Yann Shukor (France) asked:
Aironet Wifi clients not getting IP addresses from Cisco router DHCP

Hi

I have just reconfigured a client's Cisco Aironet 1231 access points (from scratch because we didn't have any passwords)

The network is composed of a Cisco Router 1841 and a Catalyst 2960 switch
Both were set up to manage two VLANs (Admin (1) and Clients (2)). I'm not sure why this is necessary, but I'll assume that it is to keep the clients out of the network management sphere.
I have tried to rebuild a configuration with all this in mind
I haven't altered any functional parameters on the 1841 or the 2960, I just reset their passwords

I have created VLAN 1 in native mode and VLAN 2.

If I associate the client SSID with VLAN 1, then the clients obtain an IP address from the admin subnet.
When associated with VLAN 2, the clients don't get any IP addresses.

Aironet 1231:
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap1
!
enable secret 5 XXXXXXXXXXXXXXXXXX
!
ip subnet-zero
ip domain name xxxxxxxxxxxxxxx.wifi
!
!
no aaa new-model
dot11 vlan-name admin vlan 1
dot11 vlan-name hotspot vlan 2
!
dot11 ssid ADMIN
   vlan 1
   authentication open
!
dot11 ssid CLIENTS
   vlan 2
   authentication open
   guest-mode
   ip redirection host xxx.xxx.xxx.xxx
!
!
!
username xxxxxxxx privilege 15 password 7 XXXXXXXXXXXXXX
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid ADMIN
 !
 ssid CLIENTS
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root access-point
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 hold-queue 160 in
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface BVI1
 ip address xxx.xxx.xxx.xxx 255.255.255.224
 no ip route-cache
!
ip default-gateway xxx.xxx.xxx.xxx
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end

Router 1841:
!
! Last configuration change at 11:21:56 MET Mon Feb 26 2018
!
version 12.4
no service pad
service timestamps debug datetime msec localtime year
service timestamps log datetime msec localtime year
service password-encryption
!
hostname xxxxxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 32000
enable secret 5 xxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius ssg-proxy
 server xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813
!
aaa accounting suppress null-username
aaa accounting network DHCP start-stop group ssg-proxy
aaa accounting system default start-stop group ssg-proxy
!
!
aaa session-id common
clock timezone MET 1
clock summer-time MET recurring last Sun Mar 2:00 last Sun Oct 3:00
dot11 syslog
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp binding cleanup interval 10
ip dhcp bootp ignore
no ip dhcp conflict logging
ip dhcp excluded-address 10.62.161.1
!
ip dhcp pool hotspot_vlan2
   network 10.62.161.0 255.255.255.128
   default-router 10.62.161.1
   dns-server 80.10.46.232
   domain-name xxxxxxxxxxxxxxx.com
   lease 0 0 30
   update arp
   accounting DHCP
!
!
no ip bootp server
no ip domain lookup
ip domain name xxxxxxxxxxxxx.wifi
multilink bundle-name authenticated
!
!
!
!
username xxxxxxxxxx password 7 xxxxxxxxxxxxxxxxxx
archive
 log config
  hidekeys
!
!
ip ssh version 2
ip rcmd rcp-enable
ip rcmd rsh-enable
ip rcmd remote-host admWifi xxx.xxx.xxx.xxx admWifi enable
ip rcmd remote-host admWifi xxx.xxx.xxx.xxx admWifi enable
!
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 description Hotspot
 no ip address
 speed 100
 full-duplex
 no cdp enable
!
interface FastEthernet0/0.1
 description vlan admin
 encapsulation dot1Q 1 native
 ip address 172.20.62.33 255.255.255.224
 no ip redirects
 no ip unreachables
 no cdp enable
!
interface FastEthernet0/0.2
 description vlan hotspot
 encapsulation dot1Q 2
 ip address 10.62.161.1 255.255.255.128
 ip access-group 110 in
 no ip redirects
 no ip unreachables
 no cdp enable
 arp authorized
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
 snmp trap link-status
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/1/0.1 point-to-point
 snmp trap link-status
 pvc 8/35
  oam-pvc manage
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
!
interface Dialer1
 ip address negotiated
 no ip redirects
 no ip unreachables
 ip mtu 1492
 ip load-sharing per-packet
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxxxxxx
!
interface Dialer2
 ip address negotiated
 no ip redirects
 no ip unreachables
 ip mtu 1492
 ip load-sharing per-packet
 encapsulation ppp
 no ip mroute-cache
 dialer pool 2
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
!
no ip http server
no ip http secure-server
!
ip radius source-interface FastEthernet0/0.1
access-list 10 permit xxx.xxx.xxx.xxx
access-list 10 permit xxx.xxx.xxx.xxx
access-list 10 permit xxx.xxx.xxx.xxx
access-list 10 permit xxx.xxx.xxx.xxx
access-list 10 deny   any
access-list 20 permit xxx.xxx.xxx.xxx
access-list 20 permit xxx.xxx.xxx.xxx
access-list 20 permit xxx.xxx.xxx.xxx
access-list 20 permit xxx.xxx.xxx.xxx
access-list 20 permit xxx.xxx.xxx.xxx
access-list 20 permit xxx.xxx.xxx.xxx
access-list 20 deny   any
access-list 110 remark controle flux hotspot
access-list 110 remark autorisation DISCOVER DHCP
access-list 110 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
access-list 110 remark autorisation RENEW DHCP
access-list 110 permit udp 10.0.0.0 0.255.255.255 eq bootpc 10.0.0.0 0.255.255.255 eq bootps
access-list 110 permit udp 172.16.0.0 0.15.255.255 eq bootpc 172.16.0.0 0.15.255.255 eq bootps
access-list 110 remark deny vers @IP RFC1918
access-list 110 deny   ip any 10.0.0.0 0.255.255.255
access-list 110 deny   ip any 172.16.0.0 0.15.255.255
access-list 110 deny   ip any 192.168.0.0 0.0.255.255
access-list 110 remark deny vers @IP Loopback
access-list 110 deny   ip any 127.0.0.0 0.255.255.255
access-list 110 remark flux clients depuis @IP privees
access-list 110 permit ip 10.0.0.0 0.255.255.255 any
access-list 110 permit ip 172.16.0.0 0.15.255.255 any
access-list 110 remark deny pour log
access-list 110 deny   ip any any
dialer-list 2 protocol ip permit
snmp-server community wlanread RO 20
snmp-server community wlanwrite RW 20
snmp-server ifindex persist
snmp-server location xxxxxxxxxxxxxx
snmp-server contact "Version 30"
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps atm subif
snmp-server enable traps cnpd
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps rsvp
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server host xxx.xxx.xxx.xxx public
snmp-server host xxx.xxx.xxx.xxx public
!
radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 1813 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxx
radius-server timeout 1
radius-server deadtime 1
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
line con 0
 exec-timeout 5 0
line aux 0
line vty 0 4
 exec-timeout 5 0
 transport input telnet ssh
 transport output none
 escape-character 5
!
scheduler allocate 20000 1000
ntp clock-period 17178360
ntp server xxx.xxx.xxx.xxx
ntp server xxx.xxx.xxx.xxx prefer
end

Catalyst 2960:
version 12.2
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname xxxxxxxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
username xxxxxxxx password 7 xxxxxxxxxxxxxxxxxx
no aaa new-model
clock timezone MET 1
clock summer-time MET recurring last Sun Mar 2:00 last Sun Oct 3:00
system mtu routing 1500
ip subnet-zero
!
!
no ip domain-lookup
ip domain-name xxxxxxxxxxxxx.wifi
!
!
!
!
!
!
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip rcmd rcp-enable
ip rcmd rsh-enable
ip rcmd remote-host admWifi xxx.xxx.xxx.xxx admWifi enable
ip rcmd remote-host admWifi xxx.xxx.xxx.xxx admWifi enable
!
!
interface FastEthernet0/1
 description AP1
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/2
 description AP2
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport protected
 speed 100
 duplex full
!
interface FastEthernet0/3
 description AP3
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport protected
 speed 100
 duplex full
!
interface FastEthernet0/4
 description AP4
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport protected
 speed 100
 duplex full
!
interface FastEthernet0/5
 description AP5
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport protected
 speed 100
 duplex full
!
interface FastEthernet0/6
 description AP
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport protected
 speed 100
 duplex full
!
interface FastEthernet0/7
 description AP7
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport protected
 speed 100
 duplex full
!
interface FastEthernet0/8
 description AP8
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport protected
 speed 100
 duplex full
!
interface FastEthernet0/9
 description AP9
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport protected
 speed 100
 duplex full
!
interface FastEthernet0/10
 description AP10
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport protected
 speed 100
 duplex full
!
interface FastEthernet0/11
 description AP11
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport protected
 speed 100
 duplex full
!
interface FastEthernet0/12
 description AP12
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport protected
 speed 100
 duplex full
!
interface FastEthernet0/13
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/14
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/15
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/16
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/17
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/18
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/19
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/20
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/21
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/22
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/23
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface FastEthernet0/24
 shutdown
 speed 100
 duplex full
 no cdp enable
!
interface GigabitEthernet0/1
 description routeur
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 media-type rj45
 speed 100
 duplex full
 no cdp enable
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan1
 ip address 172.20.62.34 255.255.255.224
 no ip route-cache
 shutdown
!
ip default-gateway 172.20.62.33
no ip http server
no ip http secure-server
access-list 3 remark Controle acces admin
access-list 3 permit xxx.xxx.xxx.xxx 0.0.0.255
access-list 3 deny   any
access-list 20 remark Controle acces SNMP
access-list 20 permit xxx.xxx.xxx.xxx 0.0.0.7
access-list 20 permit xxx.xxx.xxx.xxx 0.0.0.15
access-list 20 permit xxx.xxx.xxx.xxx 0.0.0.15
access-list 20 deny   any
snmp-server community wlanread RO 20
snmp-server community wlanwrite RW 20
snmp-server location xxxxxxxxxxx
snmp-server contact "Version 30"
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps cluster
snmp-server enable traps entity
snmp-server enable traps vtp
snmp-server enable traps vlancreate
snmp-server enable traps vlandelete
snmp-server enable traps flash insertion removal
snmp-server enable traps port-security
snmp-server enable traps envmon fan shutdown supply temperature
snmp-server enable traps config
snmp-server enable traps bridge newroot topologychange
snmp-server enable traps syslog
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps vlan-membership
snmp-server host xxx.xxx.xxx.xxx public
snmp-server host xxx.xxx.xxx.xxx public
!
control-plane
!
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 access-class 3 in
 exec-timeout 5 0
 login local
 transport input telnet ssh
 transport output none
 escape-character 5
line vty 5 15
 login
!
ntp clock-period 36028930
ntp server 10.163.123.6
ntp server 10.163.123.5 prefer
end

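Before the answers, a check an editor would run on the three configurations as posted: the added Python script below (not code from the thread) follows, for a given SSID, the tagged path a client's DHCP DISCOVER must take: SSID to VLAN, the AP's radio and ethernet dot1Q subinterfaces and their shared bridge-group, native-VLAN agreement between AP and switch, the switch trunks to the AP and to the router, and a router subinterface whose subnet has a DHCP pool. The config excerpts are constructed from the listings above and keep only the lines the script reads; it assumes, from the switch port descriptions, that the AP hangs off Fa0/1 and the router off Gi0/1, and it understands only the small slice of IOS syntax those lines use.

```python
import ipaddress
import re

# Excerpts constructed from the three configurations posted above; only the lines this check reads.
AP_CFG = """
dot11 ssid ADMIN
   vlan 1
dot11 ssid CLIENTS
   vlan 2
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface FastEthernet0.2
 encapsulation dot1Q 2
 bridge-group 2
"""
SWITCH_CFG = """
interface FastEthernet0/1
 switchport trunk allowed vlan 1,2
 switchport mode trunk
interface GigabitEthernet0/1
 switchport trunk allowed vlan 1,2
 switchport mode trunk
"""
ROUTER_CFG = """
ip dhcp pool hotspot_vlan2
   network 10.62.161.0 255.255.255.128
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 172.20.62.33 255.255.255.224
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 10.62.161.1 255.255.255.128
"""

def blocks(cfg):  # -> {header line: [indented child lines]}
    out, cur = {}, None
    for line in cfg.splitlines():
        if line.strip() and not line.startswith(" "):
            cur = line.strip()
            out[cur] = []
        elif line.strip():
            out[cur].append(line.strip())
    return out

def first(children, pattern):
    """First child line fully matching `pattern`, as a match object, or None."""
    return next((m for c in children for m in [re.fullmatch(pattern, c)] if m), None)
def dot1q(children):
    """(vlan, is_native) of a dot1Q subinterface, or None."""
    m = first(children, r"encapsulation dot1Q (\d+)( native)?")
    return (int(m[1]), bool(m[2])) if m else None
def allowed_vlans(children):
    """VLAN set allowed on a trunk, or None when no list is configured (IOS then allows all)."""
    m = first(children, r"switchport trunk allowed vlan (\S+)")
    return None if not m else {v for part in m[1].split(",") for lo, _, hi in [part.partition("-")]
                               for v in range(int(lo), int(hi or lo) + 1)}
def subif_for(cfg, prefix, vlan):
    """Header of the first `prefix` subinterface that carries dot1Q `vlan`."""
    return next((k for k, v in cfg.items() if k.startswith(prefix) and dot1q(v) and dot1q(v)[0] == vlan), None)

def check_path(ssid, ap=AP_CFG, sw=SWITCH_CFG, rt=ROUTER_CFG, ap_port="FastEthernet0/1", uplink="GigabitEthernet0/1"):
    """List the breaks on the client-to-DHCP-server path for `ssid`; an empty list means the plumbing is consistent."""
    A, S, R = blocks(ap), blocks(sw), blocks(rt)
    m = first(A.get(f"dot11 ssid {ssid}", []), r"vlan (\d+)")
    if not m:
        return [f"SSID {ssid} has no vlan statement"]
    vlan, problems = int(m[1]), []
    radio, eth = subif_for(A, "interface Dot11Radio", vlan), subif_for(A, "interface FastEthernet", vlan)
    if not (radio and eth):
        problems.append(f"VLAN {vlan}: AP lacks a dot1Q subinterface on the radio or the ethernet side")
    else:
        if dot1q(A[radio])[1] != dot1q(A[eth])[1]:
            problems.append(f"VLAN {vlan}: native flag differs between {radio} and {eth}")
        bg = first(A[radio], r"bridge-group (\d+)"), first(A[eth], r"bridge-group (\d+)")
        if not all(bg) or bg[0][1] != bg[1][1]:
            problems.append(f"VLAN {vlan}: {radio} and {eth} are not in the same bridge-group")
    ap_native = next((dot1q(v)[0] for k, v in A.items() if k.startswith("interface FastEthernet") and dot1q(v) and dot1q(v)[1]), None)
    sw_native = first(S.get(f"interface {ap_port}", []), r"switchport trunk native vlan (\d+)")
    if ap_native != (int(sw_native[1]) if sw_native else 1):   # IOS trunks default to native VLAN 1
        problems.append(f"native VLAN mismatch between AP ({ap_native}) and switch {ap_port}")
    for port in (ap_port, uplink):
        children, allowed = S.get(f"interface {port}", []), allowed_vlans(S.get(f"interface {port}", []))
        if "switchport mode trunk" not in children or (allowed is not None and vlan not in allowed):
            problems.append(f"switch {port} is not a trunk carrying VLAN {vlan}")
    ip = first(R.get(subif_for(R, "interface ", vlan), []), r"ip address (\S+) (\S+)")
    if not ip:
        return problems + [f"router has no addressed dot1Q subinterface for VLAN {vlan}"]
    subnet = ipaddress.ip_network(f"{ip[1]}/{ip[2]}", strict=False)
    pools = {ipaddress.ip_network(f"{n[1]}/{n[2]}", strict=False) for k, v in R.items()
             if k.startswith("ip dhcp pool") for n in [first(v, r"network (\S+) (\S+)")] if n}
    if subnet not in pools:
        problems.append(f"router has no DHCP pool for {subnet}")
    return problems
```

On these excerpts `check_path("CLIENTS")` comes back empty and `check_path("ADMIN")` reports only that the 1841 carries no pool for 172.20.62.32/27, so whatever hands out the admin addresses the asker sees on VLAN 1 is not in the posted router config. A clean result also says nothing about the switch's VLAN database: on a 2960 in VTP server mode VLAN 2 lives in vlan.dat and does not appear in the running-config, which is the check kevinhsieh raises below.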

kevinhsieh (United States of America):

Does the L2 VLAN exist on the 2960 and your router? It isn't in the running-config.
conf t
vlan 2
name clients
exit
show vlan-switch

For what it is worth, it is an easy thing to miss. I still sometimes do.
Yann Shukor (asker):

The untouched Aironets operate fine with the current setup of the switch and router
It is only the newly reconfigured Aironets that are having the DHCP issue
Craig Beck:

Remove ACL 110 from the interface and see if that works. It doesn't look right to me.

Also, remove the arp authorized command from the Fa0/0.2 interface. That will break unicast reachability without static ARP entries on the router.
Yann Shukor (asker):

OK, thanks Craig.

Like I said, these Aironets were working quite fine before I intervened, which is why I suspect that it must be my configuration of the access points which isn't totally up to snuff.
Craig, when you say remove ACL 110, are we talking about the whole ACL 110 set of rules or just the line blocking 10.0.0.0/24?
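To see what the list Craig refers to does to the DHCP exchange, here is an editor's added Python evaluator (not code from the thread or from Cisco) that replays sample flows through ACL 110 exactly as posted and reports the first line each one matches. It handles only the syntax the posted list uses (permit/deny, ip/udp/tcp, host/any/wildcard addresses, `eq` ports) with contiguous wildcard masks; the flows are constructed, using the hotspot subnet and admin gateway from the router config and a public address chosen for illustration.

```python
"""Replay sample flows through the 1841's ACL 110 and report the first matching line.
Editor's added example; supports only the subset of IOS extended-ACL syntax the posted
list uses (permit/deny, ip/udp/tcp, host/any/wildcard, 'eq' ports, contiguous wildcards)."""
import ipaddress
from typing import NamedTuple, Optional

# ACL 110 as posted (remark lines are skipped by the parser).
ACL_110 = """
access-list 110 remark controle flux hotspot
access-list 110 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
access-list 110 permit udp 10.0.0.0 0.255.255.255 eq bootpc 10.0.0.0 0.255.255.255 eq bootps
access-list 110 permit udp 172.16.0.0 0.15.255.255 eq bootpc 172.16.0.0 0.15.255.255 eq bootps
access-list 110 deny   ip any 10.0.0.0 0.255.255.255
access-list 110 deny   ip any 172.16.0.0 0.15.255.255
access-list 110 deny   ip any 192.168.0.0 0.0.255.255
access-list 110 deny   ip any 127.0.0.0 0.255.255.255
access-list 110 permit ip 10.0.0.0 0.255.255.255 any
access-list 110 permit ip 172.16.0.0 0.15.255.255 any
access-list 110 deny   ip any any
"""
PORT_NAMES = {"bootpc": 68, "bootps": 67}

class Ace(NamedTuple):
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str

def _addr(t, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(t[i + 1]))          # IOS wildcard = inverted netmask
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{t[i]}/{netmask}", strict=False), i + 2

def _port(t, i):
    """Consume an optional 'eq PORT' at t[i]; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i

def parse_acl(text):
    """Parse numbered extended-ACL lines in order; remarks and anything else are ignored."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, _ = _port(t, i)
        aces.append(Ace(t[2], t[3], src, sport, dst, dport, line.strip()))
    return aces

def evaluate(aces, proto, src_ip, sport, dst_ip, dport):
    """First-match semantics with the implicit deny at the end, as IOS applies an ACL."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for a in aces:
        if a.proto in ("ip", proto) and s in a.src and d in a.dst \
                and a.sport in (None, sport) and a.dport in (None, dport):
            return a.action, a.text
    return "deny", "(implicit deny)"

ACES = parse_acl(ACL_110)

# Constructed flows: a hotspot client at 10.62.161.10, the router at 10.62.161.1,
# the admin gateway 172.20.62.33 (both from the posted config) and a public address chosen for illustration.
FLOWS = [
    ("DHCP DISCOVER",         "udp", "0.0.0.0",      68,    "255.255.255.255", 67),
    ("DHCP REQUEST (renew)",  "udp", "10.62.161.10", 68,    "10.62.161.1",     67),
    ("client -> internet",    "tcp", "10.62.161.10", 51000, "93.184.216.34",   443),
    ("client -> admin VLAN",  "tcp", "10.62.161.10", 51000, "172.20.62.33",    22),
    ("static 192.168 client", "udp", "192.168.1.5",  68,    "10.62.161.1",     67),
]

if __name__ == "__main__":
    for name, *pkt in FLOWS:
        action, text = evaluate(ACES, *pkt)
        print(f"{name:24} {action:6} <- {text}")
```

Run it and the two DHCP cases come back permit on the bootpc/bootps lines, the client-to-internet case is allowed by `permit ip 10.0.0.0 0.255.255.255 any`, and the client-to-admin-subnet case is dropped by the 172.16.0.0/12 deny (the French remarks label the groups as DHCP DISCOVER, DHCP RENEW, deny to RFC 1918, deny to loopback, client traffic from private addresses, and "deny for logging"). Two caveats a practitioner should keep in mind: the list is applied `in` on Fa0/0.2, so it only sees client-to-router packets and never the router's OFFER or ACK; and the final `deny ip any any` carries no `log` keyword, so despite its remark it records nothing. Whether the list is what breaks the new APs is exactly what Craig suggests testing by lifting it from the interface.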
ASKER CERTIFIED SOLUTION: Craig Beck (United Kingdom of Great Britain and Northern Ireland)

This solution is only available to members of Experts Exchange.