Solved

Help with Aironet 1130AG VLAN's

Posted on 2011-09-13
Last Modified: 2013-11-12
Hello All,

I'm having a lot of headaches setting this up; it should be pretty simple, but I'm missing something somewhere.

I have a production network of 192.168.1.0/24

I bought Aironets wanting to create a private SSID for the production network, and a public SSID for guests, and never shall the two meet.

Here's the hardware I'm working with. I'm working with a budget, hence the lower-end switch and firewall, but they claim to support VLANs.

3 x Cisco 1130AG access points

1 x Cisco SB SG200-08P PoE switch

1 x Cisco SBPro SA520 security appliance

---------------------------------------------------------------------------------------------------------------

The plan was use VLAN 1 for production network.

Create a VLAN 10 for guest/public wireless network with a subnet of 192.168.10.0/24.

On VLAN 1, DHCP for the production network will be handled by the SBS 2003 server.

DHCP on VLAN 10 for the guest network would be handled by the SA520 firewall.

Secure both

I created a VLAN 10 on the firewall, and the POE Switch.

All of the ports on the PoE switch are trunk ports by default, out of the box. The port on the firewall that connects to the PoE switch is also a trunk port.

My challenges so far are:

I cannot secure the WLANs using WPA on the Aironets if I try to put the SSID(s) on VLAN 1.

So, for testing, I created VLAN 2 and VLAN 10, and put the production SSID on VLAN 2 and the public SSID on VLAN 10.

Both networks were broadcasting their SSIDs fine, and I was able to authenticate to each respective WLAN using WPA2. I did all that from home, using the AC adapter.

Brought the AP back to the office today, powered it up by connecting it to the PoE switch, and none of the SSIDs were broadcasting.

Plugged in the AC adapter, and now the SSIDs are broadcasting, but DHCP is not passing through to the public SSID.

Here's my config:

Building configuration...

Current configuration : 3214 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$8ZHx$elaFgIVI7rCx10HqABl3..
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid CASPRIV
   vlan 2
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 06361D285A1C5948545451
!
dot11 ssid CASPUB
   vlan 10
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 15310A1F343F29676B
!
!
!
username Cisco password 7 032752180500
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 ssid CASPUB
 !
 mbssid
 channel 2412
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 ssid CASPUB
 !
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio1.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface BVI1
 ip address 192.168.1.4 255.255.255.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end
Question by:Tom-J-Lael
Accepted Solution by Craig Beck (earned 500 total points)
First thing, you need to set the native VLAN on the AP, so if you haven't already, configure the port on the switch which connects to the AP so that its native VLAN is set to either VLAN 2 or 10. Do the same on the AP.
Author Comment by Tom-J-Lael
Ok...if I set the AP's native VLAN as VLAN 2, does that mean that the other SSID that's on VLAN 10 won't get through the switch? Or vice versa?
Expert Comment by Craig Beck
No, it just means that untagged traffic will be put on VLAN 2. The switchport is probably using the default (VLAN 1), but you don't appear to have VLAN 1 in your config. This will cause traffic to drop.

If the SSIDs weren't broadcasting when you plugged the AP into a PoE switch, I'd guess the AP didn't get enough power. If you look at the GUI, or console to the AP, you should see something like "Insufficient Power" (in the GUI), or IL-POWER errors (in the CLI). If this is true, try setting the AP to use Pre-Standard PoE.
Author Comment by Tom-J-Lael
ok..I'll go that route and let you know the results
Author Comment by Tom-J-Lael
Sorry...do I set the native VLAN on FA0 ? BVI1 ? FA0.20? all of the above, et cetera?
Expert Comment by Craig Beck
Do it on the Fa0.20, Dot11Radio0.20 and Dot11Radio1.20 interfaces...

conf t
int Dot11Radio0.20
 encapsulation dot1Q 20 native
int Dot11Radio1.20
 encapsulation dot1Q 20 native
int FastEthernet0.20
 encapsulation dot1Q 20 native
end
Author Comment by Tom-J-Lael
Ok..I'll let you know tomorrow morning
Author Comment by Tom-J-Lael
Ok..here's my config now. I don't have a VLAN 20, so I assumed I should set the native VLAN to 2 on the 0.2 and 1.2 subinterfaces.


Building configuration...

Current configuration : 2945 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$8ZHx$elaFgIVI7rCx10HqABl3..
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid CASPRIV
   vlan 2
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 06361D285A1C5948545451
!
dot11 ssid CASPUB
   vlan 10
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 15310A1F343F29676B
!
!
!
username Cisco password 7 032752180500
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 ssid CASPUB
 !
 mbssid
 channel 2412
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 ssid CASPUB
 !
 dfs band 3 block
 channel dfs
 station-role root
!
interface Dot11Radio1.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface BVI1
 ip address 192.168.1.4 255.255.255.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end
Expert Comment by Craig Beck
That looks good - now you need to set the port on the switch where the AP connects so that its native VLAN is VLAN2 also.
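The rules Craig lays out above (untagged frames from the switch land on the native VLAN, the native VLAN belongs in bridge-group 1 alongside BVI1, every SSID VLAN needs its own encryption line and a matching radio/wired subinterface pair, and the switch port's native VLAN must match the AP's) are easy to get wrong on one of three APs and hard to eyeball in a 3 KB config. The script below is an added example, not code from this thread or from Cisco. It parses the text of an IOS autonomous-AP running-config and reports: an SSID whose VLAN has no `encryption vlan` line on its radio, a VLAN missing its Dot11Radio/FastEthernet0 subinterface pair or bridging the two into different bridge groups, a guest SSID whose VLAN shares bridge-group 1 with the BVI1 management address, a missing or duplicate native VLAN on FastEthernet0, a native subinterface outside bridge-group 1, and a management GUI served over plain HTTP (`ip http server` with `no ip http secure-server`, as in every config posted here). The embedded sample is the first config posted above, trimmed to the lines the checks read; the `guest_ssids` parameter and the `FIXED` variant are the example's own additions, and the switch side of the trunk cannot be verified from the AP alone.

```python
"""Sanity checks for a Cisco IOS autonomous-AP running-config (added example, not code from the thread)."""
import re

def parse_config(text):
    """Split an IOS config into {'dot11 ssid NAME'|'interface X': [sub-commands]} plus top-level lines."""
    blocks, top, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":   # skip blanks and '!' separators
            continue
        if line[0] != " ":                           # unindented: a new block or a global command
            m = re.match(r"(dot11 ssid|interface) (\S+)", line)
            cur = blocks.setdefault(m.group(0), []) if m else None
            if not m:
                top.append(line)
        elif cur is not None:                        # indented: sub-command of the current block
            cur.append(line.strip())
    return blocks, top

def first_int(lines, pattern):
    """First integer captured by `pattern` (anchored at line start) in `lines`, else None."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return int(m.group(1))
    return None

def check_config(text, guest_ssids=()):
    """Return a list of findings; an empty list means every check passed."""
    blocks, top = parse_config(text)
    ifs = {k.split(" ", 1)[1]: v for k, v in blocks.items() if k.startswith("interface ")}
    vlan_of = {k.split()[-1]: first_int(v, r"vlan (\d+)") for k, v in blocks.items() if k.startswith("dot11 ssid ")}
    bg = lambda name: first_int(ifs.get(name, []), r"bridge-group (\d+)$")   # the plain 'bridge-group N' line
    findings = []
    for radio, lines in ifs.items():
        if not radio.startswith("Dot11Radio") or "." in radio:   # physical radios only
            continue
        encrypted = {first_int([l], r"encryption vlan (\d+)") for l in lines} - {None}
        for name in (l.split()[1] for l in lines if l.startswith("ssid ")):
            vlan = vlan_of.get(name)
            if vlan not in encrypted:   # also catches an SSID with no 'vlan' line at all
                findings.append(f"{radio}: SSID {name} (VLAN {vlan}) has no matching 'encryption vlan' line")
                continue
            wired, wireless = f"FastEthernet0.{vlan}", f"{radio}.{vlan}"
            if wired not in ifs or wireless not in ifs:
                findings.append(f"VLAN {vlan}: missing {wireless} or {wired} subinterface")
            elif bg(wired) != bg(wireless):   # wireless and wired sides must share one bridge group
                findings.append(f"VLAN {vlan}: bridge-group differs between {wireless} and {wired}")
            elif name in guest_ssids and bg(wired) == 1:   # bridge-group 1 is where BVI1 lives
                findings.append(f"guest SSID {name}: VLAN {vlan} shares bridge-group 1 with the BVI1 management address")
    natives = {first_int(v, r"encapsulation dot1Q (\d+) native") for n, v in ifs.items() if n.startswith("FastEthernet0.")} - {None}
    if len(natives) != 1:
        findings.append(f"FastEthernet0 needs exactly one native VLAN, found {sorted(natives)}: untagged frames from the switch's native VLAN are dropped")
    elif bg(f"FastEthernet0.{next(iter(natives))}") != 1:   # IOS maps the native VLAN to bridge-group 1
        findings.append("the native VLAN subinterface must be in bridge-group 1 (the BVI1 group)")
    if "ip http server" in top and "ip http secure-server" not in top:
        findings.append("management GUI is served over plaintext HTTP only")
    return findings

# The first config posted in the thread, trimmed to the lines the checks read.
SAMPLE = """\
dot11 ssid CASPRIV
   vlan 2
dot11 ssid CASPUB
   vlan 10
interface Dot11Radio0
 encryption vlan 2 mode ciphers aes-ccm
 encryption vlan 10 mode ciphers aes-ccm
 ssid CASPRIV
 ssid CASPUB
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
interface FastEthernet0.2
 encapsulation dot1Q 2
 bridge-group 2
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
interface BVI1
 ip address 192.168.1.4 255.255.255.0
ip http server
no ip http secure-server
"""

# Same config with the fixes the answer describes: VLAN 2 native on both sides of the bridge
# and moved to bridge-group 1, plus HTTPS-only management (constructed variant, not from the thread).
FIXED = SAMPLE
for old, new in (
    ("interface Dot11Radio0.2\n encapsulation dot1Q 2\n bridge-group 2", "interface Dot11Radio0.2\n encapsulation dot1Q 2 native\n bridge-group 1"),
    ("interface FastEthernet0.2\n encapsulation dot1Q 2\n bridge-group 2", "interface FastEthernet0.2\n encapsulation dot1Q 2 native\n bridge-group 1"),
    ("ip http server\nno ip http secure-server", "no ip http server\nip http secure-server"),
):
    FIXED = FIXED.replace(old, new)

if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE), ("fixed", FIXED)):
        print(label, check_config(cfg, guest_ssids=("CASPUB",)) or ["OK"])
```

Run it as a script to see both verdicts, or paste the output of `show running-config` from each AP into `check_config()` with the guest SSID named. Against the second config posted above it reports a bridge-group mismatch for VLAN 2, because Dot11Radio0.2 stays in bridge-group 2 while FastEthernet0.2 moved to bridge-group 1, and it still flags the plaintext HTTP GUI, which no config in this thread turns off.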
Author Comment by Tom-J-Lael
Ok...well..I was able to accomplish what I want, but the APs are connected to the firewall itself. The correct DHCP (done by the firewall so far) is passing to the correct SSID. I'm hoping I can turn DHCP off at the firewall for VLAN 10 and let the SBS 2003 server handle DHCP for that subnet/VLAN.

My next challenge is I cannot get the trunking between the switch and the SA520 to work correctly.

The main switch for all the nodes on the private LAN (VLAN 10) is an unmanaged switch. My plan is to trunk the Cisco SG200-08p switch to the firewall, connect the unmanaged switch.

If you want me to start a new thread, I will. Otherwise, I'll create a network diagram so you can see what I'm proposing.


Here's a copy of one of my configs:




no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname WAP2
!
enable secret 5 $1$j1CJ$7IWkbgC6uFr29fWAriTOc/
!
no aaa new-model
no ip domain lookup
!
!
dot11 syslog
!
dot11 ssid CASPRIV
   vlan 10
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 107E1B101345425A5D4769
!
dot11 ssid CASPUB
   vlan 20
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 132616013B19066968
!
!
!
username Cisco password 7 0802455D0A16
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 20 mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 ssid CASPUB
 !
 mbssid
 channel 6
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 ip address 192.168.1.5 255.255.255.0
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 ip address 192.168.20.3 255.255.255.0
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
interface BVI1
 no ip address
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!

Author Closing Comment by Tom-J-Lael
Thanks for the help.

I eventually worked through all the bugs. A firmware upgrade on the firewall was the fix I was looking for. It was hard to find, but it was the last place I looked =).

I ended up dumping the PoE switch and using PoE injectors.