Garry Glendown asked:
Problem w/ Cisco WLAN APs and VLAN bridging

I'm having some problems deploying a WLAN site-to-site connection. The devices used are a pair of Cisco 1242AG access points, with the 5 GHz radio used for the link (2.4 GHz is unused). I've set up these devices before for simple LAN bridging with only one (the default) VLAN, which worked fine. For this project, I need a somewhat more complex setup. I've tried several ways to get this to work, but somehow couldn't match any samples and docs to what I need ...

The central site has a VoIP server which is connected both to the data LAN (in the datacenter VLAN, and reachable from all LAN segments through a router which does Inter-VLAN routing) as well as to the VOICE VLAN (I used VLAN 50). Additionally, the central site has a management VLAN (172) in which all switches, routers etc. are reachable for administration.

The remote site has one data vlan (default 1, mustn't be bridged to the VLAN 1 at the central site), which currently also contains the management IP subnet due to limitations in the current interconnection (leased line/MPLS). Additionally, we've started setting up VLAN 50 for the VOIP telephones.

In essence, I need the following:
- the data vlan should be routed to the central site via the WLAN link. If necessary or way less complicated, I could set up a new VLAN to route using the central router.
- the voice VLAN 50 should be bridged between both sites if possible, though if necessary, I might settle for routing also
- the management IPs should be routed, with remote site moved to its own management VLAN again as originally intended.
- for debugging issues, the APs should be directly reachable between each other (e.g. telnet to one, from there to the other) as well as in their management VLANs.

This type of configuration seems to be well beyond the scope of most (all?) documents I've been able to find, both on Cisco's site as well as the internet. I've originally just set up the basic connection, which worked fine, expecting to just add the appropriate features after having them on site (yeah, I'm a fool to expect that to go rather smoothly). I will be setting up a lab on Monday in order to figure out the pitfalls and bugs without risking cutting myself off the device access ... anyway, due to the limited feature samples I'm not sure whether the intended setup is even technically possible, and what I need to do to get it working ... any help or pointers to appropriate docs is appreciated!
[Attachment: Concept1.png]

Craig Beck:

I would make this a purely routed link.  I would never bridge a Voice VLAN.
Garry Glendown (asker):

If I wanted to do that (i.e., keep the data vlan routed, change voice and mgmt to routed), I ran into one other problem - if I configure an IP on additional bridge groups, the AP didn't reply to any pings/telnet. It did reply to the arp request, though. Is this just a limitation when running in combined routing/bridging mode? I do need to keep the voice VLANs separate on both sides ... will this work?
You can only have one management IP address on an Aironet bridge.  This should be on the native VLAN (or in the case of a routed link, an address on the routed subnet).

You could both route and bridge however this could cause a loop so it's best avoided.  Also you would be sending broadcast traffic over a wireless link which isn't recommended as it will reduce bandwidth.
For routed links, can I still do something like this:

int fa0.50
 encap dot1q 50
 ip add 172.30.20.1 255.255.252.0

int fa0.172
 encap dot1q 172
 ip add 172.30.2.1 255.255.255.0

and configure routes in the different LAN segments using the both IPs above as the default router?
No - routed links won't transport VLANs unless you do something like QinQ.
So you're saying I shouldn't transport VOIP via Bridging, and you're saying I can't route it either ... !? (as for my previous posting - I meant just receiving the data from multiple VLANs, then forward via the WLAN link over a joint default VLAN link, then transmit on the other side again via dual VLANs ...)
ASKER CERTIFIED SOLUTION
Craig Beck
This solution is only available to members.
Well, for the central side, that wouldn't be a problem, there's a 2800 currently, and the Nexus 5500 will get its L3 card soon, taking care of the routing ... the remote end only has L2 switches (a central 2960S stack), so no real L3 at the moment.

Guess the best thing for now is to bridge the Voice VLAN as planned, and move the data VLAN to a new VLAN ID instead of native untagged, terminating that on the central router as default GW. As the site had previously used a 2M link, and the bandwidth requirements for the applications aren't really that high (RDP/Citrix mainly), it should be good even with the unwanted broadcast traffic ... especially as the wireless link is only ~1/2 mi distance and the full 54 Mbit/s (probably around 20-22 Mbit/s effective rate).
That sounds like a good plan until you get proper routing in place.

Just remember with the link though, the speed may be 54 Mbit/s whilst there's nothing going over it, but under heavy load that might reduce.
OK, I'm out of ideas ...

I've started with two APs this morning, clean config. Set them up with regular point-to-point bridging without VLANs. Worked fine. Started putting the additional VLANs on it, and even though I can't see any differences to the sample configs provided by Cisco website (e.g. this document), the wireless link does not come up, with the non-root bridge complaining:

*Mar  1 05:21:39.849: %DOT11-4-CANT_ASSOC: Interface Dot11Radio1, cannot associate: No Response
*Mar  1 05:21:41.849: %DOT11-4-CANT_ASSOC: Interface Dot11Radio1, cannot associate: Rcvd response from 40f4.ec56.bd00 channel 116 89562

The MAC address is the one from the root bridge ... what am I missing here? Did I overlook something, or does the document from Cisco not mention something important?

Here's the configs from the two APs:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap-central
!
logging rate-limit console 9
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
!
dot11 syslog
dot11 vlan-name DATA vlan 22
dot11 vlan-name MGMT vlan 172
dot11 vlan-name VOIP vlan 50
!
dot11 ssid LL-WL-5G
   vlan 1
   authentication open
   authentication key-management wpa version 2
   infrastructure-ssid
   wpa-psk ascii 7 071B245F5A1D1C1603060E1F10
!
!
!
username [..]
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid LL-WL-5G
 !
 antenna gain 0
 no dfs band block
 speed  basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 channel dfs
 station-role root bridge
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
!
interface Dot11Radio1.22
 encapsulation dot1Q 22
 no ip route-cache
 bridge-group 22
 bridge-group 22 spanning-disabled
!
interface Dot11Radio1.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 50
 bridge-group 50 spanning-disabled
!
interface Dot11Radio1.172
 encapsulation dot1Q 172
 no ip route-cache
 bridge-group 172
 bridge-group 172 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
!
interface GigabitEthernet0.22
 encapsulation dot1Q 22
 no ip route-cache
 bridge-group 22
 bridge-group 22 spanning-disabled
!
interface GigabitEthernet0.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 50
 bridge-group 50 spanning-disabled
!
interface GigabitEthernet0.172
 encapsulation dot1Q 172
 no ip route-cache
 bridge-group 172
 bridge-group 172 spanning-disabled
!
interface BVI1
 ip address 172.16.90.100 255.255.0.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap-remote
!
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
ip domain name nethinks.com
ip name-server 212.218.212.3
!
!
dot11 syslog
dot11 vlan-name DATA vlan 22
dot11 vlan-name MGMT vlan 172
dot11 vlan-name VOIP vlan 50
!
dot11 ssid LL-WL-5G
   vlan 1
   authentication open
   authentication key-management wpa version 2
   infrastructure-ssid
   wpa-psk ascii 7 03105E18121B245F5A1D1C1603
!
!
!
username nethinks privilege 15 secret 5 xxx
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm tkip
 !
 ssid LL-WL-5G
 !
 antenna gain 0
 speed  basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 station-role non-root bridge
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.22
 encapsulation dot1Q 22
 no ip route-cache
 bridge-group 22
 bridge-group 22 spanning-disabled
!
interface Dot11Radio1.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 50
 bridge-group 50 spanning-disabled
!
interface Dot11Radio1.172
 encapsulation dot1Q 172
 no ip route-cache
 bridge-group 172
 bridge-group 172 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.22
 encapsulation dot1Q 22
 no ip route-cache
 bridge-group 22
 bridge-group 22 spanning-disabled
!
interface GigabitEthernet0.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 50
 bridge-group 50 spanning-disabled
!
interface GigabitEthernet0.172
 encapsulation dot1Q 172
 no ip route-cache
 bridge-group 172
 bridge-group 172 spanning-disabled
!
interface BVI1
 ip address 172.16.90.101 255.255.0.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip

SOLUTION
This solution is only available to members.
(meant " encryption mode ciphers aes-ccm tkip" had to get the "vlan" option added ... copy&paste error)
Thanks, finally did manage to work out the quirks of the "official" docs, need to keep the caveats in mind ;)
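Added example (not code from the thread, from Cisco, or from either participant): a small Python lint that reads an Aironet IOS configuration and checks for the three things this thread turned on, from a defender's point of view. First, the pitfall the asker confirms in the follow-up above: once an SSID is mapped to a VLAN, the radio needs a per-VLAN `encryption vlan N mode ciphers ...` line, and a bare `encryption mode ciphers ...` does not cover it. Second, a bridge-group that has a member subinterface on only one side of the AP (radio or wired), which leaves that VLAN stranded at the AP. Third, a management plane exposed over cleartext HTTP with HTTPS switched off, as in the posted configs. `SAMPLE_CONFIG`, `parse_sections` and `lint` are my own names; the config excerpt is constructed and modelled on the posted ap-central config, with the PSK replaced by a placeholder.

```python
"""Lint an Aironet (IOS 12.4) bridge config for the pitfalls discussed in this thread.
Constructed example; the excerpt, names and checks are the editor's, not the thread's."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the posted ap-central config (PSK is a placeholder).
# It deliberately reproduces the state the asker reported as "cannot associate".
SAMPLE_CONFIG = """\
dot11 ssid LL-WL-5G
   vlan 1
   authentication open
   authentication key-management wpa version 2
   infrastructure-ssid
   wpa-psk ascii 7 PLACEHOLDER
!
interface Dot11Radio1
 encryption mode ciphers aes-ccm tkip
 ssid LL-WL-5G
 station-role root bridge
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface GigabitEthernet0.172
 encapsulation dot1Q 172
 bridge-group 172
!
ip http server
no ip http secure-server
"""


def parse_sections(text):
    """Map each column-0 config line to its indented child lines ('!' separators dropped)."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def lint(text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    sections = parse_sections(text)
    findings = []

    # SSID -> VLAN mappings from the global 'dot11 ssid' blocks.
    ssid_vlan = {}
    for header, body in sections.items():
        m = re.match(r"dot11 ssid (\S+)$", header)
        if m:
            for line in body:
                v = re.match(r"vlan (\d+)$", line)
                if v:
                    ssid_vlan[m.group(1)] = int(v.group(1))

    # Check 1: a VLAN-mapped SSID bound to a radio needs 'encryption vlan N mode ciphers ...';
    # a bare 'encryption mode ...' line does not apply to that VLAN.
    for header, body in sections.items():
        if not re.match(r"interface Dot11Radio\d+$", header):
            continue
        enc_vlans = {int(m.group(1)) for m in
                     (re.match(r"encryption vlan (\d+) mode", ln) for ln in body) if m}
        for line in body:
            s = re.match(r"ssid (\S+)$", line)
            if s and s.group(1) in ssid_vlan:
                vlan = ssid_vlan[s.group(1)]
                if vlan not in enc_vlans:
                    findings.append(f"{header}: SSID {s.group(1)} is mapped to VLAN {vlan} "
                                    f"but has no 'encryption vlan {vlan} mode ciphers ...' line")

    # Check 2: every bridge-group needs a member subinterface on both the radio and the
    # wired side; otherwise that VLAN stops at the AP instead of crossing the link.
    members = defaultdict(set)
    for header, body in sections.items():
        m = re.match(r"interface (Dot11Radio|GigabitEthernet|FastEthernet)\d+\.\d+$", header)
        if not m:
            continue
        side = "radio" if m.group(1) == "Dot11Radio" else "wired"
        for line in body:
            b = re.match(r"bridge-group (\d+)$", line)
            if b:
                members[int(b.group(1))].add(side)
    for group in sorted(members):
        for side in sorted({"radio", "wired"} - members[group]):
            findings.append(f"bridge-group {group}: no {side} subinterface member")

    # Check 3: management plane reachable over cleartext HTTP with HTTPS switched off.
    if "ip http server" in sections and "no ip http secure-server" in sections:
        findings.append("management: 'ip http server' enabled while 'ip http secure-server' is disabled")
    return findings
```

Running `lint(SAMPLE_CONFIG)` reports the missing `encryption vlan 1` line, the one-sided bridge-group 172 and the HTTP/HTTPS finding; adding `encryption vlan 1 mode ciphers aes-ccm tkip`, a matching `Dot11Radio1.172` subinterface and `ip http secure-server` brings the list to empty. The parser relies only on IOS's column-0/indented layout, so the same checks can be run over a config pulled from `show running-config` before the change window rather than on the lab bench.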