New Member

Trouble with VLANs

I have a second WLAN implementation underway. We have 5 APs and a Cisco 3550 switch. I have deleted all the default vlans / ssids from the IOS AP1200 ver 12.2 and then created two new ones:

SSID GUEST associated to VLAN 10 Native

SSID Engineer associated to VLAN 11

When my clients connect to Guest, life is good. They can access the network, but when they connect to Engineer they can't access the network. They can't even ping the AP. All my clients have static IPs. I did this to make sure DHCP was out of the trouble loop. Here is my config; any ideas would be highly appreciated ...

!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname AP-VLAN
!
username xxx password xxxx
clock timezone U -8
clock summer-time U recurring
ip subnet-zero
!
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers ckip
 !
 encryption vlan 11 mode ciphers ckip
 !
 ssid Guest
  vlan 10
  authentication open
  guest-mode
 !
 ssid Engineer
  vlan 11
  authentication open
  authentication network-eap eap_methods
 !
 speed basic-1.0 2.0 5.5 11.0
 rts threshold 2312
 power local 50
 power client 50
 station-role root
!
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.11
 encapsulation dot1Q 11
 no ip route-cache
 no cdp enable
 bridge-group 11
 bridge-group 11 subscriber-loop-control
 bridge-group 11 block-unknown-source
 no bridge-group 11 source-learning
 no bridge-group 11 unicast-flooding
 bridge-group 11 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 ntp broadcast client
!
interface FastEthernet0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.11
 encapsulation dot1Q 11
 no ip route-cache
 bridge-group 11
 no bridge-group 11 source-learning
 bridge-group 11 spanning-disabled
!
interface BVI1
 ip address 192.168.0.200 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.0.1
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip radius source-interface BVI1
logging facility auth
radius-server local
!
radius-server host x.x.0.92 auth-port 1645 acct-port 1646 key xxxx
radius-server retransmit 3
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
!
line con 0
line vty 5 15
!
end

AP-VLAN#

5 REPLIES
New Member

Re: Trouble with VLANs

One more thing... If I make the ssid Engineer VLAN 11 native it works, but then the guest doesn't work.

So I know my eap is setup correctly.

Any Help would be great ... thnx

New Member

Re: Trouble with VLANs

With APs doing VLAN mapping, I take it what is happening is that when you map VLAN 10 or VLAN 11 to the native, it starts working. Well, if on your switch your ACS (or whatever authenticates EAP) is in the switch's native VLAN, then only clients that are mapped to that native VLAN will be able to talk to the authentication server. You need a router for inter-VLAN communications, so VLAN 11 will not talk to VLAN 10 (VLAN 10 being mapped to the native of the switch where DHCP and ACS reside).

Also, when a client connects to an AP, there are 2 connections established. One connection is set to blocking-only state. The other connection is set to blocking, with 802.1x forwarding. Once 802.1x auth is complete (EAP), then the other connection is set to active from blocking and the client can begin communication with the network.

New Member

Re: Trouble with VLANs

Hope that you have already solved your problem, but if not, then try to create int BVI11 with an empty config beneath. I am not joking. There's a misbehaviour observed with VLAN configs like this. Or try to put both user VLANs into separate non-native VLANs and leave the native VLAN alone.

New Member

Re: Trouble with VLANs

Hi There

Just had a look at this. You say that the GUEST SSID associated to VLAN 10 is OK. Well, under your dot11radio0 interface, there is a statement that applies the encryption mode to be used for VLAN 11, but none for VLAN 10. Hence, it may well be that the GUEST SSID VLAN is not being encrypted and, therefore, there are no encryption mismatch issues, so all traffic passes without issue.

I have seen issues where association to the AP was fine, but could not pass traffic, as there was an encryption mismatch.

I would suggest turning off all encryption, test that. If that works, then check that the clients support the encryption method that you want to implement. But to start with, it is worth just turning on static WEP to initialise the radio interface and make sure that works.

Hope that helps

Marc

New Member

Re: Trouble with VLANs

Maybe you didn't configure the switch port (to which the AP is connected) as a trunk, so only native VLAN traffic is passing between the AP and the switch?

Good luck,

Srdja
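The replies above each point at one consistency check on the AP side: that a VLAN's radio and Ethernet subinterfaces agree on native flag and bridge-group, that a bridge-group has a BVI if the AP itself is meant to be reachable on it, and that every VLAN has its own encryption line. The script below is an added example (not from the thread or from Cisco) that parses an IOS AP config in the style the poster pasted and reports those mismatches. The configuration text embedded in it is the poster's config reduced to the lines the audit reads; the finding messages and the function names are my own.

```python
"""Audit an IOS access-point config for VLAN / bridge-group consistency.

Added example, not the poster's or Cisco's code. Checks, per VLAN:
  - radio and Ethernet subinterfaces both exist and agree on native/bridge-group
  - a BVI exists for the bridge-group (otherwise the AP has no address there)
  - an SSID maps to the VLAN
  - an explicit 'encryption vlan N' line covers the VLAN
"""
import re
from collections import defaultdict

# Constructed input: the config from the original post, trimmed to the relevant lines.
AP_CONFIG = """
interface Dot11Radio0
 no ip address
 encryption mode ciphers ckip
 encryption vlan 11 mode ciphers ckip
 ssid Guest
  vlan 10
  authentication open
  guest-mode
 ssid Engineer
  vlan 11
  authentication open
  authentication network-eap eap_methods
 station-role root
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 bridge-group 1
 bridge-group 1 spanning-disabled
interface Dot11Radio0.11
 encapsulation dot1Q 11
 bridge-group 11
 bridge-group 11 spanning-disabled
interface FastEthernet0
 no ip address
interface FastEthernet0.10
 encapsulation dot1Q 10 native
 bridge-group 1
interface FastEthernet0.11
 encapsulation dot1Q 11
 bridge-group 11
interface BVI1
 ip address 192.168.0.200 255.255.255.0
bridge 1 route ip
"""


def parse_ap_config(text):
    """Extract SSID->VLAN, per-VLAN encryption, subinterface and BVI facts from the config."""
    cfg = {"ssids": {}, "encryption": {}, "subifs": {}, "bvis": {}}
    current_if = current_ssid = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if tok[0] == "interface":
            current_if, current_ssid = tok[1], None
            m = re.fullmatch(r"BVI(\d+)", tok[1])
            if m:                                   # BVI seen; address filled in below
                cfg["bvis"][int(m.group(1))] = None
            continue
        if tok[0] == "ssid":
            current_ssid = tok[1]
            cfg["ssids"][current_ssid] = None
            continue
        if current_ssid and tok[0] == "vlan":       # 'vlan N' inside an ssid block
            cfg["ssids"][current_ssid] = int(tok[1])
        elif tok[:2] == ["encryption", "vlan"]:     # encryption vlan N mode <...>
            cfg["encryption"][int(tok[2])] = " ".join(tok[4:])
        elif tok[:2] == ["encryption", "mode"]:     # unqualified encryption line
            cfg["encryption"]["default"] = " ".join(tok[2:])
        elif tok[:2] == ["encapsulation", "dot1Q"] and current_if:
            cfg["subifs"][current_if] = {"vlan": int(tok[2]),
                                         "native": "native" in tok,
                                         "bridge_group": None}
        elif tok[0] == "bridge-group" and len(tok) == 2 and current_if in cfg["subifs"]:
            cfg["subifs"][current_if]["bridge_group"] = int(tok[1])
        elif tok[:2] == ["ip", "address"] and current_if and current_if.startswith("BVI"):
            cfg["bvis"][int(current_if[3:])] = tok[2]
    return cfg


def audit(cfg):
    """Return a list of (vlan, message) findings; an empty list means the mapping is consistent."""
    findings = []
    by_vlan = defaultdict(dict)
    for name, info in cfg["subifs"].items():
        side = "radio" if name.lower().startswith("dot11radio") else "ethernet"
        by_vlan[info["vlan"]][side] = info
    natives = {v for v, s in by_vlan.items() if any(i["native"] for i in s.values())}
    if len(natives) > 1:
        findings.append((None, f"more than one native VLAN: {sorted(natives)}"))
    ssid_vlans = {v for v in cfg["ssids"].values() if v is not None}
    for vlan, sides in sorted(by_vlan.items()):
        radio, eth = sides.get("radio"), sides.get("ethernet")
        if radio is None or eth is None:
            findings.append((vlan, "subinterface on only one side; traffic has nowhere to bridge"))
            continue
        if radio["native"] != eth["native"]:
            findings.append((vlan, "native flag differs between radio and Ethernet subinterfaces"))
        if radio["bridge_group"] != eth["bridge_group"]:
            findings.append((vlan, "bridge-group differs between radio and Ethernet subinterfaces"))
        bg = radio["bridge_group"]
        if bg not in cfg["bvis"]:
            findings.append((vlan, f"no BVI{bg} for bridge-group {bg}: the AP has no address on this VLAN"))
        if vlan not in ssid_vlans:
            findings.append((vlan, "no SSID maps to this VLAN"))
        if vlan not in cfg["encryption"]:
            default = cfg["encryption"].get("default")
            findings.append((vlan, f"no 'encryption vlan {vlan}' line; only the unqualified line "
                                   f"({default}) exists, confirm which VLAN it applies to"))
    for ssid, vlan in cfg["ssids"].items():
        if vlan not in by_vlan:
            findings.append((vlan, f"SSID {ssid} maps to VLAN {vlan} with no subinterface"))
    return findings


if __name__ == "__main__":
    for vlan, msg in audit(parse_ap_config(AP_CONFIG)):
        print(f"VLAN {vlan}: {msg}")
```

Run against the poster's config it reports two things: VLAN 11's bridge-group 11 has no BVI, so the AP itself cannot answer a ping from that VLAN regardless of whether client traffic bridges through, and VLAN 10 has no per-VLAN encryption line, which is the point Marc raises. The script audits only the AP; whether the 3550 port is actually a trunk carrying VLAN 11, as Srdja asks, has to be checked on the switch.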
