1941w - Need help with IP address assigning, and relay wireless to a DHCP server.

techfactor13
Level 1

Hope someone can point me in the right direction -

Basically have a Win08 R2 DHCP server, and a 1941w router.

I've got the internet, got the lan clients getting DHCP ok (with ip helper-address set on the 0/0 internal interface).

Also have the SSID, and wireless clients can connect - but no IPs are being handed out, also not sure if I understand or did the bridging correctly or assigned IPs to the vlan or bvi1 correctly.

for ex:

DHCP server IP:

10.10.2.4

Router Ethernet internal interface 0/0 IP:

10.10.2.1

with helper-address 10.10.2.4 (lan clients are resolving IPs correctly from the DHCP server)

Vlan1 IP address:

10.10.3.1

Does this interface need the helper-address as well? (10.10.2.4)?

wlan-ap 0 IP address:

unnumbered

interface BVI1 IP address (static):

10.10.2.2

am i totally off? not even sure if i have the vlan bridged to the 0/0 adapter or not correctly - but as I said, i can get a wireless client to connect with the SSID.

would appreciate any advice/pointers, thanks


Stephen Rodriguez
Cisco Employee

can you post the config of the router and AP?

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

of course - here is the router config:

=======================================================

Using 5591 out of 262136 bytes

!

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname router

!

boot-start-marker

boot-end-marker

!

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200

logging console critical

enable secret 5 $1$JWwK$.04.NFg7tQ82UTy68/hyv.

!

no aaa new-model

service-module wlan-ap 0 bootimage autonomous

!

no ipv6 cef

no ip source-route

ip cef

!

!

!

!

!

no ip bootp server

ip name-server 10.10.2.4

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-975501586

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-975501586

revocation-check none

rsakeypair TP-self-signed-975501586

!

!

crypto pki certificate chain TP-self-signed-975501586

certificate self-signed 01 nvram:IOS-Self-Sig#3.cer

license udi pid CISCO1941W-A/K9 sn FTX155085QG

hw-module ism 0

!

!

!

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

shutdown

!

interface GigabitEthernet0/0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$

ip address 10.10.2.1 255.255.255.0

ip helper-address 10.10.2.4

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

no mop enabled

!

interface wlan-ap0

description Service module interface to manage the embedded AP

ip unnumbered GigabitEthernet0/0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

arp timeout 0

no mop enabled

no mop sysid

!

interface GigabitEthernet0/1

description $ES_WAN$$FW_OUTSIDE$

ip address dhcp client-id GigabitEthernet0/1

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

no mop enabled

!

interface Wlan-GigabitEthernet0/0

description Internal switch interface connecting to the embedded AP

no ip address

!

interface Vlan1

ip address 10.10.3.1 255.255.255.0

ip helper-address 10.10.2.4

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

!

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list 1 interface GigabitEthernet0/1 overload

!

logging trap debugging

access-list 1 remark INSIDE_IF=GigabitEthernet0/0

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.10.2.0 0.0.0.255

!

no cdp run

!

!

control-plane

!

!

!

line con 0

login local

transport output telnet

line aux 0

login local

transport output telnet

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line 67

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

line vty 0 4

privilege level 15

login local

transport input telnet ssh

line vty 5 15

privilege level 15

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

end

=======================================================

and the ap config:

=======================================================

Using 2067 out of 32768 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname ap

!

enable secret 5 $1$xKDT$GdLGeA6h.H9LKL9l3dPmj.

!

no aaa new-model

!

!

dot11 syslog

!

dot11 ssid WIFI1

   vlan 1

   authentication open

   authentication key-management wpa

   mbssid guest-mode

   wpa-psk ascii 7 044B1E030D2D43632A

!

!

!

!

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption vlan 1 mode ciphers aes-ccm

!

broadcast-key vlan 1 change 30

!

!

ssid WIFI1

!

antenna gain 0

station-role root

!

interface Dot11Radio0.1

encapsulation dot1Q 1 native

no ip route-cache

bridge-group 2

bridge-group 2 subscriber-loop-control

bridge-group 2 block-unknown-source

no bridge-group 2 source-learning

no bridge-group 2 unicast-flooding

bridge-group 2 spanning-disabled

!

interface Dot11Radio1

no ip address

no ip route-cache

!

encryption vlan 1 mode ciphers aes-ccm

!

broadcast-key vlan 1 change 30

!

!

ssid WIFI1

!

antenna gain 0

dfs band 3 block

channel dfs

station-role root

!

interface Dot11Radio1.1

encapsulation dot1Q 1 native

no ip route-cache

bridge-group 2

bridge-group 2 subscriber-loop-control

bridge-group 2 block-unknown-source

no bridge-group 2 source-learning

no bridge-group 2 unicast-flooding

bridge-group 2 spanning-disabled

!

interface GigabitEthernet0

description  the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router

no ip address

no ip route-cache

!

interface GigabitEthernet0.1

encapsulation dot1Q 1 native

no ip route-cache

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface BVI1

ip address 10.10.2.2 255.255.255.0

no ip route-cache

!

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

bridge 1 route ip

!

!

!

line con 0

no activation-character

line vty 0 4

login local

!

end

============================================

ok, so a couple of things.

interface Wlan-GigabitEthernet0/0

description Internal switch interface connecting to the embedded AP

no ip address

This tells me that the AP is going to be in VLAN 1, 10.10.3.x/24, but the AP has a static IP that doesn't match.

Then under the Radio subinterfaces, you call encapsulation dot1q 1 native, but are linked to bridge-group 2.  When you issue the native command, it should place that interface in bridge-group 1.

So to fix this.

Conf t

interface Dot11Radio0.1

bridge-group 1

interface Dot11Radio1.1

bridge-group 1

!

exit

!

Interface BVI 1

ip address dhcp ( or set a 10.10.3.x address)

!

end

wr

Steve

HTH,
Steve


excellent! that worked for passing through dhcp but i have one problem left -

i get all the settings, but there is a problem with getting the internet

i can't ping ip addresses or domain names.

set up manual DNS entries on a wireless client and still nothing.

changed to all manual settings (ip address in the 10.10.2.0 range and the 10.10.3.0 range)

no successful pings.

to clarify - the wired lan clients get the internet - dns resolves correctly.

the wireless clients do not resolve or ping successfully

ok, so the client should be getting 10.10.3.x address space.

You need to add ip nat inside to VLAN 1, and add the 10.10.3.0 to the NAT ACL

Current config only shows 10.10.2.0 in the permit list:

access-list 1 remark INSIDE_IF=GigabitEthernet0/0

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.10.2.0 0.0.0.255

conf t

interface VLAN 1

ip nat inside

exit

access-list 1 permit 10.10.3.0 0.0.0.255

end

wr

once that is done, you should be able to get the wireless clients out to the interwebs.

Steve

HTH,
Steve
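The two-part fix in the reply above (mark the interface ip nat inside, and permit its subnet in the ACL named by the ip nat inside source list rule) can be checked mechanically. This is an added example, not part of the original thread; nat_gaps is a hypothetical helper name, and the sample is constructed from the NAT-relevant lines of the first router config posted above.

```python
import ipaddress
import re

# Constructed sample: NAT-relevant lines of the first router config in the thread.
BEFORE = """\
interface GigabitEthernet0/0
 ip address 10.10.2.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address dhcp client-id GigabitEthernet0/1
 ip nat outside
interface Vlan1
 ip address 10.10.3.1 255.255.255.0
 ip helper-address 10.10.2.4
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 10.10.2.0 0.0.0.255
"""

def nat_gaps(config):
    """Map each statically addressed, non-outside interface to the config lines
    it still needs before its subnet is translated (hypothetical helper)."""
    ifaces, permitted, nat_acl, cur = {}, {}, None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"net": None, "role": None})
        elif cur is not None and (m := re.match(r"ip address (\d\S*) (\d\S*)", line)):
            cur["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif cur is not None and line in ("ip nat inside", "ip nat outside"):
            cur["role"] = line.split()[-1]
        elif m := re.match(r"ip nat inside source list (\d+) ", line):
            nat_acl = m[1]
        elif m := re.match(r"access-list (\d+) permit (\d\S*) (\d\S*)", line):
            # IOS wildcard masks are host masks, which ip_network() accepts directly.
            permitted.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
    gaps = {}
    for name, i in ifaces.items():
        if i["net"] is None or i["role"] == "outside":
            continue  # DHCP-addressed or WAN-facing: nothing to check
        missing = []
        if i["role"] != "inside":
            missing.append("ip nat inside")
        if not any(i["net"].subnet_of(p) for p in permitted.get(nat_acl, [])):
            missing.append(f"access-list {nat_acl} permit {i['net'].network_address} {i['net'].hostmask}")
        if missing:
            gaps[name] = missing
    return gaps

if __name__ == "__main__":
    print(nat_gaps(BEFORE))
```

An empty result means every inside subnet is both marked and permitted; it says nothing about which subnet the DHCP server actually hands out to wireless clients.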


was pulling that up the same time i saw your post.

added the entry - it's now picking up the correct dns suffix in ipconfig

but still no ping or domain resolution on the wireless clients.

====================================================

ip nat inside source list 1 interface GigabitEthernet0/1 overload

!

logging trap debugging

access-list 1 remark INSIDE_IF=GigabitEthernet0/0

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.10.2.0 0.0.0.255

access-list 1 permit 10.10.3.0 0.0.0.255

i am pinging the entire internal network successfully with wireless and wired

both with ip address and machine name

and you added the ip nat inside to the VLAN 1?

Can you post the current config from the router?

Steve

HTH,
Steve


yeah i did both -

current config

========================================

Current configuration : 7040 bytes

!

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname router

!

boot-start-marker

boot-end-marker

!

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200

logging console critical

enable secret 5 $1$JWwK$.04.NFg7tQ82UTy68/hyv.

!

no aaa new-model

service-module wlan-ap 0 bootimage autonomous

!

no ipv6 cef

no ip source-route

ip cef

!

!

!

!

!

no ip bootp server

ip name-server 10.10.2.4

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-975501586

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-975501586

revocation-check none

rsakeypair TP-self-signed-975501586

!

!

hw-module ism 0

!

!

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

shutdown

!

interface GigabitEthernet0/0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$

ip address 10.10.2.1 255.255.255.0

ip helper-address 10.10.2.4

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

no mop enabled

!

interface wlan-ap0

description Service module interface to manage the embedded AP

ip unnumbered GigabitEthernet0/0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

arp timeout 0

no mop enabled

no mop sysid

!

interface GigabitEthernet0/1

description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$

ip address dhcp client-id GigabitEthernet0/1

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

no mop enabled

!

interface Wlan-GigabitEthernet0/0

description Internal switch interface connecting to the embedded AP

no ip address

!

interface Vlan1

ip address 10.10.3.1 255.255.255.0

ip helper-address 10.10.2.4

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly in

!

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list 1 interface GigabitEthernet0/1 overload

!

logging trap debugging

access-list 1 remark INSIDE_IF=GigabitEthernet0/0

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.10.2.0 0.0.0.255

access-list 1 remark WLAN

access-list 1 permit 10.10.3.0 0.0.0.255

!

no cdp run

!

!

control-plane

!

!

!

line con 0

login local

transport output telnet

line aux 0

login local

transport output telnet

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line 67

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

line vty 0 4

privilege level 15

login local

transport input telnet ssh

line vty 5 15

privilege level 15

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

end

what happens if you do a source ping from the vlan 1 interface?  can you traceroute from the client to an address?

HTH,
Steve


traceroute from client - request timed out with DHCP settings.

source ping from 10.10.3.1 succeeds to outside ip

changing a wireless client to the 10.10.3.0 range also successful outside ping.

actually the wireless client gets internet with a 10.10.3.0 range and using the internal DNS server (10.10.2.4)

tracert with the 10.10.3.0 range first hop is 10.10.3.1 == successful.

what do you mean changing the wireless to a 10.10.3.x address?

The AP is linked to VLAN 1/10.10.3.0.  What address are you assigning to the clients?

Do you want them to be in a different subnet?

Steve

HTH,
Steve


just testing, no don't want the wireless clients to be in a different subnet.

didn't change anything on the router/ap config

just tested a wireless client with a random ip from the 10.10.3.0 range

ip settings on client:

ip: 10.10.3.25/24

gateway: 10.10.3.1 (the vlan1)

dns: 10.10.2.4

got internet access.

when dhcp is assigned:

10.10.2.xx/24

gateway: 10.10.2.1

dns: 10.10.2.4

no internet access on wireless clients.
