TSG_Users

asked on

Cannot Manage Cisco Aironet 1131AG from LAN via 2950

I've got a number of Cisco Aironets that are happily allowing wifi users to connect on their allocated VLAN but I can't manage them when they are connected to the trunk port on my 2950!

The AP has been given the IP of 10.132.0.12/24 which is associated with VLAN 99 in which all the infrastructure devices have their IPs, switches, routers etc.

The Wifi clients are connected to an unsecured public network with the SSID associated into VLAN 98, which is working OK.

On the 2950 the port is set to be a trunk:

interface FastEthernet0/16
 description Uplink to AP
 switchport mode trunk

I can't issue as recommended this command on the interface:
switchport trunk encapsulation dot1q

The Native VLAN on the switch is 1 (default) but there are no devices in this VLAN.
The AP's config is below.

I've added VLAN 1 as the native as the documents all say that this is how it should be done so it looks like everything is as it should be but I still can't manage it!

Any help please experts?
Current configuration : 3184 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1st-floor-ap
!
enable secret 5 $1$ULAf$f2SvJXI0rKHwdxGSS34U50
!
no aaa new-model
!
!
dot11 vlan-name DEFAULT vlan 1
!
dot11 ssid INFRA
   vlan 99
   authentication open
   mobility network-id 99
!
dot11 ssid TEST
   vlan 98
   authentication open
!
power inline negotiation prestandard source
!
!
username Cisco password 7 1531021F0725
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 ssid INFRA
 !
 ssid TEST
 !
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.98
 encapsulation dot1Q 98
 no ip route-cache
 bridge-group 98
 bridge-group 98 subscriber-loop-control
 bridge-group 98 block-unknown-source
 no bridge-group 98 source-learning
 no bridge-group 98 unicast-flooding
 bridge-group 98 spanning-disabled
!
interface Dot11Radio0.99
 encapsulation dot1Q 99
 no ip route-cache
 bridge-group 99
 bridge-group 99 subscriber-loop-control
 bridge-group 99 block-unknown-source
 no bridge-group 99 source-learning
 no bridge-group 99 unicast-flooding
 bridge-group 99 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 ssid INFRA
 !
 ssid TEST
 !
 no dfs band block
 channel dfs
 station-role root
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.98
 encapsulation dot1Q 98
 no ip route-cache
 bridge-group 98
 bridge-group 98 subscriber-loop-control
 bridge-group 98 block-unknown-source
 no bridge-group 98 source-learning
 no bridge-group 98 unicast-flooding
 bridge-group 98 spanning-disabled
!
interface Dot11Radio1.99
 encapsulation dot1Q 99
 no ip route-cache
 bridge-group 99
 bridge-group 99 subscriber-loop-control
 bridge-group 99 block-unknown-source
 no bridge-group 99 source-learning
 no bridge-group 99 unicast-flooding
 bridge-group 99 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.98
 encapsulation dot1Q 98
 no ip route-cache
 bridge-group 98
 no bridge-group 98 source-learning
 bridge-group 98 spanning-disabled
!
interface FastEthernet0.99
 encapsulation dot1Q 99
 no ip route-cache
 bridge-group 99
 no bridge-group 99 source-learning
 bridge-group 99 spanning-disabled
!
interface BVI1
 ip address 10.132.0.12 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.132.0.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
snmp-server community tedco-mon RO
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end


ASKER CERTIFIED SOLUTION
Craig Beck

With regard to setting the encapsulation on the switchport, can you post the output from the following command:

sho int fa0/16 sw
TSG_Users

ASKER

OK, changed the native VLAN on the trunk port, can see from that output that it's showing encap as dot1q, so all good there.

Have made the change and I can now ping and browse to it from the server :)

I think that on the other APs I've set the native VLAN as 98, so was getting there in some instances.... Now just to set up WPA2 Personal for one of the VLANs.

Name: Fa0/16
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 99 (infrastructure)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Appliance trust: none

Cool.  Glad it works :-)

If you need help with WPA give us a shout!
Well this bit looked like it should have been a breeze!

dot11 ssid TEDCO-INT
   vlan 100
   authentication open
   authentication key-management wpa version 1
   mobility network-id 100
   wpa-psk ascii 7 [password]

encryption vlan 100 mode ciphers tkip

Two Win7 laptops can't connect using WPA Personal and TKIP. Have tried AES as the cipher to no avail too.
You've assigned the TEDCO-INT SSID to VLAN100, but your config doesn't have an interface for VLAN100 (if the config is the same as above).
Can you post all your config from the AP, and make sure you have a VLAN100 on your switch - (I'm assuming you have :-)).
OK, sorry, had started to go round the other APs to make the config changes and half of them had no Ethernet connections, faulty ports on the switch, time for new switches I think!

Here is the config from the AP that this particular one needs to be on, I've removed it from the other AP.

Current configuration : 3691 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname reception-ap
!
enable secret 5 $1$s3mS$Ly6M0gaeY2F4evRXTxG9X1
!
no aaa new-model
!
!
dot11 vlan-name INFRA vlan 99
dot11 vlan-name TEDCO-INT vlan 100
!
dot11 ssid INFRA
   vlan 99
   authentication open
!
dot11 ssid TEDCO-INT
   vlan 100
   authentication open
   authentication key-management wpa
   mobility network-id 100
   wpa-psk ascii 7 [Password]
!
dot11 ssid TEDCO-PUBLIC
   vlan 98
   authentication open
   guest-mode
!
power inline negotiation prestandard source
!
!
username xxx password 7 xxxx
username xxx privilege 15 password 7 xxxx
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 100 mode ciphers aes-ccm
 !
 ssid INFRA
 !
 ssid TEDCO-INT
 !
 ssid TEDCO-PUBLIC
 !
 speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.98
 encapsulation dot1Q 98
 no ip route-cache
 bridge-group 98
 bridge-group 98 subscriber-loop-control
 bridge-group 98 block-unknown-source
 no bridge-group 98 source-learning
 no bridge-group 98 unicast-flooding
 bridge-group 98 spanning-disabled
!
interface Dot11Radio0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
 bridge-group 100 subscriber-loop-control
 bridge-group 100 block-unknown-source
 no bridge-group 100 source-learning
 no bridge-group 100 unicast-flooding
 bridge-group 100 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 100 mode ciphers aes-ccm
 !
 ssid INFRA
 !
 ssid TEDCO-INT
 !
 ssid TEDCO-PUBLIC
 !
 no dfs band block
 speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel dfs
 station-role root
!
interface Dot11Radio1.98
 encapsulation dot1Q 98
 no ip route-cache
 bridge-group 98
 bridge-group 98 subscriber-loop-control
 bridge-group 98 block-unknown-source
 no bridge-group 98 source-learning
 no bridge-group 98 unicast-flooding
 bridge-group 98 spanning-disabled
!
interface Dot11Radio1.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
 bridge-group 100 subscriber-loop-control
 bridge-group 100 block-unknown-source
 no bridge-group 100 source-learning
 no bridge-group 100 unicast-flooding
 bridge-group 100 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.98
 encapsulation dot1Q 98
 no ip route-cache
 bridge-group 98
 no bridge-group 98 source-learning
 bridge-group 98 spanning-disabled
!
interface FastEthernet0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
 no bridge-group 100 source-learning
 bridge-group 100 spanning-disabled
!
interface BVI1
 ip address x x
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end

Ok, let's remove the mobility option to test...

Can you change your config to this:


dot11 ssid TEDCO-INT
   vlan 100
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 [Password]



Also can you enable terminal monitor and paste the output from the terminal when a client tries to connect?
Dude, just removing the mobility option did the trick :-)

Any idea what that is for?

Thanks for all your help!
No problem! :-)

The mobility option is for moving between cells/networks.  If you've got a flat network you won't need it.
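
Added example, not part of the original thread or any poster's code: a small offline check for the two misconfigurations discussed above (the switch trunk's native VLAN not being the VLAN that owns the BVI1 subnet, and an SSID mapped to a VLAN with no FastEthernet0.N subinterface). It goes one step beyond the thread by also flagging an SSID without key management on the management VLAN. The function names, the mgmt_vlan parameter and the sample inputs are assumptions constructed for illustration.

```python
import re

# Constructed sample: the thread's first AP config, trimmed, plus the TEDCO-INT SSID.
AP_CONFIG = """\
dot11 ssid INFRA
   vlan 99
   authentication open
dot11 ssid TEDCO-INT
   vlan 100
   authentication open
   authentication key-management wpa
interface FastEthernet0.1
 encapsulation dot1Q 1 native
interface FastEthernet0.99
 encapsulation dot1Q 99
"""
SWITCHPORT = "Name: Fa0/16\nTrunking Native Mode VLAN: 1 (default)\n"  # constructed

def parse_ap(config):
    """Return ({ssid: [vlan, has_key_mgmt]}, {wired VLAN ids on FastEthernet0.N})."""
    ssids, wired, section = {}, set(), []
    for line in config.splitlines():
        if line and not line[0].isspace():            # unindented line opens a section
            section = line.split()
            if section[:2] == ["dot11", "ssid"]:
                ssids[section[2]] = [None, False]
        elif section[:2] == ["dot11", "ssid"]:
            if m := re.match(r"\s+vlan (\d+)", line):
                ssids[section[2]][0] = int(m.group(1))
            elif "authentication key-management" in line:
                ssids[section[2]][1] = True
        elif section[:1] == ["interface"] and section[-1].startswith("FastEthernet0."):
            if m := re.match(r"\s+encapsulation dot1Q (\d+)", line):
                wired.add(int(m.group(1)))
    return ssids, wired

def audit(ap_config, switchport_output, mgmt_vlan):
    """mgmt_vlan: VLAN that owns the BVI1 subnet (operator-supplied; 99 in the thread)."""
    ssids, wired = parse_ap(ap_config)
    findings = []
    m = re.search(r"Trunking Native Mode VLAN: (\d+)", switchport_output)
    if not m or int(m.group(1)) != mgmt_vlan:          # BVI1 traffic leaves the AP untagged
        findings.append(f"native-vlan: switch trunk native is not management VLAN {mgmt_vlan}")
    for name, (vlan, keyed) in ssids.items():
        if vlan not in wired:
            findings.append(f"no-subinterface: SSID {name} VLAN {vlan}")
        if vlan == mgmt_vlan and not keyed:
            findings.append(f"open-mgmt-ssid: SSID {name} on VLAN {vlan} has no key management")
    return findings
```

Feed it the AP's running config and the output of "sho int fa0/16 sw" from the switch; an empty list means none of the three conditions was found.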