-control
 bridge-group 30 block-unknown-source
 no bridge-group 30 source-learning
 no bridge-group 30 unicast-flooding
 bridge-group 30 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.30
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 30
 no bridge-group 30 source-learning
 bridge-group 30 spanning-disabled
!
interface BVI1
 ip address 10.1.1.10 255.255.0.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
banner motd ^C
*****************************************************
You Will Be Prosecuted For Unauthorized Access
*****************************************************
^C
!
line con 0
 password 7 104D580A0647
line vty 0 4
 password 7 020555480856
 transport input ssh
!
end


Correct Answer
jeff.kish Fri, 11/06/2009 - 11:16

Your problem is that you aren't extending the VLAN to the AP. BVI1 is connected to bridge-group 1, and right now you are only using bridge-group 30. Since you're using subinterfaces, the actual physical dot0 interface doesn't use the bridge-group assigned. You need bridge-group 1 assigned to a subinterface. This should be a quick fix, but it depends on your config.


If the native VLAN is VLAN 30, you'll want to swap all instances of bridge-group 30 to bridge-group 1. You'll also need to mark VLAN 30 as the native on the subinterfaces (encapsulation dot1q 30 native).


If the native VLAN isn't VLAN 30, you'll need to create new subinterfaces for the native VLAN. It doesn't need to be attached to an SSID, but it does need to be part of bridge-group 1.


I hope that helps! If not, please post your switchport config and I'll be able to give a more certain config fix.


Jeff



nelson.garcia Mon, 11/09/2009 - 12:33

Hey Jeff, here's my switchport config.


switchport trunk encapsulation dot1q
switchport mode trunk
speed 1000
duplex full

Correct Answer
jeff.kish Mon, 11/09/2009 - 12:39

Thanks Nelson. One more important question - what VLAN is 10.1.1.10 on? And is it really a /16 subnet?

nelson.garcia Mon, 11/09/2009 - 13:08

It's on VLAN 30, and yes it's on a /16 subnet.


We use /16 to organize network devices.


Computers on 10.1.0.x

Network Equip. on 10.1.1.x

Servers on 10.1.2.x

Correct Answer
jeff.kish Mon, 11/09/2009 - 13:59

Okay, so since your management VLAN is the same as your wireless VLAN, this makes things really simple. You don't need trunks, VLANs, or subinterfaces. You'll use a VLAN 30 access port, and you'll build the SSID on the AP without a VLAN designation.


Start with the switch:


switchport mode access
switchport access vlan 30


Now for the AP:


dot11 ssid nuaWirelessN
 no vlan 30
no int dot0.30
no int gig0.30


Also, since you have the speed/duplex hardcoded on the switch, you should probably do that on the AP as well:


int gig0
 speed 1000
 duplex full


Perform all these config changes and let me know if that works for you!


Jeff


nelson.garcia Mon, 11/09/2009 - 14:17

Worked Perfectly, Thank You.


A few questions if I may. Sorry if I'm wasting your time.


When would I create a trunk between the access point and the switchport? Would it be when my access point has multiple SSIDs and thus caters to more than one VLAN?


How would the config have changed if the AP was servicing 3 VLANs?


I guess what confuses me is the bridging and trunking. I'm still trying to understand your last post where you talked about my not extending the VLAN to the access point.

Correct Answer
jeff.kish Mon, 11/09/2009 - 14:31

Glad it worked! And definitely not wasting my time - I clearly enjoy talking about this stuff for some reason :)


You're right on the money. A trunk is needed only if multiple SSIDs are used. You actually had the AP configured mostly correctly. The main thing that was wrong is that you had no subinterface with bridge-group 1 in use, and this is what links to BVI1.


So let's say you have VLANs 20 and 30 as your data, and management is on VLAN 10. You would:


1. Assign VLANs 20 and 30 to their respective SSIDs

2. Create VLAN 20 and 30 subinterfaces, assigning them to a common bridge-group

3. Create VLAN 10 (native) subinterfaces, assigning them to bridge-group 1


Bridge-groups are tricky to understand. They bridge the Radio and Gig interfaces together, which is easy to grasp without VLANs. However, once you add VLANs, you need a bridge-group for each VLAN. You accomplish this by creating a subinterface for each VLAN on each interface, and you assign each pair to the same bridge-group. Bridge-groups on the physical interfaces (not subinterfaces) no longer do anything, which is again why your management interface couldn't be reached.


The only other thing to understand is that BVI1 links to bridge-group 1, so bridge-group 1 needs to be assigned to the management VLAN. This VLAN doesn't need to be assigned to an SSID, but it does need its own subinterfaces. It's usually the native VLAN, but it doesn't have to be as long as it's on bridge-group 1. (Alternatively, you could create a new BVI for a different bridge-group, such as BVI30 for bridge-group 30, but no one ever does this).


Sorry for talking so much. Let me know if you could use better clarification for some of these concepts. It's good to know for troubleshooting these kinds of things!


Jeff
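
The failure mode explained in the answer above, as an added example that is not part of the original post: a Python check that flags a BVI holding an IP address when subinterfaces exist but no radio/Ethernet subinterface pair carries its bridge-group. The function names and the sample config are constructed for illustration, and the parser assumes indented `show running-config` text.

```python
import re
# Constructed excerpt mirroring the question: bridge-group 1 only on physical interfaces.
BROKEN = """\
interface Dot11Radio0
 bridge-group 1
!
interface Dot11Radio0.30
 encapsulation dot1Q 30
 bridge-group 30
!
interface GigabitEthernet0
 bridge-group 1
!
interface GigabitEthernet0.30
 encapsulation dot1Q 30
 bridge-group 30
!
interface BVI1
 ip address 10.1.1.10 255.255.0.0
"""
# The fix suggested in the thread: VLAN 30 marked native and moved to bridge-group 1.
FIXED = BROKEN.replace("dot1Q 30\n bridge-group 30", "dot1Q 30 native\n bridge-group 1")

def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]}; relies on IOS indentation."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # "!" or any global command ends the interface block
    return interfaces

def unreachable_bvis(config):
    """Names of BVIs with an IP whose bridge-group is on no radio+wired subinterface pair."""
    ifaces, problems = parse_interfaces(config), []
    subifs = {n: cmds for n, cmds in ifaces.items() if "." in n}
    for name, cmds in ifaces.items():
        m = re.fullmatch(r"BVI(\d+)", name)
        if not m or not subifs or not any(c.startswith("ip address") for c in cmds):
            continue  # without subinterfaces the physical bridge-group still applies
        group = f"bridge-group {m.group(1)}"  # exact line match, so group 10 != group 1
        sides = {n.startswith("Dot11Radio") for n, cmds in subifs.items() if group in cmds}
        if sides != {True, False}:  # need one radio and one wired subinterface
            problems.append(name)
    return problems
```
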

maxim_ratinov Tue, 11/10/2009 - 16:29

Hello Jeff,

I see you have experience with APs and I guess you can answer some questions about vlans and bridge on AP1300.


Generally speaking, if you read here:

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml


Starting from "VLANs on Bridges Concepts on Bridges" - When you bridge, there is no need to associate a separate SSID with each VLAN!!!

- Can you comment? As I did the configuration per this doc using 1 native SSID.


I had a bad time trying to understand why I cannot reach the AP from the switch, and after reading your post I think I know why )

In my case the native VLAN is 1 and is associated to bridge group 1, BUT - my management VLAN is 50.

- Should I reconfigure the device like:

"interface Dot11Radio0.50
 encapsulation dot1Q 50
 bridge-group 1(was 50)"


and then for the native VLAN

"interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 100(was 1)"


Thanks,

jeff.kish Wed, 11/11/2009 - 06:12

Hi maxim,


You're right about the bridges - you only need one SSID to carry all VLANs, and this is because it's a 'trunking' radio connection instead of an access connection. Many people starting out in wireless (myself included) will learn how to configure APs, and when moving to bridges it seems natural that you need an SSID per VLAN. But that doesn't scale well, and when in bridging mode a Cisco AP will send all VLANs across the infrastructure SSID.


Regarding your configurations, they all look correct! Give them a try and let me know what happens. Don't forget to apply the same changes to the Ethernet subinterfaces.


Jeff

maxim_ratinov Thu, 11/12/2009 - 10:59

Hello Jeff.

Thanks for the reply - so it makes my life easier, as I do not need to configure multiple SSIDs. It seems like I see the non-root AP from the root bridge. (At least I see the BVI1 IP of the non-root... but I cannot ping it.)


I tried all possible configs and... failed. I cannot ping any IP from the AP, and the AP is not pingable from the switch (


What I did:

1) Associated bridge group 100 to native VLAN 1 (VoIP VLAN in the network) and bridge group 1 to management VLAN 50 (config attached). Not working.

2) Associated the BVI1 IP with an IP from the native VLAN range - it is funny, but not working as well. (config attached)

3) Connected my notebook with an IP from the native VLAN range - working fine.

4) Triple-checked the switch configuration.


Any ideas?



maxim_ratinov Thu, 11/12/2009 - 13:16

I found the issue - the SSID was configured for VLAN 1. As soon as I reconfigured the native VLAN from 1 to 50 (which is pretty unusual) and reconfigured the radio and Ethernet subinterfaces to native VLAN 50, I received positive results!
