Cisco 1131 VLAN Problem

Answered Question
May 28th, 2010

Hello,

I have configured my Cisco 1131 and it appeared to be working correctly until I ran into my latest issue. From my PCs I can ping the router and the VLAN interface on the router, but I cannot ping anything that is connected to the wireless. My router can ping all of the wireless endpoints, and the 1130 can ping all of the wireless clients, but they cannot ping each other, though they can ping anything that is plugged in with a wire. VLAN 100 is my Data VLAN and I have no idea why the PCs will not talk to each other. Anybody have any ideas?


Here is my AP config. If you want to see the router config let me know, but I don't think it's the router that's causing the issue.



version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname EANET-1131
!
enable secret 5
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
aaa group server tacacs+ tac_admin
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
 all
!
!
aaa session-id common
clock timezone HAWAII -10
ip domain name wrnets.com
!
!
dot11 syslog
dot11 vlan-name DATA vlan 100
!
dot11 ssid EA Net
   vlan 100
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 XXXXXXX
   information-element ssidl
!
dot11 network-map
power inline negotiation prestandard source
!
crypto pki trustpoint TP-self-signed-1204562388
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1204562388
 revocation-check none
 rsakeypair TP-self-signed-1204562388
!
!
crypto pki certificate chain TP-self-signed-1204562388
 certificate self-signed 01
  quit
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm tkip
 !
 encryption vlan 100 mode ciphers aes-ccm tkip
 !
 ssid EA Net
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root access-point
!
interface Dot11Radio0.100
 encapsulation dot1Q 100 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers aes-ccm tkip
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.100
 encapsulation dot1Q 100 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 172.25.1.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 172.25.1.1
no ip http server
ip http authentication local
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
 transport output all
line vty 0 4
 transport input all
 transport output all
line vty 5 15
 transport input all
 transport output all
!
end




Thanks,

Anthony

Leo Laohoo Fri, 05/28/2010 - 19:20


but they can not ping each other

Hi Anthony,


They wouldn't be PCs with their firewalls turned on, would they?

abwurtele Fri, 05/28/2010 - 20:23

That was the first thing that I checked. The funny thing is that I have the wireless and the wired connection on the laptop. Both are in the same subnet and I can ping the wired IP address but not the wireless. Very frustrating.

Correct Answer
weterry Sat, 05/29/2010 - 22:37

Just to clarify, when you say PCs, do you mean wireless clients or wired clients?

If this problem is only with Wireless Clients talking to other Wireless clients on the same AP, then it sounds like a PSPF issue, but I don't see it enabled.


However, unless you are in Bridge mode, I'm fairly sure this AP should have "bridge-group 1 subscriber-loop-control" under Int do0.100.

As a matter of fact, I don't think you can typically remove this command.


Now, the only symptom I'm aware of when this is missing is that broadcast/multicast won't be seen by the same clients on the same radio, but perhaps that is not the only symptom.



Please confirm if the problem is only Wireless to Wireless on the same AP, or if you have this problem between Wired/Wireless computers.  I'd also be curious how everything behaves with subscriber-loop-control put back on that interface.

abwurtele Sun, 05/30/2010 - 14:48

Thanks for helping me with my issue. You put it better than I did and you are correct. Wireless clients (PCs) cannot talk to each other wirelessly. If a wireless client wants to connect to a WIRED client, there is no problem. It's only wireless endpoints that follow this path: PC1 (wireless) --> AP --> Router (VLAN interface) --> AP --> PC2 (wireless). That does NOT work. Now on the other hand, PC1 (wireless) --> AP --> Router (VLAN interface) --> AP --> PC3 (wired) works just fine. Very confusing. The 1131 is in AP mode.



And you are completely correct. Once I added in:



EANET-1131(config-if)#interface dot11Radio 0.100
EANET-1131(config-subif)#bridge-group 1 subscriber-loop-control


That fixed my issue.


Now I can't even remove it to test it again:


EANET-1131(config-subif)#no bridge-group 1 subscriber-loop-control
no bridge-group 1 subscriber-loop-control not allowed on Dot11Radio0 interface
EANET-1131(config-subif)#


Do you have any idea why that command was missing?


Thanks for all of your help!


Anthony

weterry Sun, 05/30/2010 - 20:26

Well that is interesting to know that it was preventing peer-to-peer as well, and not just broadcast/multicast.

This is the same problem addressed by "CSCtf36740    Directed Broadcasts do not go out Radio without subscriber-loop-control"; however, this has not yet been resolved in a release.


The workaround should be valid, as it just involves correcting the configuration that should already be in place. As you saw, you cannot even remove subscriber-loop-control.


As for how the command was missing in the first place: that is what CSCtf36740 is going to resolve. I know it can be triggered by adding/removing/adding bridge-group commands to a sub-interface (like modifying which bridge-group that interface is in, after it was already put in a bridge-group).


Anyhow, I'm glad to hear that everything may be working now.
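
A configuration audit for the condition diagnosed in this thread, as an added example that is not part of the original posts or any Cisco tooling: it scans a saved AP running-config for radio interfaces that are members of a bridge group but lack `bridge-group N subscriber-loop-control`. The function name and sample text are constructed for illustration, and skipping radios whose `station-role` contains `bridge` is an assumption based on the "unless you are in Bridge mode" remark above.

```python
import re

# Constructed sample modelled on the config in this thread (indentation lost, as pasted).
SAMPLE = """\
interface Dot11Radio0
station-role root access-point
!
interface Dot11Radio0.100
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
!
interface Dot11Radio1
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
!
interface FastEthernet0.100
bridge-group 1
"""

IFACE = re.compile(r"^interface\s+(\S+)", re.I)
BGROUP = re.compile(r"^bridge-group\s+(\d+)(?:\s+(\S+))?$", re.I)
ROLE = re.compile(r"^station-role\s+(.+)$", re.I)

def missing_subscriber_loop_control(config):
    """List (interface, group) for radio interfaces in a bridge group without SLC."""
    members, slc, roles, current = {}, set(), {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := IFACE.match(line):
            current = m.group(1)  # a block runs until the next 'interface' line
        elif current and (m := ROLE.match(line)):
            roles[current.split(".")[0]] = m.group(1).lower()
        elif current and (m := BGROUP.match(line)):
            group, option = int(m.group(1)), (m.group(2) or "").lower()
            if not option:
                members.setdefault(current, set()).add(group)
            elif option == "subscriber-loop-control":
                slc.add((current, group))
    findings = []
    for iface, groups in members.items():
        radio = iface.split(".")[0]
        # Wired ports never carry the command; bridge roles are assumed exempt (see lead-in).
        if not radio.lower().startswith("dot11radio") or "bridge" in roles.get(radio, ""):
            continue
        findings += [(iface, g) for g in sorted(groups) if (iface, g) not in slc]
    return findings

if __name__ == "__main__":
    print(missing_subscriber_loop_control(SAMPLE))
```

Because interface blocks are delimited by the next `interface` line rather than by indentation, the check also works on configs pasted into a forum with their leading spaces stripped or with blank lines between every command.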
