New Member

1252 config multiple vlans not trunking over ethernet

Hi all, I am new to these forums, but have read some posts on setups for an AP 1252 to a 2950 switch.

I have multiple vlans and multiple ssids set up on my ap.  The switch has knowledge of the vlans on the ap in its config I think.

When I put the 2950 into trunk mode on the port the ap is connected to, I can no longer see the ap. And none of my ssid / vlans traffic across the Ethernet trunk to the switch.  I suspect I have an issue on the config side of the ap specifically either at the BVI (Don't fully understand this virtual port) or in the bridge groups. (Never worked with bridge groups before.)

The AP is in autonomous mode.

Here is my config on the ap side.

interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 300 mode ciphers aes-ccm tkip
!
broadcast-key vlan 300 change 600 membership-termination capability-change
!
!
ssid 101
!
ssid 300
!
countermeasure tkip hold-time 120
antenna gain 0
speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
bridge-group 100 block-unknown-source
no bridge-group 100 source-learning
no bridge-group 100 unicast-flooding
bridge-group 100 spanning-disabled
!
interface Dot11Radio0.300
encapsulation dot1Q 300
no ip route-cache
bridge-group 255
bridge-group 255 subscriber-loop-control
bridge-group 255 block-unknown-source
no bridge-group 255 source-learning
no bridge-group 255 unicast-flooding
bridge-group 255 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 300 mode ciphers aes-ccm tkip
!
broadcast-key vlan 300 change 600 membership-termination capability-change
!
!
ssid 101
!
ssid 300
!
countermeasure tkip hold-time 120
antenna gain 0
dfs band 3 block
speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
channel dfs
station-role root
!
interface Dot11Radio1.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
bridge-group 100 block-unknown-source
no bridge-group 100 source-learning
no bridge-group 100 unicast-flooding
!
interface Dot11Radio1.300
encapsulation dot1Q 300
no ip route-cache
bridge-group 255
bridge-group 255 subscriber-loop-control
bridge-group 255 block-unknown-source
no bridge-group 255 source-learning
no bridge-group 255 unicast-flooding
bridge-group 255 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0.51
encapsulation dot1Q 51 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
no bridge-group 100 source-learning
bridge-group 100 spanning-disabled
!
interface GigabitEthernet0.300
encapsulation dot1Q 300
no ip route-cache
bridge-group 255
no bridge-group 255 source-learning
bridge-group 255 spanning-disabled
!
interface BVI1
ip address 10.131.10.70 255.255.255.0
no ip route-cache
!

Vlan 51 is what I am trying to trunk over.  Vlan 100 is my normal LAN vlan for pretty much everything at the moment.  And Vlan 300 is my attempt at securing the wireless traffic to a new more secure vlan on my LAN.

Vlan 51 has no ip range

Vlan 100 ip range is 10.131.10.0

Vlan 300 range is 10.131.11.0

The routing happens at my 3750 core switch / router, but the ap is connected to a 2950 that is trunked to my distribution layer on a 2975 stack.  Again the vlan 300 works on the 2975 stack and will pull dhcp if active.  Haven't tried this on the 2950 yet, but I suspect it will also work based on the trunk setup on the s950 to the 2975 stack.

Anyway, what I would like to be able to do is have multiple vlans configured on the AP (from most secure to least secure based on equipment capabilities) and have that vlan tagged traffic make it to my 3750 eventually for further direction.

Any help here would be greatly appreciated.

Thank you for taking the time to read this.

Sincerely,

Kevin Pulford

Systems Administrator

Harmon City, Inc.

Cisco Employee

Re: 1252 config multiple vlans not trunking over ethernet

It looks pretty good as it is, but could you also add a "show vlan", "show int status" and a "show run int " of the interface where AP is connected to ?

Also the "dot11 ssid" configuration part is missing in what you pasted.

You said vlan 300 works, but does vlan 100 work when you trunk the AP ?

Nicolas

New Member

Re: 1252 config multiple vlans not trunking over ethernet

Thank you for your response.

Currently neither vlan seems to be working as far as getting traffic to my network.  However, both currently are set up to allow connection by wireless devices, and both ssid's allow connection by wireless devices.  Just no connectivity once connected to the wireless device to the LAN.

Here is show vlan from the 2950.

Cisco2950-24-Lab#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
50   Cross-Stack                      active
51   Lab                              active
60   Management                       active
100  VLAN0100                         active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1
200  Voice                            active
300  Workstations                     active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
50   enet  100050     1500  -      -      -        -    -        0      0
51   enet  100051     1500  -      -      -        -    -        0      0
60   enet  100060     1500  -      -      -        -    -        0      0
100  enet  100100     1500  -      -      -        -    -        0      0
200  enet  100200     1500  -      -      -        -    -        0      0
300  enet  100300     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

Here is the Show int status on my gi 0/1 (The one the ap is connected to.)

show int gi 0/1 status

Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1     AP 1252            connected    100        a-full a-1000 10/100/1000BaseTX

Here is the show run int gi 0/1

Cisco2950-24-Lab#show run int gi 0/1
Building configuration...

Current configuration : 111 bytes
!
interface GigabitEthernet0/1
description AP 1252
switchport access vlan 100
no snmp trap link-status
end

Now currently the switchport is not in trunking because I can't access the AP once I put it in trunking.

The trunking commands I have used are:

switchport trunking vlan 51

switchport mode trunk

And I have removed the switchport access vlan 100 when I set up trunking.

I apologize for missing the dot11 ssid section. Please find it below for your reference.

dot11 ssid 101
vlan 100
authentication open
accounting acct_methods6
guest-mode
mbssid guest-mode
no ids mfp client
!
dot11 ssid 300
vlan 300
authentication open eap eap_methods2
authentication network-eap eap_methods2
authentication key-management wpa version 2
accounting acct_methods2
mbssid guest-mode
mobility network-id 300
!
dot11 network-map

Again thank you for looking at this and any help you can provide.

Sincerely,

Kevin Pulford

Cisco Employee

Re: 1252 config multiple vlans not trunking over ethernet

I know the 2950 doesn't run the last IOS but it's the first time ever I see the command "switchport trunking vlan 51" ... Don't you have the command "Switchport trunk native vlan 51" instead ?

From what I read "switchport trunking vlan" has to do with pruning ? I can be wrong though as I never faced that command.

For helping, it would have been better to get the show int status and show vlan commands when the port was in trunk mode, otherwise there is nothing to see :-)

Btw, unless you have a WLSM (which is not common), you don't need the command "mobility network-id" ... I've seen it breaking connectivity in some cases so ...

Nicolas

===

Don't forget to rate answers that you find useful

New Member

Re: 1252 config multiple vlans not trunking over ethernet

Thank you for your reply.  Yes you are right I do use a switchport trunking native vlan 51 and switchport mode trunk.  Here is the show run int gi 0/1 (My 2950 port going to the ap).

Cisco2950-24-Lab#show run int gi 0/1
Building configuration...

Current configuration : 139 bytes
!
interface GigabitEthernet0/1
description AP 1252
switchport trunk native vlan 51
switchport mode trunk
no snmp trap link-status
end

Here is the sho vlan on the 2950 with the trunk port setup.

Cisco2950-24-Lab#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
50   Cross-Stack                      active
51   Lab                              active
60   Management                       active
100  VLAN0100                         active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
200  Voice                            active
300  Workstations                     active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
50   enet  100050     1500  -      -      -        -    -        0      0
51   enet  100051     1500  -      -      -        -    -        0      0
60   enet  100060     1500  -      -      -        -    -        0      0
100  enet  100100     1500  -      -      -        -    -        0      0
200  enet  100200     1500  -      -      -        -    -        0      0
300  enet  100300     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

And here is the show int gi 0/1 status with the trunk setup.

Cisco2950-24-Lab#show int gi 0/1 status

Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1     AP 1252            connected    trunk      a-full a-1000 10/100/1000BaseTX

Again my vlan 51 is for the trunk going between the 2950 and the ap.

Vlan 100 is my current active vlan of my entire network with an ip range of 10.131.10.0 / 24

Vlan 300 is my workstation vlan and is setup for a more secure internal workstation access.  Ip range is 10.131.11.0 /24

You may notice vlan 50 which is my trunk vlan between the 2975 and 3750 stacks.

I thought I understood how trunking and vlans work but I am missing something here.  I have a trunk on the 2975 stack called vlan 50 and it is my aggregate etherchannel between my 2975 stack and my 3750 stack and it seems to pass vlans with no problem.  I thought I had the 2950 trunk to the AP set up the same way, so I am concerned that I don't have my vlan 100 (Management vlan for the ap) mapped properly to the ethernet port on the AP. I say this because when I put the 2950 into trunk I lose connection to the AP on Vlan 100.  I suspect whatever I must do to get that Vlan 100 working over my trunk I can do to the other Vlan and it should work as well.

Again, any help and all of the help you have provided so far is appreciated.

Thank you.

Sincerely,

Kevin Pulford

Re: 1252 config multiple vlans not trunking over ethernet

one thing I'm noticing.

interface BVI1

ip address 10.131.10.70 255.255.255.0

This is the address space of VLAN 100, but you have this set to be in native to VLAN 51.  So the AP is going to be sending untagged traffic to the switchport, and the port will send the traffic in VLAN 51.  But as there is no IP range for VLAN 51, and the address is going to be in VLAN 100, the AP will not have network reachability.

Now the clients should work, as we are going to send their traffic tagged for vlan 300.  SSID 101, is this linked to VLAN 101 or 100?  Can you post the full AP config?

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
New Member

Re: 1252 config multiple vlans not trunking over ethernet

Thank you for your response.  So I am confused about what to do to get network reachability to the ap on VLan 100?  Should the native vlan be 100 to begin with?

And then just leave the ip assigned to the ap in BVI?

Here is the full config of the ap:

!
! No configuration change since last restart
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Harmons-01
!
enable secret 5 $1$JF5J$/6B3DofwtJEKKejFxskXh0
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.131.10.1 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
server 10.131.10.1 auth-port 1645 acct-port 1646
!
aaa group server radius rad_acct
server 10.131.10.1 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_acct4
server 10.131.10.1 auth-port 1645 acct-port 1646
!
aaa group server radius rad_acct5
server 10.131.10.1 auth-port 1645 acct-port 1646
!
aaa group server radius rad_acct6
server 10.131.10.1 auth-port 1645 acct-port 1646
!
aaa group server radius rad_eap2
server 10.131.10.1 auth-port 1645 acct-port 1646
!
aaa group server radius rad_acct2
server 10.131.10.1 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local group rad_mac
aaa authentication login eap_methods2 group rad_eap2
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa accounting network acct_methods4 start-stop group rad_acct4
aaa accounting network acct_methods5 start-stop group rad_acct5
aaa accounting network acct_methods6 start-stop group rad_acct6
aaa accounting network acct_methods2 start-stop group rad_acct2
!
aaa session-id common
clock timezone GMT -7
clock summer-time T recurring
ip domain name harmons.harmonsgrocery.com
ip name-server 10.131.10.1
ip name-server 10.131.10.14
!
!
dot11 syslog
dot11 vlan-name Unsecured vlan 100
dot11 vlan-name Workstations vlan 300
!
dot11 ssid 101
vlan 100
authentication open
accounting acct_methods6
guest-mode
mbssid guest-mode
no ids mfp client
!
dot11 ssid 300
vlan 300
authentication open eap eap_methods2
authentication network-eap eap_methods2
authentication key-management wpa version 2
accounting acct_methods2
mbssid guest-mode
mobility network-id 300
!
dot11 network-map
power inline negotiation prestandard source
!
crypto pki trustpoint TP-self-signed-349324094
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-349324094
revocation-check none
rsakeypair TP-self-signed-349324094
!
!
crypto pki certificate chain TP-self-signed-349324094
certificate self-signed 01
quit
!
!
ip ftp username #######
ip ftp password 7 #######
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 300 mode ciphers aes-ccm tkip
!
broadcast-key vlan 300 change 600 membership-termination capability-change
!
!
ssid 101
!
ssid 300
!
countermeasure tkip hold-time 120
antenna gain 0
speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
station-role root
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
bridge-group 100 block-unknown-source
no bridge-group 100 source-learning
no bridge-group 100 unicast-flooding
bridge-group 100 spanning-disabled
!
interface Dot11Radio0.300
encapsulation dot1Q 300
no ip route-cache
bridge-group 255
bridge-group 255 subscriber-loop-control
bridge-group 255 block-unknown-source
no bridge-group 255 source-learning
no bridge-group 255 unicast-flooding
bridge-group 255 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 300 mode ciphers aes-ccm tkip
!
broadcast-key vlan 300 change 600 membership-termination capability-change
!
!
ssid 101
!
ssid 300
!
countermeasure tkip hold-time 120
antenna gain 0
dfs band 3 block
speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
channel dfs
station-role root
!
interface Dot11Radio1.51
encapsulation dot1Q 51 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
bridge-group 100 block-unknown-source
no bridge-group 100 source-learning
no bridge-group 100 unicast-flooding
!
interface Dot11Radio1.300
encapsulation dot1Q 300
no ip route-cache
bridge-group 255
bridge-group 255 subscriber-loop-control
bridge-group 255 block-unknown-source
no bridge-group 255 source-learning
no bridge-group 255 unicast-flooding
bridge-group 255 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0.51
encapsulation dot1Q 51 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
no bridge-group 100 source-learning
bridge-group 100 spanning-disabled
!
interface GigabitEthernet0.300
encapsulation dot1Q 300
no ip route-cache
bridge-group 255
no bridge-group 255 source-learning
bridge-group 255 spanning-disabled
!
interface BVI1
ip address 10.131.10.70 255.255.255.0
no ip route-cache
!
ip default-gateway 10.131.10.254
no ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
snmp-server community harmons RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps entity
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps cpu threshold
snmp-server enable traps aaa_server
snmp-server host 10.131.10.180 harmons
radius-server local
nas 10.131.10.1 key 7 0702204B470A485C4440
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.131.10.1 auth-port 1645 acct-port 1646 key 7 03095A0C0F0C70151D5B
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
access-class 111 in
line vty 0 4
access-class 111 in
!
sntp server 10.131.10.254
sntp broadcast client
end

Thanks again for any help you can provide.

Sincerely,

Kevin Pulford

Re: 1252 config multiple vlans not trunking over ethernet

Yes, remove vlan 51 then tell vlan 100 that it's the native, and it will link to bridge-group 1.  Then change the switch port to be native vlan 100.  You should then be able to reach the AP via telnet/GUI.

commands are going to be:

config t
no int dot11radio0.51
no int dot11radio1.51
no int g0.51
int dot11radio0.100
encapsulation dot1q 100 native
int dot11radio1.100
encapsulation dot1q 100 native
int g0.100
encapsulation dot1q 100 native

To be safe, save wr mem and reboot.

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
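The native-VLAN reasoning from the two replies above (BVI1 rides bridge-group 1 untagged, so its address has to belong to the trunk's native VLAN), as an added example that is not part of the original posts. It is a Python check run over constructed, condensed copies of the posted configs; the function names, the sample strings and the VLAN-to-subnet map are assumptions built from values given in the thread.

```python
import ipaddress
import re

# Constructed samples, condensed from the configuration posted in the thread.
AP_BEFORE = """\
interface Dot11Radio1.51
 encapsulation dot1Q 51 native
 bridge-group 1
interface Dot11Radio1.100
 encapsulation dot1Q 100
 bridge-group 100
interface GigabitEthernet0.51
 encapsulation dot1Q 51 native
 bridge-group 1
interface GigabitEthernet0.100
 encapsulation dot1Q 100
 bridge-group 100
interface BVI1
 ip address 10.131.10.70 255.255.255.0
"""
# Assumed result of the accepted fix: VLAN 100 native, linked to bridge-group 1.
AP_AFTER = """\
interface Dot11Radio1.100
 encapsulation dot1Q 100 native
 bridge-group 1
interface GigabitEthernet0.100
 encapsulation dot1Q 100 native
 bridge-group 1
interface BVI1
 ip address 10.131.10.70 255.255.255.0
"""
PORT_NATIVE_51 = "interface GigabitEthernet0/1\n switchport trunk native vlan 51\n switchport mode trunk\n"
PORT_NATIVE_100 = PORT_NATIVE_51.replace("vlan 51", "vlan 100")
VLAN_SUBNETS = {100: "10.131.10.0/24", 300: "10.131.11.0/24"}  # VLAN 51 has no IP range


def parse_ap(config):
    """Return ({subinterface: {vlan, native, bridge_group}}, BVI1 address)."""
    subifs, bvi_ip, current = {}, None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            current = m.group(1)
            if "." in current:
                subifs[current] = {"vlan": None, "native": False, "bridge_group": None}
        elif current in subifs:
            if m := re.match(r"encapsulation dot1q (\d+)( native)?$", line, re.I):
                subifs[current].update(vlan=int(m.group(1)), native=bool(m.group(2)))
            elif m := re.match(r"bridge-group (\d+)$", line):
                subifs[current]["bridge_group"] = int(m.group(1))
        elif current == "BVI1" and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            bvi_ip = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return subifs, bvi_ip


def switch_native_vlan(port_config):
    """Native VLAN of a trunk port; IOS uses VLAN 1 when none is configured."""
    m = re.search(r"^\s*switchport trunk native vlan (\d+)\s*$", port_config, re.M)
    return int(m.group(1)) if m else 1


def audit(ap_config, port_config, vlan_subnets):
    """List the reasons the AP's management address would be unreachable."""
    subifs, bvi_ip = parse_ap(ap_config)
    natives = {s["vlan"] for s in subifs.values() if s["native"]}
    if len(natives) != 1:
        return [f"AP must mark exactly one VLAN native, found {sorted(natives)}"]
    native, findings = natives.pop(), []
    for name, s in sorted(subifs.items()):
        if s["vlan"] == native and not (s["native"] and s["bridge_group"] == 1):
            findings.append(f"{name}: VLAN {native} must be native and in bridge-group 1")
    sw_native = switch_native_vlan(port_config)
    if sw_native != native:
        findings.append(f"native VLAN mismatch: AP {native}, switch {sw_native}")
    subnet = vlan_subnets.get(native)
    if bvi_ip and (subnet is None or bvi_ip.ip not in ipaddress.ip_network(subnet)):
        findings.append(f"BVI1 {bvi_ip.ip} is untagged in VLAN {native}, which does not carry its subnet")
    return findings


if __name__ == "__main__":
    for label, ap, port in (("before", AP_BEFORE, PORT_NATIVE_51), ("after", AP_AFTER, PORT_NATIVE_100)):
        print(label, audit(ap, port, VLAN_SUBNETS) or "consistent")
```
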
New Member

Re: 1252 config multiple vlans not trunking over ethernet

Thank you Stephen for your response and all of your time,

This solution worked perfectly and I believe I have what I was trying to get.  My Vlan 300 is working and ip addresses are getting handed out by my DHCP server to it, and my SSID 101 is working on the VLAN 100 as it should.

I have one thing to ask if you can explain the vlan use on the AP.  I ask because I always thought it would be better to have untagged traffic be on a non-IP based vlan rather than take a chance of having untagged traffic on my main vlan.  Is this not the case for a best practice?

So the follow up to that is this.  Would there be a way or even a good reason to try to get the native vlan on my trunk to an unused vlan such as vlan 51 and still have my ap be managed by a vlan 100 IP address?  It seems like if I were to assign an ip address in the vlan 100 range to the g.100 subinterface it would be possible, then remove the bvi1 ip address.

I am asking this because my next step is to configure a guest vlan that will bypass all of my network vlans and go directly out to the ASA I have and then to the Internet.  We have a need to keep as private as possible our internal network and I would not want to expose any guest traffic (Viruses, etc) to my internal vlan and ip traffic.

Again, thank you so much for your help and time.

Sincerely,

Kevin Pulford

Re: 1252 config multiple vlans not trunking over ethernet

With the way the AP works, you wouldn't be able to put an IP directly on the g0.100 interface and have it work reliably.  We only route off of one bridge, and that is bridge 1.  Remember that the AP is only a L2 device, we simply pass traffic in the vlan we receive it in.

I do understand the logic behind untagged traffic going to a null VLAN, but with the AP's it's usually not that big of a deal, as you have to authenticate before you get an IP.

For the guest network, you just create the vlan, and the ssid on the AP calls the vlan just like the internal ones do.  Then at L3, acl off the guest subnet from being able to reach the internals.

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
New Member

Re: 1252 config multiple vlans not trunking over ethernet

Once again thank you so much for your help.

So the only way I reliably could move the ap off of my primary vlan would be to assign an ip address in a different subnet and route it on my routers, so my other vlans could see it and use that as a native trunk to the ap, it sounds like.  Which is about what I have now with my VLan 100.  Unless my boss decides to change it I think I will leave it.  It works very well as is for sure.

I also appreciate your suggestions on the private vlan for guests and will get to work on that next.

I really appreciate your time and effort on this.

Sincerely,

Kevin Pulford
