03-01-2012 06:58 AM - edited 07-03-2021 09:41 PM
Good morning, I hope someone can shed some light on the following problem. I have 2 subnets, both on separate vlans - 1(static) and 100(dhcp). I have the lwapp ap's set to receive a vlan 100 DHCP ip address from our server. The switchport is trunked with a native vlan 100; this allows users to receive a vlan100 dhcp address. The problem is the users utilizing vlan 1, which is a static subnet, are not allowed access through the access-point. They can associate to the AP with no problem, but are unable to pass traffic.
Any help would be appreciated.
Thanks
Larnel
03-01-2012 07:04 AM
Larnel,
To clarify, do the users have to be in VLAN 1 to gain access to those resources?
Can you post the AP config?
Steve
03-01-2012 07:30 AM
Yes, but only a select few. Everyone else is on vlan 100 which works perfectly.
The AP's are LWAPP so no real config on the ap itself. Hreap Vlan is enabled on vlan 1. The WLANS associated with the ap are vlan 1 as well.
03-01-2012 07:33 AM
ok, so the problem is that users in VLAN 100 can't access the resources in VLAN 1. Is that correct? If not, please give me a detailed description of the issue.
Steve
03-01-2012 07:45 AM
no, the users in vlan 1 cannot access the internet. They can associate with the access-point, but the AP is not passing the traffic through. If they are wired we have no problems.
switchport config
interface GigabitEthernet0/35
 description "APe8b7.48f5.1b21 - G0"
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport mode trunk
 srr-queue bandwidth share 10 10 60 20
 queue-set 2
 priority-queue out
 mls qos trust dscp
 auto qos voip trust
 spanning-tree portfast trunk
03-01-2012 07:48 AM
ok, can you share the AP config? More than likely you need to create another SSID and map it to VLAN 1, with the sub-interfaces created.
Steve
03-01-2012 07:53 AM
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login reap_eap_methods group radius
!
aaa session-id common
eap profile lwapp_eap_profile
 method fast
!
!
interface Dot11Radio0
 no ip route-cache
!
interface Dot11Radio0.1
 encapsulation dot1Q 1
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.17
 encapsulation dot1Q 17 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip route-cache
!
interface Dot11Radio1.1
 encapsulation dot1Q 1
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.17
 encapsulation dot1Q 17 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 ip address dhcp client-id GigabitEthernet0
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
no ip http server
radius-server local
 no authentication eapfast
 no authentication leap
 no authentication mac
 group hreap
!
!
!
control-plane
!
!
!
end
03-01-2012 07:58 AM
yeah, everything is mapping to VLAN 100.
Can you screenshot the HREAP VLAN mappings?
03-01-2012 08:03 AM
03-01-2012 08:29 AM
with what you have configured here, all the traffic would be untagged, and sent down to the switch, which would put it in VLAN 100.
Try changing the native to be 100. That should change the bridge groups on the HREAP to be correct.
Steve
03-02-2012 07:37 AM
So changing the native to vlan 100 will allow the AP to pass vlan 1 traffic?
03-02-2012 07:47 AM
I believe it will. Currently, you are telling the AP that everything is flat, the native and all the SSID are linked to VLAN 1, which is why all of your bridge-groups show as bridge-group 1 in the AP config.
By changing the native to be VLAN 100, this will make the interface Dot11Radio1.17 be a different VLAN, so all the management traffic will be untagged, but any traffic that really should be in VLAN 1, will be tagged for VLAN 1. Currently all of the traffic is being sent untagged and getting put into VLAN 100 on the switch.
Keep in mind that if one of the WLANs should be in VLAN 100, you want to map it to VLAN 100, and not VLAN 1.
Steve
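Added example, not written by any poster in this thread and not Cisco tooling: a Python check that compares the native VLAN on the switch trunk with the VLAN the AP marks native on its wired uplink, which is the disagreement visible in the two configs posted above. The embedded configs are constructed excerpts modelled on those posts, and all function names are hypothetical.

```python
import re

# Constructed excerpts modelled on the switch and AP configs posted in the thread.
SWITCH_CFG = """interface GigabitEthernet0/35
switchport trunk native vlan 100
switchport mode trunk
"""
AP_CFG = """interface Dot11Radio0.17
encapsulation dot1Q 17 native
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
!
"""

def stanzas(cfg):
    """Map each 'interface X' stanza to its commands; '!' ends a stanza."""
    out, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("interface "):
            cur = out.setdefault(line.split(None, 1)[1], [])
        elif line == "!":
            cur = None
        elif line and cur is not None:
            cur.append(line)
    return out

def find_vlan(cmds, pattern):
    """First VLAN id captured by pattern among the commands, else None."""
    hits = [re.fullmatch(pattern, c) for c in cmds]
    return next((int(m.group(1)) for m in hits if m), None)

def switch_native(cfg, port):
    """Trunk native VLAN; IOS uses VLAN 1 when the command is absent."""
    v = find_vlan(stanzas(cfg).get(port, []), r"switchport trunk native vlan (\d+)")
    return 1 if v is None else v

def ap_native(cfg):
    """VLAN the AP sends untagged on its wired uplink (radio stanzas ignored)."""
    wired = [c for name, cmds in stanzas(cfg).items()
             if name.startswith("GigabitEthernet") for c in cmds]
    return find_vlan(wired, r"encapsulation dot1Q (\d+) native")

def native_mismatch(switch_cfg, port, ap_cfg):
    """(switch_vlan, ap_vlan) when the two ends disagree, else None."""
    sw, ap = switch_native(switch_cfg, port), ap_native(ap_cfg)
    return (sw, ap) if ap is not None and sw != ap else None
```

A non-None result means frames the AP sends untagged for its own native VLAN are placed in the switch's native VLAN instead, so clients land in a segment other than the one their WLAN is mapped to.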