09-03-2014 12:58 PM - edited 03-07-2019 08:37 PM
Hi, I hope someone could help.
I'm trying to get DHCP to my Guest SSID from my access point.
The thing is that when I connect to SSID 1 I get DHCP from VLAN 1 and that's OK.
When I connect to SSID 2 (VLAN 2) there is no DHCP at all.
AP:
Operation Mode: Multi SSID
Enable VLAN: (selected)
SSID1: VLAN ID:
SSID2: VLAN ID:
SSID3: VLAN ID:
SSID4: VLAN ID:
Region:
Warning: Ensure you select a correct country to conform to local law. Incorrect settings may cause interference.
Channel:
Mode: 11bgn
Channel Width:
Max Tx Rate: 300mbps
Enable VLAN is selected.
Router:
871 ISR
Router#sh run
Building configuration...
Current configuration : 7524 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login AAA_AUTH_LOCAL local
aaa authorization exec default local
!
!
aaa session-id common
!
crypto pki trustpoint
xxxxxxxxxxxx
quit
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 172.16.0.1
ip dhcp excluded-address 172.16.0.2
ip dhcp excluded-address 172.16.1.1
!
ip dhcp pool DHCPPOOL
network 172.16.0.0 255.255.255.0
default-router 172.16.0.2
dns-server 192.168.0.2
!
!
ip dhcp pool GUEST
network 172.16.1.0 255.255.255.0
default-router 172.16.1.0
dns-server 192.168.0.2
!
ip dhcp pool AP-LS
host 172.16.1.3 255.255.255.0
client-identifier xxxx.xxx.xxx.xx
!
!
ip cef
ip domain name router.local
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
vtp mode transparent
username xxxxxxxxxx privilege 15 secret 5 xxxxxxx
username xxxxxxxxxx privilege 15 secret 5 xxxxxxx
!
!
!
archive
log config
hidekeys
!
!
vlan 2
!
ip ssh version 2
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map match-all ips_class_map
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
description $FW_INSIDE$
ip address 172.16.0.2 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan2
description GUEST
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 permit 172.16.0.0 0.0.0.255
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 permit ip any any
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login authentication local
transport input ssh
!
exception data-corruption buffer truncate
scheduler max-task-time 5000
end
Thanks :)
09-04-2014 02:03 AM
How is the switch port where the router is connected configured? I think that you must configure the router on a stick, so you can configure the native VLAN and the DHCP packets can pass.
09-04-2014 02:11 AM
Hi Mr. Moreno,
From the router configuration it seems that you do not have any interface belonging to VLAN 2 or in trunking mode. All LAN interfaces (0 to 3) belong to VLAN 1 by default. You need at least one interface in VLAN 2 or a trunk.
You have also mistaken the DHCP GUEST default-router configuration: you added the network address (default-router 172.16.1.0) instead of the router address (default-router 172.16.1.1).
I hope this will help you.
Best regards,
Pedro Lereno
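The two fixes described in this reply, written out as an added example against the thread's own addresses (this is not configuration from the thread; the AP port FastEthernet3 and the lease time are assumptions):

```cisco
! Added example, not from the thread. Addresses are the thread's; the AP port
! (FastEthernet3) and the 4-hour lease are assumptions.
!
! 1. GUEST pool. Posted: "default-router 172.16.1.0" (the network address,
!    which no client can use as a gateway). The gateway is the Vlan2 SVI,
!    172.16.1.1; it is already excluded so the pool never leases it out.
ip dhcp excluded-address 172.16.1.1
ip dhcp pool GUEST
 network 172.16.1.0 255.255.255.0
 default-router 172.16.1.1
 dns-server 192.168.0.2
 lease 0 4
!
! 2. A port that actually carries VLAN 2. The 871's Fa0-Fa3 are access ports
!    in VLAN 1 unless told otherwise, so frames the AP tags with VLAN 2 are
!    dropped at the port. Make it an 802.1Q trunk: native VLAN 1 (SSID1,
!    untagged) plus tagged VLAN 2 (SSID2), and allow only those two VLANs
!    instead of the 1-4094 default.
vlan 2
interface FastEthernet3
 description AP TL-WA901ND (multi-SSID, VLAN tagging on)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,2
 switchport mode trunk
!
! Check the result
show vlan-switch
show interfaces trunk
show ip dhcp pool GUEST
show ip dhcp binding
```

`show interfaces trunk` should list Fa3 as trunking with VLANs 1-2 allowed and active; `show ip dhcp binding` shows whether any 172.16.1.x lease has been handed out once a client on SSID2 asks for one.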
09-04-2014 09:58 AM
Hi Mr. Lereno,
Thank you for your quick reply and for being sharp in analysing the configuration.
I did change the default-router to 172.16.1.1.
I also changed the interface connected to the access point to:
switchport trunk allowed vlan add 1,2
The thing is that I use an access point that hosts two SSIDs from different VLANs (1, 2) on the same port, Fa2 in that case.
After making the changes I am still unable to get DHCP from the SSID on VLAN 2, but as before VLAN 1 is OK.
Please advise.
Best Regards,
Antoni
09-04-2014 12:46 PM
Hi Mr Moreno,
You also need to add on the interface configuration:
switchport mode trunk // if not, it will use only access mode on VLAN 1
What is the configuration on the access point (interfaces)?
You need to create two bridges between the subinterfaces on the Ethernet side and on the wireless interface.
This is an example of an AP with two VLANs (1 and 20):
!
dot11 ssid vlan20
vlan 20
!
dot11 ssid vlan1
vlan 1
bridge irb
!
!
interface Dot11Radio0
ssid vlan1
ssid vlan20
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.20
encapsulation dot1Q 20
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
!
interface FastEthernet0
interface FastEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.20
encapsulation dot1Q 20
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
!
I hope this will help.
Regards,
Pedro Lereno
09-04-2014 01:17 PM
Hi Mr. Lereno,
Thank you again,
The router is a Cisco 871.
The AP is a TP-Link without CLI, just a web interface config, and it is limited to:
1. Multi SSID that assigns to VLAN.
2. Here is an emulator for my AP:
http://www.tp-link.com/resources/simulator/TL-WA901ND_V3/Index.htm
Thanks in advance
Antoni
09-05-2014 03:01 AM
Hi Mr. Moreno,
I do not have experience with TP-Link. From what I checked on the emulator, make sure on (wireless configuration):
operation mode -> multi-ssid
enable vlan box enabled
From the router side (interface configuration):
switchport mode trunk
switchport trunk encapsulation dot1q
The command that you added (switchport trunk allowed vlan add 1,2) will permit VLANs 1 and 2 only when in trunking mode (forced or negotiated); you need to force the trunking mode with "switchport mode trunk".
Check the config with the following commands:
show int status
show int trunk
show vlans
Regards,
Pedro Lereno
09-05-2014 06:48 AM
Hi Mr. Lereno,
Thank you again.
I do not know if it is a good idea, but my vlan2 is Interface VLAN2 and not vlan2.
Router#sh vlans
No Virtual LANs configured.
Just added the configuration changes that you suggested and I will try this in the next minutes.
Kind Regards,
Antoni
Edit:
Still no DHCP on SSID2 / VLAN2 :(
Port        Mode         Encapsulation  Status        Native vlan
Fa3         on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa3         1-4094

Port        Vlans allowed and active in management domain
Fa3         1-2

Port        Vlans in spanning tree forwarding state and not pruned
Fa3         1-2
DOORS#show int stat
FastEthernet0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor          0          0          0          0
             Route cache          0          0          0          0
                   Total          0          0          0          0
FastEthernet1
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor     177213   43112337     502014  246694268
             Route cache          0          0          0          0
                   Total     177213   43112337     502014  246694268
FastEthernet2
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor     548225   67050713     889382  614508932
             Route cache          0          0     209760   12585600
                   Total     548225   67050713    1099142  627094532
FastEthernet3
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor     624774   79715009    1308638 1310136575
             Route cache          0          0     171547   10292820
                   Total     624774   79715009    1480185 1320429395
FastEthernet4
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor      67849    8100427      75332    7951694
             Route cache    1794772 2071656886    1157350      14895
                   Total    1862621 2079757313    1232682    7966589
Interface NVI0 is disabled
Vlan1
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor     150303   15243186      88597   10225572
             Route cache    1175818  163789663    1794769 2071080416
                   Total    1326121  179032849    1883366 2081305988
Vlan2
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor        523      48203        201      14034
             Route cache       1730     618548          0          0
                   Total       2253     666751        201      14034
09-05-2014 09:48 AM
Hi Mr. Moreno,
It seems right from the router!
Anyway issue the following commands:
show vlan-switch
show ip interface brief
show run all | s FastEthernet3
Check if vlan 2 has a spanning-tree instance:
show spanning-tree
If not, go to config mode and issue the command: spanning-tree vlan 2
Then: show spanning-tree vlan 2
Regards,
Pedro Lereno
09-05-2014 02:20 PM
Hi Mr. Lereno,
Thanks again and here it is:
Router#show vlan-swit
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0, Fa1, Fa2
2    VLAN0002                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
2    enet  100002     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0
Router#sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  up                    down
FastEthernet1              unassigned      YES unset  up                    up
FastEthernet2              unassigned      YES unset  up                    up
FastEthernet3              unassigned      YES unset  up                    up
FastEthernet4              192.168.0.3     YES DHCP   up                    up
NVI0                       unassigned      YES unset  administratively down down
Vlan1                      172.16.0.2      YES NVRAM  up                    up
Vlan2                      172.16.1.1      YES NVRAM  up                    up
Router#show run all | s FastEthernet3
interface FastEthernet3
switchport access vlan 1
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1-4094
switchport mode trunk
switchport voice vlan none
switchport priority extend none
switchport priority default 0
snmp trap link-status
ip igmp snooping tcn flood
Router#show spanning-tree
VLAN1 is executing the ieee compatible Spanning Tree protocol
Bridge Identifier has priority 32768, address xxxxxxxxxxx
Configured hello time 2, max age 20, forward delay 15
We are the root of the spanning tree
Topology change flag not set, detected flag not set
Number of topology changes 1 last change occurred 07:06:03 ago
from FastEthernet1
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 0, notification 0, aging 300
Port 2 (FastEthernet1) of VLAN1 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.2.
Designated root has priority 32768, address xxxxxxxxxxx
Designated bridge has priority 32768, address xxxxxxxxxxx
Designated port id is 128.2, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 12792, received 0
Port 3 (FastEthernet2) of VLAN1 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.3.
Designated root has priority 32768, address xxxxxxxxxxx
Designated bridge has priority 32768, address xxxxxxxxxxx
Designated port id is 128.3, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 12792, received 0
Port 4 (FastEthernet3) of VLAN1 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.4.
Designated root has priority 32768, address xxxxxxxxxxx
Designated bridge has priority 32768, address xxxxxxxxxxx
Designated port id is 128.4, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 25588, received 0
VLAN2 is executing the ieee compatible Spanning Tree protocol
Bridge Identifier has priority 32768, address xxxxxxxxxxx
Configured hello time 2, max age 20, forward delay 15
We are the root of the spanning tree
Topology change flag not set, detected flag not set
Number of topology changes 1 last change occurred 07:06:08 ago
from FastEthernet3
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 1, topology change 0, notification 0, aging 300
Port 4 (FastEthernet3) of VLAN2 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.4.
Designated root has priority 32768, address xxxxxxxxxxx
Designated bridge has priority 32768, address xxxxxxxxxxx
Designated port id is 128.4, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
BPDU: sent 12796, received 0
Thanks again
Best Regards,
Antoni
09-06-2014 12:10 AM
Hi Mr. Moreno,
VLAN 2 is active and FastEthernet3 is a trunk; this is right.
You do not have any switch between the AP and the router?
So we need to do some debugging. Let's try:
1.
debug ip dhcp server events // do not forget "term mon" if you are remotely connected to the router
With debug on, connect a PC to VLAN 1 and another to VLAN 2 and check the differences in the debug output.
2.
Connect a physical port of the router (if available) to VLAN 2, for example:
int FastEthernet0
switchport access vlan 2
and connect a PC directly to this port; check if it gets an IP address and compare the debug output.
3.
If point 2 is OK, manually assign an IP address to a PC on the wireless SSID for VLAN 2. Check if it can ping the router.
If point 2 is not OK, the problem is within the router. We have to do more debugging.
4.
Sniffing. You need to shut down the wireless network!
Connect the AP's Ethernet side directly to a PC with Wireshark or tcpdump (you may need a cross-over cable).
Connect a PC to each VLAN and check that the VLAN tag for VLAN 2 is correct (send me the output).
Have a nice weekend.
Best Regards,
Pedro Lereno
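Steps 1 and 2 of the procedure above as they would be typed on the 871, as an added example that is not part of the thread. The spare port (FastEthernet0) is an assumption, and the DHCP debug lines quoted in the comments are the IOS 12.4 DHCP-server debug format from memory, given to show what to look for, not captured from this router.

```cisco
! Added example, not from the thread. FastEthernet0 as the spare port is an
! assumption; the "DHCPD:" lines in comments are illustrative.
terminal monitor                     ! only needed on a vty (SSH) session
debug ip dhcp server events
debug ip dhcp server packet
!
! Step 2: bring VLAN 2 to a wired port so the AP is out of the picture
configure terminal
 interface FastEthernet0
  switchport access vlan 2
  no shutdown
 end
!
! While a PC on that port asks for a lease, expect something like:
!   DHCPD: DHCPDISCOVER received from client 01xx.xxxx.xxxx on interface Vlan2.
!   DHCPD: Sending DHCPOFFER to client 01xx.xxxx.xxxx (172.16.1.x).
! Wired PC gets a lease, SSID2 client does not -> the router side is fine;
!   the tag is lost at the AP or in whatever sits between AP and router (step 4).
! Neither gets a lease -> router side. A line like
!   DHCPD: there is no address pool for 172.16.1.1.
!   means no pool covers the Vlan2 subnet.
!
show ip dhcp server statistics       ! do the DISCOVER/OFFER counters move?
show ip dhcp binding                 ! any 172.16.1.x lease handed out?
show mac-address-table               ! is the client's MAC learned on VLAN 2 via Fa3?
show interfaces FastEthernet3 switchport
undebug all
```

For step 4, on the sniffing PC `tcpdump -e -nn -i eth0 'vlan 2 and (udp port 67 or udp port 68)'` prints only DHCP frames that carry an 802.1Q tag with VID 2; if the SSID2 client's DISCOVERs show up untagged or with another VID, the AP is not tagging as configured.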
09-06-2014 04:47 AM
Hi Mr. Lereno,
Thank you again, you are a genius.
It was the switch that was buried under my desk.
It's working now :)
I will set up the VLAN tagging on the switch and I'm done.
Now I just need to isolate SSID 2 on VLAN 2, since from the guest VLAN I can SSH to the router and see the VLAN 1 network.
Thank you again you are the best.
Have a nice weekend.
Best Regards,
Antoni
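The isolation the last post asks for, as an added example that is not part of the thread. It uses the thread's addresses (Vlan1 172.16.0.0/24 with the router at 172.16.0.2, Vlan2 172.16.1.0/24 with the router at 172.16.1.1, DNS at 192.168.0.2, the router's outside address 192.168.0.3 from `sh ip int bri`); the ACL name and number are assumptions.

```cisco
! Added example, not from the thread. ACL name/number are assumptions.
!
! Inbound on the guest SVI: guests get DHCP and ping to their gateway,
! nothing into the trusted LAN, nothing else to the router, the rest out.
ip access-list extended GUEST-IN
 remark Router itself: DHCP (client source is 0.0.0.0) and echo to the gateway
 permit udp any eq bootpc any eq bootps
 permit icmp 172.16.1.0 0.0.0.255 host 172.16.1.1 echo
 remark No guest traffic into VLAN 1 or to the gateway's SSH/HTTP
 deny   ip 172.16.1.0 0.0.0.255 172.16.0.0 0.0.0.255 log
 deny   ip 172.16.1.0 0.0.0.255 host 172.16.1.1 log
 remark Everything else: DNS at 192.168.0.2 and Internet via NAT on Fa4.
 remark Only the guest subnet as source, so spoofed sources hit the implicit deny.
 permit ip 172.16.1.0 0.0.0.255 any
!
interface Vlan2
 ip access-group GUEST-IN in
!
! GUEST-IN does not cover the router's outside address (192.168.0.3), which a
! guest can still route to, so restrict management to the inside LAN as well.
access-list 10 permit 172.16.0.0 0.0.0.255
line vty 0 4
 access-class 10 in
ip http access-class 10
!
! Verify from a guest client: ssh/https to 172.16.1.1, 172.16.0.2 and
! 192.168.0.3 must fail; ping 172.16.1.1, DNS and Internet must still work.
show ip access-lists GUEST-IN
```

Two caveats. First, an ACL on the SVI only sees traffic that crosses the router: guest-to-guest traffic and anything on VLAN 2 itself never reach it. The posted config reserves 172.16.1.3 for the AP (pool AP-LS), which puts the AP's management address inside the guest VLAN; guests can reach it at layer 2 regardless of this ACL, so move the AP's management into VLAN 1 or use the AP's own client-isolation setting if it has one. Second, none of the interfaces in the posted `sh run` carry `zone-member security`, so the CCP-generated zone-based firewall is not applied to this path and the ACL is what actually does the filtering.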
09-05-2014 12:03 PM
I think you have a typo here:
-
ip dhcp pool GUEST
network 172.16.1.0 255.255.255.0
default-router 172.16.1.0
-
Change the default-router to be 172.16.1.1.
HTH.
Rgrds,
Martin, IT Specialist