Solved

Unable to get DHCP addresses on second SSID from a Cisco 1131 WAP

Posted on 2009-05-07
Last Modified: 2013-12-27
We've recently changed some equipment and we now require our WAPs to broadcast both WPA and WEP.

Due to WEP being so insecure (but unfortunately required for us) I was hoping to set the Cisco 1131s to broadcast two SSIDs. One with WPA and one with WEP - the WEP one to then be hidden.

At the moment I've got the config so I can see and connect to both SSIDs, although I only seem to get DHCP addresses when connecting to the first SSID on VLAN1. When connecting to the second SSID on VLAN2 I can't get an IP address. Any help or suggestions appreciated as I can't seem to find any sample configs or Cisco examples as of yet.
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname WAP1
!
enable secret 5 *****
!
no aaa new-model
clock timezone gmt 0
ip domain name test.local
ip name-server 4.2.2.4
!
!
dot11 vlan-name Company vlan 1
dot11 vlan-name test vlan 2
!
dot11 ssid internal
   vlan 1
   authentication open 
   authentication key-management wpa version 1
   mbssid guest-mode
   wpa-psk ascii 7 ******
!
dot11 ssid testwep
   vlan 2
   authentication open
   mbssid guest-mode
!
power inline negotiation prestandard source
!
!
username admin privilege 15 secret 5 *****
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip 
 !
 encryption vlan 1 mode ciphers tkip 
 !
 encryption vlan 2 key 1 size 40bit 7 07A8C7DB11C6 transmit-key
 encryption vlan 2 key 2 size 40bit 7 3F31ABD2AFFA
 encryption vlan 2 key 3 size 40bit 7 7AE8AF53EFC7
 encryption vlan 2 key 4 size 40bit 7 93BCE5A8ADCA
 encryption vlan 2 mode ciphers wep40 
 !
 ssid internal
 !
 ssid testwep
 !
 mbssid
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers tkip 
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface BVI1
 ip address 192.168.11.250 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.11.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end

Question by:v0r73x
3 Comments
 

Accepted Solution

by:
Sniper98G earned 500 total points
ID: 24332208
If you statically code your IP can you get connection? Your problem may not be with DHCP but with general connectivity.

If you cannot get connectivity with a static IP I would look at the port connecting to the AP to ensure it has been properly configured as a Dot1q trunk and that both VLANs 1 and 2 are passing on that trunk. From there I would make sure the switch has VLANs 1 and 2 in its database.

Then I would check the SVI for VLAN 2 to ensure that it is operating correctly, and if you have any other switches between the switch the AP and the switch with the SVI I would check their trunks and VLAN databases as well.

Author Comment

by:v0r73x
ID: 24334061
I've tried a client with a static IP and it's not able to ping / talk to anything. At the moment the setups are for small remote offices whereby they have the WAP, sometimes an unmanaged switch and a Cisco 877w in place.

Unfortunately my knowledge of configuring the VLANs etc for this sort of scenario is very limited, I'm assuming from what you've mentioned I'll need to configure the same VLANs on the 877 to allow them both to obtain addresses?

The rough overview and ideal scenario:

Small office with the equipment mentioned above + VPN to main office (site-site from the 877)
Two wireless SSIDs, one for company use with WPA, one for guest access using WEP that can only access the internet and not the office VPN.

I'm eventually aiming to have the above set up and I believe this is easily done with the VLANs etc although I'm a bit out of my depth I'm afraid so any guidance / sample configs would be greatly appreciated.

Author Closing Comment

by:v0r73x
ID: 31579191
Forgot to set the 877 router ports over to trunks! Many thanks :)
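
The accepted answer's trunk check, as an added example that is not part of the thread: the script reads the AP's VLAN lines and reports which VLANs leave its wired port tagged and which untagged, which is what the port on the upstream device has to accept as a dot1Q trunk. `AP_CONFIG` is a constructed excerpt of the configuration posted in the question, and the function names are hypothetical.

```python
import re

# Constructed sample: only the VLAN-related lines of the AP config in the question.
AP_CONFIG = """\
dot11 ssid internal
   vlan 1
dot11 ssid testwep
   vlan 2
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface FastEthernet0.2
 encapsulation dot1Q 2
 bridge-group 2
"""

def parse_sections(config):
    """Map each unindented header line to its indented child lines."""
    sections, current = {}, []
    for line in config.splitlines():
        if line[:1].isspace():
            current.append(line.strip())
        elif line.strip() not in ("", "!"):
            current = sections.setdefault(line.strip(), [])
    return sections

def uplink_requirements(config):
    """Return (tagged VLANs, native VLAN, problems) for the AP's wired uplink."""
    ssid_vlan, radio, wired, native = {}, {}, {}, None
    for head, body in parse_sections(config).items():
        text = "\n".join(body)
        if head.startswith("dot11 ssid ") and (m := re.search(r"^vlan (\d+)$", text, re.M)):
            ssid_vlan[head.split()[2]] = int(m.group(1))
        sub = re.fullmatch(r"interface (Dot11Radio|FastEthernet)\d+\.\d+", head)
        enc = re.search(r"^encapsulation dot1Q (\d+)( native)?$", text, re.M)
        grp = re.search(r"^bridge-group (\d+)$", text, re.M)
        if sub and enc and grp:
            # Record which bridge-group carries this VLAN on the radio or wired side.
            side = radio if sub.group(1) == "Dot11Radio" else wired
            side[int(enc.group(1))] = int(grp.group(1))
            native = int(enc.group(1)) if enc.group(2) and side is wired else native
    problems = [f"SSID {s}: VLAN {v} is not bridged from radio to Ethernet"
                for s, v in sorted(ssid_vlan.items()) if radio.get(v, -1) != wired.get(v)]
    return sorted(set(ssid_vlan.values()) - {native}), native, problems
```

For the posted configuration the result is VLAN 2 tagged with VLAN 1 native and no bridging problems on the AP itself, so the second SSID depends entirely on the upstream port carrying VLAN 2 as a trunk.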