What's Missing?

What's Missing?

Postby Guest » Thu Sep 17, 2009 6:00 am


no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname WirelessN
!
enable secret 5 $1$Xlx.$p9k7g168kCt4I8SQiZS.y0
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
ip domain name nua.com
!
!
ip ssh version 2
!
dot11 ssid nuaWireless
   vlan 30
   authentication open
   guest-mode
!
power inline negotiation prestandard source
!
!
username cisco password 7 030752180500
username ngarciait password 7 03080B1D5503715A1D
username scurry password 7 110A0C17131D0C5456
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ssid nuaWireless
 !
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.1
 encapsulation dot1Q 30
 no ip route-cache
 shutdown
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface GigabitEthernet0
 ip address 10.1.1.15 255.255.0.0
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.1
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface BVI1
 ip address 10.1.1.10 255.255.0.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
banner motd ^C
*****************************************************
You Will Be Prosecuted For Unauthorized Access
*****************************************************
^C
!
line con 0
 password 7 104D580A0647
line vty 0 4
 password 7 020555480856
 transport input ssh
!
end

I'm trying a basic setup here. I created an SSID, bound it to a VLAN, created an ethernet sub interface and a radio dot11 sub interface, both have the same encapsulation, and both are under the same bridge group. I have open authentication. I can authenticate and associate, but I can't pass traffic.

I tried adding the SSID under the radio to bridge-group 2 as well and I get this error:

Configuration of vLAN subinterfaces and main interface within the same bridge group is not permitted

Not sure what that means.

Guest
 

Re:What's Missing?

Postby Guest » Thu Sep 17, 2009 7:35 am


When using subinterfaces, you won't use a bridge-group on the physical interfaces.  You should also be using bridge-group 1 on whatever VLAN your management interface is on.  This is why you use BVI1 as opposed to, say, BVI2.  BVI1 oversees bridge-group 1.

Try the following config:

int dot0.1
bridge-group 1
int gig0.1
bridge-group 1

That should eliminate bridge-group 1 from the interface and replace bridge-group 2.  Make sure it does that.

What is your switchport configuration?  I assume that VLAN 30 is your native VLAN.  If not, your configuration is correct.  If it is, you should add the "native" keyword to your config:

int dot0.1
encapsulation dot1q 30 native
int gig0.1
encapsulation dot1q 30 native

Also, activate your dot0.1 with the "no shut" command:

int dot0.1
no shut

If that still doesn't work, please post your updated config as well as your switchport configuration.  Thanks!

Jeff

Guest
 

Re:What's Missing?

Postby Guest » Thu Sep 17, 2009 8:20 am


So what happens when I have multiple SSIDs?

If I were to add another SSID and VLAN, I would have:

SSID TEST
VLAN 40
Bridge-Group 3
int Gigabit 0.3
int dot0.3

All of this of course being under bridge-group 3.

Is this correct? Would I need another BVI interface for this?

I don't seem to quite understand the function of the BVI interface.

Right now, I have an IP address assigned to the actual gigabit 0 interface and it's what I use to SSH into my AP, instead of using the BVI interface's IP address.

As far as my switchport goes, I have it set as a regular access port on VLAN 30 because I'm only using one SSID or VLAN on the access point. I know if I wanted to pass more VLANs I would have to turn the switchport into a trunk, right?

Guest
 

Re:What's Missing?

Postby Guest » Thu Sep 17, 2009 8:36 am


There was another topic a while ago where someone asked about some of these concepts.  Read through this thread if you have a few minutes:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=WLAN%20Radio%20Standards&topicID=.ee6e8c2&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4a100

You only ever need one BVI interface, and this is traditionally the interface that you place the IP address on.  The problem with using an IP address on either the Gig or Radio interface is that the AP becomes unreachable if you shut one of them down.  This is rarely an issue with placing the IP on the Gig interface since you likely lose power to the AP if it becomes shut down.  But most implementations use the BVI1 as your management interface.

Each SSID has its own VLAN, and each VLAN gets its own pair of subinterfaces (radio and gig).  The number used for the pair doesn't matter (could be dot0.1 and gig0.11 if you want...), what matters is that they're on the same bridge-group and have the same VLAN assigned to them.

Now, you're using an access port on your switch, so you actually shouldn't be using subinterfaces.  Subinterfaces imply trunking, and the AP will think it's connected to a trunk if you use them.  You can still use them if you configure them to use VLAN 30 natively, which means that no tagging will be used (allowing it to talk to your access port).  But the best thing to do would be to wipe out the subinterfaces and place bridge-group 1 directly on the physical interfaces.

If you want to configure multiple SSIDs, you'll need to create a new pair of subinterfaces for each one as described above.  Make sure you match the native VLAN with what's on your switch config (defaults to VLAN 1 on the switch).  Additionally, bridge-group 1 should always be used on your native VLAN subinterfaces.  Traditionally, the bridge-group number will match the VLAN number (which traditionally matches the subinterface number).  This keeps things clean and easy to read when the numbers on these three config lines match each other (other than the native using bridge-group 1).

Sorry to make things so complicated.  One other note based on your example config in the above post, but SSIDs are never configured for a bridge-group.  They are matched to the bridge-group via the VLAN.  So configure it like this:

SSID TEST
authentication open
vlan 40

int gig0.40
encapsulation dot1q 40
bridge-group 40

int dot0.40
encapsulation dot1q 40
bridge-group 40

Again, using "40" for everything makes it clean and easy to read.  You'll then need to configure your switchport as a trunk (with VLAN 30 as native):

interface gigX/X
switchport encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 30

Make sense?

Jeff

Guest
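
Added example, not part of the thread or any poster's code: a small Python check that applies the rules from the replies above to an AP config (no bridge-group on a physical interface that has subinterfaces, the radio and wired subinterfaces of a VLAN sharing one bridge-group, bridge-group 1 on the native VLAN, subinterfaces not shut down). The function names and the condensed `POSTED` sample are constructed for illustration.

```python
import re
# Constructed sample: interface stanzas condensed from the first post's config.
POSTED = """
interface Dot11Radio0
bridge-group 1
interface Dot11Radio0.1
encapsulation dot1Q 30
shutdown
bridge-group 2
interface GigabitEthernet0
bridge-group 1
interface GigabitEthernet0.1
encapsulation dot1Q 30
bridge-group 2
"""

def parse(config):  # map interface name -> settings
    ifaces, cur = {}, {}  # lines before the first interface land in a throwaway dict
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line, re.I):
            cur = ifaces.setdefault(m[1], {"vlan": None, "native": False, "bg": None, "shut": False})
        elif m := re.fullmatch(r"encapsulation dot1q (\d+)( native)?", line, re.I):
            cur["vlan"], cur["native"] = int(m[1]), bool(m[2])
        elif m := re.fullmatch(r"bridge-group (\d+)", line, re.I):
            cur["bg"] = int(m[1])  # option lines like "bridge-group 1 spanning-disabled" do not match
        elif line.lower() == "shutdown":
            cur["shut"] = True
    return ifaces

def check(config):
    """Return findings for the bridge-group rules stated in the replies above."""
    ifaces, out, by_vlan = parse(config), [], {}
    for name, i in ifaces.items():
        if "." in name:  # subinterface: group by VLAN for the pair checks below
            if i["shut"]:
                out.append(f"{name}: subinterface is shut down")
            by_vlan.setdefault(i["vlan"], []).append((name, i))
        elif i["bg"] is not None and any(n.startswith(name + ".") for n in ifaces):
            out.append(f"{name}: bridge-group {i['bg']} on physical interface with subinterfaces")
    for vlan, members in by_vlan.items():
        kinds = {"radio" if n.lower().startswith("dot11radio") else "wired" for n, _ in members}
        bgs = {i["bg"] for _, i in members}
        if kinds != {"radio", "wired"}:
            out.append(f"vlan {vlan}: needs a radio and a wired subinterface")
        if len(bgs) != 1 or None in bgs:
            out.append(f"vlan {vlan}: subinterfaces do not share one bridge-group")
        elif any(i["native"] for _, i in members) and bgs != {1}:
            out.append(f"vlan {vlan}: native VLAN should use bridge-group 1")
    return out
```

Run against the posted stanzas, `check(POSTED)` reports the bridge-group on both physical interfaces and the shut-down Dot11Radio0.1; a layout like the one in the last reply (VLAN 30 native on bridge-group 1, VLAN 40 on bridge-group 40) returns no findings.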
 

Re:What's Missing?

Postby Guest » Thu Sep 17, 2009 10:08 am


Exactly what I needed. Thanks for all your help and for your time, Jeff. Very much appreciated.

-Nelson

Guest
 
