Cisco Support Community
New Member

AP 1220b: Mgmt IP address in different vlan than native vlan -> no access

If I configure an IP address on the native VLAN (e.g. VLAN 1, bridge group 1 -> BVI 1), I have full connectivity towards our Ethernet environment. If I create a new VLAN with a new linked BVI and again configure an address, I cannot access the device via this new IP address. The old one still works, but the new IP is not reachable.

My goal is to have a management IP address on a different VLAN than the native VLAN (for security reasons).

Is this possible?

3 REPLIES
New Member

Re: AP 1220b: Mgmt IP address in different vlan than native vlan

Hi,

This config should work. Note that you also need BVI 1 for WLCCP. I ran many tests with a BVI other than BVI 1 and I can't recommend it. The AP crashed very often or needed a reload after the configuration of a new feature.

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxxx
!
no logging console
aaa new-model
!
!
aaa authentication login default local
aaa authentication login leapauth group radius
aaa session-id common
enable secret xxxxxxxxx
!
username adm password xxxx
clock timezone gmt 1
clock summer-time gmt+1 recurring last Sun Mar 2:00 last Sun Oct 2:00
ip subnet-zero
no ip domain lookup
ip domain name XXX
ip name-server XXXXX
ip name-server XXXXX
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 200 mode ciphers wep128
 !
 broadcast-key vlan 200 change 900
 !
 !
 ssid XXXXX
    vlan 200
    authentication network-eap leapauth
    authentication key-management cckm optional
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
 rts threshold 2312
 power local 5
 power client 5
 channel 2412
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.200
 encapsulation dot1Q 200
 no ip route-cache
 bridge-group 200
 bridge-group 200 subscriber-loop-control
 bridge-group 200 block-unknown-source
 no bridge-group 200 source-learning
 no bridge-group 200 unicast-flooding
 bridge-group 200 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 speed 100
 full-duplex
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
 no bridge-group 100 source-learning
 bridge-group 100 spanning-disabled
!
interface FastEthernet0.200
 encapsulation dot1Q 200
 no ip route-cache
 bridge-group 200
 no bridge-group 200 source-learning
 bridge-group 200 spanning-disabled
!
interface BVI1
 ip address XXXXXXX 255.255.255.192
 no ip route-cache
!
interface BVI100
 ip address XXXXXXX 255.255.255.192
 no ip route-cache
!
ip default-gateway XXXXXXX
no ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip radius source-interface BVI100
snmp-server community XXXXXXX RO
snmp-server community XXXXXXX RW
snmp-server enable traps tty
radius-server host XXXXXXX auth-port 1812 acct-port 1813 key XXXXXXX
radius-server host XXXXXXX auth-port 1812 acct-port 1813 key XXXXXXX
radius-server retransmit 3
radius-server deadtime 5
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
bridge 1 route ip
bridge 100 route ip
!
wlccp ap username XXXXXXX password XXXXXXX
banner login ^C
******************************************************************************
* *
* This system is for the use of authorized users only. *
* Individuals using this system without authority, or in *
* excess of their authority, are subject to having all of their *
* activities on this system monitored and recorded by system *
* personnel. *
* *
* Anyone using this system expressly consents to such monitoring *
* and is advised that if such monitoring reveals possible *
* evidence of criminal activity, system personnel may provide the *
* evidence of such monitoring to law enforcement officials. *
* *
******************************************************************************
^C
!
line con 0
 session-timeout 10
 password XXXXXXX
 logging synchronous
line vty 0 4
 session-timeout 10
 password XXXXXXX
 logging synchronous
 transport input telnet ssh
line vty 5 15
 transport input none
!
ntp clock-period 2860640
ntp server XXXXXXX
end

New Member

Re: AP 1220b: Mgmt IP address in different vlan than native vlan

So... In this config you have two VLANs, but one SSID.

You are using VLAN 100 as your "management" VLAN, for WLCCP & CDP and management access, but you are using VLAN 200 for the wireless users.

Is that correct?

Because that is exactly what I want to do. I want 3 VLANs:

Guest -- Will have SSID & WEP for any visiting clients, etc... Only has access to the Internet.

CompanyName -- Will have SSID w/ LEAP & have access to main network.

VLAN 1 (management) -- Used for CiscoWorks, Telnet access, etc... Basically management of all my Cisco switches, routers, APs... I DO NOT want an SSID on this VLAN.

I am about to test this, but was wondering if it will work that way. Your config seems to be perfect for what I am trying to do.

Thanks,

A.

New Member

Re: AP 1220b: Mgmt IP address in different vlan than native vlan

Yes it will,

I am using the same setup at my site.

3 vlans

2 ssids

Public, with Internet access only, broadcast SSID

Private, with some LAN access, cloaked SSID

Native, management traffic (WLCCP, IAPP), no SSID

The native VLAN of the access point does not need to be the native VLAN of the switch it is plugged into.

When you program the switchport, you decide what VLAN to make native for the AP:

switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan xx
switchport trunk allowed vlan xx,xx,xx

This way you can section off 60 or 30 Access Points in a building and make a native vlan for those access points in that building. Any roaming will be layer 2. WDS will function within its limits and this allows you to use all the features of your WLSE.

All management traffic must be on the native VLAN, and it helps to keep it on BVI1.
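Both the posted configuration (one BVI per bridge group, a `bridge N route ip` line per BVI, a wired subinterface on the management VLAN, and no SSID mapped to that VLAN) and the closing advice about keeping management traffic off the SSID-carrying VLANs can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small audit script that parses an Aironet-style IOS bridge config in the shape shown above and reports, per BVI that carries an IP address, which VLAN it sits on, whether the bridge group is routed, whether it has a wired (FastEthernet) and a radio (Dot11Radio) member, and which SSIDs land on the same VLAN. The sample config, the second "broken" variant, the SSID names and the addresses (RFC 5737 documentation ranges) are constructed for the example; the parser only understands the constructs used in this thread, not IOS in general.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the config posted above; not a real device.
SAMPLE_CONFIG = """\
bridge irb
!
interface Dot11Radio0
 no ip address
 ssid CORP
    vlan 200
 !
 ssid GUEST
    vlan 300
 !
 bridge-group 1
!
interface Dot11Radio0.200
 encapsulation dot1Q 200
 bridge-group 200
!
interface FastEthernet0
 no ip address
 bridge-group 1
!
interface FastEthernet0.100
 encapsulation dot1Q 100
 bridge-group 100
!
interface FastEthernet0.200
 encapsulation dot1Q 200
 bridge-group 200
!
interface BVI1
 ip address 192.0.2.10 255.255.255.192
!
interface BVI100
 ip address 198.51.100.10 255.255.255.192
!
bridge 1 route ip
bridge 100 route ip
"""

# Constructed failure case: the routing statement for bridge group 100 is gone
# and the GUEST SSID has been moved onto the management VLAN 100.
BROKEN_CONFIG = SAMPLE_CONFIG.replace("bridge 100 route ip\n", "").replace(
    "    vlan 300", "    vlan 100")


def parse_bridge_config(text):
    """Return (bridge_groups, bvis, ssids, routed) for a config in this style.

    bridge_groups: group number -> {"vlan": tag or "native", "members": [iface...]}
    bvis:          BVI number -> IP address;  ssids: name -> VLAN tag or "native"
    routed:        set of group numbers that have `bridge N route ip`
    """
    bridge_groups = defaultdict(lambda: {"vlan": "native", "members": []})
    bvis, ssids, routed = {}, {}, set()
    iface, ssid, iface_vlan = None, None, "native"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":                      # closes an ssid block in this layout
            ssid = None
            continue
        if m := re.match(r"interface (\S+)$", line):
            iface, ssid, iface_vlan = m.group(1), None, "native"
            continue
        if m := re.match(r"ssid (\S+)$", line):
            ssid = m.group(1)
            ssids[ssid] = "native"            # an ssid with no `vlan` line is untagged
            continue
        if m := re.match(r"bridge (\d+) route ip$", line):
            routed.add(int(m.group(1)))
            continue
        if iface is None:
            continue
        if ssid is not None and (m := re.match(r"vlan (\d+)$", line)):
            ssids[ssid] = int(m.group(1))
        elif m := re.match(r"encapsulation dot1[qQ] (\d+)$", line):
            iface_vlan = int(m.group(1))      # subinterface carries this 802.1Q tag
        elif m := re.match(r"bridge-group (\d+)$", line):   # bare membership line only
            grp = bridge_groups[int(m.group(1))]
            grp["members"].append(iface)
            grp["vlan"] = iface_vlan
        elif iface.upper().startswith("BVI") and (m := re.match(r"ip address (\S+) \S+$", line)):
            bvis[int(iface[3:])] = m.group(1)
    return dict(bridge_groups), bvis, ssids, routed


def audit_management_separation(text):
    """One finding per addressed BVI; `problems` is empty when the BVI is reachable
    from the wired side and no SSID shares its VLAN."""
    groups, bvis, ssids, routed = parse_bridge_config(text)
    findings = {}
    for n, ip in sorted(bvis.items()):
        grp = groups.get(n, {"vlan": None, "members": []})
        members = grp["members"]
        f = {"ip": ip, "vlan": grp["vlan"], "routed": n in routed,
             "wired_leg": any(i.startswith("FastEthernet") for i in members),
             "radio_leg": any(i.startswith("Dot11Radio") for i in members),
             "ssids": sorted(s for s, v in ssids.items() if v == grp["vlan"])}
        f["problems"] = []
        if not f["routed"]:
            f["problems"].append(f"missing 'bridge {n} route ip': BVI{n} is not routed")
        if not f["wired_leg"]:
            f["problems"].append("no FastEthernet member: unreachable from the wired side")
        if f["ssids"]:
            f["problems"].append("SSID on this VLAN: wireless clients share the management segment")
        findings[n] = f
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        for n, f in audit_management_separation(cfg).items():
            print(label, f"BVI{n}", f["vlan"], f["problems"] or "ok")
```

On the sample, BVI100 comes back clean with a wired leg only, which is the shape the posted config has for its management VLAN; on the broken variant the audit reports both the missing `bridge 100 route ip` and the GUEST SSID sharing VLAN 100. Running something like this against exported configs before deployment catches the two ways a management BVI most commonly ends up either unreachable or exposed to the wireless side.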
