03-12-2012 02:49 AM - edited 07-03-2021 09:46 PM
Hope someone can point me in the right direction -
Basically have a Win08 R2 DHCP server, and a 1941w router.
I've got the internet, got the lan clients getting DHCP ok (with ip helper-address set on the 0/0 internal interface).
Also have the SSID, and wireless clients can connect - but no IPs are being handed out, also not sure if I understand or did the bridging correctly or assigned IPs to the vlan or bvi1 correctly.
for ex:
DHCP server IP:
10.10.2.4
Router Ethernet internal interface 0/0 IP:
10.10.2.1
with helper-address 10.10.2.4 (lan clients are resolving IPs correctly from the DHCP server)
Vlan1 IP address:
10.10.3.1
Does this interface need the helper-address as well? (10.10.2.4)?
wlan-ap 0 IP address:
unnumbered
interface BVI1 IP address (static):
10.10.2.2
am i totally off? not even sure if i have the vlan bridged to the 0/0 adapter or not correctly - but as I said, i can get a wireless client to connect with the SSID.
would appreciate any advice/pointers, thanks
03-12-2012 06:06 AM
can you post the config of the router and AP?
03-12-2012 09:00 AM
of course - here is the router config:
=======================================================
Using 5591 out of 262136 bytes
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$JWwK$.04.NFg7tQ82UTy68/hyv.
!
no aaa new-model
service-module wlan-ap 0 bootimage autonomous
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
!
no ip bootp server
ip name-server 10.10.2.4
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-975501586
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-975501586
revocation-check none
rsakeypair TP-self-signed-975501586
!
!
crypto pki certificate chain TP-self-signed-975501586
certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
license udi pid CISCO1941W-A/K9 sn FTX155085QG
hw-module ism 0
!
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
ip address 10.10.2.1 255.255.255.0
ip helper-address 10.10.2.4
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered GigabitEthernet0/0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
no mop enabled
no mop sysid
!
interface GigabitEthernet0/1
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id GigabitEthernet0/1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface Wlan-GigabitEthernet0/0
description Internal switch interface connecting to the embedded AP
no ip address
!
interface Vlan1
ip address 10.10.3.1 255.255.255.0
ip helper-address 10.10.2.4
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.2.0 0.0.0.255
!
no cdp run
!
!
control-plane
!
!
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
=======================================================
and the ap config:
=======================================================
Using 2067 out of 32768 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$xKDT$GdLGeA6h.H9LKL9l3dPmj.
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid WIFI1
vlan 1
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 044B1E030D2D43632A
!
!
!
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 1 mode ciphers aes-ccm
!
broadcast-key vlan 1 change 30
!
!
ssid WIFI1
!
antenna gain 0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 1 mode ciphers aes-ccm
!
broadcast-key vlan 1 change 30
!
!
ssid WIFI1
!
antenna gain 0
dfs band 3 block
channel dfs
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 10.10.2.2 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
no activation-character
line vty 0 4
login local
!
end
============================================
03-12-2012 09:10 AM
ok, so a couple of things.
interface Wlan-GigabitEthernet0/0
description Internal switch interface connecting to the embedded AP
no ip address
This tells me that the AP is going to be in VLAN 1, 10.10.3.x/24, but the AP has a static IP that doesn't match.
Then under the Radio subinterfaces, you call encapsulation dot1q 1 native, but are linked to bridge-group 2. When you issue the native command, it should place that interface in bridge-group 1.
So to fix this.
Conf t
interface Dot11Radio0.1
bridge-group 1
interface Dot11Radio1.1
bridge-group 1
!
exit
!
Interface BVI 1
ip address dhcp
! (or set a 10.10.3.x address)
!
end
wr
Steve
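The bridge-group mismatch pointed out in the reply above can be checked mechanically. The following is an added example, not part of the original posts: it flags any dot1Q VLAN whose subinterfaces are spread over more than one bridge-group. The function name and the constructed config excerpt (flat, as pasted in the thread) are assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt of the AP config as posted in the thread (no indentation).
SAMPLE_AP_CONFIG = """\
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 2
bridge-group 2 spanning-disabled
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 2
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
!
interface BVI1
ip address 10.10.2.2 255.255.255.0
"""

def split_vlans(config):
    """Return {vlan: {bridge_group: [subinterfaces]}} for every dot1Q VLAN whose
    subinterfaces sit in more than one bridge-group (radio and wired side are
    then not bridged together)."""
    groups = defaultdict(lambda: defaultdict(list))
    name = vlan = None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            name, vlan = m[1], None          # new section, VLAN not yet known
        elif m := re.match(r"encapsulation dot1Q (\d+)", line):
            vlan = int(m[1])
        elif (m := re.fullmatch(r"bridge-group (\d+)", line)) and vlan is not None:
            # Only the bare membership line counts, not "bridge-group N <option>".
            groups[vlan][int(m[1])].append(name)
    return {v: dict(bg) for v, bg in groups.items() if len(bg) > 1}

if __name__ == "__main__":
    for vlan, bgs in split_vlans(SAMPLE_AP_CONFIG).items():
        print(f"VLAN {vlan} is split across bridge-groups: {bgs}")
```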
03-12-2012 09:44 AM
excellent! that worked for passing through dhcp but i have one problem left -
i get all the settings, but there is a problem with getting the internet
i can't ping ip addresses or domain names.
set up manual DNS entries on a wireless client and still nothing.
changed to all manual settings (ip address in the 10.10.2.0 range and the 10.10.3.0 range)
no successful pings.
03-12-2012 09:45 AM
to clarify - the wired lan clients get the internet - dns resolves correctly.
the wireless clients do not resolve or ping successfully
03-12-2012 09:53 AM
ok, so the client should be getting 10.10.3.x address space.
You need to add ip nat inside to VLAN 1, and add the 10.10.3.0 to the NAT ACL
Current config only shows 10.10.2.0 in the permit list:
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.2.0 0.0.0.255
conf t
interface VLAN 1
ip nat inside
exit
access-list 1 permit 10.10.3.0 0.0.0.255
end
wr
once that is done, you should be able to get the wireless clients out to the interwebs.
Steve
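The two gaps named in the reply above (no `ip nat inside` on Vlan1, and 10.10.3.0 missing from the NAT ACL) are the kind of drift a small config audit catches. This is an added example, not part of the original posts: the function name and the constructed excerpt of the pre-fix router config are assumptions, and only `permit <address> <wildcard>` ACL entries are understood.

```python
import ipaddress
import re

# Constructed excerpt of the router config from the thread, before the fix.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
ip address 10.10.2.1 255.255.255.0
ip nat inside
!
interface GigabitEthernet0/1
ip address dhcp client-id GigabitEthernet0/1
ip nat outside
!
interface Vlan1
ip address 10.10.3.1 255.255.255.0
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 10.10.2.0 0.0.0.255
"""
IP4 = r"(\d+\.\d+\.\d+\.\d+)"

def audit_nat(config):
    """List (interface, problem) for statically addressed non-outside interfaces."""
    interfaces, permits, nat_acl, cur = {}, {}, None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            cur = interfaces.setdefault(m[1], {"net": None, "nat": None})
        elif line == "!":
            cur = None                      # "!" closes the interface section
        elif m := re.match(r"ip nat inside source list (\S+) ", line):
            nat_acl = m[1]
        elif m := re.fullmatch(rf"access-list (\S+) permit {IP4} {IP4}", line):
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)  # wildcard mask
            permits.setdefault(m[1], []).append(net)
        elif cur is not None and (m := re.fullmatch(rf"ip address {IP4} {IP4}", line)):
            cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif cur is not None and (m := re.fullmatch(r"ip nat (inside|outside)", line)):
            cur["nat"] = m[1]
    findings = []
    for name, intf in interfaces.items():
        if intf["net"] is None or intf["nat"] == "outside":
            continue                        # DHCP/unaddressed or WAN side
        if intf["nat"] != "inside":
            findings.append((name, "missing 'ip nat inside'"))
        if not any(intf["net"].subnet_of(p) for p in permits.get(nat_acl, [])):
            findings.append((name, f"{intf['net']} not permitted by access-list {nat_acl}"))
    return findings

if __name__ == "__main__":
    print(audit_nat(SAMPLE_CONFIG))
```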
03-12-2012 10:11 AM
was pulling that up the same time i saw your post.
added the entry - it's now picking up the correct dns suffix in ipconfig
but still no ping or domain resolution on the wireless clients.
====================================================
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.2.0 0.0.0.255
access-list 1 permit 10.10.3.0 0.0.0.255
03-12-2012 10:12 AM
i am pinging the entire internal network successfully with wireless and wired
both with ip address and machine name
03-12-2012 10:13 AM
and you added the ip nat inside to the VLAN 1?
Can you post the current config from the router?
Steve
03-12-2012 10:34 AM
yeah i did both -
current config
========================================
Current configuration : 7040 bytes
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$JWwK$.04.NFg7tQ82UTy68/hyv.
!
no aaa new-model
service-module wlan-ap 0 bootimage autonomous
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
!
no ip bootp server
ip name-server 10.10.2.4
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-975501586
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-975501586
revocation-check none
rsakeypair TP-self-signed-975501586
!
!
hw-module ism 0
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
ip address 10.10.2.1 255.255.255.0
ip helper-address 10.10.2.4
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered GigabitEthernet0/0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
no mop enabled
no mop sysid
!
interface GigabitEthernet0/1
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address dhcp client-id GigabitEthernet0/1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface Wlan-GigabitEthernet0/0
description Internal switch interface connecting to the embedded AP
no ip address
!
interface Vlan1
ip address 10.10.3.1 255.255.255.0
ip helper-address 10.10.2.4
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.2.0 0.0.0.255
access-list 1 remark WLAN
access-list 1 permit 10.10.3.0 0.0.0.255
!
no cdp run
!
!
control-plane
!
!
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
03-12-2012 10:51 AM
what happens if you do a source ping from the vlan 1 interface? can you traceroute from the client to an address?
03-12-2012 11:07 AM
traceroute from client - request timed out with DHCP settings.
source ping from 10.10.3.1 succeeds to outside ip
changing a wireless client to the 10.10.3.0 range also successful outside ping.
actually the wireless client gets internet with an 10.10.3.0 range and using the internal DNS server (10.10.2.4)
tracert with the 10.10.3.0 range first hop is 10.10.3.1 == successful.
03-12-2012 11:14 AM
what do you mean changing the wireless to a 10.10.3.x address?
The AP is linked to VLAN 1/10.10.3.0. What address are you assigning to the clients?
Do you want them to be in a different subnet?
Steve
03-12-2012 11:20 AM
just testing, no don't want the wireless clients to be in a different subnet.
didn't change anything on the router/ap config
just tested a wireless client with a random ip from the 10.10.3.0 range
ip settings on client:
ip: 10.10.3.25/24
gateway: 10.10.3.1 (the vlan1)
dns: 10.10.2.4
got internet access.
when dhcp is assigned:
10.10.2.xx/24
gateway: 10.10.2.1
dns: 10.10.2.4
no internet access on wireless clients.