Solved

Cannot Manage Cisco Aironet 1131AG from LAN via 2950

Posted on 2011-03-11
Last Modified: 2012-05-11
I've got a number of Cisco Aironets that are happily allowing wifi users to connect on their allocated VLAN but I can't manage them when they are connected to the trunk port on my 2950!

The AP has been given the IP of 10.132.0.12/24 which is associated with VLAN 99 in which all the infrastructure devices have their IPs, switches, routers etc.

The Wifi clients are connected to an unsecured public network with the SSID associated into VLAN 98, which is working OK.

On the 2950 the port is set to be a trunk:

interface FastEthernet0/16
 description Uplink to AP
 switchport mode trunk

I can't issue as recommended this command on the interface:
switchport trunk encapsulation dot1q

The Native VLAN on the switch is 1 (default) but there are no devices in this VLAN.
The AP's config is below.

I've added VLAN 1 as the native as the documents all say that this is how it should be done so it looks like everything is as it should be but I still can't manage it!

Any help please experts?
Current configuration : 3184 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1st-floor-ap
!
enable secret 5 $1$ULAf$f2SvJXI0rKHwdxGSS34U50
!
no aaa new-model
!
!
dot11 vlan-name DEFAULT vlan 1
!
dot11 ssid INFRA
   vlan 99
   authentication open
   mobility network-id 99
!
dot11 ssid TEST
   vlan 98
   authentication open
!
power inline negotiation prestandard source
!
!
username Cisco password 7 1531021F0725
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 ssid INFRA
 !
 ssid TEST
 !
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.98
 encapsulation dot1Q 98
 no ip route-cache
 bridge-group 98
 bridge-group 98 subscriber-loop-control
 bridge-group 98 block-unknown-source
 no bridge-group 98 source-learning
 no bridge-group 98 unicast-flooding
 bridge-group 98 spanning-disabled
!
interface Dot11Radio0.99
 encapsulation dot1Q 99
 no ip route-cache
 bridge-group 99
 bridge-group 99 subscriber-loop-control
 bridge-group 99 block-unknown-source
 no bridge-group 99 source-learning
 no bridge-group 99 unicast-flooding
 bridge-group 99 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 ssid INFRA
 !
 ssid TEST
 !
 no dfs band block
 channel dfs
 station-role root
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.98
 encapsulation dot1Q 98
 no ip route-cache
 bridge-group 98
 bridge-group 98 subscriber-loop-control
 bridge-group 98 block-unknown-source
 no bridge-group 98 source-learning
 no bridge-group 98 unicast-flooding
 bridge-group 98 spanning-disabled
!
interface Dot11Radio1.99
 encapsulation dot1Q 99
 no ip route-cache
 bridge-group 99
 bridge-group 99 subscriber-loop-control
 bridge-group 99 block-unknown-source
 no bridge-group 99 source-learning
 no bridge-group 99 unicast-flooding
 bridge-group 99 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.98
 encapsulation dot1Q 98
 no ip route-cache
 bridge-group 98
 no bridge-group 98 source-learning
 bridge-group 98 spanning-disabled
!
interface FastEthernet0.99
 encapsulation dot1Q 99
 no ip route-cache
 bridge-group 99
 no bridge-group 99 source-learning
 bridge-group 99 spanning-disabled
!
interface BVI1
 ip address 10.132.0.12 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.132.0.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
snmp-server community tedco-mon RO
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end

Question by:TSG_Users
10 Comments
 
LVL 45

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 35107604
Your native VLAN on the AP should be VLAN99

You should set this on the switchport and the AP.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 35107614
With regard to setting the encapsulation on the switchport, can you post the output from the following command:

sho int fa0/16 sw
0
 
LVL 1

Author Comment

by:TSG_Users
ID: 35107667
OK, changed the native VLAN on the trunkport, can see from that output that it's showing encap as dot1q, so all good there.

Have made the change and I can now ping and browse to it from the server :)

I think that on the other APs I've set the native VLAN as 98, so was getting there in some instances.... Now just to set up WPA2 Personal for one of the VLANs.

Name: Fa0/16
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (infrastructure)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Appliance trust: none

0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 35107759
Cool.  Glad it works :-)

If you need help with WPA give us a shout!
0
 
LVL 1

Author Comment

by:TSG_Users
ID: 35108004
Well this bit looked like it should have been a breeze!

dot11 ssid TEDCO-INT
   vlan 100
   authentication open
   authentication key-management wpa version 1
   mobility network-id 100
   wpa-psk ascii 7 [password]

encryption vlan 100 mode ciphers tkip

Two Win7 laptops can't connect using WPA Personal and TKIP. Have tried AES as the cipher to no avail too.
0

 
LVL 45

Expert Comment

by:Craig Beck
ID: 35108082
You've assigned the TEDCO-INT SSID to VLAN100, but your config doesn't have an interface for VLAN100 (if the config is the same as above).
Can you post all your config from the AP, and make sure you have a VLAN100 on your switch - (I'm assuming you have :-)).
0
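
Added example, not part of the thread or any poster's code: a small offline checker for the two faults diagnosed above, namely a native VLAN on the AP that is not the management VLAN (or does not match the switch trunk), and an SSID mapped to a VLAN with no radio or Ethernet subinterface. The function names, the `mgmt_vlan` and `switch_native_vlan` parameters and the sample config are assumptions made for the illustration.

```python
import re

# Constructed sample condensed from the thread's pattern (not a full config);
# parse_ap_config and audit are hypothetical helper names, not Cisco tooling.
SAMPLE_AP_CONFIG = """\
dot11 ssid INFRA
   vlan 99
dot11 ssid TEDCO-INT
   vlan 100
interface Dot11Radio0.99
 encapsulation dot1Q 99
interface FastEthernet0.1
 encapsulation dot1Q 1 native
interface FastEthernet0.99
 encapsulation dot1Q 99
"""

def parse_ap_config(text):
    """Return ({ssid: vlan}, {subinterface: {'vlan': int, 'native': bool}})."""
    ssids, subifs, section = {}, {}, "!"
    for raw in filter(str.strip, text.splitlines()):   # skip blank lines
        line = raw.strip()
        if not raw[0].isspace():                       # unindented line opens a section
            section = line
            if re.fullmatch(r"interface \S+\.\d+", line):
                subifs[line.split()[1]] = {"vlan": None, "native": False}
        elif section.startswith("dot11 ssid "):
            if m := re.fullmatch(r"vlan (\d+)", line):
                ssids[section.split()[2]] = int(m.group(1))
        elif section.split()[-1] in subifs:
            if m := re.fullmatch(r"encapsulation dot1Q (\d+)( native)?", line):
                subifs[section.split()[-1]] = {"vlan": int(m.group(1)), "native": bool(m.group(2))}
    return ssids, subifs

def audit(text, mgmt_vlan, switch_native_vlan):
    """Return findings for a native-VLAN mismatch and SSID VLANs lacking subinterfaces."""
    ssids, subifs = parse_ap_config(text)
    native = [s["vlan"] for n, s in subifs.items() if n.startswith("FastEthernet") and s["native"]]
    ap_native = native[0] if native else None
    findings = []
    if ap_native != mgmt_vlan:
        findings.append(f"AP native VLAN is {ap_native}, management VLAN is {mgmt_vlan}")
    if ap_native != switch_native_vlan:
        findings.append(f"AP native VLAN {ap_native} != switch trunk native VLAN {switch_native_vlan}")
    for ssid, vlan in sorted(ssids.items()):
        for kind in ("Dot11Radio", "FastEthernet"):
            if not any(n.startswith(kind) and s["vlan"] == vlan for n, s in subifs.items()):
                findings.append(f"SSID {ssid}: no {kind} subinterface for VLAN {vlan}")
    return findings
```

Running `audit(SAMPLE_AP_CONFIG, mgmt_vlan=99, switch_native_vlan=1)` reports the native VLAN problem and the two missing VLAN 100 subinterfaces; a config exported with `show running-config` can be passed in the same way.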
 
LVL 1

Author Comment

by:TSG_Users
ID: 35109919
OK, sorry, had started to go round the other APs to make the config changes and half of them had no Ethernet connections, faulty ports on the switch, time for new switches I think!

Here is the config from the AP that this particular one needs to be on, I've removed it from the other AP.

Current configuration : 3691 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname reception-ap
!
enable secret 5 $1$s3mS$Ly6M0gaeY2F4evRXTxG9X1
!
no aaa new-model
!
!
dot11 vlan-name INFRA vlan 99
dot11 vlan-name TEDCO-INT vlan 100
!
dot11 ssid INFRA
   vlan 99
   authentication open
!
dot11 ssid TEDCO-INT
   vlan 100
   authentication open
   authentication key-management wpa
   mobility network-id 100
   wpa-psk ascii 7 [Password]
!
dot11 ssid TEDCO-PUBLIC
   vlan 98
   authentication open
   guest-mode
!
power inline negotiation prestandard source
!
!
username xxx password 7 xxxx
username xxx privilege 15 password 7 xxxx
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 100 mode ciphers aes-ccm
 !
 ssid INFRA
 !
 ssid TEDCO-INT
 !
 ssid TEDCO-PUBLIC
 !
 speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.98
 encapsulation dot1Q 98
 no ip route-cache
 bridge-group 98
 bridge-group 98 subscriber-loop-control
 bridge-group 98 block-unknown-source
 no bridge-group 98 source-learning
 no bridge-group 98 unicast-flooding
 bridge-group 98 spanning-disabled
!
interface Dot11Radio0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
 bridge-group 100 subscriber-loop-control
 bridge-group 100 block-unknown-source
 no bridge-group 100 source-learning
 no bridge-group 100 unicast-flooding
 bridge-group 100 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 100 mode ciphers aes-ccm
 !
 ssid INFRA
 !
 ssid TEDCO-INT
 !
 ssid TEDCO-PUBLIC
 !
 no dfs band block
 speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel dfs
 station-role root
!
interface Dot11Radio1.98
 encapsulation dot1Q 98
 no ip route-cache
 bridge-group 98
 bridge-group 98 subscriber-loop-control
 bridge-group 98 block-unknown-source
 no bridge-group 98 source-learning
 no bridge-group 98 unicast-flooding
 bridge-group 98 spanning-disabled
!
interface Dot11Radio1.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
 bridge-group 100 subscriber-loop-control
 bridge-group 100 block-unknown-source
 no bridge-group 100 source-learning
 no bridge-group 100 unicast-flooding
 bridge-group 100 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.98
 encapsulation dot1Q 98
 no ip route-cache
 bridge-group 98
 no bridge-group 98 source-learning
 bridge-group 98 spanning-disabled
!
interface FastEthernet0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
 no bridge-group 100 source-learning
 bridge-group 100 spanning-disabled
!
interface BVI1
 ip address x x
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end

0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 35110127
Ok, let's remove the mobility option to test...

Can you change your config to this:


dot11 ssid TEDCO-INT
   vlan 100
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 [Password]



Also can you enable terminal monitor and paste the output from the terminal when a client tries to connect?
0
 
LVL 1

Author Comment

by:TSG_Users
ID: 35110206
Dude, just removing the mobility option did the trick :-)

Any idea what that is for?

Thanks for all your help!
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 35110372
No problem! :-)

The mobility option is for moving between cells/networks.  If you've got a flat network you won't need it.
0
