OK Ralph, here are my findings.

nr.2 I don't like to put the whole radio interface in a bridge group. I usually 
try to go for the subinterfaces and bridge together. This gives you more 
flexibility.
But did you have an exercise that instructed this or was this just something 
you made up? At least I understand that this worked.

nr.3 I first tried your configuration unchanged. It didn't work any better than 
in your case. Something bugged me with native vlan 20 between the APs. BVI 
interface always goes with bridge group 1 and always sends untagged packets 
over the wire. This doesn't mean that you have to have your root on VLAN 1. It 
can be put on any VLAN with different switchport trunk native vlan on the 
switchport. But this is of course management traffic. In my example that native 
vlan on my switches is 20. However I was able to make this work with VLAN 20 as 
native on both APs and the client worked over VLAN150. However I could not do 
pings between the BVI interfaces of Root and Repeater, but bridging of the 150 
vlan was working fine. But I added an extra SSID with VLAN for the clients. I am 
not sure how to make it work with the native in bridge group 20.

nr.4 I am without a clue :) But I have noticed when I configure EAP-FAST with 
root+WGB it takes about 10-15 sec to work if I don't shut/no shut the radio 
interfaces.
But yours is wpa-psk so it should be even simpler.

But back to 3:

So after this I took a look at my workbook and saw that the example used vlan1 
as the infrastructure vlan. So I wonder if that is mandatory. When I changed 
my configuration for vlan 1 and bridge-group 1 between the APs I could ping 
each other. So from what I understand, the repeater infrastructure SSID always 
has to be native (also for bridges with multiple vlans) and extra vlans 
(ssids+vlans for clients for example) will be tagged at the repeater and the 
native vlan will be used for the APs to communicate IAPP messages etc. for 
those extra SSIDs.

So if you like the Repeater to be on some special vlan, it has to go with the 
Root AP. As will the client in a single ssid setup. Even though you use vlan1 
between the APs you can decide in your network what your native vlan trunk will 
do. So you can set them in vlan 20 or whatever.

My configuration files are attached. A little explanation: Root 1 is with 
infrastructure ssid BOB in vlan1 (this is only between them) and bridge group 1 
- client can connect there too if they don't mind the infrastructure SSID 
setting. My ACU worked at least from the repeater. I created another VLAN 150 
and SSID client that trunks vlan 150 out to the wired network. A L3 switch has 
vlan 20 and vlan 150 with corresponding ip dhcp pools.

The Repeater has actually the same configuration except for the station role 
repeater. I created the fastethernet subinterfaces as well. I decided to follow 
my earlier configuration cause it worked last time. It might not make sense 
since the repeater ethernet interface is always down. But you can try to do 
without them, it would be interesting to see if that worked too. I didn't 
bother to change subinterfaces names so don't get confused ;)

So Jason or any Autonomous Rainman, any comments or rectifications? :-)

regards. Kristjan
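
The rule described in this message (infrastructure SSID on the VLAN that is native on the radio subinterface and bridged in bridge-group 1, where BVI1 sits), written as a small config check. This is an added example, not part of the original post or its attached configs; the function names and both config fragments are constructed for illustration, and the rule is the poster's lab observation.

```python
import re

def parse_ap_config(text):
    """Collect dot11 SSIDs and Dot11Radio subinterfaces from an IOS AP config."""
    ssids, subifs, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():  # an unindented line starts a new section
            cur = None
            if m := re.match(r"dot11 ssid (\S+)", line):
                cur = ssids.setdefault(m[1], {"vlan": None, "infra": False})
            elif m := re.match(r"interface (Dot11Radio\d+\.\d+)", line):
                cur = subifs.setdefault(m[1], {"vlan": None, "native": False, "bg": None})
        elif cur is not None:
            if m := re.match(r"vlan (\d+)$", line):
                cur["vlan"] = int(m[1])
            elif line == "infrastructure-ssid":
                cur["infra"] = True
            elif m := re.match(r"encapsulation dot1Q (\d+)( native)?$", line):
                cur["vlan"], cur["native"] = int(m[1]), bool(m[2])
            elif m := re.match(r"bridge-group (\d+)$", line):
                cur["bg"] = int(m[1])
    return ssids, subifs

def check_infrastructure_vlan(text):
    """Return findings; an empty list means the rule from the post is satisfied."""
    ssids, subifs = parse_ap_config(text)
    findings = []
    for name, ssid in ssids.items():
        if not ssid["infra"]:
            continue  # client SSIDs may sit on tagged VLANs
        for s in (s for s in subifs.values() if s["vlan"] == ssid["vlan"]):
            if not s["native"]:
                findings.append(f"{name}: vlan {ssid['vlan']} is not native on the radio")
            if s["bg"] != 1:  # BVI1 belongs to bridge-group 1
                findings.append(f"{name}: vlan {ssid['vlan']} is in bridge-group {s['bg']}, not 1")
    return findings

# Constructed fragments: WORKING follows the attached RootAP layout, NATIVE_20 moves BOB to VLAN 20.
WORKING = """dot11 ssid BOB
   vlan 1
   infrastructure-ssid
dot11 ssid client
   vlan 150
interface Dot11Radio0.20
 encapsulation dot1Q 1 native
 bridge-group 1"""
NATIVE_20 = WORKING.replace("vlan 1\n", "vlan 20\n").replace(
    "dot1Q 1 native\n bridge-group 1", "dot1Q 20 native\n bridge-group 20")
print(check_infrastructure_vlan(WORKING), check_infrastructure_vlan(NATIVE_20))
```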

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Ralph Olsen
Sent: 31 January 2011 20:36
To: Kristján Ólafur Eðvarðsson
Cc: [email protected]
Subject: Re: IPX-WB1 LAB 3.8 - Repeater (Ralph Olsen)

Hi Kristjan,

I still haven't found a way to make it work with vlans on the radio interface. 
My VLAN config is in the WLAN20native-WPA-RootAP.txt file.

I did 4 scenarios this evening.

1. Simple root ap with repeater ap all on native vlan 1 and bridge-group 1. I 
attached the 2 configs. Simple-WPA. This is as I see it as vanilla as it gets. 
And it works perfectly.

2. Same config but the Root AP now has bridge group 20 assigned to the d0 
interface and fas0.20 interface. Fa0.20 is dot1q vlan 20. I have attached the 2 
files. (BridgeG20-d0-WPA). This also works but I did have to reboot the root-ap 
as the mac of the laptop client was stuck in bridge 1 mac table.

3. The ssid on the root ap now has a VLAN 20 assigned to it and the 
bridge-group 20 has been moved to interface d0.20. d0.20 is encap dot1 20 
native. The Repeater AP and the client can associate with the Root AP and get 
full IP traffic to VLAN 20. But when the client connects to the Repeater AP it 
never gets an IP. The laptop client is simply not seen as a dot11 association 
on the root ap. (Config VLAN20native)

4. This is the funny part. My saved config from step 2 is now copied into the 
startup-config on both APs and they are reloaded. They come up again and now 
it doesn't work. Reload the laptop, try another. Nope just don't work. Start 
pinging from the Repeater AP BVI1 to the Default Gateway in VLAN 20, and that 
works fine. 30 seconds later the laptop gets an IP. So my note being..... you 
need luck... :o)

/Ralph


2011/1/31 Kristján Ólafur Eðvarðsson <[email protected]>:
> It would be interesting to post your configurations for this.
> I remember having this at Bootcamp and made it work. There is one 
> special thing I remember. The AP-to-AP communication SSID+VLAN is 
> always native. Others are tagged. The thing is that the communication 
> goes over the native vlan but the Repeater and Root somehow bridge 
> them over and put them on correct VLAN after the traffic is passed between 
> the two.
> I don't have IPX workbook, but I had a similar case in Fastlanes workbook.
> The user had a separate SSID and repeater had another to communicate 
> to Root on the native vlan.
>
> regards. Kristjan
> ------------------------------
>
> Message: 5
> Date: Sun, 30 Jan 2011 14:59:24 +0100
> From: Ralph Olsen <[email protected]>
> To: [email protected]
> Subject: Re: [CCIE Wireless] IPX-WB1 LAB 3.8 - Repeater
> Message-ID:
>        <[email protected]>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Conclusion after looking deeper into this. You need luck to make it 
> work. :o)
>
> I have tried a lot of different combos and boiled it down to an SSID 
> with auth open. When the PC connects directly to the root AP it works 
> fine and gets an IP from a different VLAN than bridge-group one (vlan
> 12 in the WB), but when it connects to the Repeater AP it doesn't 
> work. When the PC is on the repeater AP the traffic is unidirectional 
> only working from the PC -> repeater -> rootap -> Def.gw. Traffic in 
> the other direction gets cut off at the rootap.
>
> Can someone else try to make 3.8 work?
>
> /Ralph
>
> 2011/1/28 Ralph Olsen <[email protected]>:
>> Hi Group,
>>
>> I've just been looking into lab 3.8 in the IPX-WB1. Radio Roles - Repeater.
>>
>> Most of the things I have done work perfectly, the repeater AP 
>> associates with the root AP and I can see that it is using LEAP WPA 
>> as I wanted. Associated To AP AP1 001a.302e.4850 [LEAP WPA].
>>
>> But the part I can't get to work is: "Ensure that users would be able 
>> to get a DHCP address in the 10.10.12.0/24 subnet. Do not configure 
>> DHCP for this."
>>
>> In the DSG VLAN 12 on the AP1-d0 interface has been made native and 
>> in my mind that would map it to the d0 interface on AP2. When I 
>> connect with a client to AP1, I get the 10.10.12.0/24 DHCP offer 
>> right away. When I connect to the AP2 I never get an offer (or see 
>> request at the dhcp server).
>>
>> The ADU client associates fine with both AP1 and AP2: Interface 
>> Dot11Radio0, Station WL02-LAPTOP 0040.96b1.8207 Associated 
>> KEY_MGMT[WPA]
>>
>> Did Jason just become lucky in the DSG or is something missing?
>>
>> /Ralph
>>
>
>
> ------------------------------
>
> End of CCIE_Wireless Digest, Vol 22, Issue 41
> *********************************************
>
RootAP#sh run
Building configuration...

Current configuration : 2561 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RootAP
!
enable secret 5 $1$jd.R$Q4tcGQLg/BVae9z.n5OKH.
!
aaa new-model
!
!
aaa authentication login default local-case
!
aaa session-id common
no ip domain lookup
!
!
!
dot11 ssid BOB
   vlan 1
   authentication open 
   authentication key-management wpa
   infrastructure-ssid
   wpa-psk ascii 7 055A545C7519185E415C47
!
dot11 ssid client
   vlan 150
   authentication open 
   authentication key-management wpa
   wpa-psk ascii 7 14141B180F0B6B282D3B303A
!
power inline negotiation injector 001e.beb0.e8e7
power inline negotiation prestandard source
!
!
username Cisco password 7 062506324F41
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 150 mode ciphers tkip 
 !
 encryption vlan 1 mode ciphers tkip 
 !
 ssid BOB
 !
 ssid client
 !
 mbssid
 channel 2462
 station-role root
!
interface Dot11Radio0.20
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!         
interface Dot11Radio0.150
 encapsulation dot1Q 150
 no ip route-cache
 bridge-group 150
 bridge-group 150 subscriber-loop-control
 bridge-group 150 block-unknown-source
 no bridge-group 150 source-learning
 no bridge-group 150 unicast-flooding
 bridge-group 150 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 hold-queue 160 in
!
interface FastEthernet0.20
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.150
 encapsulation dot1Q 150
 no ip route-cache
 bridge-group 150
 no bridge-group 150 source-learning
 bridge-group 150 spanning-disabled
!
interface BVI1
 ip address 192.168.1.14 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.1.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
 privilege level 15
 logging synchronous
line vty 0 4
!
end

RootAP#
*Mar  4 15:10:11.695: %DOT11-6-ADD: Interface Dot11Radio0, Station 0040.96a6.ec4f Associated to Parent e05f.b9e5.a02e
RootAP#
*Mar  4 15:10:34.864: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0040.96a6.ec4f  
RootAP#
*Mar  4 15:10:55.121: %DOT11-6-ADD: Interface Dot11Radio0, Station 0040.96a6.ec4f Associated to Parent e05f.b9e5.a02e
RootAP#so dh  
RootAP#so do
RootAP#sh dot11 ass

802.11 Client Stations on Dot11Radio0: 

SSID [BOB] : 

MAC Address    IP address      Device        Name            Parent         State
0040.96a6.ec4f 192.168.20.2    Rptr-client   DELLVARA        e05f.b9e5.a02e Assoc
e05f.b9e5.a02e 192.168.1.15    ap1240-Rptr   RepeaterAP      self           Assoc

RootAP#sh br
RootAP#sh bridge 

Total of 300 station blocks, 296 free
Codes: P - permanent, S - self

Bridge Group 1:

    Address       Action   Interface       Age   RX count   TX count
e05f.b9e5.a02e   forward   Do0.20           P          18         15
Bridge Group 20:

Bridge Group 150:

0040.96a6.ec4f   forward   Vi0.150          P          50          7
RepeaterAP#sh run
Building configuration...

Current configuration : 2511 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RepeaterAP
!
enable secret 5 $1$YtU7$vNA9np1Vsr.LW64QX4D0M0
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
no ip domain lookup
!
!
!
dot11 ssid BOB
   vlan 1
   authentication open 
   authentication key-management wpa
   infrastructure-ssid
   wpa-psk ascii 7 055A545C7519185E415C47
!
dot11 ssid client
   vlan 150
   authentication open 
   authentication key-management wpa
   wpa-psk ascii 7 121A0C0411044D0723382727
!
power inline negotiation prestandard source
!
!
username Cisco password 7 032752180500
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 150 mode ciphers tkip 
 !
 encryption vlan 1 mode ciphers tkip 
 !
 ssid BOB
 !
 ssid client
 !
 station-role repeater
!
interface Dot11Radio0.20
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.150
 encapsulation dot1Q 150
 no ip route-cache
 bridge-group 150
 bridge-group 150 subscriber-loop-control
 bridge-group 150 block-unknown-source
 no bridge-group 150 source-learning
 no bridge-group 150 unicast-flooding
 bridge-group 150 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 hold-queue 160 in
!
interface FastEthernet0.20
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.150
 encapsulation dot1Q 150
 no ip route-cache
 bridge-group 150
 no bridge-group 150 source-learning
 bridge-group 150 spanning-disabled
!
interface BVI1
 ip address 192.168.1.15 255.255.255.0
 no ip route-cache
!         
ip default-gateway 192.168.1.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
!
end

RepeaterAP#sh do
RepeaterAP#sh dot11 ass

802.11 Client Stations on Dot11Radio0: 

SSID [BOB] : 

MAC Address    IP address      Device        Name            Parent         State
003a.9969.2c20 192.168.1.14    ap1240-Parent RootAP          -              Assoc

SSID [client] : 

MAC Address    IP address      Device        Name            Parent         State
0040.96a6.ec4f 192.168.20.2    CB21AG/PI21AG DELLVARA        self           Assoc

RepeaterAP#sh br
RepeaterAP#sh bridge 

Total of 300 station blocks, 296 free
Codes: P - permanent, S - self

Bridge Group 1:

Bridge Group 20:

Bridge Group 150:

    Address       Action   Interface       Age   RX count   TX count
0040.96a6.ec4f   forward   Do0.150          P          50          8
RepeaterAP#ping 192.168.1.14

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/3 ms
RepeaterAP#sh br
RepeaterAP#sh bridge 

Total of 300 station blocks, 296 free
Codes: P - permanent, S - self

Bridge Group 1:

Bridge Group 20:

Bridge Group 150:

    Address       Action   Interface       Age   RX count   TX count
0040.96a6.ec4f   forward   Do0.150          P          50          8