  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1003

Unable to get DHCP addresses on second SSID from a Cisco 1131 WAP

We've recently changed some equipment and we now require our WAPs to broadcast both WPA and WEP.

Due to WEP being so insecure (but unfortunately required for us), I was hoping to set the Cisco 1131s to broadcast two SSIDs: one with WPA and one with WEP, the WEP one to then be hidden.

At the moment I've got the config so I can see and connect to both SSIDs, although I only seem to get DHCP addresses when connecting to the first SSID on VLAN1. When connecting to the second SSID on VLAN2 I can't get an IP address. Any help or suggestions appreciated as I can't seem to find any sample configs or Cisco examples as of yet.
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname WAP1
!
enable secret 5 *****
!
no aaa new-model
clock timezone gmt 0
ip domain name test.local
ip name-server 4.2.2.4
!
!
dot11 vlan-name Company vlan 1
dot11 vlan-name test vlan 2
!
dot11 ssid internal
   vlan 1
   authentication open 
   authentication key-management wpa version 1
   mbssid guest-mode
   wpa-psk ascii 7 ******
!
dot11 ssid testwep
   vlan 2
   authentication open
   mbssid guest-mode
!
power inline negotiation prestandard source
!
!
username admin privilege 15 secret 5 *****
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip 
 !
 encryption vlan 1 mode ciphers tkip 
 !
 encryption vlan 2 key 1 size 40bit 7 07A8C7DB11C6 transmit-key
 encryption vlan 2 key 2 size 40bit 7 3F31ABD2AFFA
 encryption vlan 2 key 3 size 40bit 7 7AE8AF53EFC7
 encryption vlan 2 key 4 size 40bit 7 93BCE5A8ADCA
 encryption vlan 2 mode ciphers wep40 
 !
 ssid internal
 !
 ssid testwep
 !
 mbssid
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers tkip 
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface BVI1
 ip address 192.168.11.250 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.11.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end

Asked by: v0r73x

1 Solution
 
Sniper98G Commented:
If you statically code your IP, can you get a connection? Your problem may not be with DHCP but with general connectivity.

If you cannot get connectivity with a static IP, I would look at the port connecting to the AP to ensure it has been properly configured as a Dot1q trunk and that both VLANs 1 and 2 are passing on that trunk. From there I would make sure the switch has VLANs 1 and 2 in its database.

Then I would check the SVI for VLAN 2 to ensure that it is operating correctly, and if you have any other switches between the switch the AP and the switch with the SVI I would check their trunks and VLAN databases as well.

v0r73x (Author) Commented:
I've tried a client with a static IP and it's not able to ping / talk to anything. At the moment the setups are for small remote offices whereby they have the WAP, sometimes an unmanaged switch and a Cisco 877w in place.

Unfortunately my knowledge of configuring the VLANs etc for this sort of scenario is very limited, I'm assuming from what you've mentioned I'll need to configure the same VLANs on the 877 to allow them both to obtain addresses?

The rough overview and ideal scenario:

Small office with the equipment mentioned above + VPN to main office (site-to-site from the 877)
Two wireless SSIDs, one for company use with WPA, one for guest access using WEP that can only access the internet and not the office VPN.

I'm eventually aiming to have the above set up and I believe this is easily done with the VLANs etc although I'm a bit out of my depth I'm afraid so any guidance / sample configs would be greatly appreciated.

v0r73x (Author) Commented:
Forgot to set the 877 router ports over to trunks! Many thanks :)
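
The trunk check suggested in the answer can be derived from the AP config itself. The following Python script is an added example, not part of the original thread or any Cisco tooling: it parses an AP config of the kind posted above and reports which VLANs the upstream port must carry tagged, and which SSIDs are not bridged radio-to-wire or use a WEP cipher. The function name `audit` and the trimmed `AP_CONFIG` excerpt are constructed for illustration.

```python
# Constructed sample: trimmed excerpt of the AP config in the question (keys omitted).
AP_CONFIG = """\
dot11 ssid internal
   vlan 1
dot11 ssid testwep
   vlan 2
interface Dot11Radio0
 encryption vlan 1 mode ciphers tkip
 encryption vlan 2 mode ciphers wep40
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface FastEthernet0.2
 encapsulation dot1Q 2
 bridge-group 2
"""

def audit(config):
    """Return (ssid -> vlan, tagged VLANs the uplink must trunk, findings)."""
    ssids, ciphers, subifs = {}, {}, {}  # subifs: vlan -> {"radio"/"wire": bridge-group}
    section, vlan, native = [], None, None
    for line in filter(str.strip, config.splitlines()):  # skip blank lines
        words = line.split()
        if not line[0].isspace():  # unindented line starts a new section
            section, vlan = words, None
        elif section[:2] == ["dot11", "ssid"] and words[0] == "vlan":
            ssids[section[2]] = int(words[1])
        elif words[:2] == ["encryption", "vlan"] and "ciphers" in words:
            ciphers[int(words[2])] = words[-1]
        elif words[:2] == ["encapsulation", "dot1Q"]:
            vlan = int(words[2])
            native = vlan if "native" in words else native
        elif words[0] == "bridge-group" and len(words) == 2 and vlan is not None:
            kind = "radio" if section[1].startswith("Dot11Radio") else "wire"
            subifs.setdefault(vlan, {})[kind] = int(words[1])
    findings = []
    for name, v in sorted(ssids.items()):
        groups = subifs.get(v, {})
        if set(groups) != {"radio", "wire"} or len(set(groups.values())) != 1:
            findings.append(f"{name}: VLAN {v} is not bridged radio-to-wire")
        if ciphers.get(v, "").startswith("wep"):
            findings.append(f"{name}: VLAN {v} uses {ciphers[v]}; keep it isolated")
    return ssids, sorted(v for v in ssids.values() if v != native), findings
```

For the config in the question the tagged list contains VLAN 2, so the port facing the AP has to be a dot1Q trunk carrying VLAN 2 with VLAN 1 native, which matches the fix reported in the last comment.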