Kurt. Just looked over my config and couldn't see why mine worked. Found this on Cisco.com. http://preview.tinyurl.com/6jongm Section titled Significance of native vlan.
The BVI1 interface maps to the native sub interface on the ethernet trunk. I think the config I sent you is wrong, but for yours to work you need to set the native vlan on both the switch and wap to vlan 99 if that is your management vlan. Pain in the back side to remember that but it does work. Glen. ________________________________________ From: Kurt Buff [[email protected]] Sent: Saturday, January 15, 2011 3:41 PM To: NT System Admin Issues Subject: Re: Cisco 1240AG config problem You are correct, I don't want the clients to ping the WAP - I'm trying to remove the 15.31 address, and use the 99.121 address, but once I do that, I can't reach the WAP any more, in any way, until I pull power from it. (I'm not saving the running-config, just so I can do that!) That's why the mangement vlan 99 isn't configured on the radio side, only on the Ethernet side. I surely wouldn't mind a look at that config, though. Kurt On Sat, Jan 15, 2011 at 12:25, Glen Johnson <[email protected]> wrote: > I don't think you "want" the wireless clients to ping the wap. They should > be able to ping hosts on the same vlan as the SSID they are on. > When we were using fat waps, the only ip address the wap had was on the > management interface. For security, no wireless clients could get to that IP. > Have since switched to a wireless lan controller and life is much simpler, > but if you need more help, let me know as I should have a copy of the config > that I'll be glad to share. > > -----Original Message----- > From: Kurt Buff [mailto:[email protected]] > Sent: Saturday, January 15, 2011 2:42 PM > To: NT System Admin Issues > Subject: Re: Cisco 1240AG config problem > > On Sat, Jan 15, 2011 at 10:41, Michael B. Smith <[email protected]> wrote: >> It's been a really really long time for me, but shouldn't the "ip >> default-gateway" be an IP address on the BVI1 subnet? > > That seems to help somewhat. > > I updated as shown below, with the following results: > - Another WAP on the same PoE switch as the WAP I'm configuring (all WAPs > are on the 115 vlan but on different switches) can ping and telnet to 15.31 > and to 15.1 and 99.1, but not to 99.121 - 15.1 and > 99.1 are the addresses of the layer 3 switch. > > - A laptop wirelessly associated with 15.31 can ping the router address > on the 99 and 115 vlans, but not WAP's addresses of 99.121and 15.31. The > laptop gets 'destination host unreachable for the 99 address of the WAP, and > alternating sequences of that and 'reply timed out' for the 15 address of the > WAP (I've got four 'ping -t' prompts running on the laptop.) > > - No longer see on the WAP > "% Unrecognized host or address, or protocol not running." > when trying to ping from this WAP, nor the log errors > " %IP_SNMP-3-SOCKET: can't open UDP socket" > " Unable to open socket on port 161" > > - The WAP can ping itself on both addresses, and can ping the gateway on > the 115 vlan (15.1), but not the gateway on the 99 vlan > (99.1.) > > I also tried the config below except that I removed the 15.31 address from it > entirely, and while the laptop remained associated and had the same access, I > lost contact with the WAP, and the 99.121 address didn't come alive. > > Kurt > > ----------Begin updated conf snippet---------- interface FastEthernet0.99 > encapsulation dot1Q 99 no ip route-cache bridge-group 99 no bridge-group > 99 source-learning bridge-group 99 spanning-disabled ! > interface FastEthernet0.115 > encapsulation dot1Q 115 > ip address 192.168.15.31 255.255.255.0 > no ip route-cache > bridge-group 115 > no bridge-group 115 source-learning > bridge-group 115 spanning-disabled > ! > interface BVI1 > ip address 192.168.99.121 255.255.255.0 no ip route-cache ! > ip default-gateway 192.168.99.1 > ----------End updated conf snippet---------- > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ > <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
