Yann Shukor
asked on
Aironet Wifi clients not getting IP addresses from Cisco router DHCP
Hi,
I have just reconfigured a client's Cisco Aironet 1231 access points (from scratch, because we didn't have any passwords).
The network is composed of a Cisco 1841 router and a Catalyst 2960 switch.
Both were set up to manage two VLANs (Admin (1) and Clients (2))... I'm not sure why this is necessary, but I'll assume that it is to keep the clients out of the network management sphere.
I have tried to rebuild a configuration with all this in mind.
I haven't altered any functional parameters on the 1841 or the 2960, I just reset their passwords.
I have created a VLAN 1 in native mode and a VLAN 2.
If I associate the client SSID with VLAN 1, the clients obtain an IP address from the admin subnet.
When associated with VLAN 2, the clients don't get any IP addresses.
Aironet 1231:
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap1
!
enable secret 5 XXXXXXXXXXXXXXXXXX
!
ip subnet-zero
ip domain name xxxxxxxxxxxxxxx.wifi
!
!
no aaa new-model
dot11 vlan-name admin vlan 1
dot11 vlan-name hotspot vlan 2
!
dot11 ssid ADMIN
vlan 1
authentication open
!
dot11 ssid CLIENTS
vlan 2
authentication open
guest-mode
ip redirection host xxx.xxx.xxx.xxx
!
!
!
username xxxxxxxx privilege 15 password 7 XXXXXXXXXXXXXX
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
ssid ADMIN
!
ssid CLIENTS
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root access-point
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
hold-queue 160 in
!
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
!
interface BVI1
ip address xxx.xxx.xxx.xxx 255.255.255.224
no ip route-cache
!
ip default-gateway xxx.xxx.xxx.xxx
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
!
end
Router 1841:
!
! Last configuration change at 11:21:56 MET Mon Feb 26 2018
!
version 12.4
no service pad
service timestamps debug datetime msec localtime year
service timestamps log datetime msec localtime year
service password-encryption
!
hostname xxxxxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 32000
enable secret 5 xxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius ssg-proxy
server xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813
!
aaa accounting suppress null-username
aaa accounting network DHCP start-stop group ssg-proxy
aaa accounting system default start-stop group ssg-proxy
!
!
aaa session-id common
clock timezone MET 1
clock summer-time MET recurring last Sun Mar 2:00 last Sun Oct 3:00
dot11 syslog
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp binding cleanup interval 10
ip dhcp bootp ignore
no ip dhcp conflict logging
ip dhcp excluded-address 10.62.161.1
!
ip dhcp pool hotspot_vlan2
network 10.62.161.0 255.255.255.128
default-router 10.62.161.1
dns-server 80.10.46.232
domain-name xxxxxxxxxxxxxxx.com
lease 0 0 30
update arp
accounting DHCP
!
!
no ip bootp server
no ip domain lookup
ip domain name xxxxxxxxxxxxx.wifi
multilink bundle-name authenticated
!
!
!
!
username xxxxxxxxxx password 7 xxxxxxxxxxxxxxxxxx
archive
log config
hidekeys
!
!
ip ssh version 2
ip rcmd rcp-enable
ip rcmd rsh-enable
ip rcmd remote-host admWifi xxx.xxx.xxx.xxx admWifi enable
ip rcmd remote-host admWifi xxx.xxx.xxx.xxx admWifi enable
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
description Hotspot
no ip address
speed 100
full-duplex
no cdp enable
!
interface FastEthernet0/0.1
description vlan admin
encapsulation dot1Q 1 native
ip address 172.20.62.33 255.255.255.224
no ip redirects
no ip unreachables
no cdp enable
!
interface FastEthernet0/0.2
description vlan hotspot
encapsulation dot1Q 2
ip address 10.62.161.1 255.255.255.128
ip access-group 110 in
no ip redirects
no ip unreachables
no cdp enable
arp authorized
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
snmp trap link-status
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/1/0.1 point-to-point
snmp trap link-status
pvc 8/35
oam-pvc manage
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface Dialer1
ip address negotiated
no ip redirects
no ip unreachables
ip mtu 1492
ip load-sharing per-packet
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxxxxxx
!
interface Dialer2
ip address negotiated
no ip redirects
no ip unreachables
ip mtu 1492
ip load-sharing per-packet
encapsulation ppp
no ip mroute-cache
dialer pool 2
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
!
no ip http server
no ip http secure-server
!
ip radius source-interface FastEthernet0/0.1
access-list 10 permit xxx.xxx.xxx.xxx
access-list 10 permit xxx.xxx.xxx.xxx
access-list 10 permit xxx.xxx.xxx.xxx
access-list 10 permit xxx.xxx.xxx.xxx
access-list 10 deny any
access-list 20 permit xxx.xxx.xxx.xxx
access-list 20 permit xxx.xxx.xxx.xxx
access-list 20 permit xxx.xxx.xxx.xxx
access-list 20 permit xxx.xxx.xxx.xxx
access-list 20 permit xxx.xxx.xxx.xxx
access-list 20 permit xxx.xxx.xxx.xxx
access-list 20 deny any
access-list 110 remark controle flux hotspot
access-list 110 remark autorisation DISCOVER DHCP
access-list 110 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
access-list 110 remark autorisation RENEW DHCP
access-list 110 permit udp 10.0.0.0 0.255.255.255 eq bootpc 10.0.0.0 0.255.255.255 eq bootps
access-list 110 permit udp 172.16.0.0 0.15.255.255 eq bootpc 172.16.0.0 0.15.255.255 eq bootps
access-list 110 remark deny vers @IP RFC1918
access-list 110 deny ip any 10.0.0.0 0.255.255.255
access-list 110 deny ip any 172.16.0.0 0.15.255.255
access-list 110 deny ip any 192.168.0.0 0.0.255.255
access-list 110 remark deny vers @IP Loopback
access-list 110 deny ip any 127.0.0.0 0.255.255.255
access-list 110 remark flux clients depuis @IP privees
access-list 110 permit ip 10.0.0.0 0.255.255.255 any
access-list 110 permit ip 172.16.0.0 0.15.255.255 any
access-list 110 remark deny pour log
access-list 110 deny ip any any
dialer-list 2 protocol ip permit
snmp-server community wlanread RO 20
snmp-server community wlanwrite RW 20
snmp-server ifindex persist
snmp-server location xxxxxxxxxxxxxx
snmp-server contact "Version 30"
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps atm subif
snmp-server enable traps cnpd
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps rsvp
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server host xxx.xxx.xxx.xxx public
snmp-server host xxx.xxx.xxx.xxx public
!
radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxx
radius-server timeout 1
radius-server deadtime 1
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
line con 0
exec-timeout 5 0
line aux 0
line vty 0 4
exec-timeout 5 0
transport input telnet ssh
transport output none
escape-character 5
!
scheduler allocate 20000 1000
ntp clock-period 17178360
ntp server xxx.xxx.xxx.xxx
ntp server xxx.xxx.xxx.xxx prefer
end
Catalyst 2960:
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname xxxxxxxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
username xxxxxxxx password 7 xxxxxxxxxxxxxxxxxx
no aaa new-model
clock timezone MET 1
clock summer-time MET recurring last Sun Mar 2:00 last Sun Oct 3:00
system mtu routing 1500
ip subnet-zero
!
!
no ip domain-lookup
ip domain-name xxxxxxxxxxxxx.wifi
!
!
!
!
!
!
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip rcmd rcp-enable
ip rcmd rsh-enable
ip rcmd remote-host admWifi xxx.xxx.xxx.xxx admWifi enable
ip rcmd remote-host admWifi xxx.xxx.xxx.xxx admWifi enable
!
!
interface FastEthernet0/1
description AP1
switchport trunk allowed vlan 1,2
switchport mode trunk
speed 100
duplex full
no cdp enable
!
interface FastEthernet0/2
description AP2
switchport trunk allowed vlan 1,2
switchport mode trunk
switchport protected
speed 100
duplex full
!
interface FastEthernet0/3
description AP3
switchport trunk allowed vlan 1,2
switchport mode trunk
switchport protected
speed 100
duplex full
!
interface FastEthernet0/4
description AP4
switchport trunk allowed vlan 1,2
switchport mode trunk
switchport protected
speed 100
duplex full
!
interface FastEthernet0/5
description AP5
switchport trunk allowed vlan 1,2
switchport mode trunk
switchport protected
speed 100
duplex full
!
interface FastEthernet0/6
description AP
switchport trunk allowed vlan 1,2
switchport mode trunk
switchport protected
speed 100
duplex full
!
interface FastEthernet0/7
description AP7
switchport trunk allowed vlan 1,2
switchport mode trunk
switchport protected
speed 100
duplex full
!
interface FastEthernet0/8
description AP8
switchport trunk allowed vlan 1,2
switchport mode trunk
switchport protected
speed 100
duplex full
!
interface FastEthernet0/9
description AP9
switchport trunk allowed vlan 1,2
switchport mode trunk
switchport protected
speed 100
duplex full
!
interface FastEthernet0/10
description AP10
switchport trunk allowed vlan 1,2
switchport mode trunk
switchport protected
speed 100
duplex full
!
interface FastEthernet0/11
description AP11
switchport trunk allowed vlan 1,2
switchport mode trunk
switchport protected
speed 100
duplex full
!
interface FastEthernet0/12
description AP12
switchport trunk allowed vlan 1,2
switchport mode trunk
switchport protected
speed 100
duplex full
!
interface FastEthernet0/13
shutdown
speed 100
duplex full
no cdp enable
!
interface FastEthernet0/14
shutdown
speed 100
duplex full
no cdp enable
!
interface FastEthernet0/15
shutdown
speed 100
duplex full
no cdp enable
!
interface FastEthernet0/16
shutdown
speed 100
duplex full
no cdp enable
!
interface FastEthernet0/17
shutdown
speed 100
duplex full
no cdp enable
!
interface FastEthernet0/18
shutdown
speed 100
duplex full
no cdp enable
!
interface FastEthernet0/19
shutdown
speed 100
duplex full
no cdp enable
!
interface FastEthernet0/20
shutdown
speed 100
duplex full
no cdp enable
!
interface FastEthernet0/21
shutdown
speed 100
duplex full
no cdp enable
!
interface FastEthernet0/22
shutdown
speed 100
duplex full
no cdp enable
!
interface FastEthernet0/23
shutdown
speed 100
duplex full
no cdp enable
!
interface FastEthernet0/24
shutdown
speed 100
duplex full
no cdp enable
!
interface GigabitEthernet0/1
description routeur
switchport trunk allowed vlan 1,2
switchport mode trunk
media-type rj45
speed 100
duplex full
no cdp enable
!
interface GigabitEthernet0/2
shutdown
!
interface Vlan1
ip address 172.20.62.34 255.255.255.224
no ip route-cache
shutdown
!
ip default-gateway 172.20.62.33
no ip http server
no ip http secure-server
access-list 3 remark Controle acces admin
access-list 3 permit xxx.xxx.xxx.xxx 0.0.0.255
access-list 3 deny any
access-list 20 remark Controle acces SNMP
access-list 20 permit xxx.xxx.xxx.xxx 0.0.0.7
access-list 20 permit xxx.xxx.xxx.xxx 0.0.0.15
access-list 20 permit xxx.xxx.xxx.xxx 0.0.0.15
access-list 20 deny any
snmp-server community wlanread RO 20
snmp-server community wlanwrite RW 20
snmp-server location xxxxxxxxxxx
snmp-server contact "Version 30"
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps cluster
snmp-server enable traps entity
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature
snmp-server enable traps config
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host xxx.xxx.xxx.xxx public
snmp-server host xxx.xxx.xxx.xxx public
!
control-plane
!
line con 0
exec-timeout 5 0
login local
line vty 0 4
access-class 3 in
exec-timeout 5 0
login local
transport input telnet ssh
transport output none
escape-character 5
line vty 5 15
login
!
ntp clock-period 36028930
ntp server 10.163.123.6
ntp server 10.163.123.5 prefer
end
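The three configs above can be checked mechanically for the things that usually break DHCP on a tagged VLAN: the AP's radio and wired subinterfaces for the VLAN must sit in the same bridge-group, every trunk on the path must carry the tag, and the router's dot1Q subinterface must describe the same subnet and gateway as the DHCP pool. The script below is an added example written for this page, not something from the thread or from Cisco; it works on excerpts copied from the posted configs (trimmed to the relevant lines, `!` separators dropped) and returns an empty list when the path is consistent. Run against VLAN 2 it returns no findings, so tagging can be ruled out and attention moves to what the router does with the frames it receives on Fa0/0.2.

```python
"""Check the VLAN path AP -> switch -> router for tag and DHCP pool consistency.
Added example for this thread; excerpts are copied from the posted configs."""
from __future__ import annotations

import ipaddress
import re

AP_CFG = """\
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface FastEthernet0.2
 encapsulation dot1Q 2
 bridge-group 2
"""
SWITCH_CFG = """\
interface FastEthernet0/1
 description AP1
 switchport trunk allowed vlan 1,2
 switchport mode trunk
interface GigabitEthernet0/1
 description routeur
 switchport trunk allowed vlan 1,2
 switchport mode trunk
"""
ROUTER_CFG = """\
ip dhcp pool hotspot_vlan2
 network 10.62.161.0 255.255.255.128
 default-router 10.62.161.1
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 172.20.62.33 255.255.255.224
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 10.62.161.1 255.255.255.128
"""


def sections(cfg: str) -> dict[str, list[str]]:
    """Split IOS config text into {top-level line: [its indented sub-lines]}."""
    out: dict[str, list[str]] = {}
    cur = None
    for line in cfg.splitlines():
        if line.startswith("!"):
            continue
        if line and not line.startswith(" "):
            cur = line.strip()
            out[cur] = []
        elif cur is not None and line.strip():
            out[cur].append(line.strip())
    return out


def expand_vlans(spec: str) -> set[int]:
    """'1,2,10-12' -> {1, 2, 10, 11, 12} (switchport trunk allowed vlan syntax)."""
    vlans: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def check_vlan_path(vlan: int, ap_cfg: str, switch_cfg: str, router_cfg: str) -> list[str]:
    """Return findings for one VLAN; an empty list means every hop agrees."""
    findings: list[str] = []

    # AP: radio and wired subinterfaces tagged with this VLAN must share a bridge-group.
    groups: dict[str, int] = {}
    for hdr, body in sections(ap_cfg).items():
        tag = bg = None
        for l in body:
            if m := re.match(r"encapsulation dot1Q (\d+)", l):
                tag = int(m.group(1))
            if m := re.fullmatch(r"bridge-group (\d+)", l):
                bg = int(m.group(1))
        if tag == vlan and bg is not None:
            groups[hdr.split()[1]] = bg
    radio = {bg for name, bg in groups.items() if name.startswith("Dot11Radio")}
    wired = {bg for name, bg in groups.items() if not name.startswith("Dot11Radio")}
    if not radio or radio != wired:
        findings.append(f"AP: VLAN {vlan} radio bridge-groups {radio} differ from wired {wired}")

    # Switch: every trunk on the path must carry the VLAN.
    for hdr, body in sections(switch_cfg).items():
        allowed = set(range(1, 4095))  # IOS default when no 'allowed vlan' is configured
        for l in body:
            if m := re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", l):
                allowed = expand_vlans(m.group(1))
        if "switchport mode trunk" not in body or vlan not in allowed:
            findings.append(f"switch: {hdr} does not trunk VLAN {vlan}")

    # Router: the dot1Q subinterface and the DHCP pool must describe the same subnet.
    iface_net = gateway = None
    for hdr, body in sections(router_cfg).items():
        tags = [l.removesuffix(" native") for l in body]
        if hdr.startswith("interface") and f"encapsulation dot1Q {vlan}" in tags:
            for l in body:
                if m := re.match(r"ip address (\S+) (\S+)", l):
                    gateway = m.group(1)
                    iface_net = ipaddress.IPv4Network((m.group(1), m.group(2)), strict=False)
    if iface_net is None:
        findings.append(f"router: no subinterface with 'encapsulation dot1Q {vlan}'")
        return findings
    pools = []
    for hdr, body in sections(router_cfg).items():
        if hdr.startswith("ip dhcp pool"):
            net = next((ipaddress.IPv4Network(tuple(l.split()[1:3]), strict=False)
                        for l in body if l.startswith("network ")), None)
            gw = next((l.split()[1] for l in body if l.startswith("default-router ")), None)
            if net == iface_net:
                pools.append((hdr, gw))
    if not pools:
        findings.append(f"router: no DHCP pool whose network matches {iface_net}")
    elif all(gw != gateway for _, gw in pools):
        findings.append(f"router: pool for {iface_net} has default-router {pools[0][1]}, interface is {gateway}")
    return findings


if __name__ == "__main__":
    for v in (1, 2):
        print(f"VLAN {v}:", check_vlan_path(v, AP_CFG, SWITCH_CFG, ROUTER_CFG) or ["path consistent"])
```

For VLAN 1 the only finding is that no pool on the 1841 covers 172.20.62.32/27, which is consistent with the admin subnet being served by something other than this router's DHCP pool.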
ASKER
The untouched Aironets operate fine with the current setup of the switch and router
It is only the newly reconfigured Aironets that are having the DHCP issue
Remove ACL 110 from the interface and see if that works. It doesn't look right to me.
Also, remove the arp authorized command from the Fa0/0.2 interface. That will break unicast reachability without static ARP entries on the router.
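A way to test the first suggestion before removing the ACL, as an added example for this page (not from Craig or from the thread): parse ACL 110 exactly as posted in the router config above and evaluate the four packets a VLAN 2 client sends during a lease (DISCOVER, REQUEST, RENEW, REBIND) against it first-match, the way IOS does. The client address 10.62.161.5 is constructed, and the evaluator is deliberately minimal (no `established`, fragments or port ranges). The last function reads the `arp authorized` line on Fa0/0.2 together with `update arp` in the pool, since the second suggestion turns on how ARP entries for clients get populated once dynamic learning is off.

```python
"""Replay a VLAN 2 client's DHCP exchange through the 1841's ACL 110.
Added example for this thread; ACL and interface lines copied from the posted config."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

ACL_110 = """\
access-list 110 remark controle flux hotspot
access-list 110 remark autorisation DISCOVER DHCP
access-list 110 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
access-list 110 remark autorisation RENEW DHCP
access-list 110 permit udp 10.0.0.0 0.255.255.255 eq bootpc 10.0.0.0 0.255.255.255 eq bootps
access-list 110 permit udp 172.16.0.0 0.15.255.255 eq bootpc 172.16.0.0 0.15.255.255 eq bootps
access-list 110 remark deny vers @IP RFC1918
access-list 110 deny ip any 10.0.0.0 0.255.255.255
access-list 110 deny ip any 172.16.0.0 0.15.255.255
access-list 110 deny ip any 192.168.0.0 0.0.255.255
access-list 110 remark deny vers @IP Loopback
access-list 110 deny ip any 127.0.0.0 0.255.255.255
access-list 110 remark flux clients depuis @IP privees
access-list 110 permit ip 10.0.0.0 0.255.255.255 any
access-list 110 permit ip 172.16.0.0 0.15.255.255 any
access-list 110 remark deny pour log
access-list 110 deny ip any any
"""
FA0_0_2 = """\
interface FastEthernet0/0.2
 ip address 10.62.161.1 255.255.255.128
 ip access-group 110 in
 arp authorized
"""
POOL = """\
ip dhcp pool hotspot_vlan2
 network 10.62.161.0 255.255.255.128
 default-router 10.62.161.1
 update arp
"""
PORT_NAMES = {"bootps": 67, "bootpc": 68}

# (proto, src, sport, dst, dport); 10.62.161.5 is a constructed lease in the pool.
DHCP_PACKETS = {
    "DISCOVER": ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "REQUEST": ("udp", "0.0.0.0", 68, "255.255.255.255", 67),      # selecting state, still unnumbered
    "RENEW": ("udp", "10.62.161.5", 68, "10.62.161.1", 67),        # unicast to the server at T1
    "REBIND": ("udp", "10.62.161.5", 68, "255.255.255.255", 67),   # broadcast at T2
}


@dataclass
class Ace:
    action: str
    proto: str
    src: tuple[int, int]      # (network, mask) as ints
    sport: Optional[int]
    dst: tuple[int, int]
    dport: Optional[int]
    text: str


def _addr(t: list[str], i: int) -> tuple[tuple[int, int], int]:
    """Consume 'any' | 'host A' | 'A WILDCARD' at t[i]; return ((net, mask), next index)."""
    if t[i] == "any":
        return (0, 0), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0xFFFFFFFF), i + 2
    base = int(ipaddress.IPv4Address(t[i]))
    mask = ~int(ipaddress.IPv4Address(t[i + 1])) & 0xFFFFFFFF  # wildcard bits are "don't care"
    return (base & mask, mask), i + 2


def _port(t: list[str], i: int) -> tuple[Optional[int], int]:
    """Consume an optional 'eq PORT' qualifier."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acl(text: str) -> list[Ace]:
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, _ = _port(t, i)
        aces.append(Ace(t[2], t[3], src, sport, dst, dport, line))
    return aces


def evaluate(aces: list[Ace], proto: str, src: str, sport: int, dst: str, dport: int):
    """First-match evaluation; returns (action, 1-based ACE number, ACE text)."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for n, a in enumerate(aces, 1):
        if a.proto not in ("ip", proto):
            continue
        if (s & a.src[1]) != a.src[0] or (d & a.dst[1]) != a.dst[0]:
            continue
        if a.sport not in (None, sport) or a.dport not in (None, dport):
            continue
        return a.action, n, a.text
    return "deny", None, "implicit deny"


def dhcp_report(acl_text: str = ACL_110) -> dict[str, tuple]:
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, *pkt) for name, pkt in DHCP_PACKETS.items()}


def arp_mode(interface_cfg: str, pool_cfg: str) -> str:
    """'arp authorized' disables dynamic ARP learning on the interface, so client
    entries can only come from static ARP or from the DHCP server via 'update arp'."""
    if " arp authorized" not in interface_cfg:
        return "dynamic ARP"
    if " update arp" in pool_cfg:
        return "authorized ARP, populated by DHCP update arp"
    return "authorized ARP, static entries only"


if __name__ == "__main__":
    for name, (action, n, text) in dhcp_report().items():
        print(f"{name:<9}{action:<7}ACE {n}: {text}")
    print("Fa0/0.2 ARP:", arp_mode(FA0_0_2, POOL))
```

All four DHCP packets come back `permit` (DISCOVER and REQUEST on the first entry, RENEW on the second, REBIND on the `permit ip 10.0.0.0 0.255.255.255 any` line), while client traffic to the router's own address such as Telnet hits the RFC 1918 deny. That lets you keep the ACL in place while watching the server side with `debug ip dhcp server packet` on the 1841, and the ARP check shows that on this router client reachability depends on leases handed out by this pool rather than on dynamic ARP.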
ASKER
Ok, thanks Craig
Like I said these Aironets were working quite fine before I intervened which is why I suspect that it must be my configuration of the access points which isn't totally up to snuff.
ASKER
Craig, when you say remove ACL 110, are we talking about the whole ACL 110 set of rules, or just the line blocking 10.0.0.0/24?
ASKER CERTIFIED SOLUTION
For what it is worth, it is an easy thing to miss. I still sometimes do.