Solved

Help with Aironet 1130AG VLANs

Posted on 2011-09-13
11
788 Views
Last Modified: 2013-11-12
Hello All,

I'm having a lot of headaches setting this up, should be pretty simple, but I'm missing something, somewhere.

I have a production network of 192.168.1.0/24

I bought Aironets wanting to create a private SSID for the production network, and a public SSID for guests, and never shall the two meet.

Here's the hardware I'm working with. I'm working with a budget, hence the lower-end switch and firewall, but they claim to support VLANs.

3 x Cisco 1130AG access points

1 x Cisco SB SG200-08p POE switch

1 x Cisco SBPro SA520 Security Appliance

---------------------------------------------------------------------------------------------------------------

The plan was to use VLAN 1 for the production network.

Create a VLAN 10 for guest/public wireless network with a subnet of 192.168.10.0/24.

On VLAN 1, DHCP for the production network will be handled by the SBS 2003 server.

DHCP on VLAN 10 for the guest network would be handled by the SA520 firewall.

Secure both.

I created a VLAN 10 on the firewall, and the POE Switch.

All of the ports on the POE switch are Trunk ports, default, out of the box. The port on the Firewall that connects to the POE switch is also a trunk port.

My challenges so far are:

I cannot secure the WLANs using WPA on the Aironets if I try to put the SSID(s) on VLAN 1.

So, for testing, I created VLAN 2 and VLAN 10, and put the production SSID on VLAN 2 and the public SSID on VLAN 10.

Both networks were broadcasting their SSIDs fine, and I was able to authenticate to each respective WLAN using WPA2. I did all that from home, using the AC adapter.

I brought the AP back to the office today, powered it up by connecting it to the POE switch, and none of the SSIDs were broadcasting.

I plugged in the AC adapter, and now the SSIDs are broadcasting, but DHCP is not passing through to the public SSID.

Here's my config:

Building configuration...

Current configuration : 3214 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$8ZHx$elaFgIVI7rCx10HqABl3..
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid CASPRIV
   vlan 2
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 06361D285A1C5948545451
!
dot11 ssid CASPUB
   vlan 10
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 15310A1F343F29676B
!
!
!
username Cisco password 7 032752180500
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 ssid CASPUB
 !
 mbssid
 channel 2412
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 ssid CASPUB
 !
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio1.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface BVI1
 ip address 192.168.1.4 255.255.255.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end
Question by:Tom-J-Lael
11 Comments
 
LVL 46

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 36531198
First thing, you need to set the native VLAN on the AP. So, if you haven't already, configure the port on the switch which connects to the AP so that its native VLAN is set to either VLAN 2 or 10. Do the same on the AP.
 
LVL 3

Author Comment

by:Tom-J-Lael
ID: 36531915
Ok... if I set the AP's native VLAN as VLAN 2, does that mean that the other SSID that's on VLAN 10 won't get through the switch? Or vice versa?
 
LVL 46

Expert Comment

by:Craig Beck
ID: 36531942
No, it just means that untagged traffic will be put on VLAN 2. The switchport is probably using the default (VLAN 1), but you don't appear to have VLAN 1 in your config. This will cause traffic to drop.

If the SSIDs weren't broadcasting when you plugged the AP into a PoE switch, I'd guess the AP didn't get enough power. If you look at the GUI, or console to the AP, you should see something like "Insufficient Power" (in the GUI), or IL-POWER errors (in the CLI). If this is true, try setting the AP to use Pre-Standard PoE.
 
LVL 3

Author Comment

by:Tom-J-Lael
ID: 36532264
Ok.. I'll go that route and let you know the results.
 
LVL 3

Author Comment

by:Tom-J-Lael
ID: 36532549
Sorry... do I set the native VLAN on FA0? BVI1? FA0.20? All of the above, et cetera?
 
LVL 46

Expert Comment

by:Craig Beck
ID: 36532667
Do it on the Fa0.20, Dot11Radio0.20 and Dot11Radio1.20 interfaces...

conf t
int Dot11Radio0.20
 encapsulation dot1Q 20 native
int Dot11Radio1.20
 encapsulation dot1Q 20 native
int FastEthernet0.20
 encapsulation dot1Q 20 native
end
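As an added illustration (not part of the thread, and not a Cisco tool): a small Python script that reads an Aironet-style IOS config and checks the plumbing the accepted answer is getting at. It verifies that exactly one native VLAN is declared and that it sits in bridge-group 1 alongside BVI1 (the usual Aironet convention; the script treats that as an assumption), that each SSID's VLAN has an `encryption vlan` statement on every live radio serving it, and that the radio subinterface and the FastEthernet0 subinterface for that VLAN share a bridge group and agree on the native flag. The sample config is constructed for the example, with a placeholder SSID name and no keys; its shape copies the second config posted in the thread, where FastEthernet0.2 is native in bridge-group 1 while Dot11Radio0.2 stays tagged in bridge-group 2. The defensive point: a VLAN whose two ends are in different bridge groups carries nothing, and a native VLAN that is set on one side only is how frames end up on a VLAN nobody intended, so this is worth checking before trusting the guest/production split.

```python
import re

# Constructed sample (placeholder SSID, no keys). Its layout mirrors the thread:
# FastEthernet0.2 is native in bridge-group 1, but Dot11Radio0.2 is still tagged
# and sits in bridge-group 2, so the two ends of VLAN 2 are never bridged together.
BAD_CONFIG = """\
dot11 ssid CORP
   vlan 2
!
interface Dot11Radio0
 encryption vlan 2 mode ciphers aes-ccm
 ssid CORP
 bridge-group 1
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
!
interface FastEthernet0.2
 encapsulation dot1Q 2 native
 bridge-group 1
!
"""
# Same config with the radio's VLAN 2 subinterface made native in bridge-group 1.
GOOD_CONFIG = BAD_CONFIG.replace(
    "interface Dot11Radio0.2\n encapsulation dot1Q 2\n bridge-group 2",
    "interface Dot11Radio0.2\n encapsulation dot1Q 2 native\n bridge-group 1",
)
# Consistent bridge groups, but no native VLAN declared on any subinterface.
NO_NATIVE_CONFIG = GOOD_CONFIG.replace(" native", "")


def parse_blocks(text):
    """Split IOS-style config into {top-level line: [stripped indented body lines]}."""
    blocks, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks


def first(pattern, lines):
    """Match object for the first line matching pattern at its start, else None."""
    return next((m for m in (re.match(pattern, l) for l in lines) if m), None)


def check_config(text):
    """Return a list of findings; an empty list means the VLAN plumbing is consistent."""
    ssids, subifs, radios, findings = {}, {}, {}, []
    for header, body in parse_blocks(text).items():
        if m := re.match(r"dot11 ssid (\S+)$", header):
            if v := first(r"vlan (\d+)$", body):
                ssids[m.group(1)] = int(v.group(1))
        elif m := re.match(r"interface ((?:Dot11Radio\d|FastEthernet0)\.\d+)$", header):
            enc = first(r"encapsulation dot1Q (\d+)( native)?$", body)
            bg = first(r"bridge-group (\d+)$", body)
            subifs[m.group(1)] = {"vlan": int(enc.group(1)) if enc else None,
                                  "native": bool(enc and enc.group(2)),
                                  "bridge": int(bg.group(1)) if bg else None}
        elif m := re.match(r"interface (Dot11Radio\d)$", header):
            radios[m.group(1)] = {"ssids": {l.split()[1] for l in body if l.startswith("ssid ")},
                                  "enc": {int(v) for v in re.findall(r"encryption vlan (\d+)", " ".join(body))},
                                  "up": "shutdown" not in body}

    # Exactly one native VLAN, living in bridge-group 1 with BVI1 (assumed Aironet convention).
    native = {n: i for n, i in subifs.items() if i["native"]}
    native_vlans = {i["vlan"] for i in native.values()}
    if not native_vlans:
        findings.append("no native VLAN on any subinterface: untagged frames land on the switch port's default VLAN")
    elif len(native_vlans) > 1:
        findings.append(f"conflicting native VLANs {sorted(native_vlans)}")
    for name, info in native.items():
        if info["bridge"] != 1:
            findings.append(f"{name}: native VLAN subinterface is bridge-group {info['bridge']}, expected 1")

    # Each SSID's VLAN: encrypted on every live radio serving it, and bridged end to end.
    for ssid, vlan in ssids.items():
        eth = subifs.get(f"FastEthernet0.{vlan}")
        if eth is None:
            findings.append(f"{ssid}: no FastEthernet0.{vlan} subinterface, VLAN {vlan} never reaches the wire")
        for rname, radio in radios.items():
            if ssid not in radio["ssids"] or not radio["up"]:
                continue
            if vlan not in radio["enc"]:
                findings.append(f"{rname}: no 'encryption vlan {vlan}' for SSID {ssid}")
            sub = subifs.get(f"{rname}.{vlan}")
            if sub is None or sub["vlan"] != vlan:
                findings.append(f"{rname}.{vlan}: missing or not carrying dot1Q {vlan} for SSID {ssid}")
            elif eth is not None:
                if sub["bridge"] != eth["bridge"]:
                    findings.append(f"VLAN {vlan}: bridge-group mismatch {rname}.{vlan}={sub['bridge']} "
                                    f"vs FastEthernet0.{vlan}={eth['bridge']}")
                if sub["native"] != eth["native"]:
                    findings.append(f"VLAN {vlan}: native flag differs between {rname}.{vlan} and FastEthernet0.{vlan}")
    return findings
```

Run `check_config()` on a `show running-config` dump: the constructed BAD_CONFIG yields the bridge-group mismatch and the native-flag mismatch on VLAN 2, GOOD_CONFIG yields nothing, and NO_NATIVE_CONFIG yields only the missing-native-VLAN finding. The regexes anchor on the exact `bridge-group N` line, so the `block-unknown-source` and `spanning-disabled` variants in a real config are ignored as intended.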
 
LVL 3

Author Comment

by:Tom-J-Lael
ID: 36532952
Ok.. I'll let you know tomorrow morning.
 
LVL 3

Author Comment

by:Tom-J-Lael
ID: 36535743
Ok.. here's my config now. I don't have a VLAN 20, so I assumed I should set the native VLAN to 2 on the 0.2 and 1.2 subinterfaces.


Building configuration...

Current configuration : 2945 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$8ZHx$elaFgIVI7rCx10HqABl3..
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid CASPRIV
   vlan 2
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 06361D285A1C5948545451
!
dot11 ssid CASPUB
   vlan 10
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 15310A1F343F29676B
!
!
!
username Cisco password 7 032752180500
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 ssid CASPUB
 !
 mbssid
 channel 2412
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 ssid CASPUB
 !
 dfs band 3 block
 channel dfs
 station-role root
!
interface Dot11Radio1.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface BVI1
 ip address 192.168.1.4 255.255.255.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end
 
LVL 46

Expert Comment

by:Craig Beck
ID: 36537931
That looks good. Now you need to set the port on the switch where the AP connects so that its native VLAN is VLAN 2 also.
 
LVL 3

Author Comment

by:Tom-J-Lael
ID: 36552823
Ok... well, I was able to accomplish what I want, but the APs are connected to the firewall itself. The correct DHCP (done by the firewall so far) is passing to the correct SSID. I'm hoping I can turn DHCP off at the firewall for VLAN 10 and let the SBS 2003 server handle DHCP for that subnet/VLAN.

My next challenge is I cannot get the trunking between the switch and the SA520 to work correctly.

The main switch for all the nodes on the private LAN (VLAN 10) is an unmanaged switch. My plan is to trunk the Cisco SG200-08p switch to the firewall and connect the unmanaged switch.

If you want me to start a new thread, I will. Otherwise, I'll create a network diagram so you can see what I'm proposing.

Here's a copy of one of my configs:

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname WAP2
!
enable secret 5 $1$j1CJ$7IWkbgC6uFr29fWAriTOc/
!
no aaa new-model
no ip domain lookup
!
!
dot11 syslog
!
dot11 ssid CASPRIV
   vlan 10
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 107E1B101345425A5D4769
!
dot11 ssid CASPUB
   vlan 20
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 132616013B19066968
!
!
!
username Cisco password 7 0802455D0A16
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 20 mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 ssid CASPUB
 !
 mbssid
 channel 6
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 ip address 192.168.1.5 255.255.255.0
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 ip address 192.168.20.3 255.255.255.0
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
interface BVI1
 no ip address
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
 
LVL 3

Author Closing Comment

by:Tom-J-Lael
ID: 36719087
Thanks for the help.

I eventually worked through all the bugs. A firmware upgrade on the firewall was the fix I was looking for. It was hard to find, but it was the last place I looked =).

I ended up dumping the POE switch and using POE injectors.
