Help with Aironet 1130AG VLANS

Sep 13, 2011 9:39 AM

Paul 2 posts since
Jan 17, 2011

Hello All,

 

I'm having a lot of headaches setting this up, should be pretty simple, but I'm missing something, somewhere.

 

I have a production network of 192.168.1.0/24

 

I bought Aironets wanting to create a private SSID for the production network, and a public SSID for guests, and never shall the two meet.


Here's the hardware I'm working with, I'm working with a budget, hence the lower end switch and firewall, but they claim to support VLAN.

 

3, Cisco 1130AG access points

1, Cisco SB SG200-08p POE Switch

1, Cisco SBPro SA520 Security Appliance.

 

---------------------------------------------------------------------------------------------------------------

 

 

The plan was use VLAN 1 for production network.

 

Create a VLAN 10 for guest/public wireless network with a subnet of 192.168.10.0/24.

 

On VLAN1, DHCP for the production network will be handled by the SBS 2003 server

DHCP on VLAN 10 for the guest network would be handled by the SA520 firewall.

 

Secure both WLAN's using WPA2

 

 

 

 

I created a VLAN 10 on the firewall, and the POE Switch.

 

All of the ports on the POE switch are Trunk ports, default, out of the box. The port on the Firewall that connects to the POE switch is also a trunk port.

 

 

My challenges so far are:

 

 

Cannot secure the WLAN's using WPA on the Aironets if I try to put the SSID(s) on VLAN 1.

 

So, for testing, I created VLAN 2 and VLAN 10, and put production SSID on VLAN 2, public SSID on VLAN 10.

Both networks were broadcasting SSID fine, and I was able to authenticate to each respective WLAN using WPA2. Did all that from home, using the AC Adapter.

 

Brought the AP back to the office today, powered it up by connecting to POE switch, and none of the SSID's were broadcasting.

 

Plugged in AC Adapter, and now have SSID's broadcasting, but DHCP is not passing through to the public SSID.

 

 

Here's my config:

 

 

Building configuration...

Current configuration : 3214 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$8ZHx$elaFgIVI7rCx10HqABl3..
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid CASPRIV
   vlan 2
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 06361D285A1C5948545451
!
dot11 ssid CASPUB
   vlan 10
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 15310A1F343F29676B
!
!
!
username Cisco password 7 032752180500
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 ssid CASPUB
 !
 mbssid
 channel 2412
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption vlan 2 mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 ssid CASPUB
 !
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio1.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface BVI1
 ip address 192.168.1.4 255.255.255.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
end

  • CCNAMooky 59 posts since
    Jun 23, 2009
    1. Sep 13, 2011 5:49 PM (in response to Paul)
    Re: Help with Aironet 1130AG VLANS

    Your switch supports up to 32w on 4 ports

     

    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps11229/data_sheet_c78-634369.html

     

    Your 3 WAP's each use 12.2w. I'm thinking you may not have enough power, hence the radios might be shutting down.

     

    I would look through your error logs to find any clues.

     

    As for DHCP, could be you need to set helper address on the vlan interfaces on your layer device. It would be very important you get your native vlan correct across the board also.

     

    It would also be interesting to see what configuration you have on your switch.

  • chris reynolds 351 posts since
    Jun 8, 2009
    2. Sep 14, 2011 11:58 AM (in response to Paul)
    Re: Help with Aironet 1130AG VLANS

    Have you verified that the VLAN itself is able to pass DHCP before going through your wireless? Set a port to access of XX vlan and plug your machine into it and see if you get a DHCP address first without the AP becoming a factor.

     

    I would probably start there to be sure that part of it is working properly as well.
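
Added example, not part of the thread or of any poster's code: a small Python check of the AP-side wiring the replies ask about, confirming that each SSID's VLAN has a cipher on the radio, matching radio and Ethernet subinterfaces in the same bridge-group, and that a native VLAN is declared. The sample input is a constructed excerpt in the style of the posted config; the SSID CASLAB, VLAN 20 and the bridge-group 11 mismatch are hypothetical values chosen to trigger findings.

```python
# Constructed excerpt; CASLAB and bridge-group 11 are hypothetical, added to trigger findings.
SAMPLE = """\
dot11 ssid CASPUB
   vlan 10
dot11 ssid CASLAB
   vlan 20
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 11
"""

def audit(cfg):
    """Return findings about SSID -> VLAN -> cipher -> bridge-group wiring."""
    ssid_vlan, ciphers, ifaces, head = {}, set(), {}, []
    for line in cfg.splitlines():
        w = line.split() or ["!"]
        if w[0] == "interface" or w[:2] == ["dot11", "ssid"]:
            head = w                      # start of a new config section
        elif head[:1] == ["dot11"] and w[0] == "vlan":
            ssid_vlan[head[2]] = int(w[1])
        elif head[:1] == ["interface"]:
            info = ifaces.setdefault(head[1], {})
            if w[:2] == ["encryption", "vlan"]:
                ciphers.add(int(w[2]))    # ciphers are merged across radios
            elif w[:2] == ["encapsulation", "dot1Q"]:
                info["vlan"], info["native"] = int(w[2]), "native" in w
            elif w[0] == "bridge-group" and len(w) == 2:
                info["bg"] = int(w[1])
    # ("Dot11Radio" | "FastEthernet", vlan) -> bridge-group number
    bg = {(n.split(".")[0].rstrip("0123456789"), i["vlan"]): i.get("bg")
          for n, i in ifaces.items() if "vlan" in i}
    out = []
    for ssid, vlan in sorted(ssid_vlan.items()):
        if vlan not in ciphers:
            out.append(f"{ssid}: no 'encryption vlan {vlan}' on a radio")
        radio, wired = bg.get(("Dot11Radio", vlan)), bg.get(("FastEthernet", vlan))
        if radio is None or wired is None:
            out.append(f"{ssid}: VLAN {vlan} lacks a bridged radio or Ethernet subinterface")
        elif radio != wired:
            out.append(f"{ssid}: VLAN {vlan} bridge-group {radio} (radio) != {wired} (Ethernet)")
    if not any(i.get("native") for i in ifaces.values()):
        out.append("no subinterface is marked 'native'")
    return out

print(*audit(SAMPLE), sep="\n")
```

The check only reads the AP's own configuration; the switch and firewall trunk settings still have to be compared by hand against the VLAN IDs it reports.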
