[c-nsp] HELP!!!!Aironet 1200 Problem Routing

Kristofer Sigurdsson ks at rhi.hi.is
Mon May 2 07:25:42 EDT 2005


Hi,

Based on your config, I believe one or more of the following
is causing your problems:

1. Since Fa0/24 is the only trunk port on your switch, where does
   vlan 2 get its L3 connectivity?

2. I think I'm right in assuming you are using two IP networks, 
   101.0.0.0/24 and 10.254.254.0/24.  Both of these networks' gateway
   addresses are configured at the same L3 interface on your gateway.

What you have to do is:

1. Configure a trunk between your switch and your router.
2. Configure two L3 interfaces on your router, one for each VLAN.

On Fri, 2005-04-29 at 19:19 +0200, Eusebio López wrote:
> Hello Kristofer,
> 
> I have followed your indications and they have been helpful to me.
> 
> I can already do routing with any IP if I use the user of vlan1 (prueba14), but when I use the user of vlan2 (prueba15), it is registered in the AP but it is not able to do routing

I'm not sure what you mean by "routing", but I'm assuming you get IP
connectivity.  

> 
> I believe that the problem is in the configuration of switch.
> 
> I send you the configurations of my AP and my Switch in case you could help me.
> 
> The AP is connected to fastethernet0/24 of my Catalyst
> 
> The configuration of my AP is: 
> 
> version 12.2
> no service pad
> service timestamps debug datetime msec
> service timestamps log datetime msec
> service password-encryption
> !
> hostname local
> !
> logging queue-limit 100
> enable secret 5 $1$OsRM$3ur6Yn4yA9s1Yz86eMD6J.
> !
> username Cisco password 7 02250D480809
> ip subnet-zero
> !
> !
> aaa new-model
> !
> !
> aaa group server radius rad_eap
>  server 101.0.0.147 auth-port 1812 acct-port 1813
> !
> aaa group server radius rad_acct
> !
> aaa group server radius rad_admin
> !
> aaa group server tacacs+ tac_admin
> !
> aaa group server radius rad_pmip
> !
> aaa group server radius dummy
> !
> aaa group server radius rad_mac
> !
> aaa authentication login eap_methods group rad_eap
> aaa authentication login mac_methods local
> aaa authorization exec default local 
> aaa authorization ipmobile default group rad_pmip 
> aaa accounting network acct_methods start-stop group rad_acct
> aaa session-id common
> !
> !
> bridge irb
> !
> !
> interface Dot11Radio0
>  no ip address
>  no ip route-cache
>  !
>  encryption mode ciphers tkip 
>  !
>  encryption vlan 1 mode ciphers tkip 
>  !
>  ssid prueba14
>     vlan 1
>     authentication open eap eap_methods
>     authentication key-management wpa
>     guest-mode
>     infrastructure-ssid optional
>  !
>  ssid prueba15
>     vlan 2
>     authentication open 
>  !
>  speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
>  rts threshold 2312
>  channel 2412
>  station-role root
> !
> interface Dot11Radio0.1
>  encapsulation dot1Q 1 native
>  no ip route-cache
>  bridge-group 1
>  bridge-group 1 subscriber-loop-control
>  bridge-group 1 block-unknown-source
>  no bridge-group 1 source-learning
>  no bridge-group 1 unicast-flooding
>  bridge-group 1 spanning-disabled
> !
> interface Dot11Radio0.2
>  encapsulation dot1Q 2
>  no ip route-cache
>  bridge-group 2
>  bridge-group 2 subscriber-loop-control
>  bridge-group 2 block-unknown-source
>  no bridge-group 2 source-learning
>  no bridge-group 2 unicast-flooding
> !
> interface FastEthernet0
>  no ip address
>  no ip route-cache
>  duplex auto
>  speed auto
> !
> interface FastEthernet0.1
>  encapsulation dot1Q 1 native
>  no ip route-cache
>  bridge-group 1
>  no bridge-group 1 source-learning
>  bridge-group 1 spanning-disabled
> !
> interface FastEthernet0.2
>  encapsulation dot1Q 2
>  no ip route-cache
>  bridge-group 2
>  no bridge-group 2 source-learning
>  bridge-group 2 spanning-disabled
> !
> interface BVI1
>  ip address 101.0.0.200 255.255.255.0
>  no ip route-cache
> !
> ip default-gateway 101.0.0.147
> ip http server
> ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
> ip radius source-interface BVI1 
> radius-server attribute 32 include-in-access-req format %h
> radius-server host 101.0.0.147 auth-port 1812 acct-port 1813 key  124311F13674B
> radius-server authorization permit missing Service-Type
> radius-server vsa send accounting
> bridge 1 protocol ieee
> bridge 1 route ip
> !
> !
> !
> line con 0
> line vty 5 15
> !
> end
> 
> 
> 
> The configuration of my Switch is:
> 
> 
> 
> version 12.1
> no service pad
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname unared
> !
> enable secret $Mexse638WrD.
> !
> username cisco privilege 15 password 0 311111
> ip subnet-zero
> !
> vtp mode transparent
> !
> spanning-tree mode pvst
> no spanning-tree optimize bpdu transmission
> spanning-tree extend system-id
> !
> !
> vlan 2
> !
> interface FastEthernet0/1
> !
> interface FastEthernet0/2
> !
> interface FastEthernet0/3
> !
> interface FastEthernet0/4
> !
> interface FastEthernet0/5
> !
> interface FastEthernet0/6
> !
> interface FastEthernet0/7
> !
> interface FastEthernet0/8
> !
> interface FastEthernet0/9
> !
> interface FastEthernet0/10
> !
> interface FastEthernet0/11
> !
> interface FastEthernet0/12
> !
> interface FastEthernet0/13
> !
> interface FastEthernet0/14
> !
> interface FastEthernet0/15
> !
> interface FastEthernet0/16
> !
> interface FastEthernet0/17
> !
> interface FastEthernet0/18
> !
> interface FastEthernet0/19
> !
> interface FastEthernet0/20
> !
> interface FastEthernet0/21
> !
> interface FastEthernet0/22
> !
> interface FastEthernet0/23
> !
> interface FastEthernet0/24
>  switchport mode trunk
> !
> interface Vlan1
>  ip address 10.254.254.254 255.255.255.0
>  no ip route-cache
> !
> interface Vlan10
>  no ip address
>  no ip route-cache
>  shutdown
> !
> ip default-gateway 10.254.254.177
> no ip http server
> !
> !
> line con 0
>  exec-timeout 0 0
>  stopbits 1
> line vty 0 4
>   login
> line vty 5 15
>  login
> !
> end
> 
> Thank you very much for your help.
> 
> Sincerely yours
> 
> Eusebio López Ruiz
> Systems Technician
> Palmanet Networking Services
> eusebio at palmanet.net
> http://www.palmanet.net
> Tel +34 957649199
> Fax +34 957644926
> 
> -----Original message-----
> From: Kristofer Sigurdsson [mailto:ks at rhi.hi.is] 
> Sent: Thursday, April 28, 2005 20:20
> To: Eusebio López
> CC: cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] HELP!!!!Aironet 1200 Problem Routing
> 
> Hi,
> 
> On Thu, 2005-04-28 at 19:42 +0200, Eusebio López wrote:
> > Thanks for helping me.
> > 
> > I have solved the problem temporarily by assigning an IP from the secondary network as a secondary address on the default gateway.
> > 
> > I would like to separate the networks by means of VLANs. Could you send me a simple example of how to create multiple SSIDs and assign a unique VLAN per SSID????
> 
> Sure.  There are two ways to do this.  Since you are using IOS version
> 12.2 (according to the config you posted earlier), here comes a config sample (see the inline comments):
> 
> This configuration uses your encryption/SSID (from your earlier posted
> config) and has a 802.1q trunk to the switch with native VLAN 1.
> 
> Don't forget to configure a trunk from your switches to your gateway and configure the gateway to terminate them in different L3 interfaces (VLAN subinterfaces or SVI's).
> 
> interface Dot11Radio0
>  !
>  ! Note - different encryption settings per SSID are implemented
>  ! by configuring them per VLAN.
>  !
>  encryption vlan 1 mode ciphers tkip
>  !
>  ssid prueba14
>     vlan 1
>     authentication open eap eap_methods
>     authentication key-management wpa
>     guest-mode
>     infrastructure-ssid optional
>  !
>  ssid AnotherNetwork
>     vlan 2
>     authentication open
>  !
> !
> ! You have to create interfaces & bridging groups for each VLAN
> !
> interface Dot11Radio0.1
>  encapsulation dot1Q 1 native
>  bridge-group 1
>  bridge-group 1 subscriber-loop-control
>  bridge-group 1 block-unknown-source
>  no bridge-group 1 source-learning
>  no bridge-group 1 unicast-flooding
>  bridge-group 1 spanning-disabled
> !
> interface Dot11Radio0.2
>  encapsulation dot1Q 2
>  bridge-group 2
>  bridge-group 2 subscriber-loop-control
>  bridge-group 2 block-unknown-source
>  no bridge-group 2 source-learning
>  no bridge-group 2 unicast-flooding
>  bridge-group 2 spanning-disabled
> !
> interface FastEthernet0.1
>  encapsulation dot1Q 1 native
>  bridge-group 1
>  no bridge-group 1 source-learning
>  bridge-group 1 spanning-disabled
> !
> interface FastEthernet0.2
>  encapsulation dot1Q 2
>  bridge-group 2
>  no bridge-group 2 source-learning
>  bridge-group 2 spanning-disabled
> !
> end
> 
> This should work for your box.  However, this has one caveat.  You cannot have more than one SSID set to "guest mode", i.e. only one of the AP's networks will show up in a standard laptop's network list.
> This is fixed in IOS 12.3-4JA, which uses a feature called Multiple Basic Service Set ID's (MBSSID).  From this release on, there's an entirely different way to specify SSID's.  It is no longer done on an interface level, but globally.  So, if you want to have two active, usable networks (usable == usable by a standard (l)user), you want to upgrade to 12.3-4JA (which is currently the latest version), and configure this differently.
> If you do, keep your fastethernet/dot11radio sub-interface configs, but instead of specifying SSID's under the dot11radio0 interface config, do this (normal config mode):
> 
> dot11 ssid prueba14
>    vlan 1
>    authentication open eap eap_methods
>    authentication key-management wpa
>    mbssid guest-mode
>    infrastructure-ssid optional
> !
> dot11 ssid AnotherNetwork
>    vlan 2
>    authentication open
>    mbssid guest-mode
> !
> interface Dot11Radio0
> !
> ! Note - you still set encryption here
> !
>  encryption vlan 1 mode ciphers tkip
>  !
>  ssid prueba14
>  !
>  ssid AnotherNetwork
>  !
>  ! Enable MBSSID's!
>  !
>  mbssid
> !
> 
> That should be it.
> 
-- 
Kristófer Sigurðsson         | Tel: +354 525 4103 / MSN: ks at rhi.hi.is
Netsérfr./Network specialist | Reiknistofnun HÍ/University of Iceland
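
The check behind point 1 of the reply above, as an added example that is not part of the original message: it reads a trimmed copy of the quoted switch configuration and reports every VLAN that is carried on fewer than two ports, which is how VLAN 2 ends up with no path to a gateway. The function names and the "fewer than two ports" heuristic are assumptions made for this illustration.

```python
import re

# Trimmed from the switch config quoted in the thread: ports Fa0/1-22 are
# empty stanzas like Fa0/23 and are omitted here.
SWITCH_CONFIG = """\
vlan 2
!
interface FastEthernet0/23
!
interface FastEthernet0/24
 switchport mode trunk
!
interface Vlan1
 ip address 10.254.254.254 255.255.255.0
!
ip default-gateway 10.254.254.177
"""

def parse_stanzas(config):
    """Map each top-level IOS line to the indented sub-commands below it."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace() and current is not None:
            stanzas[current].append(line.strip())
        elif not line[0].isspace():
            current = line.strip()
            stanzas[current] = []
    return stanzas

def ports_by_vlan(config):
    """Return {vlan: [physical ports carrying it]}; VLAN 1 always exists."""
    stanzas = parse_stanzas(config)
    vlans = {1} | {int(h.split()[1]) for h in stanzas if re.fullmatch(r"vlan \d+", h)}
    carried = {v: [] for v in sorted(vlans)}
    for header, body in stanzas.items():
        m = re.fullmatch(r"interface ((?:Fast|Gigabit)Ethernet\S+)", header)
        if not m or "shutdown" in body:
            continue
        if "switchport mode trunk" in body:
            members = vlans  # assumes no allowed-vlan list (not parsed here)
        else:
            access = [c.split()[-1] for c in body if c.startswith("switchport access vlan ")]
            members = {int(access[0]) if access else 1}  # access ports default to VLAN 1
        for v in members & vlans:
            carried[v].append(m.group(1))
    return carried

def dead_end_vlans(config):
    """VLANs reachable through fewer than two ports cannot be forwarded anywhere."""
    return {v: p for v, p in ports_by_vlan(config).items() if len(p) < 2}
```

On the quoted configuration, `dead_end_vlans(SWITCH_CONFIG)` reports VLAN 2 as present only on FastEthernet0/24, the trunk to the AP; a second trunk towards the router clears the finding, after which the router still needs one L3 interface per VLAN.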


