Trouble with vlan/trunking on 1142+2960S+ASA5505

Samuel Eng
Level 1

Hi, I'm trying to configure a 1142N AP + 2960-S + ASA5505 with wireless, VLANs and trunking, with no success. DHCP is provided by my DHCP server on the inside. Here's my config:

Thanks/Sam

AP

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname AP-TRI-LABB

!

enable secret 5 $1$6Xtu$1v76qIsBXYBEFPJO6tiyX/

!

no aaa new-model

ip domain name triathlon.local

!

!

dot11 syslog

!

dot11 ssid TRI-LABB

   vlan 80

   authentication open

   authentication key-management wpa version 2

   mbssid guest-mode

   wpa-psk ascii 7 03104902071B29404107

!

!

!

username Cisco password 7 062506324F41

username admin privilege 15 secret 5 $1$EWxG$.l0ECJtBxrnbZldnVbbwQ0

!

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption vlan 80 mode ciphers aes-ccm

!

ssid TRI-LABB

!

antenna gain 0

mbssid

channel 2467

station-role root

!

interface Dot11Radio0.80

encapsulation dot1Q 80 native

ip helper-address 192.168.1.20

no ip route-cache

bridge-group 80

bridge-group 80 subscriber-loop-control

bridge-group 80 block-unknown-source

no bridge-group 80 source-learning

no bridge-group 80 unicast-flooding

bridge-group 80 spanning-disabled

!

interface Dot11Radio1

no ip address

no ip route-cache

!

encryption vlan 80 mode ciphers aes-ccm

!

ssid TRI-LABB

!

antenna gain 0

no dfs band block

mbssid

channel width 40-above

channel dfs

station-role root

!

interface Dot11Radio1.80

encapsulation dot1Q 80 native

ip helper-address 192.168.1.20

no ip route-cache

bridge-group 80

bridge-group 80 subscriber-loop-control

bridge-group 80 block-unknown-source

no bridge-group 80 source-learning

no bridge-group 80 unicast-flooding

bridge-group 80 spanning-disabled

!

interface GigabitEthernet0

no ip address

ip helper-address 192.168.1.20

no ip route-cache

duplex auto

speed auto

no keepalive

!

interface GigabitEthernet0.80

encapsulation dot1Q 80 native

ip helper-address 192.168.1.20

no ip route-cache

bridge-group 80

no bridge-group 80 source-learning

bridge-group 80 spanning-disabled

!

interface BVI1

ip address 192.168.1.32 255.255.255.0

ip helper-address 192.168.1.20

no ip route-cache

!

ip default-gateway 192.168.1.1

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

bridge 1 route ip

!

!

!

line con 0

line vty 0 4

login local

!

end

2960-S Switch (port 1 to AP, port 24 to ASA)

version 12.2

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname TRIGOTSW01

!

boot-start-marker

boot-end-marker

!

enable password TgbYhn!23

!

!

!

no aaa new-model

switch 1 provision ws-c2960s-24ps-l

!

!

!

!

!

spanning-tree mode pvst

spanning-tree extend system-id

!

!

!

!

vlan internal allocation policy ascending

!

!

!

interface FastEthernet0

ip address 192.168.1.41 255.255.255.0

!

interface GigabitEthernet1/0/1

switchport trunk native vlan 80

switchport mode trunk

switchport nonegotiate

!

interface GigabitEthernet1/0/2

!

interface GigabitEthernet1/0/3

!

interface GigabitEthernet1/0/4

!

interface GigabitEthernet1/0/5

!

interface GigabitEthernet1/0/6

!

interface GigabitEthernet1/0/7

!

interface GigabitEthernet1/0/8

!

interface GigabitEthernet1/0/9

!

interface GigabitEthernet1/0/10

!

interface GigabitEthernet1/0/11

!

interface GigabitEthernet1/0/12

!

interface GigabitEthernet1/0/13

!

interface GigabitEthernet1/0/14

!

interface GigabitEthernet1/0/15

!

interface GigabitEthernet1/0/16

!

interface GigabitEthernet1/0/17

!

interface GigabitEthernet1/0/18

!

interface GigabitEthernet1/0/19

!

interface GigabitEthernet1/0/20

!

interface GigabitEthernet1/0/21

!

interface GigabitEthernet1/0/22

!

interface GigabitEthernet1/0/23

!

interface GigabitEthernet1/0/24

switchport trunk native vlan 80

switchport mode trunk

switchport nonegotiate

!

interface GigabitEthernet1/0/25

!

interface GigabitEthernet1/0/26

!

interface GigabitEthernet1/0/27

!

interface GigabitEthernet1/0/28

!

interface Vlan1

no ip address

shutdown

!

ip http server

ip http secure-server

ip sla enable reaction-alerts

!

line con 0

line vty 5 15

!

end

ASA5505 (port 0/3 to switch)

hostname TRIGOTASA01

domain-name triathlon.local

enable password v4fmcWqoQy.l8i1X encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

shutdown

no nameif

security-level 100

no ip address

!

interface Vlan2

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.248

!

interface Vlan10

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan80

nameif wireless

security-level 100

ip address 192.168.80.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport access vlan 10

!

interface Ethernet0/2

switchport access vlan 10

!

interface Ethernet0/3

switchport trunk allowed vlan 2,10,80

switchport trunk native vlan 80

switchport mode trunk

!

interface Ethernet0/4

switchport access vlan 10

!

interface Ethernet0/5

switchport trunk allowed vlan 2,10,80

switchport trunk native vlan 10

switchport mode trunk

!

interface Ethernet0/6

switchport access vlan 10

!

interface Ethernet0/7

switchport trunk allowed vlan 2,10,80

switchport trunk native vlan 10

switchport mode trunk

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name triathlon.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network OBJ-INSIDE

subnet 192.168.1.0 255.255.255.0

object network OBJ-VPN

subnet 192.168.50.0 255.255.255.0

object network OBJ-WIRELESS

subnet 192.168.80.0 255.255.255.0

access-list SSLVPN_SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging buffered informational

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu wireless 1500

mtu labb 1500

ip local pool VPN_POOL 192.168.50.100-192.168.50.130 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any wireless

asdm image disk0:/asdm-641.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static OBJ-INSIDE OBJ-INSIDE destination static OBJ-VPN OBJ-VPN

!

object network OBJ-INSIDE

nat (inside,outside) dynamic interface

object network OBJ-WIRELESS

nat (wireless,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 83.218.72.241 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 wireless

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

ssh version 2

console timeout 0

management-access inside

dhcpd auto_config outside

!

dhcprelay server 192.168.1.20 inside

dhcprelay enable wireless

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 192.36.133.17 source outside prefer

webvpn

enable outside

anyconnect image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 1

anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2

anyconnect image disk0:/anyconnect-win-2.5.3055-k9.pkg 3

anyconnect enable

tunnel-group-list enable

group-policy SSLVPN internal

group-policy SSLVPN attributes

dns-server value 192.168.1.10

vpn-tunnel-protocol ssl-client

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SSLVPN_SPLIT_TUNNEL

default-domain value triathlon.local

split-dns value triathlon.local

address-pools value VPN_POOL

group-policy TRIGROUP internal

group-policy TRIGROUP attributes

dns-server value 192.168.1.10

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SSLVPN_SPLIT_TUNNEL

default-domain value triathlon.local

split-dns value triathlon.local

address-pools value VPN_POOL

username admin password EzAev6eqAFlJ7Hg7 encrypted privilege 15

tunnel-group WEBVPN type remote-access

tunnel-group WEBVPN general-attributes

default-group-policy SSLVPN

tunnel-group WEBVPN webvpn-attributes

group-alias WEBVPN enable

tunnel-group vpngroup1 type remote-access

tunnel-group vpngroup1 general-attributes

address-pool VPN_POOL

default-group-policy TRIGROUP

tunnel-group vpngroup1 ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

  inspect ip-options

  inspect pptp

!


Giuseppe Larosa
Hall of Fame

Hello Samuel,

On the access point you should use BVI80 instead of BVI1; the BVI number should follow the bridge-group number, as it tells which bridge group it refers to.

On the ASA you have configured the IP address 192.168.80.x under vlan80, but on the AP you have 192.168.1.y on the BVI; they are in different IP subnets, so you need to fix this by deciding on one.

Hope to help

Giuseppe

Ok, but is naming it BVI80 necessary?

And I thought native VLANs were created for giving the AP an address that is in the management subnet (VLAN 10?). I've done this before without the switch in between.

Hello Samuel,

>> Ok, but is naming it BVI80 necessary?

Yes, unless you change all the commands referring to bridge-group 80 to bridge-group 1.

>> And I thought native VLANs were created for giving the AP an address that is in the management subnet (VLAN 10?). I've done this before without the switch in between.

In the current configuration the native VLAN is 80 everywhere; if you want to change it to 10 you can, of course.

Hope to help

Giuseppe
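As an added illustration of the two points Giuseppe raises (the BVI number must match the bridge-group number, and the AP's BVI address must sit in the subnet of the ASA interface for the VLAN the AP is bridged into), plus the native-VLAN agreement discussed in the follow-up, here is a small Python consistency checker. It is not code from the thread or from Cisco. The three config strings are constructed, trimmed excerpts of the posted configs (addresses and VLAN numbers as posted), the parser only understands the stanza forms shown there, and the interface names used to pick the trunk ends (GigabitEthernet0.80, GigabitEthernet1/0/1, GigabitEthernet1/0/24, Ethernet0/3) are taken from the thread.

```python
import ipaddress
import re

# Constructed, trimmed excerpts of the posted configs: only the stanzas the checks read.
AP_CONFIG = """\
interface GigabitEthernet0.80
 encapsulation dot1Q 80 native
 bridge-group 80
!
interface BVI1
 ip address 192.168.1.32 255.255.255.0
!
bridge 1 route ip
"""
SWITCH_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport trunk native vlan 80
!
interface GigabitEthernet1/0/24
 switchport trunk native vlan 80
"""
ASA_CONFIG = """\
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan80
 ip address 192.168.80.1 255.255.255.0
!
interface Ethernet0/3
 switchport trunk native vlan 80
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw[:1].isspace() and current is not None:
            interfaces[current].append(raw.strip())
        else:  # '!' or any other top-level line (e.g. 'bridge 1 route ip') closes the stanza
            current = None
    return interfaces

def native_vlan_of(cmds):
    """Native VLAN of a trunk port or of an AP dot1Q sub-interface; None if neither."""
    for cmd in cmds:
        m = (re.fullmatch(r"switchport trunk native vlan (\d+)", cmd)
             or re.fullmatch(r"encapsulation dot1Q (\d+) native", cmd))
        if m:
            return int(m.group(1))
    return None

def ip_of(cmds):
    """First 'ip address A MASK' in a stanza, as an ipaddress interface object."""
    for cmd in cmds:
        m = re.fullmatch(r"ip address (\S+) (\S+)", cmd)
        if m:
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return None

def bvi_bridge_group_mismatch(ap):
    """Point 1: BVI number must equal its bridge-group. Returns (groups lacking a BVI, BVIs lacking a group)."""
    bvis = {int(m.group(1)) for n in ap if (m := re.fullmatch(r"BVI(\d+)", n))}
    groups = {int(m.group(1)) for cmds in ap.values() for c in cmds
              if (m := re.fullmatch(r"bridge-group (\d+)", c))}
    return sorted(groups - bvis), sorted(bvis - groups)

def bvi_in_asa_subnet(ap, asa, vlan):
    """Point 2: is the AP's BVI address inside the ASA 'interface VlanN' subnet? None if an address is missing."""
    bvi_ip = next((ip_of(c) for n, c in ap.items() if n.startswith("BVI")), None)
    asa_ip = ip_of(asa.get(f"Vlan{vlan}", []))
    if bvi_ip is None or asa_ip is None:
        return None
    return bvi_ip.network == asa_ip.network

def trunk_native_consistent(side_a, side_b):
    # Point 3: both ends of a trunk must agree on the native VLAN.
    a, b = native_vlan_of(side_a), native_vlan_of(side_b)
    return a, b, (a is not None and a == b)

def run_checks():
    """Run all checks over the thread's path: AP -- Gi1/0/1 [switch] Gi1/0/24 -- Eth0/3 ASA."""
    ap, sw, asa = map(parse_interfaces, (AP_CONFIG, SWITCH_CONFIG, ASA_CONFIG))
    findings = []
    no_bvi, no_group = bvi_bridge_group_mismatch(ap)
    if no_bvi or no_group:
        findings.append(f"AP: bridge-group {no_bvi} has no BVI, BVI {no_group} has no bridge-group")
    vlan = native_vlan_of(ap["GigabitEthernet0.80"])
    if bvi_in_asa_subnet(ap, asa, vlan) is False:
        findings.append(f"AP: BVI address is outside the ASA Vlan{vlan} subnet")
    links = [("AP Gi0.80 <-> switch Gi1/0/1", ap["GigabitEthernet0.80"], sw["GigabitEthernet1/0/1"]),
             ("switch Gi1/0/24 <-> ASA Eth0/3", sw["GigabitEthernet1/0/24"], asa["Ethernet0/3"])]
    for label, a, b in links:
        va, vb, ok = trunk_native_consistent(a, b)
        if not ok:
            findings.append(f"{label}: native VLAN mismatch ({va} vs {vb})")
    return findings

if __name__ == "__main__":
    print(*run_checks(), sep="\n")
```

Run as a script, it reports two findings for the posted configs: bridge-group 80 has no BVI80 (only BVI1 exists), and the BVI address 192.168.1.32 lies in the inside (Vlan10) subnet rather than in 192.168.80.0/24. The native-VLAN check passes on both links, which matches the thread: native VLAN 80 was configured end to end before the follow-up changes.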

Ok, my bad. I've changed all the native VLANs on the router port and switch ports but it's still not working. I'm suspecting something with the AP configuration? Not getting any DHCP address and no connectivity when I use a static address...
