Allow Multiple subnets

Unanswered Question
Mar 1st, 2012

Good morning, I hope someone can shed some light on the following problem. I have 2 subnets, both on separate VLANs - 1 (static) and 100 (DHCP). I have the LWAPP APs set to receive a VLAN 100 DHCP IP address from our server. The switchport is trunked with a native VLAN 100; this allows users to receive a VLAN 100 DHCP address. The problem is the users utilizing VLAN 1, which is a static subnet, are not allowed access through the access point. They can associate to the AP with no problem, but are unable to pass traffic.


Any help would be appreciated.


Thanks


Larnel

Stephen Rodriguez Thu, 03/01/2012 - 07:04

Larnel,

     To clarify, do the users have to be in VLAN 1 to gain access to those resources?


Can you post the AP config?


Steve

larnelhight Thu, 03/01/2012 - 07:30

Yes, but only a select few. Everyone else is on VLAN 100, which works perfectly.


The APs are LWAPP, so there is no real config on the AP itself. HREAP VLAN is enabled on VLAN 1. The WLANs associated with the AP are VLAN 1 as well.

Stephen Rodriguez Thu, 03/01/2012 - 07:33

OK, so the problem is that users in VLAN 100 can't access the resources in VLAN 1. Is that correct? If not, please give me a detailed description of the issue.


Steve

larnelhight Thu, 03/01/2012 - 07:45

No, the users in VLAN 1 cannot access the internet. They can associate with the access point, but the AP is not passing the traffic through. If they are wired we have no problems.


Switchport config:

interface GigabitEthernet0/35
 description "APe8b7.48f5.1b21 - G0"
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 auto qos voip trust
 spanning-tree portfast trunk

Stephen Rodriguez Thu, 03/01/2012 - 07:48

OK, can you share the AP config? More than likely you need to create another SSID and map it to VLAN 1, with the sub-interfaces created.


Steve

larnelhight Thu, 03/01/2012 - 07:53

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login reap_eap_methods group radius
!
aaa session-id common
eap profile lwapp_eap_profile
 method fast
!
!
interface Dot11Radio0
 no ip route-cache
!
interface Dot11Radio0.1
 encapsulation dot1Q 1
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.17
 encapsulation dot1Q 17 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip route-cache
!
interface Dot11Radio1.1
 encapsulation dot1Q 1
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.17
 encapsulation dot1Q 17 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
no ip http server
radius-server local
  no authentication eapfast
  no authentication leap
  no authentication mac
  group hreap
  !
!
!
control-plane
!
!
!
end

Stephen Rodriguez Thu, 03/01/2012 - 07:58

Yeah, everything is mapping to VLAN 100.


Can you screenshot the HREAP VLAN mappings?

Stephen Rodriguez Thu, 03/01/2012 - 08:29

With what you have configured here, all the traffic would be untagged and sent down to the switch, which would put it in VLAN 100.


Try changing the native to be 100. That should change the bridge groups on the HREAP to be correct.


Steve

larnelhight Fri, 03/02/2012 - 07:37

So changing the native to VLAN 100 will allow the AP to pass VLAN 1 traffic?

Stephen Rodriguez Fri, 03/02/2012 - 07:47

I believe it will. Currently, you are telling the AP that everything is flat; the native and all the SSIDs are linked to VLAN 1, which is why all of your bridge-groups show as bridge-group 1 in the AP config.


By changing the native to be VLAN 100, this will make the interface Dot11Radio1.17 be a different VLAN, so all the management traffic will be untagged, but any traffic that really should be in VLAN 1 will be tagged for VLAN 1. Currently all of the traffic is being sent untagged and getting put into VLAN 100 on the switch.


Keep in mind that if one of the WLANs should be in VLAN 100, you want to map it to VLAN 100, and not VLAN 1.


Steve
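The native-VLAN behaviour Steve describes above, modelled as an added example (not code from the thread or from Cisco): frames in the sender's native VLAN leave the trunk untagged, and the receiver places untagged frames in its own native VLAN. The AP native VLAN (1), switch native VLAN (100) and the WLAN-to-VLAN 1 mapping come from the posted configs; the SSID names are constructed.

```python
# Model of 802.1Q native-VLAN handling on the AP <-> switch trunk from the thread.
# Added example; the SSID names are constructed placeholders.

def egress_tag(vlan, native_vlan):
    """802.1Q egress: frames in the sender's native VLAN leave untagged (None);
    every other VLAN carries its tag."""
    return None if vlan == native_vlan else vlan


def ingress_vlan(tag, native_vlan):
    """802.1Q ingress: an untagged frame is assigned to the receiver's native VLAN."""
    return native_vlan if tag is None else tag


def switch_side_vlans(wlan_to_vlan, ap_native, switch_native):
    """For each WLAN, the VLAN the switch actually places client traffic in
    after it crosses the trunk, given both ends' native VLAN."""
    return {
        ssid: ingress_vlan(egress_tag(vlan, ap_native), switch_native)
        for ssid, vlan in wlan_to_vlan.items()
    }


def native_mismatches(wlan_to_vlan, ap_native, switch_native):
    """WLANs whose traffic lands in a VLAN other than the one it was mapped to:
    {ssid: (intended_vlan, actual_vlan)}. Empty dict means the mapping is sound."""
    actual = switch_side_vlans(wlan_to_vlan, ap_native, switch_native)
    return {
        ssid: (intended, actual[ssid])
        for ssid, intended in wlan_to_vlan.items()
        if actual[ssid] != intended
    }


# Constructed SSIDs. "Before": both WLANs mapped to VLAN 1 and AP native VLAN 1,
# exactly the state in the posted AP config, against a switch native VLAN of 100.
BEFORE_WLANS = {"STATIC-SSID": 1, "DHCP-SSID": 1}
# "After": AP native VLAN 100, static WLAN stays on VLAN 1, DHCP WLAN mapped to 100.
AFTER_WLANS = {"STATIC-SSID": 1, "DHCP-SSID": 100}

if __name__ == "__main__":
    print("before:", native_mismatches(BEFORE_WLANS, ap_native=1, switch_native=100))
    print("after: ", native_mismatches(AFTER_WLANS, ap_native=100, switch_native=100))
```

With the original config every SSID reports a mismatch (mapped to 1, landing in 100), which is why the static-VLAN clients associate but pass no traffic; after the change the check returns an empty dict.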
