Trouble with VLANs

jrodri52000
Level 1

I have a second WLAN implementation underway. We have 5 APs and a Cisco 3550 switch. I have deleted all the default VLANs / SSIDs from the IOS AP1200 ver 12.2 and then created two new ones:

SSID GUEST associated to VLAN 10 Native

SSID Engineer associated to VLAN 11

When my clients connect to Guest, life is good. They can access the network, but when they connect to Engineer they can't access the network. They can't even ping the AP. All my clients have static IPs. I did this to make sure DHCP was out of the trouble loop. Here is my config; any ideas would be highly appreciated ...

!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname AP-VLAN
!
username xxx password xxxx
clock timezone U -8
clock summer-time U recurring
ip subnet-zero
!
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers ckip
 !
 encryption vlan 11 mode ciphers ckip
 !
 ssid Guest
  vlan 10
  authentication open
  guest-mode
 !
 ssid Engineer
  vlan 11
  authentication open
  authentication network-eap eap_methods
 !
 speed basic-1.0 2.0 5.5 11.0
 rts threshold 2312
 power local 50
 power client 50
 station-role root
!
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.11
 encapsulation dot1Q 11
 no ip route-cache
 no cdp enable
 bridge-group 11
 bridge-group 11 subscriber-loop-control
 bridge-group 11 block-unknown-source
 no bridge-group 11 source-learning
 no bridge-group 11 unicast-flooding
 bridge-group 11 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 ntp broadcast client
!
interface FastEthernet0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.11
 encapsulation dot1Q 11
 no ip route-cache
 bridge-group 11
 no bridge-group 11 source-learning
 bridge-group 11 spanning-disabled
!
interface BVI1
 ip address 192.168.0.200 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.0.1
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip radius source-interface BVI1
logging facility auth
radius-server local
!
radius-server host x.x.0.92 auth-port 1645 acct-port 1646 key xxxx
radius-server retransmit 3
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
!
line con 0
line vty 5 15
!
end

AP-VLAN#


jrodri52000
Level 1

One more thing... If I make the SSID Engineer VLAN 11 native it works, but then the Guest doesn't work.

So I know my EAP is set up correctly.

Any help would be great ... thanks

With APs doing VLAN mapping, I take it what is happening is that when you map VLAN 10 or VLAN 11 to the native, it starts working. Well, if on your switch your ACS (or whatever authenticates EAP) is in the switch's native VLAN, then only clients that are mapped to that native VLAN will be able to talk to the authentication server. You need a router for inter-VLAN communications, so VLAN 11 will not talk to VLAN 10 (VLAN 10 being mapped to the native of the switch where DHCP and ACS reside).

Also, when a client connects to an AP, there are 2 connections established. One connection is set to blocking-only state. The other connection is set to blocking, with 802.1x forwarding. Once 802.1x auth is complete (EAP), then the other connection is set to active from blocking and the client can begin communication with the network.

rslaski
Spotlight

Hope that you have already solved your problem, but if not, then try to create int BVI11 with an empty config beneath. I am not joking. There's a misbehaviour observed with VLAN configs like this. Or try to put both user VLANs into separate non-native VLANs and leave the native VLAN alone.

marcbutler
Level 1

Hi There

Just had a look at this. You say that the GUEST SSID associated to VLAN 10 is OK. Well, under your dot11radio0 interface, there is a statement that applies the encryption mode to be used for VLAN 11, but none for VLAN 10. Hence, it may well be that the GUEST SSID VLAN is not being encrypted and, therefore, there are no encryption mismatch issues, so all traffic passes without issue.

I have seen issues where association to the AP was fine, but could not pass traffic, as there was an encryption mismatch.

I would suggest turning off all encryption, test that. If that works, then check that the clients support the encryption method that you want to implement. But to start with, it is worth just turning on static WEP to initialise the radio interface and make sure that works.

Hope that helps

Marc

Maybe you didn't configure the switch port (to which the AP is connected) as a trunk, so only native VLAN traffic is passing between the AP and the switch?

Good luck,

Srdja
