All,

It's been a long time since I configured any Cisco equipment, and
never with vlans. These WAPs have been around a long time, and the
vendor did the original config, with no vlans - I've just been
googling around and figuring all of this out, with minor help from a
conslutant. I'm configuring the WAP above my desk first, with the
intent that once it's working, the config will be rolled out to the 14
other units, and then I'll announce the guest wireless publicly.

With the config shown below, I have a sort-of working setup on this
WAP. For clarity,
     - vlan 1 is native and not used
     - vlan 99 is the management vlan, and is not intended to extend
to the wireless side of the WAP (I use this vlan to manage all of the
switches, which are HP Procurves)
     - vlan 115 is the production wireless vlan, and is available for
wireless connection for company equipment
     - vlan 120 is the guest wireless vlan, and is going to be
available for wireless connection for guest/personal equipment, once I
have this working on all 15 WAPs

The guest network (vlan 120) does have connectivity to the world, and
you can't ping to it or from it via the production network (vlan 115
or the wired vlans), and I have a separate DHCP server on the guest
vlan, so that's all happy, AFAICT.

I can connect with wireless devices to either of the two wireless
vlans, no problem.

The problems I'm seeing are:

     1) I can telnet to the WAP on either IP address, but I can't ping
from the WAP to anything, including addresses assigned to the WAP - I
get the error
          "% Unrecognized host or address, or protocol not running."

     2) I'm seeing the following error lines in the logs on the WAP:
          "%IP_SNMP-3-SOCKET: can't open UDP socket"
               and
          "Unable to open socket on port 161"

     3) After I finished configuring the WAP Thursday afternoon and
confirming connection on both SSIDs, on Friday I couldn't connect
anything to the production SSID, until I did a reload - that seems to
have cleared, but that is troubling.


My googling reveals that the error messages are supposedly caused by
the lack of an IP address on any interface. However, as you can see
from the config below I have addresses configured on two interfaces,
and can telnet to either one.

I have even tried putting an address on int BVI1, but I may have done
that incorrectly, as it didn't seem to help.

Does anyone out there see what I've gotten wrong? I'm continuing my
searches, but if someone can short-circuit that with a good answer,
I'd really appreciate it.


Thanks,

Kurt

----------Begin config----------
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname wapc31.example.com
!
enable secret 5 (removed)
!
no aaa new-model
clock timezone -0800 -8
clock summer-time -0700 recurring
!
!
dot11 vlan-name VLAN115 vlan 115
dot11 vlan-name VLAN120 vlan 120
!
dot11 ssid guest
   vlan 120
   authentication open
   mbssid guest-mode dtim-period 2
!
dot11 ssid production
   vlan 115
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 (removed)
!
power inline negotiation prestandard source
!
!
username Cisco privilege 15 password 7 (removed)
username readonly password 7 (removed)
username ifteam privilege 15 secret 5 (removed)
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 encryption vlan 115 mode ciphers tkip
 !
 ssid guest
 !
 ssid production
 !
 antenna transmit right
 antenna receive right
 mbssid
 speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 power client 20
 channel 2437
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.115
 encapsulation dot1Q 115
 no ip route-cache
 bridge-group 115
 bridge-group 115 subscriber-loop-control
 bridge-group 115 block-unknown-source
 no bridge-group 115 source-learning
 no bridge-group 115 unicast-flooding
 bridge-group 115 spanning-disabled
!
interface Dot11Radio0.120
 encapsulation dot1Q 120
 no ip route-cache
 bridge-group 120
 bridge-group 120 subscriber-loop-control
 bridge-group 120 block-unknown-source
 no bridge-group 120 source-learning
 no bridge-group 120 unicast-flooding
 bridge-group 120 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.99
 encapsulation dot1Q 99
 ip address 192.168.99.121 255.255.255.0
 no ip route-cache
 bridge-group 99
 no bridge-group 99 source-learning
 bridge-group 99 spanning-disabled
!
interface FastEthernet0.115
 encapsulation dot1Q 115
 no ip route-cache
 bridge-group 115
 no bridge-group 115 source-learning
 bridge-group 115 spanning-disabled
!
interface FastEthernet0.120
 encapsulation dot1Q 120
 no ip route-cache
 bridge-group 120
 no bridge-group 120 source-learning
 bridge-group 120 spanning-disabled
!
interface BVI1
 ip address 192.168.15.31 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.99.1
ip http server
ip http authentication local
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
snmp-server view dot11view ieee802dot11 included
snmp-server view ieee802dot11 ieee802dot11 included
snmp-server community zetpub RO
snmp-server contact IFTeam
bridge 1 route ip
!
!
!
line con 0
 login local
line vty 0 4
 login local
!
sntp server 192.168.10.191
sntp broadcast client
end
----------End Config----------
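
Added example, not part of the original post and not Cisco tooling: one way to check a saved running-config against the VLAN plan stated in the message before it is copied to the other units (management VLAN 99 kept off the radio, VLANs 115 and 120 each present on the radio), and to list which interfaces carry an IP address. The function names and the embedded excerpt are constructed for illustration.

```python
import re

# Constructed excerpt of the config posted above: only the lines this check reads.
SAMPLE_CONFIG = """\
interface Dot11Radio0.115
 encapsulation dot1Q 115
 bridge-group 115
interface Dot11Radio0.120
 encapsulation dot1Q 120
 bridge-group 120
interface FastEthernet0.99
 encapsulation dot1Q 99
 ip address 192.168.99.121 255.255.255.0
 bridge-group 99
interface FastEthernet0.115
 encapsulation dot1Q 115
 bridge-group 115
interface FastEthernet0.120
 encapsulation dot1Q 120
 bridge-group 120
interface BVI1
 ip address 192.168.15.31 255.255.255.0
"""

def parse_interfaces(text):
    """Map interface name -> {'vlan': dot1Q tag or None, 'ip': address or None}."""
    found, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = found.setdefault(m.group(1), {"vlan": None, "ip": None})
        elif cur is not None and (m := re.match(r" +encapsulation dot1Q (\d+)", line)):
            cur["vlan"] = int(m.group(1))
        elif cur is not None and (m := re.match(r" +ip address (\S+) \S+", line)):
            cur["ip"] = m.group(1)  # " no ip address" does not match this pattern
        elif not line.startswith(" "):
            cur = None  # a top-level line ends the interface stanza
    return found

def check_plan(found, mgmt_vlan=99, wireless_vlans=(115, 120)):
    """Deviations from the plan in the post: mgmt VLAN wired-only, WLAN VLANs on the radio."""
    radio = {i["vlan"] for n, i in found.items() if n.startswith("Dot11Radio") and i["vlan"]}
    issues = [f"management vlan {mgmt_vlan} is bridged to the radio"] if mgmt_vlan in radio else []
    issues += [f"vlan {v} has no radio subinterface" for v in wireless_vlans if v not in radio]
    issues += [f"unplanned vlan {v} on the radio" for v in sorted(radio - set(wireless_vlans) - {mgmt_vlan})]
    return issues

def addressed(found):
    """Interfaces that carry an IP address, i.e. where management services are reachable."""
    return {name: info["ip"] for name, info in found.items() if info["ip"]}
```

An empty list from `check_plan` means the subinterface layout matches the stated plan; it says nothing about whether IP is actually running on the addressed interfaces.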
