Can't access Access Point (VLAN problems)

matejzerovnik · ‎12-18-2011

Hello!

I have the next network:

Configuration on 3650:

interface Vlan3

description ===== ID-180, wifi1=====

ip address x.x.x.x 255.255.255.224

ip access-group 115 in

ip access-group 114 out

no ip redirects

!

interface Vlan4

description ===== ID-180, wifi2=====

ip address y.y.y.y 255.255.255.224

ip access-group 117 in

ip access-group 116 out

no ip redirects

!

interface Vlan5

description ===== ID-180, management =====

ip address z.z.z.1 255.255.255.240

ip access-group 119 in

ip access-group 118 out

no ip redirects

!

interface FastEthernet0/5

description ===== ID-180, managemenet =====

switchport access vlan 5

switchport mode access

!

interface FastEthernet0/7

description ===== ID-180, WIFI =====

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 3-5

switchport mode trunk

Configuration on wifi AP:

interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

bridge-group 254

no bridge-group 254

!

interface FastEthernet0.5

encapsulation dot1Q 5

no ip route-cache

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface FastEthernet0.3

encapsulation dot1Q 3

no ip route-cache

bridge-group 3

no bridge-group 3 source-learning

bridge-group 3 spanning-disabled

!

interface FastEthernet0.4

encapsulation dot1Q 4

no ip route-cache

bridge-group 4

no bridge-group 4 source-learning

bridge-group 4 spanning-disabled

!

interface BVI1

ip address z.z.z.2 255.255.255.240

no ip route-cache

!

ip default-gateway z.z.z.1

PC has IP z.z.z.3.

The problem is, I can't access AP. I'm very new to the whole cisco scene and vlan's, but as far as I read documentation about the things, I think that this configuration should work, but it doesn't.

One option, I could try, is to change vlan 5 as native on port 7 on switch and as native on AP. The problem is I don't have access to switch and can't do any changes there. I might be able to convince switch admin to do it, but I'm not sure.

On the other side, I'm courius as to why the thing doesnt work? If I understand correctly, PC send out untagged frame, which gets tagged on switch as vlan5 and then switch sends it out to trunk on port 7. AP receives it and, since it's tagged as vlan5, it delivers it to interface fastethernet0.5, which is connected to BVI1 via bridge-group 1. Is that correct? So in theory, this should work? And if not, why not or what am I missing?

I'm not sure if I saw that correctly, but I think that I saw packages beeing received on AP(on status page of FastEthernet IF), but none was send...

Thanks for the help!

JohnTylerPearce · ‎12-18-2011

From the looks of this, it seems as if you are trying to do Router-On-A-Switch with the AP. I'm not sure you can even do routing like that on an AP.... I would configure the switch as a L3 device, and configure the routing on the L3 switch itself. I woudl then configure the AP, just as an AP. From looking at the configuration, you should have routing setup on the L3 switch, since you have multiple interface vlans. Those should all be directly connected interfaces. I dont see a default route but that's up to you if you want to put one in there, in theory you don' t to. As far as the configuration for the AP goes, I've never really just configured and AP by itself, I just configure them to work with a WLC, but this setup is autononmous so you obviously don't need a WLC.

matejzerovnik · ‎12-18-2011

Why do you think I want to do router-on-a-switch with AP? I don't know which part of configuration is trying to do that.

Switch should be configured as L3 and AP should just be AP(or, to be exact, bridge device between wlan and ethernet).

Almost the same configuration is used here:

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml

The difference is only the management vlan, which is 1 and set to native on AP and on switch in the arcticle. I think if I would set vlan 5 as native on AP and switch in my case, things would start to work, but unfortunately, I don't have access to switch.

JohnTylerPearce · ‎12-18-2011

From looking at the documentation I noticed the following.

Because interface BVI 1 is associated to the subinterface of the Native VLAN, the IP address assigned to interface BVI 1 must be in the same IP subnet as other infrastructure devices on the network (i.e. interface SC0 on a Catalyst switch that runs CatOS.)

What is the native vlan on the switch? If it's 5, try to set vlan 5 as native on the AP.

matejzerovnik · ‎12-18-2011

I think native vlan on switch is vlan1(don't have access to switch, but I saw some configuration files).

Matej

matejzerovnik · ‎12-18-2011

Just for a test, I plugged vmware guest to a trunk port and set guests vlanid to 3, set it's IP to x.x.x.130 and tried to ping x.x.x.129. No success! Why?

Guest sends frame with VLANID that can travel along the trunk port and when it reaches switch, it should reply, since ip x.x.x.129 is IP of vlan3 interface:

interface Vlan3

description ===== ID-180, wifi1=====

ip address x.x.x.129 255.255.255.224

ip access-group 115 in

ip access-group 114 out

no ip redirects

!

JohnTylerPearce · ‎12-18-2011

Can you post the configuration the ACLs configured on the switch?

JohnTylerPearce · ‎12-18-2011

In the configured of the AP, can you verify that the c,ommand 'bridge irb' is configured, this command enables IRB, also can you ensure that 'bridge 1 route ip' is also configured? Whenever, you can please verify that the native vlan on the switchports connected to the trunk between the AP and the switch are the same.

matejzerovnik · ‎12-18-2011

Will get all the answers tomorrow, when I return to the company! Thanks for the help..

matejzerovnik · ‎12-25-2011

Sorry for late answer.

Ok so, 'bridge irb' and 'bridge 1 route ip' seems to be configured.

As for native vlan's, they are both set to vlan 1. So native vlan's are 1, but trunk only accepts 3-5 and the port where management PC is plugged into the switch is set as 'access port' and 'vlan 5'(not native).

AP:

interface FastEthernet0.5

encapsulation dot1Q 5

no ip route-cache

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

Switch:

interface Vlan5

description ===== ID-180, management =====

ip address z.z.z.1 255.255.255.240

ip access-group 119 in

ip access-group 118 out

no ip redirects

!

interface FastEthernet0/5

description ===== ID-180, managemenet =====

switchport access vlan 5

switchport mode access

!

interface FastEthernet0/7

description ===== ID-180, WIFI =====

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 3-5

switchport mode trunk

Ooo and access-group is not blocking anything important, only local ethernet IPs(192. and 10.), since I have public IPs on all the devices.

Matej

JohnTylerPearce · ‎12-26-2011

I have a few questions for ya. The BVI address on the 3650, what vlan/network range is it configured on? Also, according to your first post, how did you try to access the AP from the client PC?

matejzerovnik · ‎12-27-2011

Found the problem. It looked like I forgot to remove the bridge-group 1 from FastEthernet0 and it didn't get assigned to FastEthernet0.5. I fixed that and now it's working... JUHEY!

Thanks for the help, Matej

JohnTylerPearce · ‎12-27-2011

Glad you got it working matej. Got a question for ya, Was the Fa0 with the bridge-group 1 that was removed, on the AP or hte switch?

matejzerovnik · ‎12-27-2011

It was on the AP.

Matej