1042n AP can't get DHCP for guest network

Aug 3rd, 2012

This is rattling my brain. I have configured 2 SSIDs, one for internal, one for guests. They are on separate VLANs (50 and 51) and bridge groups (1 and 2). I can get IPs via DHCP for the internal network, but not for the guest. I can't get DHCP for any VLAN 51 sub-interface, nor clients that connect to it. The overall goal is to keep all traffic on the guest network separate from the internal traffic, however, DHCP requests will be from an internal server. I have removed all the access-lists for troubleshooting purposes. AP and Switchport configs are below! Please help!


AP Config

Current configuration : 4011 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Test
!
logging rate-limit console 9
enable secret 5
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.75.49 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
 server 192.168.75.49 auth-port 1645 acct-port 1646
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
ip dhcp-server 192.168.75.49
dot11 mbssid
dot11 syslog
!
dot11 ssid Guest
   vlan 51
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7
!
dot11 ssid Internal
   vlan 50
   authentication open eap eap_methods
   authentication key-management wpa version 2
   mbssid guest-mode
!
!
!
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 ip helper-address 192.168.75.49
 no ip route-cache
 !
 encryption vlan 50 mode ciphers aes-ccm
 !
 encryption vlan 51 mode ciphers aes-ccm
 !
 ssid Guest
 !
 ssid Internal
 !
 antenna gain 0
 station-role root
!
interface Dot11Radio0.50
 encapsulation dot1Q 50 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.51
 encapsulation dot1Q 51
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio1
 no ip address
 ip helper-address 192.168.75.49
 no ip route-cache
 !
 encryption vlan 50 mode ciphers aes-ccm
 !
 encryption vlan 51 mode ciphers aes-ccm
 !
 ssid Guest
 !
 ssid Internal
 !
 antenna gain 0
 dfs band 3 block
 channel dfs
 station-role root
!
interface Dot11Radio1.50
 encapsulation dot1Q 50 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.51
 encapsulation dot1Q 51
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface GigabitEthernet0
 ip address dhcp
 ip helper-address 192.168.75.49
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0.50
 encapsulation dot1Q 50 native
 ip address dhcp
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.51
 encapsulation dot1Q 51
 ip address 192.168.51.100 255.255.255.0
 no ip route-cache
!
interface BVI1
 ip address dhcp
 ip helper-address 192.168.75.49
 no ip route-cache
!
interface BVI2
 ip address dhcp
 ip helper-address 192.168.75.49
 no ip route-cache
!
ip default-gateway 192.168.50.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.75.49 auth-port 1645 acct-port 1646 key 7
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
 logging synchronous
line vty 0 4
 transport input all
!
end

Switchport Config

interface GigabitEthernet0/11
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 50
 switchport trunk allowed vlan 50,51
 switchport mode trunk
end


Scott Fella Fri, 08/03/2012 - 13:17

Do you have the ip helper defined on your Layer 3 interface for vlan 51?


Sent from Cisco Technical Support iPhone App

Amjad Abdullah Sun, 08/05/2012 - 23:49

Do you have interface VLAN50/VLAN51 configured on the neighbor switch? If yes, please provide the config.

Why are you using DHCP to provide ip addresses to the BVI interfaces?

Do both your BVI interfaces get an IP address correctly from your DHCP server?

Confirm please that your DHCP server is 192.168.75.49 for both VLANs.

Where is the DHCP server configured? on a switch or third-party server?

KevlarDud Mon, 08/06/2012 - 08:47

Scott: Do you have the ip helper defined on your Layer 3 interface for vlan 51?

Yep, we have the IP helper on the switch for both VLANs.

Amjad: Do you have interface VLAN50/VLAN51 configured on the neighbor switch? If yes, please provide the config.

I do, here is the config:

!
interface Vlan50
 ip address 192.168.50.1 255.255.255.0
 ip helper-address 192.168.75.49
 ip route-cache policy
!
interface Vlan51
 ip address 192.168.51.1 255.255.255.0
 ip helper-address 192.168.75.49
!

Why are you using DHCP to provide ip addresses to the BVI interfaces?

The interfaces are set to DHCP for testing. My production APs have statics. I figured it's easier to t-shoot the DHCP issue with the BVI interface rather than assigning a static and then t-shooting from a client laptop.

Do both your BVI interfaces get an IP address correctly from your DHCP server?

Only BVI1 gets the DHCP address correctly.

Confirm please that your DHCP server is 192.168.75.49 for both VLANs.

Confirmed. 75.49 is the DHCP server for both VLANs.

Where is the DHCP server configured? On a switch or third-party server?

The DHCP server is a Windows 2008 R2 server. I have tested putting DHCP on the switch; this works, but I'd rather manage it from the Windows server.
Correct Answer
Scott Fella Mon, 08/06/2012 - 18:08

Okay... the BVI interface on your AP is your management address for the AP, so this needs to be the native VLAN on the trunk. You do not need BVI2, nor do you need to have an IP address for the gigabit0 interface.

KevlarDud Tue, 08/07/2012 - 07:37

That was it, thank you. I guess if you have a 2nd BVI, bridge-group 2 will route through that rather than through BVI1. I also didn't realize that you only need an IP on the native VLAN rather than on both VLANs.


Here are my configs in case others are confused:


AP Config:

Test#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
BVI1                       192.168.50.127  YES DHCP   up                    up
Dot11Radio0                unassigned      YES NVRAM  up                    up
Dot11Radio0.50             unassigned      YES unset  up                    up
Dot11Radio0.51             unassigned      YES unset  up                    up
Dot11Radio1                unassigned      YES NVRAM  up                    up
Dot11Radio1.50             unassigned      YES unset  up                    up
Dot11Radio1.51             unassigned      YES unset  up                    up
GigabitEthernet0           unassigned      YES NVRAM  up                    up
GigabitEthernet0.50        192.168.50.126  YES DHCP   up                    up
GigabitEthernet0.51        unassigned      YES DHCP   up                    up
Test#show run
Building configuration...

Current configuration : 3935 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Test
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.75.49 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
 server 192.168.75.49 auth-port 1645 acct-port 1646
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
dot11 mbssid
dot11 syslog
!
dot11 ssid Guest
   vlan 51
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7
!
dot11 ssid Internal
   vlan 50
   authentication open eap eap_methods
   authentication key-management wpa version 2
   mbssid guest-mode
!
!
!
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 ip helper-address 192.168.75.49
 no ip route-cache
 !
 encryption vlan 50 mode ciphers aes-ccm
 !
 encryption vlan 51 mode ciphers aes-ccm
 !
 ssid Guest
 !
 ssid Internal
 !
 antenna gain 0
 station-role root
!
interface Dot11Radio0.50
 encapsulation dot1Q 50 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.51
 encapsulation dot1Q 51
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio1
 no ip address
 ip helper-address 192.168.75.49
 no ip route-cache
 !
 encryption vlan 50 mode ciphers aes-ccm
 !
 encryption vlan 51 mode ciphers aes-ccm
 !
 ssid Guest
 !
 ssid Internal
 !
 antenna gain 0
 dfs band 3 block
 channel dfs
 station-role root
!
interface Dot11Radio1.50
 encapsulation dot1Q 50 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.51
 encapsulation dot1Q 51
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0.50
 encapsulation dot1Q 50 native
 ip address dhcp
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.51
 encapsulation dot1Q 51
 ip address dhcp
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface BVI1
 ip address dhcp
 ip helper-address 192.168.75.49
 no ip route-cache
!
ip default-gateway 192.168.50.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
snmp-server community cisco RO
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.75.49 auth-port 1645 acct-port 1646 key 7
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
 logging synchronous
line vty 0 4
 logging synchronous
 transport input all
!
end

Switchport Config

interface GigabitEthernet0/11
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 50
 switchport trunk allowed vlan 50,51
 switchport mode trunk
end
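As an added example (not code from the thread or from Cisco), a small Python audit that parses IOS-style interface stanzas and flags the three things that differ between the first AP config posted and the working one: a second BVI, an IP address on the physical GigabitEthernet0 port, and a radio bridge-group with no GigabitEthernet sub-interface in the same group (in the first config, GigabitEthernet0.51 carried no bridge-group 2). The excerpt inside is constructed from the first config; the function names are this example's own.

```python
import re

def parse_interfaces(cfg):
    # Split IOS-style config text into {interface name: [stanza lines]}.
    stanzas, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            stanzas[cur] = []
        elif line == "!" or not line:
            cur = None
        elif cur is not None:
            stanzas[cur].append(line)
    return stanzas

def audit_irb_config(cfg):
    # Flag what differs between the broken and working AP configs: a second BVI,
    # an IP on the physical wired port, and a radio bridge-group with no wired member.
    ifs, findings, radio_groups, wired_groups = parse_interfaces(cfg), [], {}, set()
    for name, lines in ifs.items():
        groups = {int(m.group(1)) for l in lines
                  if (m := re.fullmatch(r"bridge-group (\d+)", l))}
        if name.startswith("Dot11Radio"):
            for g in groups:
                radio_groups.setdefault(g, set()).add(name)
        elif name.startswith("GigabitEthernet"):
            wired_groups |= groups
            if "." not in name and any(l.startswith("ip address") for l in lines):
                findings.append(f"{name}: physical wired port has an IP address; the BVI should carry it")
    bvis = sorted(n for n in ifs if n.startswith("BVI"))
    if len(bvis) > 1:
        findings.append(f"{', '.join(bvis)}: more than one BVI; only the native-VLAN group needs one")
    for g in sorted(radio_groups):
        if g not in wired_groups:
            findings.append(f"bridge-group {g} ({', '.join(sorted(radio_groups[g]))}) "
                            "has no wired sub-interface, so its VLAN never reaches the trunk")
    return findings

# Constructed excerpt modelled on the first (non-working) AP config in the thread.
BROKEN_EXCERPT = "\n".join([
    "interface Dot11Radio0.51", " encapsulation dot1Q 51", " bridge-group 2", "!",
    "interface GigabitEthernet0", " ip address dhcp", "!",
    "interface GigabitEthernet0.51", " encapsulation dot1Q 51",
    " ip address 192.168.51.100 255.255.255.0", "!",
    "interface BVI1", " ip address dhcp", "!", "interface BVI2", " ip address dhcp"])

if __name__ == "__main__":
    for finding in audit_irb_config(BROKEN_EXCERPT):
        print("FINDING:", finding)
```

Run against the corrected stanzas (one BVI, no IP on GigabitEthernet0, bridge-group 2 on GigabitEthernet0.51) the same function returns an empty list.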

Scott Fella Tue, 08/07/2012 - 07:45

Glad you got it working. Thanks for using the rating system!


Sent from Cisco Technical Support iPhone App
