[c-nsp] Can't pick up ip address--cisco 1200 ap
snort bsd
snortbsd at yahoo.com.au
Sun Aug 2 19:44:54 EDT 2009
Thanks for help!
Here is what I have:
internet <-> AP <-> VLAN aware switch <-> firewall <-> internal networks
             |
             |
             |
   wireless PCs (VLAN 10 or VLAN 20)
I have DHCP service configured on the AP, which means those wireless PCs should get their IP addresses from the DHCP server on the AP (I don't have a separate DHCP server on the internal network). What I am trying to figure out is how I can tie the right pool of DHCP IP addresses to the right interface. Right now the authenticated PCs cannot get an IP address at all.
Here is my config relating to the diagram:
ip dhcp pool vlan20
 network 192.168.12.0 255.255.255.0
 subnet prefix-length 24
 default-router 192.168.12.1
 lease infinite
!
ip dhcp pool vlan10
 network 192.168.13.0 255.255.255.0
 subnet prefix-length 24
 default-router 192.16.13.1
 lease infinite
....
...
dot11 vlan-name ming vlan 20
dot11 vlan-name rest vlan 10
!
dot11 ssid lab vlan 20
 vlan 20
 max-associations 10
 authentication open
 authentication key-management wpa
 guest-mode
 mbssid guest-mode
 wpa-psk ascii 7 "whatever"
 !
 information-element ssidl wps
!
dot11 ssid test vlan 10
 vlan 10
 max-associations 10
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 "whatever"
 !
 information-element ssidl wps
....
...
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 10 mode ciphers aes-ccm tkip
 !
 encryption vlan 20 mode ciphers aes-ccm tkip
 !
 ssid lab vlan 20
 !
 ssid test vlan 10
 !
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 no ip redirects
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip redirects
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 port-protected
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 ip address 192.168.13.10 255.255.255.0
 no ip redirects
 no ip route-cache
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 ip address 192.168.12.10 255.255.255.0
 no ip redirects
 no ip route-cache
!
--- On Mon, 3/8/09, Graham Wooden <graham at g-rock.net> wrote:
> From: Graham Wooden <graham at g-rock.net>
> Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap
> To: "snort bsd" <snortbsd at yahoo.com.au>, "cisco-nsp" <cisco-nsp at puck.nether.net>
> Received: Monday, 3 August, 2009, 6:17 AM
> Well, without a VLAN aware switch you are dumping tagged VLAN traffic into
> an interface that won't do anything with it, and in turn won't pass you
> traffic to your "sub interfaces" on your AP.
>
> So to move forward, you really need to have the AP plugged into a VLAN aware
> switch, with the port set up for dot1q and allowing these two vlans.
> Then set up some other ports on the switch to handle the untagged traffic
> for these two vlans and put your DHCP server(s) on it. Or if you are running
> your DHCP server on a router, you can sub interface out the router and make
> that switchport dot1q as well.
>
> Make sense? Again, without the proper handling of the traffic leaving the
> AP, traffic won't go in properly as well.
>
> HTH,
>
> -graham
>
>
> >> From: snort bsd <snortbsd at yahoo.com.au>
> >> Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap
> >> To: "cisco-nsp" <cisco-nsp at puck.nether.net>, "Graham Wooden" <graham at g-rock.net>
> >> Received: Sunday, 2 August, 2009, 11:08 AM
> >>
> >> Thanks for reply.
> >>
> >> No, we have no VLAN aware switch connecting to it yet. We
> >> want to use it to replace the linksys wireless router we are
> >> using.
> >>
> >> The idea is that some of mobile user connecting to VLAN 10
> >> via wireless and some of mobile users connecting to
> >> VLAN 20. Users on both VLANs could get to internet but
> >> access different resources internally (with VLAN aware
> >> switches).
> >>
> >> One problem at a time...:)
> >>
> >> _Dave
> >>
> >> --- On Sun, 2/8/09, Graham Wooden <graham at g-rock.net> wrote:
> >>
> >>> From: Graham Wooden <graham at g-rock.net>
> >>> Subject: Re: [c-nsp] Can't pick up ip address--cisco 1200 ap
> >>> To: "snort bsd" <snortbsd at yahoo.com.au>, "cisco-nsp" <cisco-nsp at puck.nether.net>
> >>> Received: Sunday, 2 August, 2009, 10:22 AM
> >>> Hi there,
> >>>
> >>> Your switch port that the AP is connected to - is it in trunk mode?
> >>> Like "switchport trunk encap dot1q" ?
> >>>
> >>>
> >>> On 8/1/09 4:52 PM, "snort bsd" <snortbsd at yahoo.com.au> wrote:
> >>>
> >>>>
> >>>> Hi: all:
> >>>>
> >>>> I got ciscoAP 1200 configured and can connect it via wireless without
> >>>> problems. But the system connecting to the AP can't pick up any IP address.
> >>>>
> >>>> dot11 ssid lab vlan 20
> >>>>  vlan 20
> >>>>  max-associations 10
> >>>>  authentication open
> >>>>  authentication key-management wpa
> >>>>  guest-mode
> >>>>  mbssid guest-mode
> >>>>  wpa-psk ascii 7 "whatever key"
> >>>>  information-element ssidl wps
> >>>> !
> >>>> dot11 ssid test vlan 10
> >>>>  vlan 10
> >>>>  max-associations 10
> >>>>  authentication open
> >>>>  authentication key-management wpa
> >>>>  mbssid guest-mode
> >>>>  wpa-psk ascii 7 "whatever key"
> >>>>  information-element ssidl wps
> >>>>
> >>>> what else I didn't do right?
> >>>>
> >>>> Thanks
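Added example, not part of the original thread and not Cisco tooling: a small Python consistency check run over a constructed, trimmed copy of the pools and sub-interfaces posted above. The names `SAMPLE` and `lint` are hypothetical; the checks (default-router inside the pool's network, and the radio and wired sub-interfaces of a VLAN agreeing on native tagging and bridge-group) are editorial choices rather than a diagnosis given by the participants.

```python
import ipaddress, re

# Constructed sample: pools and sub-interfaces trimmed from the config posted above.
SAMPLE = """\
ip dhcp pool vlan20
 network 192.168.12.0 255.255.255.0
 default-router 192.168.12.1
ip dhcp pool vlan10
 network 192.168.13.0 255.255.255.0
 default-router 192.16.13.1
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 bridge-group 10
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
interface FastEthernet0.10
 encapsulation dot1Q 10
 ip address 192.168.13.10 255.255.255.0
interface FastEthernet0.20
 encapsulation dot1Q 20
 ip address 192.168.12.10 255.255.255.0
"""

def lint(cfg):
    """Editorial consistency checks (hypothetical helper); returns a list of findings."""
    findings, vlans = [], {}  # vlans: id -> {"radio"/"wired": (is_native, bridge_group)}
    # A stanza is an unindented header line followed by its indented sub-commands.
    for head, body in re.findall(r"^(\S.*)\n((?: .*\n?)*)", cfg, re.M):
        if head.startswith("ip dhcp pool"):
            net = re.search(r"^ network (\S+) (\S+)", body, re.M)
            gw = re.search(r"^ default-router (\S+)", body, re.M)
            if net and gw:
                subnet = ipaddress.ip_network(f"{net[1]}/{net[2]}")
                if ipaddress.ip_address(gw[1]) not in subnet:
                    findings.append(f"{head}: default-router {gw[1]} not in {subnet}")
        enc = re.search(r"^ encapsulation dot1Q (\d+)( native)?", body, re.M)
        if enc:
            side = "radio" if head.startswith("interface Dot11Radio") else "wired"
            bg = re.search(r"^ bridge-group (\d+)\s*$", body, re.M)
            vlans.setdefault(int(enc[1]), {})[side] = (bool(enc[2]), bg[1] if bg else None)
    for vid, sides in sorted(vlans.items()):
        if len(sides) == 2:
            (r_nat, r_bg), (w_nat, w_bg) = sides["radio"], sides["wired"]
            if r_nat != w_nat:
                findings.append(f"vlan {vid}: native on one side only")
            if r_bg != w_bg:
                findings.append(f"vlan {vid}: bridge-group radio={r_bg} wired={w_bg}")
    return findings
```

Calling `lint(SAMPLE)` returns four findings: the vlan10 pool's default-router outside its network, the native flag set only on the radio side of VLAN 10, and no wired-side bridge-group for VLANs 10 and 20.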