What's Missing?

Configuring Wireless Cisco Networks and Wireless Controllers.
Guest

What's Missing?

Post by Guest » Thu Sep 17, 2009 6:00 am


no service padservice timestamps debug datetime msecservice timestamps log datetime msecservice password-encryption!hostname WirelessN!enable secret 5 $1$Xlx.$p9k7g168kCt4I8SQiZS.y0!aaa new-model!!aaa authentication login default local!aaa session-id commonip domain name nua.com!!ip ssh version 2!dot11 ssid nuaWireless   vlan 30   authentication open   guest-mode!power inline negotiation prestandard source!!username cisco password 7 030752180500username ngarciait password 7 03080B1D5503715A1Dusername scurry password 7 110A0C17131D0C5456!bridge irb!!interface Dot11Radio0 no ip address no ip route-cache ! ssid nuaWireless ! station-role root bridge-group 1 bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding bridge-group 1 spanning-disabled!interface Dot11Radio0.1 encapsulation dot1Q 30 no ip route-cache shutdown bridge-group 2 bridge-group 2 subscriber-loop-control bridge-group 2 block-unknown-source no bridge-group 2 source-learning no bridge-group 2 unicast-flooding bridge-group 2 spanning-disabled!interface GigabitEthernet0 ip address 10.1.1.15 255.255.0.0 no ip route-cache duplex auto speed auto bridge-group 1 no bridge-group 1 source-learning bridge-group 1 spanning-disabled!interface GigabitEthernet0.1 encapsulation dot1Q 30 no ip route-cache bridge-group 2 no bridge-group 2 source-learning bridge-group 2 spanning-disabled!interface BVI1 ip address 10.1.1.10 255.255.0.0 no ip route-cache!ip http serverno ip http secure-serverip http help-path http://www.cisco.com/warp/public/779/sm ... /eagbridge 1 route ip!!banner motd ^C*****************************************************You Will Be Prosecuted For Unauthorized Access*****************************************************^C!line con 0 password 7 104D580A0647line vty 0 4 password 7 020555480856 transport input ssh!endI'm trying a basic setup here. I created an SSID, bound it to a VLAN, created an ethernet sub interface and a radio dot11 sub interface, both have the same encapsulation, and both are under the same bridge group. I have open authentication. I can authenticate and associate, but I can't pass traffic. I tried adding the SSID under the radio to bridge-group 2 as well and I get this error:Configuration of vLAN subinterfaces and maininterface within the same bridge group is not permitted Not sure what that means.

Guest

Re:What's Missing?

Post by Guest » Thu Sep 17, 2009 7:35 am


When using subinterfaces, you won't use a bridge-group on the physical interfaces.  You should also be using bridge-group 1 on whatever VLAN your management interface is on.  This is why you use BVI1 as opposed to, say, BVI2.  BVI1 oversees bridge-group 1.Try the following config:int dot0.1bridge-group 1int gig0.1bridge-group 1That should eliminate bridge-group 1 from the interface and replace bridge-group 2.  Make sure it does that.What is your switchport configuration?  I assume that VLAN 30 is your native VLAN.  If not, your configuration is correct.  If it is, you should add the "native" keyword to your config:int dot0.1encapsulation dot1q 30 nativeint gig0.1encapsulation dot1q 30 nativeAlso, activate your dot0.1 with the "no shut" command:int gig0.1no shutIf that still doesn't work, please post your updated config as well as your switchport configuration.  Thanks!Jeff

Guest

Re:What's Missing?

Post by Guest » Thu Sep 17, 2009 8:20 am


So what happens when I have multiple SSIDs? If I were to add another SSID and VLAN, I would have:SSID TESTVLAN 40Bridge-Group 3int Gigabit 0.3int dot0.3All of this of course being under bridge-group 3. Is this correct? Would I need another BVI interface for this?I don't seem to quite understand the function of the BVI interface.Right now, I have an IP address assigned to the actual gigabit 0 interface and it's what I use to SSH into my AP, instead of using the BVI interface's IP address.As far as my switchport goes, I have it set as a regular access port on VLAN 30 because I'm only using one SSID or VLAN on the access point. I know if I wanted to pass more VLANs I would have to turn the switchport into a trunk, right?

Guest

Re:What's Missing?

Post by Guest » Thu Sep 17, 2009 8:36 am


There was another topic a while ago where someone asked about some of these concepts.  Read through this thread if you have a few minutes:http://forums.cisco.com/eforum/servlet/ ... cd4a100You only ever need one BVI interface, and this is traditionally the interface that you place the IP address on.  The problem with using an IP address on either the Gig or Radio interface is that the AP becomes unreachable if you shut one of them down.  This is rarely an issue with placing the IP on the Gig interface since you likely lose power to the AP if it becomes shutdown.  But most implementations use the BVI1 as your management interface.Each SSID has its own VLAN, and each VLAN gets its own pair of subinterfaces (radio and gig).  The number used for the pair doesn't matter (could be dot0.1 and gig0.11 if you want...), what matters is that they're on the same bridge-group and have the same VLAN assigned to them.Now, you're using an access port on your switch, so you actually shouldn't be using subinterfaces.  Subinterfaces imply trunking, and the AP will think it's connected to a trunk if you use them.  You can still use them if you configure them to use VLAN 30 natively, which means that no tagging will be used (allowing it to talk to your access port).  But the best thing to do would be to wipe out the subinterfaces and place bridge-group 1 directly on the physical interfaces.If you want to configure multiple SSIDs, you'll need to create a new pair of subinterfaces for each one as described above.  Make sure you match the native VLAN with what's on your switch config (defaults to VLAN 1 on the switch).  Additionally, bridge-group 1 should always be used on your native VLAN subinterfaces.  Traditionally, the bridge-group number will match the VLAN number (which traditionally matches the subinterface number).  This keeps things clean and easy to read when the number on these three config lines match each other (other than the native using bridge-group 1).Sorry to make things so complicated.  One other note based on your example config in the above post, but SSIDs are never configured for a bridge-group.  They are matched to the bridge-group via the VLAN.  So configure it like this:SSID TESTauthentication openvlan 40int gig0.40encapsulation dot1q 40bridge-group 40int dot0.40encapsulation dot1q 40bridge-group 40Again, using "40" for everything makes it clean and easy to read.  You'll then need to configure your switchport as a trunk (with VLAN 30 as native):interface gigX/Xswitchport encapsulation dot1qswitchport mode trunkswitchport trunk native vlan 30Make sense?Jeff

Guest

Re:What's Missing?

Post by Guest » Thu Sep 17, 2009 10:08 am


Exactly that I needed. Thanks for all your help and for your time, Jeff. Very much Appreciated.-Nelson

Post Reply