Problem w/ Cisco WLAN APs and VLAN bridging

Posted on 2011-10-28
Last Modified: 2013-12-09
I'm having some problems deploying a WLAN site-to-site connection. The devices used are a pair of Cisco 1242AG access points, with the 5 GHz radio used for the link (2.4 GHz is unused). I've set up these devices before for simple LAN bridging with only one (the default) VLAN, which worked fine. For this project, I need a somewhat more complex setup. I've tried several ways to get this to work, but somehow couldn't match any samples and docs to what I need ...

The central site has a VoIP server which is connected both to the data LAN (in the datacenter VLAN, and reachable from all LAN segments through a router which does inter-VLAN routing) as well as to the VOICE VLAN (I used VLAN 50). Additionally, the central site has a management VLAN (172) in which all switches, routers etc. are reachable for administration.

The remote site has one data vlan (default 1, mustn't be bridged to the VLAN 1 at the central site), which currently also contains the management IP subnet due to limitations in the current interconnection (leased line/MPLS). Additionally, we've started setting up VLAN 50 for the VOIP telephones.

In essence, I need the following:
- the data vlan should be routed to the central site via the WLAN link. If necessary or way less complicated, I could set up a new VLAN to route using the central router.
- the voice VLAN 50 should be bridged between both sites if possible, though if necessary, I might settle for routing also
- the management IPs should be routed, with remote site moved to its own management VLAN again as originally intended.
- for debugging issues, the APs should be directly reachable between each other (e.g. telnet to one, from there to the other) as well as in their management VLANs.

This type of configuration seems to be well beyond the scope of most (all?) documents I've been able to find, both on Cisco's site as well as the internet. I've originally just set up the basic connection, which worked fine, expecting to just add the appropriate features after having them on site (yeah, I'm a fool to expect that to go rather smoothly). I will be setting up a lab on Monday in order to figure out the pitfalls and bugs without risking cutting myself off the device access ... anyway, due to the limited feature samples I'm not sure whether the intended setup is even technically possible, and what I need to do to get it working ... any help or pointers to appropriate docs is appreciated!
Attachment: Concept1.png

Question by: Garry Glendown
Expert Comment by: Craig Beck (ID: 37049583)
I would make this a purely routed link.  I would never bridge a Voice VLAN.
Author Comment by: Garry Glendown (ID: 37049590)
If I wanted to do that (i.e., keep the data VLAN routed, change voice and mgmt to routed), I ran into one other problem: if I configure an IP on additional bridge groups, the AP didn't reply to any pings/telnet. It did reply to the ARP request, though. Is this just a limitation when running in combined routing/bridging mode? I do need to keep the voice VLANs separate on both sides ... will this work?
Expert Comment by: Craig Beck (ID: 37049632)
You can only have one management IP address on an Aironet bridge.  This should be on the native VLAN (or in the case of a routed link, an address on the routed subnet).

You could both route and bridge however this could cause a loop so it's best avoided.  Also you would be sending broadcast traffic over a wireless link which isn't recommended as it will reduce bandwidth.
Author Comment by: Garry Glendown (ID: 37049645)
For routed links, can I still do something like this:

int fa0.50
 encap dot1q 50
 ip add 172.30.20.1 255.255.252.0

int fa0.172
 encap dot1q 172
 ip add 172.30.2.1 255.255.255.0

and configure routes in the different LAN segments using the both IPs above as the default router?
Expert Comment by: Craig Beck (ID: 37049917)
No - routed links won't transport VLANs unless you do something like QinQ.
Author Comment by: Garry Glendown (ID: 37051111)
So you're saying I shouldn't transport VOIP via Bridging, and you're saying I can't route it either ... !? (as for my previous posting - I meant just receiving the data from multiple VLANs, then forward via the WLAN link over a joint default VLAN link, then transmit on the other side again via dual VLANs ...)
Accepted Solution by: Craig Beck (earned 800 total points; ID: 37052988)
Apologies if I didn't understand your last comment (37049645), I thought you were asking if you could do that over the wireless link.  I'm not saying you can't (or shouldn't) transport VoIP over a wireless link - only that if you want to do it you don't want unnecessary traffic from consuming the bandwidth.  As you know that will be bad for VoIP.

The config snippet you posted looks to me like you still want to transport 2 VLANs over the wireless link (as per the subinterfaces)? However, if you create a routed link you won't be doing that - you will have an access or L3 port at each end of the wireless link, which will be point-to-point effectively. Apologies again, but I am a little confused as to where you are applying the subinterfaces, as you don't have any routers in the diagram and switches don't use subinterfaces (only SVIs).

You would need a router or layer3 switch at each end of the wireless link to enable you to do this properly.
Author Comment by: Garry Glendown (ID: 37053083)
Well, for the central side, that wouldn't be a problem, there's a 2800 currently, and the Nexus 5500 will get its L3 card soon, taking care of the routing ... the remote end only has L2 switches (central 2960S stack), so no real L3 at the moment.

Guess the best thing for now is to bridge the Voice VLAN as planned, and move the data VLAN to a new VLAN ID instead of native untagged, terminating that on the central router as default GW. As the site had previously used a 2M link, and the bandwidth requirements for the applications aren't really that high (RDP/Citrix mainly), it should be good even with the unwanted broadcast traffic ... especially as the wireless link is only ~1/2mi distance and the full 54mbit (probably around 20-22 mbit effective rate)
Expert Comment by: Craig Beck (ID: 37055212)
That sounds like a good plan until you get proper routing in place.

Just remember with the link though, the speed may be 54Mbit whilst there's nothing going over it, but under heavy load that might reduce.
Author Comment by: Garry Glendown (ID: 37056295)
OK, I'm out of ideas ...

I've started with two APs this morning, clean config. Set them up with regular point-to-point bridging without VLANs. Worked fine. Started putting the additional VLANs on it, and even though I can't see any differences to the sample configs provided by Cisco's website (e.g. this document), the wireless link does not come up, with the non-root bridge complaining:

*Mar  1 05:21:39.849: %DOT11-4-CANT_ASSOC: Interface Dot11Radio1, cannot associate: No Response
*Mar  1 05:21:41.849: %DOT11-4-CANT_ASSOC: Interface Dot11Radio1, cannot associate: Rcvd response from 40f4.ec56.bd00 channel 116 89562

The Mac address is the one from the root bridge ... what am I missing here? Did I overlook something, or does the document from Cisco not mention something important?

Here's the configs from the two APs:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap-central
!
logging rate-limit console 9
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
!
dot11 syslog
dot11 vlan-name DATA vlan 22
dot11 vlan-name MGMT vlan 172
dot11 vlan-name VOIP vlan 50
!
dot11 ssid LL-WL-5G
   vlan 1
   authentication open
   authentication key-management wpa version 2
   infrastructure-ssid
   wpa-psk ascii 7 071B245F5A1D1C1603060E1F10
!
!
!
username [..]
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid LL-WL-5G
 !
 antenna gain 0
 no dfs band block
 speed  basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 channel dfs
 station-role root bridge
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
!
interface Dot11Radio1.22
 encapsulation dot1Q 22
 no ip route-cache
 bridge-group 22
 bridge-group 22 spanning-disabled
!
interface Dot11Radio1.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 50
 bridge-group 50 spanning-disabled
!
interface Dot11Radio1.172
 encapsulation dot1Q 172
 no ip route-cache
 bridge-group 172
 bridge-group 172 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
!
interface GigabitEthernet0.22
 encapsulation dot1Q 22
 no ip route-cache
 bridge-group 22
 bridge-group 22 spanning-disabled
!
interface GigabitEthernet0.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 50
 bridge-group 50 spanning-disabled
!
interface GigabitEthernet0.172
 encapsulation dot1Q 172
 no ip route-cache
 bridge-group 172
 bridge-group 172 spanning-disabled
!
interface BVI1
 ip address 172.16.90.100 255.255.0.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap-remote
!
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
ip domain name nethinks.com
ip name-server 212.218.212.3
!
!
dot11 syslog
dot11 vlan-name DATA vlan 22
dot11 vlan-name MGMT vlan 172
dot11 vlan-name VOIP vlan 50
!
dot11 ssid LL-WL-5G
   vlan 1
   authentication open
   authentication key-management wpa version 2
   infrastructure-ssid
   wpa-psk ascii 7 03105E18121B245F5A1D1C1603
!
!
!
username nethinks privilege 15 secret 5 xxx
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid LL-WL-5G
 !
 antenna gain 0
 speed  basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 station-role non-root bridge
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.22
 encapsulation dot1Q 22
 no ip route-cache
 bridge-group 22
 bridge-group 22 spanning-disabled
!
interface Dot11Radio1.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 50
 bridge-group 50 spanning-disabled
!
interface Dot11Radio1.172
 encapsulation dot1Q 172
 no ip route-cache
 bridge-group 172
 bridge-group 172 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.22
 encapsulation dot1Q 22
 no ip route-cache
 bridge-group 22
 bridge-group 22 spanning-disabled
!
interface GigabitEthernet0.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 50
 bridge-group 50 spanning-disabled
!
interface GigabitEthernet0.172
 encapsulation dot1Q 172
 no ip route-cache
 bridge-group 172
 bridge-group 172 spanning-disabled
!
interface BVI1
 ip address 172.16.90.101 255.255.0.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip

Assisted Solution by: Garry Glendown (earned 0 total points; ID: 37056444)
OK, answering myself ... while the rest of the docs were pretty much OK, one "optional" parameter wasn't quite so optional ... the line "encryption vlan 50 mode ciphers  aes-ccm tkip" has to be extended by the VLAN used ... once I added the "vlan 1" to that line, the connection came up at once .. correctly bridging the VLANs I had already configured ...
Wondering, do I need to configure that for every VLAN I bridge via the link? One of the docs seemed to state that only the native VLAN needed the encryption, that the rest would automatically be encrypted ...
Author Comment by: Garry Glendown (ID: 37056451)
(meant " encryption mode ciphers aes-ccm tkip" had to get the "vlan" option added ... copy&paste error)
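The fix the author arrived at (the `encryption ... mode ciphers` line on the radio needs the `vlan` keyword when the SSID is bound to a VLAN) is easy to miss in a long config, and the posted configs also carry three things a security reviewer would flag: TKIP in the cipher list, management over `ip http server` with the secure server disabled, and a `wpa-psk ascii 7 ...` line, where type 7 is reversible obfuscation rather than encryption. The following lint is an added example, not code from the thread or from Cisco; it parses an autonomous-AP config in the shape posted above and reports those four items. The sample config, its management address and its PSK are constructed (the PSK is the word "cisco" in type-7 form). The check that every VLAN-bound SSID needs a matching `encryption vlan N` line generalises the author's finding for the SSID's own VLAN; whether other bridged VLANs need their own line is the author's open question, and the lint makes no claim about it.

```python
import re

# Cisco's fixed type-7 XOR key. Type 7 is reversible obfuscation, not encryption:
# a "7"-encoded wpa-psk or password in a posted config is plaintext-equivalent.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(enc):
    """Reverse a type-7 string: two-digit seed, then hex bytes XORed with the key."""
    seed = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data)).decode()


def parse_blocks(config):
    """Split an IOS-style config into (top-level lines, {header: [indented lines]})."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if not raw[0].isspace():
            current = text
            top.append(text)
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(text)
    return top, blocks


def audit(config):
    """Return a list of findings for an autonomous-AP bridge config."""
    top, blocks = parse_blocks(config)
    findings = []

    # SSID name -> VLAN it is bound to (dot11 ssid NAME / vlan N).
    ssid_vlan = {}
    for header, body in blocks.items():
        m = re.match(r"dot11 ssid (\S+)$", header)
        if m:
            for line in body:
                v = re.match(r"vlan (\d+)$", line)
                if v:
                    ssid_vlan[m.group(1)] = v.group(1)

    for header, body in blocks.items():
        if not header.startswith("interface Dot11Radio"):
            continue
        iface = header.split()[1]
        enc_vlans = set()  # VLAN ids named on encryption lines; None = no vlan keyword
        for line in body:
            m = re.match(r"encryption(?: vlan (\d+))? mode ciphers (.+)$", line)
            if m:
                enc_vlans.add(m.group(1))
                if "tkip" in m.group(2).split():
                    findings.append(f"{iface}: TKIP in cipher list ({m.group(2)}); use aes-ccm only")
        for line in body:
            m = re.match(r"ssid (\S+)$", line)
            if m and m.group(1) in ssid_vlan:
                vlan = ssid_vlan[m.group(1)]
                if vlan not in enc_vlans:
                    # The pitfall from this thread: VLAN-bound SSID, but the cipher
                    # line has no 'vlan N' keyword, so the bridge never associates.
                    findings.append(f"{iface}: ssid {m.group(1)} is bound to vlan {vlan} "
                                    f"but has no 'encryption vlan {vlan} mode ciphers' line")

    if "ip http server" in top and "no ip http secure-server" in top:
        findings.append("management over cleartext HTTP (ip http server) with HTTPS disabled")

    for line in top + [l for body in blocks.values() for l in body]:
        m = re.search(r"\b7 ([0-9A-Fa-f]{4,})$", line)
        if m:
            findings.append(f"type-7 secret on '{line.split()[0]}' line is reversible: "
                            f"{type7_decode(m.group(1))!r}")
    return findings


# Constructed sample in the shape of the root-bridge config posted in this thread
# (address and PSK are constructed; the PSK is "cisco" in type-7 form).
SAMPLE_BROKEN = """\
dot11 ssid LL-WL-5G
   vlan 1
   authentication open
   authentication key-management wpa version 2
   infrastructure-ssid
   wpa-psk ascii 7 0822455D0A16
!
interface Dot11Radio1
 encryption mode ciphers aes-ccm tkip
 ssid LL-WL-5G
 station-role root bridge
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface BVI1
 ip address 192.0.2.100 255.255.255.0
!
ip http server
no ip http secure-server
bridge 1 route ip
"""

# The same config with the author's fix applied and TKIP dropped.
SAMPLE_FIXED = SAMPLE_BROKEN.replace(
    " encryption mode ciphers aes-ccm tkip", " encryption vlan 1 mode ciphers aes-ccm")

if __name__ == "__main__":
    for label, cfg in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(f"== {label} ==")
        for finding in audit(cfg):
            print(" -", finding)
```

Run against the broken sample it reports all four items; against the fixed sample only the HTTP and type-7 findings remain, which is the point: the association failure goes away with the `vlan 1` keyword, but a config that is shared for troubleshooting still leaks its PSK unless the `7`-encoded line is redacted the way the `enable secret` was.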
Author Closing Comment by: Garry Glendown (ID: 37105803)
Thanks, finally did manage to work out the quirks of the "official" docs, need to keep the caveats in mind ;)