Howto connect from internal AP to outside world?

Answered Question
Aug 17th, 2010

Hello experts,

I have a Cisco 881w router, which has a built-in WLAN access point. This AP works like a separate module, I therefore have to bridge both VLANs (normal LAN and WLAN). Basically this works fine:

  • NAT to the Internet works from both subnets (LAN and WLAN)
  • pinging works from clients in WLAN to clients in LAN
  • pinging works from clients in LAN to clients in WLAN
  • pinging works from clients in WLAN to any interface on router
  • pinging works from clients in LAN to any interface on router

The only problem now is that when I am connected via command line interface (CLI) directly to the AP (in order to upgrade the firmware), I can't access any host outside or inside the router -- I can't even ping the router's internal interfaces or their IP addresses.

Any ideas what I am missing here?

I have attached both configs (router and internal AP module) to this message.

Thanks in advance for your help!

Kind regards, Matthias

leejohns Tue, 08/17/2010 - 06:58

Matthias,

The reason this fails is b/c you have the native vlan on the AP as vlan 10, but the ip address on the AP is actually vlan 1.

AP:

interface BVI1
ip address 192.168.0.253 255.255.255.0
no ip route-cache

router:

interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.254 255.255.255.0

So if you want the AP on vlan 1 and the clients on vlan 10, you need to make vlan 1 native on the AP, make sure they are bridge-group 1, add the .10 subinterface to bridge-group 10 for example, etc., and change the native vlan on the router wlan-gig0 interface to 1.

Thanks,

Lee

MatthiasGTW Tue, 08/17/2010 - 07:23

Hello Lee,

Thanks for your reply. Unfortunately I am no expert with VLAN bridging and that stuff.

Would you be so kind and give me an example of how I could change the config according to your suggestion?

Many thanks in advance!

Kind regards, Matthias

Correct Answer
leejohns Tue, 08/17/2010 - 10:54

Matthias,

The AP would look like this:

!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
!
interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10

!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
!
interface GigabitEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
!
interface BVI1
ip address 192.168.0.253 255.255.255.0
no ip route-cache
!

To clean things up, you can also remove all the 'encryption vlan 1' from under the radio interface.  The other bridge-group statements that are there now will automatically be added when you configure the bridge group under the sub interfaces.

Also, remember to change the native vlan on the trunk interface on the router side.

Thanks,

Lee

MatthiasGTW Thu, 08/19/2010 - 00:54

Hello Lee,

Many thanks for your help. I have now changed the AP config according to your instructions, which seems to be OK (NAT from WLAN clients into the Internet still works). The only thing is that I still can't reach any host when I am logged into the CLI of the internal AP. You have written that I should change the native vlan on the trunk interface on the router side.

Unfortunately this does not work. I issue the following commands within the "enable" mode of the router (not the AP):

router# conf t
router# interface Wlan-GigabitEthernet0
router# switchport trunk native vlan 1
router# exit
router# exit

But this setting is not changed for the interface, "show run" shows the following for this interface now:

!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!

No more vlan is mentioned here. I can add it again with vlan 10, but not with vlan 1.

Any ideas what I am doing wrong here?

Thanks in advance for your help!

Kind regards, Matthias

leejohns Thu, 08/19/2010 - 05:04

Matthias,

The default native vlan for any trunk interface on a Cisco device is 1. So the router took the command, you just don't see it because it is the default setting for the interface.

Thanks,

Lee
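As an added example (not from this thread, not Cisco's code), a small Python checker that encodes the two rules Lee gives above: the VLAN bridged into the AP's BVI bridge group must be the AP's native VLAN, and the router trunk's native VLAN must match it, where an absent 'switchport trunk native vlan' line means the IOS default of 1. The configs are constructed to mirror the thread's 881W layout (radio subinterfaces left out); only the interface names and addresses come from the thread.

```python
import re

# Constructed configs modelled on the thread's 881W embedded-AP setup (not the
# poster's attachments; radio subinterfaces omitted). As posted: VLAN 10 is
# native on both sides, but the AP's address sits on BVI1 = bridge-group 1 = VLAN 1.
AP_AS_POSTED = """\
interface GigabitEthernet0.1
 encapsulation dot1Q 1
 bridge-group 1
interface GigabitEthernet0.10
 encapsulation dot1Q 10 native
 bridge-group 10
interface BVI1
 ip address 192.168.0.253 255.255.255.0
"""
ROUTER_AS_POSTED = "interface Wlan-GigabitEthernet0\n switchport mode trunk\n switchport trunk native vlan 10\n"
# Lee's fix: make VLAN 1 native on the AP. On the router the native-vlan line
# then disappears from 'show run', because IOS hides the default of 1.
AP_FIXED = AP_AS_POSTED.replace("dot1Q 1\n", "dot1Q 1 native\n").replace("dot1Q 10 native", "dot1Q 10")
ROUTER_FIXED = "interface Wlan-GigabitEthernet0\n switchport mode trunk\n"

def interfaces(config):
    """Map each 'interface X' header to the text of its indented child lines."""
    blocks = re.split(r"^interface ", config, flags=re.M)[1:]
    return {name: body for name, _, body in (b.partition("\n") for b in blocks)}

def trunk_native_vlan(router_cfg, trunk):
    """Native VLAN of the router trunk; 1 when the line is absent (IOS default)."""
    m = re.search(r"switchport trunk native vlan (\d+)", interfaces(router_cfg).get(trunk, ""))
    return int(m.group(1)) if m else 1

def check_ap_trunk(ap_cfg, router_cfg, trunk="Wlan-GigabitEthernet0"):
    """Return mismatch findings; an empty list means the bridging is consistent."""
    ifaces = interfaces(ap_cfg)
    bvi = next(n for n in ifaces if n.startswith("BVI"))        # e.g. BVI1
    mgmt_vlan = ap_native = None
    for body in ifaces.values():
        m = re.search(r"encapsulation dot1Q (\d+)( native)?$", body, re.M)
        if m and m.group(2):
            ap_native = int(m.group(1))           # subinterface carrying untagged frames
        if m and re.search(rf"^ *bridge-group {bvi[3:]}$", body, re.M):
            mgmt_vlan = int(m.group(1))           # VLAN bridged into the BVI
    router_native = trunk_native_vlan(router_cfg, trunk)
    findings = []
    if ap_native != mgmt_vlan:
        findings.append(f"AP native VLAN {ap_native} differs from {bvi} VLAN {mgmt_vlan}")
    if router_native != ap_native:
        findings.append(f"{trunk} native VLAN {router_native} differs from AP native {ap_native}")
    return findings
```

Running the checker on the as-posted pair reports the BVI/native mismatch, on the fixed AP with the old router trunk it reports the trunk mismatch, and on both fixed halves it reports nothing.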

MatthiasGTW Thu, 08/19/2010 - 06:49

OK, that makes sense. Unfortunately it still does not work -- I can connect to the Internet from a LAN or WLAN client, but I still can't connect to any host or even an interface of the router from the AP. I have double-checked that the vlan for the trunk interface of the router is 1 and that the AP config is correct (I have copied and pasted it).

Any ideas left?

leejohns Thu, 08/19/2010 - 07:25

Post the latest show run from the AP and the router and I will take a look.

Lee

leejohns Thu, 08/19/2010 - 07:49

Are you able to ping the AP's IP from the router? Can you ping the router VLAN1 IP from the AP? I don't see anything that would explain why you cannot access the AP by its BVI interface IP address.

Does the output of 'show ip arp | inc 192.168.0.253' on the router show the right MAC address for the AP?

Perhaps there is an ACL or something else on the network that is blocking access to that IP address? Do you have another VLAN 1 IP you could try?

Lee

MatthiasGTW Thu, 08/19/2010 - 08:15

Hi Lee,

*) I can ping from the router to the BVI address (192.168.0.253) --> OK
*) I can ping from the AP to the router's VLAN1 address (192.168.0.254) --> OK
*) I can NOT ping from the AP to the router's VLAN10 address (192.168.1.1) --> NOT OK
*) I can ping from the AP to the BVI address (192.168.0.253) --> OK

From the router:

cisco#show ip arp | include 192.168.0.253
Internet  192.168.0.253           5   5475.d01a.81b4  ARPA   Vlan1

From the AP:

ap-gtw-wlan#show interfaces
BVI1 is up, line protocol is up
  Hardware is BVI, address is 5475.d01a.81b4 (bia c47d.4f9e.8c60)
  Internet address is 192.168.0.253/24

From my local client PC ("arp -a"):

Interface: 192.168.0.100 --- 0xe
  Internet Address      Physical Address      Type
  192.168.0.253         54-75-d0-1a-81-b4     dynamic

All ACLs I have set you can see in the config.

Since this router is not connected to our LAN I doubt there is another device with IP 192.168.0.253 (BVI interface).

So, in short words, I can only ping the following addresses from the AP: 192.168.0.254, 192.168.0.253 (both VLAN1).

Kind regards, Matthias

leejohns Thu, 08/19/2010 - 09:03

Try adding the following command to the AP config 'ip default-gateway 192.168.0.254' and see if you still have this problem.

If so, can you ping between vlan 1 and vlan 10 on the router? You would need to do an extended ping in order to ping VLAN 10 sourced from VLAN 1. If you are not familiar with that, just issue 'ping ip' and then go from there. For example:

Router#ping ip
Target IP address: 192.168.1.1 <--WLAN 10 IP
Repeat count :
Datagram size :
Timeout in seconds :
Extended commands : y <--Make sure you enter 'y'
Source address or interface: vlan1
Type of service :
Set DF bit in IP header? :
Validate reply data? :
Data pattern :
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes :
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

Thanks,

Lee

MatthiasGTW Fri, 08/20/2010 - 01:49

Thanks for your help Lee, I managed to get it working!

Kind regards, Matthias

leejohns Fri, 08/20/2010 - 04:57

Matthias,

I am glad to hear that. Have a great weekend!

Lee

Posted August 17, 2010 at 4:06 AM