Wireless VLANs and DHCP

Answered Question
Aug 23rd, 2010
I am trying to configure my Aironet 1121G access points with several VLANs. I got the VLANs all working fine with wired devices, but the wireless devices don't get DHCP.

Basically, I have the BVI on my management VLAN and two other VLANs that pass through, trying to have the public WiFi on 1 VLAN and two corporate VLANs with separate WiFi. Can't get IPs on any of them though.

VLANs are routed by a Catalyst 3550 with helper addresses configured on all the VLAN interfaces.

DHCP comes from 2 Windows Server 2003 boxes on a further VLAN.

Any ideas?

Leo Laohoo Mon, 08/23/2010 - 16:52

I'd move the DHCP to the 3550.

vinodjad1234 Mon, 08/23/2010 - 21:55

Could you please send the configuration which you have done on the AP? It would help to troubleshoot.



Thanks

Vinod

Peter Marquis Tue, 08/24/2010 - 02:35

Vinod,

     Here is the AP config, I'm confused, so any help would be useful, got to get a wireless course under my belt.

Cheers,

Peter



!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname IT_AP1121G_01
!
no logging console
enable secret
!
ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 vlan-name Corporate vlan 3
dot11 vlan-name Default vlan 1
dot11 vlan-name Managment vlan 2
!
dot11 ssid stosWIFI
   vlan 1
   authentication open
   guest-mode
   mbssid guest-mode
   infrastructure-ssid optional
   mobility network-id 1
!
dot11 ssid stoswaldsWIFI
   vlan 3
   authentication open eap eap_methods
   mobility network-id 3
!
!
!
username admin privilege 15 secret 5 $1$.dBF$jstGCUjGPaD6OQ/JVmZEY1
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 encryption key 1 size 128bit 7 0D1A262E215F252C7E5A2D6A6498 transmit-key
 encryption mode wep mandatory
 !
 encryption vlan 1 key 1 size 128bit 7 DA303E012047F6068707FC131B4A transmit-key
 encryption vlan 1 mode wep mandatory
 !
 encryption vlan 3 mode wep mandatory
 !
 ssid stosWIFI
 !
 ssid stoswaldsWIFI
 !
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 channel 2412
 station-role root
 world-mode dot11d country GB both
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 254
 bridge-group 254 subscriber-loop-control
 bridge-group 254 block-unknown-source
 no bridge-group 254 source-learning
 no bridge-group 254 unicast-flooding
 bridge-group 254 spanning-disabled
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1
 no ip route-cache
 bridge-group 254
 no bridge-group 254 source-learning
 bridge-group 254 spanning-disabled
!
interface FastEthernet0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3
!
interface FastEthernet0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.2.33 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.2.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
logging trap notifications
logging
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
 password
line vty 0 4
 password
line vty 5 15
!
end

Correct Answer
vinodjad1234 Tue, 08/24/2010 - 03:47

Hi,

As I understood, you have connected your AP to one of your L2 switches. I would suggest you configure your L3 (gateway switch) with a DHCP pool to get the IP address for the respective VLAN first.

To configure the DHCP pool on your L3 192.168.2.1:

Create an SVI interface and assign an IP address for the respective VLAN (that will act as the gateway for the respective VLAN).

Repeat the same thing for all the VLANs.

Create the DHCP pool for the respective VLAN and give default-router with the L3 IP address.

AccessPoint#configure terminal
AccessPoint(config)#interface dot11radio 0
AccessPoint(config-if)#ssid .......give the name of your ssid
AccessPoint(config-if-ssid)#vlan ?
AccessPoint(config-if-ssid)#authentication open
AccessPoint(config-if-ssid)#exit
AccessPoint(config-if)#exit
AccessPoint(config)#interface fastethernet 0.30
AccessPoint(config-subif)#encapsulation dot1Q 30
AccessPoint(config-subif)#exit
AccessPoint(config)#interface dot11radio 0.30
AccessPoint(config-subif)#encapsulation dot1Q 30
AccessPoint(config-subif)#exit

Check whether you are getting the IP address for the clients.

In case you are expecting to get the IP address from your external DHCP server ...

Try giving the below command on each respective dot11Radio 0 subinterface: "ip helper-address .... give the dhcp server ip address here"

Please let me know whether it is working.



thanks,

vinod
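
The answer above pairs each SSID's VLAN with a fastethernet and a dot11radio subinterface carrying the same dot1Q tag. As an added example (not part of the original posts and not Cisco tooling), this Python script checks a saved running-config for that pairing; the sample config, SSID names and VLAN IDs are constructed, and the rule that both subinterfaces share one bridge-group is the autonomous-AP convention assumed here.

```python
import re

# Constructed sample in autonomous-AP running-config style; names and VLAN IDs are made up.
SAMPLE = """\
dot11 ssid guest
   vlan 10
dot11 ssid corp
   vlan 30
interface Dot11Radio0
 shutdown
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
interface Dot11Radio0.30
 encapsulation dot1Q 30
 bridge-group 30
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 11
"""

def parse(config):
    """Return ({ssid: vlan}, {(port, vlan): bridge_group}, {shutdown interfaces})."""
    ssids, subifs, shut, ssid, name, vlan = {}, {}, set(), None, None, None
    for line in map(str.strip, config.splitlines()):   # indentation is not relied on
        if m := re.fullmatch(r"dot11 ssid (\S+)", line):
            ssid, name, vlan = m.group(1), None, None
        elif m := re.fullmatch(r"interface (\S+)", line):
            ssid, name, vlan = None, m.group(1), None
        elif ssid and (m := re.fullmatch(r"vlan (\d+)", line)):
            ssids[ssid] = int(m.group(1))
        elif name and (m := re.fullmatch(r"encapsulation dot1Q (\d+)( native)?", line)):
            vlan = int(m.group(1))
        elif name and vlan and (m := re.fullmatch(r"bridge-group (\d+)", line)):
            subifs[(name.split(".")[0], vlan)] = int(m.group(1))
        elif name and line == "shutdown":
            shut.add(name)
    return ssids, subifs, shut

def check(config, radio="Dot11Radio0", wired="FastEthernet0"):
    """List reasons an SSID's VLAN is not bridged between radio and Ethernet."""
    ssids, subifs, shut = parse(config)
    findings = [f"{radio} is shutdown"] if radio in shut else []
    for ssid, vlan in sorted(ssids.items()):
        groups = {p: subifs.get((p, vlan)) for p in (radio, wired)}
        missing = [p for p, g in groups.items() if g is None]
        findings += [f"ssid {ssid}: no {p} subinterface bridges vlan {vlan}" for p in missing]
        if not missing and groups[radio] != groups[wired]:
            findings.append(f"ssid {ssid}: vlan {vlan} bridge-groups differ {groups}")
    return findings
```

Running `check()` on the text of a `show running-config` capture returns an empty list when every SSID VLAN has both subinterfaces in the same bridge group and the radio is up.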

Peter Marquis Wed, 08/25/2010 - 01:17

By preference I would like to run the DHCP on the 3550, but the monitoring tools we have don't give us the statistics we get from Server 2003.

OK, tested it all now; it seems the encryption is failing to authenticate. Copied the settings from one of the other access points with the single SSID set-up.

The non-broadcast SSID is open auth but I still can't connect. These are the important bits of the AP config:



ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 vlan-name Corporate vlan 20
dot11 vlan-name Default vlan 1
dot11 vlan-name Managment vlan 42
!
dot11 ssid stosWIFI
   vlan 1
   authentication open
   guest-mode
   mbssid guest-mode
   infrastructure-ssid optional
   mobility network-id 1
!
dot11 ssid stoswaldsWIFI
   vlan 20
   authentication open
   mobility network-id 20
!
dot11 network-map
dot11 arp-cache optional
!
!
username admin privilege 15 secret 5 $1$.dBF$jstGCUjGPaD6OQ/JVmZEY1
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
shutdown
!
encryption vlan 1 key 1 size 128bit 7 715E582F760E232942AF331B7D05 transmit-key
encryption vlan 1 mode wep mandatory
!
ssid stosWIFI
!
ssid stoswaldsWIFI
!
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
channel 2412
station-role root
world-mode dot11d country GB both
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
ip helper-address 192.168.1.26
ip helper-address 192.168.1.30
no ip route-cache
bridge-group 254
bridge-group 254 subscriber-loop-control
bridge-group 254 block-unknown-source
no bridge-group 254 source-learning
no bridge-group 254 unicast-flooding
bridge-group 254 spanning-disabled
!
interface Dot11Radio0.20
encapsulation dot1Q 20
ip helper-address 192.168.1.30
ip helper-address 192.168.1.26
ip helper-address 192.168.20.1
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
!
interface FastEthernet0.1
encapsulation dot1Q 1
no ip route-cache
bridge-group 254
no bridge-group 254 source-learning
bridge-group 254 spanning-disabled
!
interface FastEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
bridge-group 20 spanning-disabled
!
interface FastEthernet0.42
encapsulation dot1Q 42 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled


Message was edited by: Peter Marquis
