Cisco 871W WLAN VLANs no DHCP

I have an 871 on which I am trying to get the wireless configuration to function. I need the SSID that is broadcast to be tagged in VLAN 20 and obtain an IP from the router's DHCP server. I have two Aironet 1130AGs in the field that are working correctly, but I cannot get this router to work. I am able to see the SSID and associate, but there is no communication with the DHCP side.

I have attempted to use the Cisco wireless configuration manager. There was an option difference between the 1130AG WAP and the router that I think may have something to do with my troubles. I noticed under VLANs that it gave me two options, bridged and routed. I tried the configuration for both and wasn't able to get positive results.

Here is the config:
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 871
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 xxx
!
no aaa new-model
!

dot11 syslog
dot11 vlan-name VLAN_20 vlan 20
!
dot11 ssid SSID
 vlan 20
 authentication open
 guest-mode
!
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.100
ip dhcp excluded-address 192.168.1.254
ip dhcp excluded-address 192.168.20.1 192.168.20.200
ip dhcp excluded-address 192.168.10.1 192.168.10.200
!
ip dhcp pool VLAN1_TEMP
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 192.168.1.1
   domain-name xxx
!
ip dhcp pool VLAN20_DHCP
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.1
   dns-server 192.168.20.1
   domain-name xxx
!
ip dhcp pool VLAN10_DHCP
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   dns-server 192.168.10.1
   domain-name xxx
!
!
ip cef
ip domain name xxx
ip name-server 4.2.2.2
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
vtp version 2
username xxx password 7 xxx
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 !
 ssid SSID
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip dns server
ip nat inside source list NAT_ADDRESSES interface FastEthernet4 overload

Asked:
farroar

GJHopkins Commented:
From what I can see in the config, you only have one side to the bridge. The usual Cisco config is to bridge the wireless to a VLAN and, to allow the network to route traffic to other networks, use a BVI interface, which supports both bridging and routing.

Sample config:

interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 bridge-group 1
 bridge-group 1 spanning-disabled


interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly              

bridge 1 route ip

farroar (Author) Commented:
I am still having trouble getting the router to accept connections from the wireless.

I have tried setting up the BVI as mentioned but no luck. Am I missing something to do with the bridge-groups? What do they do? I am guessing that they relate to the BVI.

I have three VLANs 1, 10 and 20. VLAN 1 is native and in 192.168.1.0/24, VLAN 10 is in 192.168.10.0/24 and VLAN 20 is in 192.168.20.0/24. I have fa0 trunking with all vlans functioning. I want to have the dot11radio 0 interface to accept connections and place them into VLAN 20 as well as be able to get a DHCP address from the router. This is working from the 1130AG WAPs throughout the house using two radios one for 802.11a in VLAN 20 and 802.11g in VLAN 10.

Is there something I am missing?

farroar (Author) Commented:
Added note:

The issue I am seeing is that I have the VLANs configured on the router with IP addresses so they can act as default gateways for each VLAN. When I create a BVI for VLAN 20 and set an IP address in the same subnet, it gives me an error... obviously because the address is in the same subnet as VLAN 20 and they are overlapping. How do I go about adding the wireless to the VLAN? Do I need to create the VLANs without IPs and then create BVIs for each VLAN with the IP addresses, i.e. 192.168.1.1, 192.168.10.1, and 192.168.20.1?

GJHopkins Commented:
Yes.

Place the wireless interface and the VLAN in the same bridge group - this will then bridge traffic between the wireless and the wired LANs. The BVI interface is the IP entry point to that bridged network; it supports both bridging from wireless to wired and routing to and from the LAN.

See my example above - the IP address is on the BVI; the BVI interface number relates to the bridge group number.

farroar (Author) Commented:
I currently have.

interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly

Instead I should be using this?

interface Vlan1
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan10
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 10
 bridge-group 10 spanning-disabled
!
interface Vlan20
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 20
 bridge-group 20 spanning-disabled

interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface BVI10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly      
!
interface BVI20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly              


Then for the dot11Radio do I create subinterfaces for each VLAN and associate them with the corresponding BVI? Like:

interface Dot11Radio0.20
 encapsulation dot1Q 20
 no cdp enable
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding

GJHopkins Commented:
Yes, looks about right.

Don't forget to add the lines:

bridge 1 route ip
bridge 10 route ip
bridge 20 route ip
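
A check for the IRB layout worked out in this thread, as an added example that is not part of the original posts: it flags a bridge group that lacks either a radio subinterface or a Vlan member, an IP address left on a bridged member, a BVI without an address, and a missing `bridge N route ip`. The two config excerpts are constructed from the thread's configs, and the function names are hypothetical.

```python
import re

# Constructed excerpts: the asker's starting layout, then the agreed layout.
BROKEN = """interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 1
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
"""
FIXED = """interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
interface Vlan20
 no ip address
 bridge-group 20
interface BVI20
 ip address 192.168.20.1 255.255.255.0
bridge 20 route ip
"""

def parse_interfaces(config):
    """Map each interface name to the list of its indented subcommands."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            current.append(line.strip())
        elif not line.startswith(" "):
            m = re.match(r"interface\s+(\S+)", line)
            current = ifaces.setdefault(m.group(1), []) if m else None
    return ifaces

def check_irb(config):
    """Return one finding per IRB problem of the kinds raised in the thread."""
    ifaces = parse_interfaces(config)
    routed = {int(g) for g in re.findall(r"^bridge (\d+) route ip\s*$", config, re.M)}
    with_ip = {n for n, c in ifaces.items() if any(x.startswith("ip address") for x in c)}
    groups, findings = {}, []
    for name, cmds in ifaces.items():
        for g in re.findall(r"^bridge-group (\d+)$", "\n".join(cmds), re.M):
            groups.setdefault(int(g), []).append(name)
    for group, names in sorted(groups.items()):
        if not all(any(n.startswith(k) for n in names) for k in ("Dot11Radio", "Vlan")):
            findings.append(f"bridge-group {group}: one-sided, members {names}")
        findings += [f"{n}: IP belongs on BVI{group}" for n in names if n in with_ip]
        if f"BVI{group}" not in with_ip:
            findings.append(f"BVI{group}: missing or has no IP address")
        if group not in routed:
            findings.append(f"bridge {group} route ip: missing")
    return findings
```

Running `check_irb` on the full `show running-config` text works the same way, since lines outside interface blocks are ignored apart from the `bridge N route ip` statements.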

farroar (Author) Commented:
Ok, I'll give it a go on Friday. I won't be back onsite until then. Don't want to fubar the router remotely.

farroar (Author) Commented:
Thanks for the help