10-06-2003 06:59 AM - edited 07-04-2021 09:03 AM
If I configure an IP address on the native vlan (e.g. vlan 1, bridge group 1 -> bvi 1) I have full connectivity towards our ethernet environment. If I create a new vlan with a new linked bvi and configure again an address, I cannot access the device via this new ip address. The old one still works, but the new ip is not reachable.
My goal is to have a MGMT ip address on a different vlan than the native vlan (security reason).
Is this possible?
10-08-2003 10:55 PM
Hi,
This config should work. Note that you also need BVI 1 for wlccp. I have made many tests with a BVI other than BVI 1 and I can't recommend it. The AP crashed very often or needed a reload after the configuration of a new feature.
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxxx
!
no logging console
aaa new-model
!
!
aaa authentication login default local
aaa authentication login leapauth group radius
aaa session-id common
enable secret xxxxxxxxx
!
username adm password xxxx
clock timezone gmt 1
clock summer-time gmt+1 recurring last Sun Mar 2:00 last Sun Oct 2:00
ip subnet-zero
no ip domain lookup
ip domain name XXX
ip name-server XXXXX
ip name-server XXXXX
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 200 mode ciphers wep128
!
broadcast-key vlan 200 change 900
!
!
ssid XXXXX
vlan 200
authentication network-eap leapauth
authentication key-management cckm optional
!
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
rts threshold 2312
power local 5
power client 5
channel 2412
station-role root
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
! VLAN 200 (wireless users) is the only tagged VLAN carried over the radio
interface Dot11Radio0.200
encapsulation dot1Q 200
no ip route-cache
bridge-group 200
bridge-group 200 subscriber-loop-control
bridge-group 200 block-unknown-source
no bridge-group 200 source-learning
no bridge-group 200 unicast-flooding
bridge-group 200 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
speed 100
full-duplex
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
! VLAN 100 (management) exists on the wired side only: there is no
! Dot11Radio0.100 subinterface and no SSID in VLAN 100, so the MGMT
! address below is never bridged to the air
interface FastEthernet0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
no bridge-group 100 source-learning
bridge-group 100 spanning-disabled
!
interface FastEthernet0.200
encapsulation dot1Q 200
no ip route-cache
bridge-group 200
no bridge-group 200 source-learning
bridge-group 200 spanning-disabled
!
! BVI1 = bridge-group 1 = untagged/native VLAN; still needed for wlccp (WDS)
interface BVI1
ip address XXXXXXX 255.255.255.192
no ip route-cache
!
! BVI100 = bridge-group 100 = tagged management VLAN 100
interface BVI100
ip address XXXXXXX 255.255.255.192
no ip route-cache
!
ip default-gateway XXXXXXX
no ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip radius source-interface BVI100
snmp-server community XXXXXXX RO
snmp-server community XXXXXXX RW
snmp-server enable traps tty
radius-server host XXXXXXX auth-port 1812 acct-port 1813 key XXXXXXX
radius-server host XXXXXXX auth-port 1812 acct-port 1813 key XXXXXXX
radius-server retransmit 3
radius-server deadtime 5
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
bridge 1 route ip
bridge 100 route ip
!
wlccp ap username XXXXXXX password XXXXXXX
banner login ^C
******************************************************************************
* *
* This system is for the use of authorized users only. *
* Individuals using this system without authority, or in *
* excess of their authority, are subject to having all of their *
* activities on this system monitored and recorded by system *
* personnel. *
* *
* Anyone using this system expressly consents to such monitoring *
* and is advised that if such monitoring reveals possible *
* evidence of criminal activity, system personnel may provide the *
* evidence of such monitoring to law enforcement officials. *
* *
******************************************************************************
^C
!
line con 0
session-timeout 10
password XXXXXXX
logging synchronous
line vty 0 4
session-timeout 10
password XXXXXXX
logging synchronous
transport input telnet ssh
line vty 5 15
transport input none
!
ntp clock-period 2860640
ntp server XXXXXXX
end
06-28-2004 07:10 AM
So... in this config you have two VLANs, but one SSID.
You are using VLAN 100 as your "management" VLAN, for wlccp & CDP and management access, but you are using VLAN 200 for the wireless users.
Is that correct?
Because that is exactly what I want to do. I want 3 VLANs:
Guest -- Will have SSID & WEP for any visiting clients, etc... Only has access to the Internet.
CompanyName -- Will have SSID w/ LEAP & have access to main network.
Vlan1 (management) -- Used for CiscoWorks, Telnet Access, etc... Basically management of all my Cisco Switches, Routers, AP's... I DO NOT want an SSID on this VLAN.
I am about to test this, but was wondering if it will work that way. Your config seems to be perfect for what I am trying to do.
Thanks,
A.
07-08-2004 06:19 PM
Yes it will,
I am using the same setup at my site.
3 vlans
2 ssids
Public, with Internet access only, Broadcast SSID
Private, with Some LAN access, Cloaked SSID
Native, management traffic, (wlccp, iapp) No SSID
Native VLAN of Access Point does not need to be native VLAN of switch it is plugged into.
When you program the switchport, you decide what VLAN to make native for the AP
"switchport trunk encapsulation dot1q"
"switchport mode trunk"
"switchport trunk native vlan xx"
"switchport trunk allowed vlan xx,xx,xx"
This way you can section off 60 or 30 Access Points in a building and make a native vlan for those access points in that building. Any roaming will be layer 2. WDS will function within its limits and this allows you to use all the features of your WLSE.
All management traffic must be on native VLAN, and it helps to keep it BVI1
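The three-VLAN layout described in the last two posts (public SSID, cloaked corporate SSID, management on the untagged native VLAN with no SSID, BVI1 kept as the only L3 interface) together with the matching switchport, as an added example that is not part of the original thread or of any Cisco document. Everything in it is an assumption for illustration: VLAN 10 = guest, VLAN 20 = corporate, VLAN 99 = management; 192.0.2.0/24 addresses, the hostname, the RADIUS server and the `CHANGE-ME` secrets are placeholders; WPA/TKIP with EAP replaces the WEP128/LEAP of the 2003 config; command syntax follows the IOS access-point releases of the 12.2/12.3 JA train used in the thread and should be checked against the release actually running.

```cisco
! ---- Access point (Aironet IOS) ----
hostname ap-bldg1-01
!
aaa new-model
aaa authentication login default local
aaa authentication login eap_methods group radius
username admin secret CHANGE-ME
!
bridge irb
!
interface Dot11Radio0
 no ip address
 ! cipher is per VLAN; the guest SSID stays open, the corporate one gets TKIP
 encryption vlan 20 mode ciphers tkip
 !
 ssid Guest
    vlan 10
    authentication open
    ! guest-mode = SSID is included in beacons (the "broadcast" SSID)
    guest-mode
 !
 ssid Corp
    vlan 20
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa
    ! no guest-mode: SSID is not beaconed ("cloaked")
 !
 station-role root
 ! bridge-group 1 = native VLAN 99. No SSID is mapped to it and there is no
 ! Dot11Radio0.99 subinterface, so no wireless client can reach management.
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
interface FastEthernet0
 no ip address
 ! untagged frames from the switch = its native VLAN 99 = bridge-group 1
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
interface BVI1
 ! the only IP interface: management, WLCCP/WDS registration, RADIUS source
 ip address 192.0.2.11 255.255.255.0
!
ip default-gateway 192.0.2.1
ip radius source-interface BVI1
radius-server host 192.0.2.5 auth-port 1812 acct-port 1813 key CHANGE-ME
bridge 1 route ip
!
! management plane reachable only from the management subnet, SSH only
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
!
! ---- Switch port the AP plugs into (Catalyst IOS) ----
interface FastEthernet0/1
 description AP ap-bldg1-01
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,99
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
```

To check the result, `show interfaces FastEthernet0/1 trunk` on the switch should list native VLAN 99 and allowed VLANs 10,20,99; on the AP, `show bridge` should show bridge groups 1, 10 and 20, `show vlans` the two dot1Q subinterface pairs, and `show wlccp ap` the WDS registration going out of BVI1. The caveat that comes with this design: the management VLAN is the untagged VLAN on a port that usually sits in a ceiling or hallway, so anyone who unplugs the AP and connects a laptop is on VLAN 99 untagged. The `access-class` and SSH-only vty lines above limit what that buys an attacker, but port security or 802.1X on the switchport, and a management VLAN that is not the switch default VLAN 1, are the controls that actually close it.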