3 Replies. Latest reply: Sep 17, 2011 5:46 AM by Paul

    Help with Aironet 1130AG VLANS

    Paul

Hello All,

I'm having a lot of headaches setting this up. It should be pretty simple, but I'm missing something, somewhere.

I have a production network of 192.168.1.0/24.

I bought Aironets wanting to create a private SSID for the production network and a public SSID for guests, and never shall the two meet.

Here's the hardware I'm working with. I'm working with a budget, hence the lower-end switch and firewall, but they claim to support VLANs.

3x Cisco 1130AG access points
1x Cisco SB SG200-08P PoE switch
1x Cisco SBPro SA520 security appliance

The plan was to use VLAN 1 for the production network.

Create a VLAN 10 for the guest/public wireless network with a subnet of 192.168.10.0/24.

On VLAN 1, DHCP for the production network will be handled by the SBS 2003 server.

DHCP on VLAN 10 for the guest network would be handled by the SA520 firewall.

Secure both WLANs using WPA2.

I created a VLAN 10 on the firewall and on the PoE switch.

All of the ports on the PoE switch are trunk ports by default, out of the box. The port on the firewall that connects to the PoE switch is also a trunk port.

My challenges so far are:

Cannot secure the WLANs using WPA on the Aironets if I try to put the SSID(s) on VLAN 1.

So, for testing, I created VLAN 2 and VLAN 10, and put the production SSID on VLAN 2 and the public SSID on VLAN 10.

Both networks were broadcasting their SSIDs fine, and I was able to authenticate to each respective WLAN using WPA2. I did all that from home, using the AC adapter.

Brought the AP back to the office today, powered it up by connecting it to the PoE switch, and none of the SSIDs were broadcasting.

Plugged in the AC adapter, and now the SSIDs are broadcasting, but DHCP is not passing through to the public SSID.

Here's my config:

Building configuration...

Current configuration : 3214 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$8ZHx$elaFgIVI7rCx10HqABl3..
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid CASPRIV
   vlan 2
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 06361D285A1C5948545451
!
dot11 ssid CASPUB
   vlan 10
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 15310A1F343F29676B
!
!
!
username Cisco password 7 032752180500
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 ssid CASPUB
 !
 mbssid
 channel 2412
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 ssid CASPUB
 !
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio1.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface BVI1
 ip address 192.168.1.4 255.255.255.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end

1. Re: Help with Aironet 1130AG VLANS
CCNAMooky

Your switch supports up to 32 W on 4 ports:

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps11229/data_sheet_c78-634369.html

Your 3 WAPs each use 12.2 W. I'm thinking you may not have enough power, hence the radios might be shutting down.

I would look through your error logs to find any clues.

As for DHCP, it could be that you need to set a helper address on the VLAN interfaces on your Layer 3 device. It would also be very important that you get your native VLAN correct across the board.

It would also be interesting to see what configuration you have on your switch.

2. Re: Help with Aironet 1130AG VLANS
chris reynolds

Have you verified that the VLAN itself is able to pass DHCP before going through your wireless? Set a port to access mode in VLAN XX, plug your machine into it, and see if you get a DHCP address first, without the AP being a factor.

I would probably start there, to be sure that part of it is working properly as well.

3. Re: Help with Aironet 1130AG VLANS
Paul

I'm going to have to use the PoE injectors.

I was able to get most of the way to what I want to accomplish, but have another challenge due to the main prod switch being unmanaged. I posted that in the Small Business forums, found here:

https://supportforums.cisco.com/message/3446295#3446295

I'm so close, but just need to jump this last hurdle somehow without breaking the bank. Any input in the other thread is greatly appreciated.

Here's a copy of one of my configs:

Building configuration...

Current configuration : 2737 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname WAP2
!
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx
!
no aaa new-model
no ip domain lookup
!
!
dot11 syslog
!
dot11 ssid CASPRIV
   vlan 10
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 107E1B101345425A5D4769
!
dot11 ssid CASPUB
   vlan 20
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 132616013B19066968
!
!
!
username Cisco password 7 0802455D0A16
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 20 mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 ssid CASPUB
 !
 mbssid
 channel 6
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 ip address 192.168.1.5 255.255.255.0
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 ip address 192.168.20.3 255.255.255.0
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
interface BVI1
 no ip address
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
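Both AP configs in this thread (the first post's and the one above) are built from the same three-way mapping: an SSID is pinned to a VLAN, the radio gets an "encryption vlan N" cipher line for that VLAN, and a dot1Q subinterface for N exists on both the radio and FastEthernet0 with the same bridge-group, so the tagged frames cross the AP in their own bridge and never touch the other SSID's bridge. The script below is an added example, not code from the thread or from Cisco: it parses a config in that IOS 12.4 autonomous-AP syntax and reports where the mapping breaks, plus two hygiene points a reviewer would raise about the configs as posted. The SAMPLE_CONFIG is constructed to mirror the first post's layout with dummy type-7 strings; the finding texts, the per-VLAN check and the assumption that the wired side is always FastEthernet0 are this example's own. The type-7 check is there because "service password-encryption" only obfuscates with a reversible scheme, so a wpa-psk ascii 7 string pasted into a public thread should be treated as a disclosed key, and the native-VLAN check reflects the first reply's point that bridge-group 1 (BVI1, the AP's own management) rides the untagged VLAN, which has to agree with the switch trunk.

```python
"""Audit an autonomous Aironet (IOS) config: each SSID on its own VLAN end to end, WPA on that VLAN, sane management."""
import re
# Constructed sample modelled on the first config in the thread; the type-7 PSK strings are dummies.
SAMPLE_CONFIG = """\
dot11 ssid CASPRIV
   vlan 2
   authentication key-management wpa
   wpa-psk ascii 7 00112233445566778899
dot11 ssid CASPUB
   vlan 10
   authentication key-management wpa
   wpa-psk ascii 7 99887766554433221100
interface Dot11Radio0
 encryption vlan 2 mode ciphers aes-ccm
 encryption vlan 10 mode ciphers aes-ccm
 ssid CASPRIV
 ssid CASPUB
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
interface FastEthernet0.2
 encapsulation dot1Q 2
 bridge-group 2
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
ip http server
no ip http secure-server
"""

def parse(text):
    """One pass over the config: an un-indented line opens a block, indented lines belong to it."""
    ssids, ifaces, type7, top, cur = {}, {}, [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            top.add(line)
            if line.startswith("dot11 ssid "):
                cur = ssids.setdefault(line.split()[2], {"vlan": None, "wpa": False})
            elif line.startswith("interface "):
                cur = ifaces.setdefault(line.split()[1], {"encap": None, "native": False,
                                                          "bg": None, "ssids": [], "enc": set()})
            else:
                cur = None
        elif cur is None:
            continue
        elif (m := re.match(r"vlan (\d+)$", line)):
            cur["vlan"] = int(m.group(1))
        elif line == "authentication key-management wpa":
            cur["wpa"] = True
        elif line.startswith("wpa-psk ascii 7 "):            # 'service password-encryption' output
            type7.append(line)
        elif (m := re.match(r"encapsulation dot1Q (\d+)( native)?$", line)):
            cur["encap"], cur["native"] = int(m.group(1)), bool(m.group(2))
        elif (m := re.match(r"bridge-group (\d+)$", line)):
            cur["bg"] = int(m.group(1))
        elif (m := re.match(r"encryption vlan (\d+) mode ciphers", line)):
            cur["enc"].add(int(m.group(1)))
        elif (m := re.match(r"ssid (\S+)$", line)):
            cur["ssids"].append(m.group(1))
    return ssids, ifaces, type7, top

def audit(text):
    """Return a list of findings; an empty list means the SSID/VLAN plumbing is consistent."""
    ssids, ifaces, type7, top = parse(text)
    out = []
    for rname, radio in ifaces.items():
        if not re.fullmatch(r"Dot11Radio\d", rname):
            continue
        for sname in radio["ssids"]:
            vlan = ssids.get(sname, {}).get("vlan")
            if vlan is None:
                out.append(f"{rname}: ssid {sname} is not mapped to a vlan")
                continue
            if ssids[sname]["wpa"] and vlan not in radio["enc"]:   # WPA needs a per-VLAN cipher suite
                out.append(f"{rname}: ssid {sname} uses WPA but has no 'encryption vlan {vlan} mode ciphers'")
            for side in (rname, "FastEthernet0"):                # tag must exist on both sides of the bridge
                sub = ifaces.get(f"{side}.{vlan}")
                if sub is None or sub["encap"] != vlan:
                    out.append(f"vlan {vlan} ({sname}): no {side}.{vlan} subinterface with 'encapsulation dot1Q {vlan}'")
    by_bg = {}                                                   # one bridge group must carry exactly one VLAN
    for i in ifaces.values():
        if i["encap"] is not None and i["bg"] is not None:
            by_bg.setdefault(i["bg"], set()).add(i["encap"])
    out += [f"bridge-group {bg} joins vlans {sorted(v)}: the networks meet inside the AP" for bg, v in by_bg.items() if len(v) > 1]
    if not any(i["native"] for i in ifaces.values()):           # untagged VLAN = BVI1, the AP's own management
        out.append("no 'encapsulation dot1Q <n> native' subinterface: management rides the switch's native vlan")
    out += [f"reversible type-7 secret: {t}" for t in type7]    # type 7 only obfuscates, it is not encryption
    if "ip http server" in top and "no ip http secure-server" in top:
        out.append("management web UI is plain HTTP only")
    return out
```

audit(SAMPLE_CONFIG) returns four findings for the sample as written (no explicit native VLAN, two type-7 PSKs, HTTP-only management) and nothing about the VLAN plumbing. Moving CASPRIV to "vlan 1" without adding a matching "encryption vlan 1 mode ciphers" line and the ".1" subinterfaces adds three findings, and pointing FastEthernet0.10 at bridge-group 2 produces the "networks meet inside the AP" finding, which is the failure the original post is trying to avoid.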