
1240AG aironet

Hello to all,

I want to know about the VLAN configuration for the Aironet AP...

Here on the radio interface we are assigning the SSID, then we assign the SSID to a particular VLAN... now why are we creating subinterfaces on the radio interface for each and every VLAN, with respect to the various number of VLANs, with the dot1q encapsulation?

Is it for inter-VLAN routing or what?

Now let's say my Aironet is connected with the 2600 router and I want to make the VLAN on the Aironet and I want to configure the inter-VLAN routing on that router; then I have to follow the same procedure as we use to configure the trunk between a Cisco switch and a Cisco router... it means here also I have to connect the Aironet FastEthernet interface with the 2600 series FastEthernet interface and by creating multiple subinterfaces on the 2600 FastEthernet router ....

Please reply to me...

regards

Devang

7 REPLIES

Re: 1240AG aironet

The subinterface is necessary so you can define a specific dot1q encaps ID/tag to each SSID/VLAN.

If the AP (with dot1q VLANs) connects to a switch, the switch port must be configured as a trunk port (otherwise, it will only pass traffic in the native VLAN).

If the AP connects directly to a router, then you must also configure the router as if it was connecting to a trunk port (as if from a switch using a trunk port).

Inter-VLAN routing config for an AP on a router is the same as for a switch with multiple VLANs on a router.

If you intend to use DHCP, the same rules apply as for a switch/router combo: you need an IP_HELPER command on the router interface closest to the client to forward the request to the segment containing the DHCP server process (except if the DHCP and client are in the same VLAN/broadcast domain).

Good Luck

Scott

Re: 1240AG aironet

Hi Scott, it would be better if you explained this configuration to me...

AccessPoint#configure terminal

AccessPoint(config)#interface dot11radio 0

AccessPoint(config-if)#ssid Admin

AccessPoint(config-if-ssid)#vlan 20

AccessPoint(config-if-ssid)#authentication open

AccessPoint(config-if-ssid)#exit

AccessPoint(config-if)#exit

AccessPoint(config)#interface fastethernet 0.20

AccessPoint(config-subif)#encapsulation dot1Q 20

AccessPoint(config-subif)#bridge-group 20

AccessPoint(config-subif)#exit

AccessPoint(config)#interface dot11radio 0.20

AccessPoint(config-subif)#encapsulation dot1Q 20

AccessPoint(config-subif)#bridge-group 20

AccessPoint(config-subif)#exit

Instead of the above configuration, can I configure it so that the whole port of the AP that is connected with the switch is a trunk port... what happens if I do not configure the subinterfaces on the AP...

And I am still confused whether the AP is layer 3 or layer 2.

As you told me, inter-VLAN routing on the AP is the same as on the switch... but how can I make communication between different VLANs with any layer 3 device connected with the AP... so my question is: does the AP have the capability to perform inter-VLAN routing the same as a layer 3 switch?

regards

Devang


Re: 1240AG aironet

The access point is more of a layer one-two device; there is no layer three functionality (though some of the configuration (i.e., subinterfaces) resembles the way you'd do a router).

It's an L1 device in that it is shared bandwidth, like a traditional hub (but uses CSMA/CA-like functionality instead of CSMA/CD).

It's like an L2 device (like a switch) in that you *can* configure VLANs and dot1q.

If, as you mention, you only have one VLAN (possibly fed by several SSIDs, each SSID on a different subnet address block), the system will work, but it's insecure (one client can get to the other clients, regardless of subnet, even with PSPF - Public Secure Packet Forwarding - enabled), and you'll need to configure secondary addressing on your router interface (also a security risk, and may or may not screw up your routing protocol(s), if they are configured).

Using subinterfaces and dot1q is more organized, more secure, and is legally defensible as "best practice."

Good Luck

Scott

(thanks for the rating!)

Re: 1240AG aironet

Hi Scott, thank you very much again for your reply...

You mean to say that if you have only an access point and clients connected to it... and if I connect every client with the appropriate VLAN, then they are not going to communicate with each other without any layer 3 device... am I right?

And there is no option in the AP to make communication between those different VLAN hosts without a layer 3 device... right?

Scott, can I have some links where I can find more and more scenarios of wireless network design... I am not only talking about Cisco, I am also looking for any other... so please reply to me with some links...

regards

Devang


Re: 1240AG aironet

If you have only an access point (single VLAN/default), AND, if you have "Public Secure Packet Forwarding (PSPF)" enabled, no clients could talk to each other (PSPF is used in "hotspots" to prevent one client from hacking other users on the same AP).

If you have only an access point, and there are multiple VLANs & SSIDs defined (one VLAN per SSID), PSPF disabled, then:

--- Clients on the same VLAN would be able to communicate with each other,

--- Clients would not be able to communicate to other clients on other VLANs (no L3 device to route the traffic, just like on a switch with VLANs).

If you have only an access point, one SSID, clients are using multiple IP address blocks, then:

--- Clients in one address block would not normally be able to communicate with clients using another address block (just like a switch or hub with multiple IP blocks in-use).

--- ** However, finding the other address blocks would be a trivial issue, and the other clients (on the different address block) are exposed to interception / attack, different address block or not (just like on a switch / hub).

There is no option in the (Cisco) AP for Layer Three traffic movement. Clients on different dot1q VLANs will not be able to talk to each other without a router or L3 switch to move the traffic from one VLAN to the other (just like an L2 switch using dot1q VLANs).

I don't have any links handy, if I get some time later, I'll see what I can find for you.

Good Luck

Scott

Re: 1240AG aironet

Hi Scott...

Again, thank you very much for your response...

One more question on the same topic...

As you told me, APs are layer 2 and layer 1 devices... then I am still not able to understand why they provide the facility to create subinterfaces on the LAN FastEthernet interface... we could use it by creating a normal trunk as in a layer 2 switch instead of creating the multiple subinterfaces... and by attaching a layer 3 device or server we can do the inter-VLAN routing...

SO WHY DO WE NEED THE SUBINTERFACES ON AP???

What is the benefit of creating subinterfaces on it???

regards

Devang


Re: 1240AG aironet

The sub-interface provides a discrete logical interface that can be bound to a specific SSID. I believe in this implementation, it's more of a programming convenience than Layer role assignment.

SSID -->Bridge group-->VLAN -->Ethernet Subinterface-->802.1q encaps-->Ethernet Interface (trunking)-->switch port(trunking)-->router/L3 switch-->other networks/subnetworks/VLANs

It's a way to associate the SSID to the VLAN and then move it out of the AP into the wired infrastructure (using 802.1q trunking).

It's a mapping mechanism (SSID->VLAN), that's all.

Good Luck

Scott
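
An added example, not part of the thread and not Cisco tooling: a small Python audit of the SSID -> VLAN -> subinterface mapping described in the replies above, run over a constructed AP configuration. The `audit` function, the sample configuration and the SSIDs `Guest` and `Lab` are assumptions made for illustration; it flags any SSID whose VLAN is not tagged on both the radio and the Ethernet side.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): Admin is fully mapped, Guest has no
# Ethernet subinterface for its VLAN, Lab has no VLAN at all.
SAMPLE = """\
interface Dot11Radio0
 ssid Admin
  vlan 20
 ssid Guest
  vlan 30
 ssid Lab
  authentication open
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
interface Dot11Radio0.30
 encapsulation dot1Q 30
 bridge-group 30
"""

def audit(config):
    """Return (ssid, problem) pairs for SSIDs whose VLAN is not carried on both sides."""
    ssid_vlan, subifs = {}, defaultdict(set)   # SSID -> VLAN, VLAN -> interface kinds
    ssid = subif = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (Dot11Radio|FastEthernet)\d+(?:\.(\d+))?$", line, re.I):
            ssid, subif = None, (m.group(1).lower() if m.group(2) else None)
        elif m := re.match(r"ssid (\S+)", line):
            ssid = m.group(1)
            ssid_vlan[ssid] = None
        elif ssid and (m := re.match(r"vlan (\d+)", line)):
            ssid_vlan[ssid] = int(m.group(1))
        elif subif and (m := re.match(r"encapsulation dot1Q (\d+)", line, re.I)):
            subifs[int(m.group(1))].add(subif)
    findings = []
    for name, vlan in ssid_vlan.items():
        if vlan is None:
            findings.append((name, "no VLAN assigned"))
            continue
        for kind in ("dot11radio", "fastethernet"):
            if kind not in subifs[vlan]:
                findings.append((name, f"VLAN {vlan} has no {kind} subinterface"))
    return findings
print(audit(SAMPLE))
```
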
