Solved

Help with Aironet 1130AG VLANs

Posted on 2011-09-13
790 Views
Last Modified: 2013-11-12
Hello All,

I'm having a lot of headaches setting this up, should be pretty simple, but I'm missing something, somewhere.

I have a production network of 192.168.1.0/24

I bought Aironets wanting to create a private SSID for the production network, and a public SSID for guests, and never shall the two meet.

Here's the hardware I'm working with. I'm working with a budget, hence the lower-end switch and firewall, but they claim to support VLANs.

3, Cisco 1130AG access points

1, Cisco SB SG200-08p POE Switch

1, Cisco SBPro SA520 Security Appliance.

---------------------------------------------------------------------------------------------------------------

The plan was use VLAN 1 for production network.

Create a VLAN 10 for guest/public wireless network with a subnet of 192.168.10.0/24.

On VLAN 1, DHCP for the production network will be handled by the SBS 2003 server.

DHCP on VLAN 10 for the guest network would be handled by the SA520 firewall.

Secure both

I created a VLAN 10 on the firewall, and the POE Switch.

All of the ports on the POE switch are Trunk ports, default, out of the box. The port on the Firewall that connects to the POE switch is also a trunk port.

My challenges so far are :

Cannot secure the WLANs using WPA on the Aironets if I try to put the SSID(s) on VLAN 1.

So, for testing, I created VLAN 2, and VLAN 10 , and put production SSID on VLAN 2, public SSID on VLAN 10.

Both networks were broadcasting their SSID fine, and I was able to authenticate to each respective WLAN using WPA2. Did all that from home, using the AC adapter.

Brought the AP back to the office today, powered it up by connecting to the POE switch, and none of the SSIDs were broadcasting.

Plugged in the AC adapter, and now have the SSIDs broadcasting, but DHCP is not passing through to the public SSID.

Here's my config:

Building configuration...

Current configuration : 3214 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$8ZHx$elaFgIVI7rCx10HqABl3..
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid CASPRIV
   vlan 2
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 06361D285A1C5948545451
!
dot11 ssid CASPUB
   vlan 10
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 15310A1F343F29676B
!
!
!
username Cisco password 7 032752180500
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 ssid CASPUB
 !
 mbssid
 channel 2412
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 ssid CASPUB
 !
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio1.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface BVI1
 ip address 192.168.1.4 255.255.255.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end
Question by:Tom-J-Lael
11 Comments
LVL 46

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 36531198
First thing, you need to set the native VLAN on the AP, so if you haven't already, configure the port on the switch which connects to the AP so that its native VLAN is set to either VLAN 2 or 10. Do the same on the AP.
LVL 3

Author Comment

by:Tom-J-Lael
ID: 36531915
Ok...if I set the AP's native VLAN as VLAN 2, does that mean that the other SSID that's on VLAN 10 won't get through the switch? Or vice versa?
LVL 46

Expert Comment

by:Craig Beck
ID: 36531942
No, it just means that untagged traffic will be put on VLAN 2. The switchport is probably using the default (VLAN 1), but you don't appear to have VLAN 1 in your config. This will cause traffic to drop.

If the SSIDs weren't broadcasting when you plugged the AP into a PoE switch I'd guess the AP didn't get enough power. If you look at the GUI, or console to the AP, you should see something like "Insufficient Power" (in the GUI), or IL-POWER errors (in the CLI). If this is true, try setting the AP to use Pre-Standard PoE.
LVL 3

Author Comment

by:Tom-J-Lael
ID: 36532264
ok..I'll go that route and let you know the results
LVL 3

Author Comment

by:Tom-J-Lael
ID: 36532549
Sorry...do I set the native VLAN on Fa0? BVI1? Fa0.20? All of the above, et cetera?
LVL 46

Expert Comment

by:Craig Beck
ID: 36532667
Do it on the Fa0.20, Dot11Radio0.20 and Dot11Radio1.20 interfaces...

conf t
int Dot11Radio0.20
 encapsulation dot1Q 20 native
int Dot11Radio1.20
 encapsulation dot1Q 20 native
int FastEthernet0.20
 encapsulation dot1Q 20 native
end
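Craig's native-VLAN point and the `encapsulation dot1Q ... native` commands above reduce to a handful of checks that can be run against an AP's running config before the AP goes anywhere near the switch. The script below is an added example written for this page, not code from the thread, from Cisco or from Experts Exchange. It goes a little beyond the single problem discussed here: besides a trunk with no native VLAN, it reports an SSID VLAN with no `encryption vlan` entry on the radio that carries the SSID, an SSID VLAN with no dot1Q subinterface on a trunked interface, a native subinterface that does not carry bridge-group 1 (the group BVI1 lives in), and radios and FastEthernet0 that disagree on which tag is native. The two configs inside it are constructed, condensed from the one posted above with the PSKs removed; the "after" form mirrors the shape the thread converges on.

```python
"""Lint an autonomous Cisco AP config for the VLAN mistakes this thread works through.
Added example for this page, not the thread's or Cisco's code; the configs below are
CONSTRUCTED, condensed from the one posted above (PSKs and most radio options removed)."""
import re

# Constructed "before": every SSID VLAN is tagged, but no subinterface is native.
BROKEN_CONFIG = """\
dot11 ssid CASPRIV
   vlan 2
dot11 ssid CASPUB
   vlan 10
!
interface Dot11Radio0
 encryption vlan 2 mode ciphers aes-ccm
 encryption vlan 10 mode ciphers aes-ccm
 ssid CASPRIV
 ssid CASPUB
 bridge-group 1
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
!
interface FastEthernet0
 bridge-group 1
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 bridge-group 2
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
!
"""
# Constructed "after", the shape the thread converges on: bridge-group 1 moves off the
# physical interfaces onto the VLAN 2 subinterfaces, which are marked native.
FIXED_CONFIG = BROKEN_CONFIG.replace("\n bridge-group 1\n!", "\n!").replace(
    "encapsulation dot1Q 2\n bridge-group 2", "encapsulation dot1Q 2 native\n bridge-group 1")


def parse(config):
    """Return {top-level command: [indented child lines]} for an IOS-style config."""
    blocks, current = {}, None
    for line in (raw.rstrip() for raw in config.splitlines()):
        if not line or line.strip() == "!":
            continue
        if not line.startswith(" "):      # an unindented line opens a new block
            current = blocks.setdefault(line, [])
        elif current is not None:
            current.append(line.strip())
    return blocks


def lint(config):
    """Return human-readable findings; an empty list means every check passed."""
    blocks, findings, natives = parse(config), [], {}
    ssid_vlan = {h.split()[2]: next((l.split()[1] for l in b if l.startswith("vlan ")), None)
                 for h, b in blocks.items() if h.startswith("dot11 ssid ")}
    findings += [f"SSID {n}: no 'vlan' statement" for n, v in ssid_vlan.items() if v is None]
    ifaces = {h.split()[1]: b for h, b in blocks.items() if h.startswith("interface ")}
    for phys, body in ifaces.items():
        if "." in phys or phys.startswith("BVI") or "shutdown" in body:
            continue                      # skip subinterfaces, the BVI and disabled radios
        # 1. an SSID bound to a radio needs 'encryption vlan N' for its VLAN on that radio
        enc = {l.split()[2] for l in body if l.startswith("encryption vlan ")}
        bound = {ssid_vlan[l.split()[1]] for l in body
                 if l.startswith("ssid ") and ssid_vlan.get(l.split()[1])}
        findings += [f"{phys}: an SSID here uses VLAN {v} but there is no 'encryption vlan {v}'"
                     for v in sorted(bound - enc, key=int)]
        # 2. the wired uplink must trunk every SSID VLAN; a radio those of its own SSIDs
        tags = {}                         # subinterface -> (dot1Q tag, is_native)
        for sub, sbody in ifaces.items():
            for l in (sbody if sub.startswith(phys + ".") else []):
                m = re.fullmatch(r"encapsulation dot1Q (\d+)( native)?", l)
                if m:
                    tags[sub] = (m.group(1), m.group(2) is not None)
        need = bound or {v for v in ssid_vlan.values() if v}
        findings += [f"{phys}: VLAN {v} has no dot1Q subinterface"
                     for v in sorted(need - {t for t, _ in tags.values()}, key=int)]
        # 3. one native VLAN per trunk, carrying bridge-group 1 (the group BVI1 lives in)
        native = [(sub, t) for sub, (t, is_native) in tags.items() if is_native]
        if tags and not native:
            findings.append(f"{phys}: no native VLAN; untagged frames fall onto the switch port's default VLAN")
        elif len(native) > 1:
            findings.append(f"{phys}: more than one native VLAN: " + ", ".join(s for s, _ in native))
        elif native:
            natives[phys] = native[0][1]
            if "bridge-group 1" not in ifaces[native[0][0]]:
                findings.append(f"{native[0][0]}: native VLAN {native[0][1]} should carry bridge-group 1")
    # 4. radios and the wired uplink must agree on which VLAN is native
    if len(set(natives.values())) > 1:
        findings.append("native VLAN differs across interfaces: " + ", ".join(f"{p}={t}" for p, t in natives.items()))
    return findings


if __name__ == "__main__":
    print("before:", lint(BROKEN_CONFIG) or "clean", "\nafter:", lint(FIXED_CONFIG) or "clean")
```

Run as-is, the "before" config is flagged on both Dot11Radio0 and FastEthernet0 for having no native VLAN, which is exactly the state the first answer in this thread identifies, and the "after" config comes back clean. To check a real AP, paste the output of `show running-config` into `lint()`; the parser only relies on IOS's indentation of block bodies, so the extra lines in a full config are ignored.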
LVL 3

Author Comment

by:Tom-J-Lael
ID: 36532952
Ok..I'll let you know tomorrow morning
LVL 3

Author Comment

by:Tom-J-Lael
ID: 36535743
Ok..here's my config now. I don't have a VLAN 20, so I assumed I should set the native VLAN to 2 on the 0.2 and 1.2 subinterfaces.


Building configuration...

Current configuration : 2945 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$8ZHx$elaFgIVI7rCx10HqABl3..
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid CASPRIV
   vlan 2
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 06361D285A1C5948545451
!
dot11 ssid CASPUB
   vlan 10
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 15310A1F343F29676B
!
!
!
username Cisco password 7 032752180500
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 ssid CASPUB
 !
 mbssid
 channel 2412
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 ssid CASPUB
 !
 dfs band 3 block
 channel dfs
 station-role root
!
interface Dot11Radio1.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface BVI1
 ip address 192.168.1.4 255.255.255.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end
LVL 46

Expert Comment

by:Craig Beck
ID: 36537931
That looks good - now you need to set the port on the switch where the AP connects so that its native VLAN is VLAN2 also.
LVL 3

Author Comment

by:Tom-J-Lael
ID: 36552823
Ok...well..I was able to accomplish what I want, but the APs are connected to the firewall itself. The correct DHCP (done by the firewall so far) is passing to the correct SSID. I'm hoping I can turn DHCP off at the firewall for VLAN 10 and let the SBS 2003 server handle DHCP for that subnet/VLAN.

My next challenge is I cannot get the trunking between the switch and the SA520 to work correctly.

The main switch for all the nodes on the private LAN (VLAN 10) is an unmanaged switch. My plan is to trunk the Cisco SG200-08p switch to the firewall, connect the unmanaged switch.

If you want me to start a new thread, I will. Otherwise, I'll create a network diagram so you can see what I'm proposing.


Here's a copy of one of my configs:

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname WAP2
!
enable secret 5 $1$j1CJ$7IWkbgC6uFr29fWAriTOc/
!
no aaa new-model
no ip domain lookup
!
!
dot11 syslog
!
dot11 ssid CASPRIV
   vlan 10
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 107E1B101345425A5D4769
!
dot11 ssid CASPUB
   vlan 20
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 132616013B19066968
!
!
!
username Cisco password 7 0802455D0A16
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 20 mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 ssid CASPUB
 !
 mbssid
 channel 6
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 ip address 192.168.1.5 255.255.255.0
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 ip address 192.168.20.3 255.255.255.0
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
interface BVI1
 no ip address
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!

LVL 3

Author Closing Comment

by:Tom-J-Lael
ID: 36719087
Thanks for the help.

I eventually worked through all the bugs. A firmware upgrade on the firewall was the fix I was looking for. It was hard to find, but it was the last place I looked =).

I ended up dumping the POE switch and using POE injectors.
