Where are the passwords?

On Tue, Jan 18, 2011 at 5:46 PM, Kurt Buff <[email protected]> wrote:
> Glen, Michael, Brian,
>
> Thanks for your help in this. I do appreciate it.
>
> Been looking at this the whole time, in between interruptions galore...
>
> I got it finally - 'twas stupid target fixation on my part. I somehow got set on fa0.1 being the native VLAN, and on each subinterface being in its own bridge-group matching the VLAN number. Once I fixed that, it works just fine.
>
> For posterity, you have to make the management VLAN native (in this config it's VLAN 99 and fa0.99), and assign it to bridge-group 1, then assign the other VLANs to their own bridge-groups (and it's easiest, if not required, to make the bridge-group the same number as the VLAN). Then the IP address assigned for the WAP in the management VLAN has to be placed on the BVI1 interface.
>
> Lastly, always check layer 1 first. Just saying...
>
> Below are working WAP and HP switch configs, which assume that the WAP is in switch port 8, and that port 9 is the trunk port to the layer 3 switch:
>
> ----------Begin WAP Config----------
> version 12.4
> no service pad
> service timestamps debug datetime msec
> service timestamps log datetime msec
> service password-encryption
> !
> hostname wap121-IT
> !
> enable secret 5 (removed)
> !
> no aaa new-model
> clock timezone -0800 -8
> clock summer-time -0700 recurring
> !
> !
> dot11 vlan-name VLAN115 vlan 115
> dot11 vlan-name VLAN120 vlan 120
> !
> dot11 ssid guest
>  vlan 120
>  authentication open
>  mbssid guest-mode dtim-period 2
> !
> dot11 ssid production
>  vlan 115
>  authentication open
>  authentication key-management wpa
>  wpa-psk ascii 7 (removed)
> !
> power inline negotiation prestandard source
> !
> !
> username Cisco privilege 15 password 7 (removed)
> username readonly password 7 (removed)
> username ifteam privilege 15 secret 5 (removed)
> !
> bridge irb
> !
> !
> interface Dot11Radio0
>  no ip address
>  no ip route-cache
>  !
>  encryption mode ciphers tkip
>  !
>  encryption vlan 115 mode ciphers tkip
>  !
>  ssid guest
>  !
>  ssid production
>  !
>  antenna transmit right
>  antenna receive right
>  mbssid
>  speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
>  power client 20
>  channel 2437
>  station-role root
>  bridge-group 1
>  bridge-group 1 block-unknown-source
>  no bridge-group 1 source-learning
>  no bridge-group 1 unicast-flooding
>  bridge-group 1 spanning-disabled
> !
> interface Dot11Radio0.115
>  encapsulation dot1Q 115
>  no ip route-cache
>  bridge-group 115
>  bridge-group 115 subscriber-loop-control
>  bridge-group 115 block-unknown-source
>  no bridge-group 115 source-learning
>  no bridge-group 115 unicast-flooding
> !
> interface Dot11Radio0.120
>  encapsulation dot1Q 120
>  no ip route-cache
>  bridge-group 120
>  bridge-group 120 subscriber-loop-control
>  bridge-group 120 block-unknown-source
>  no bridge-group 120 source-learning
>  no bridge-group 120 unicast-flooding
>  bridge-group 120 spanning-disabled
> !
> interface Dot11Radio1
>  no ip address
>  no ip route-cache
>  shutdown
>  dfs band 3 block
>  channel dfs
>  station-role root
>  bridge-group 1
>  bridge-group 1 subscriber-loop-control
>  bridge-group 1 block-unknown-source
>  no bridge-group 1 source-learning
>  no bridge-group 1 unicast-flooding
>  bridge-group 1 spanning-disabled
> !
> interface FastEthernet0
>  no ip address
>  no ip route-cache
>  duplex auto
>  speed auto
> !
> interface FastEthernet0.99
>  encapsulation dot1Q 99 native
>  no ip route-cache
>  bridge-group 1
>  no bridge-group 1 source-learning
>  bridge-group 1 spanning-disabled
> !
> interface FastEthernet0.115
>  encapsulation dot1Q 115
>  no ip route-cache
>  bridge-group 115
>  no bridge-group 115 source-learning
>  bridge-group 115 spanning-disabled
> !
> interface FastEthernet0.120
>  encapsulation dot1Q 120
>  no ip route-cache
>  bridge-group 120
>  no bridge-group 120 source-learning
>  bridge-group 120 spanning-disabled
> !
> interface BVI1
>  ip address 192.168.99.121 255.255.255.0
>  no ip route-cache
> !
> ip default-gateway 192.168.99.1
> ip http server
> ip http authentication local
> no ip http secure-server
> ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
> snmp-server view dot11view ieee802dot11 included
> snmp-server view ieee802dot11 ieee802dot11 included
> snmp-server community public RO
> snmp-server contact IFTeam
> bridge 1 route ip
> !
> !
> !
> line con 0
>  login local
> line vty 0 4
>  login local
> !
> sntp server 192.168.10.191
> sntp broadcast client
> end
> ----------End WAP Config-----------
>
> -----------Begin Switch Config----------
> hostname "HP PoE WAPs Server room 99.22"
> max-vlans 10
> time timezone -480
> time daylight-time-rule Continental-US-and-Canada
> ip default-gateway 192.168.99.1
> sntp server 192.168.10.191
> logging 192.168.10.225
> snmp-server community "public" Operator
> snmp-server community "private" Operator Unrestricted
> vlan 1
>    name "DEFAULT_VLAN"
>    untagged 1-8
>    ip address dhcp-bootp
>    tagged 9
>    exit
> vlan 99
>    name "VLAN99"
>    ip address 192.168.99.22 255.255.255.0
>    tagged 1-9
>    exit
> vlan 115
>    name "VLAN115"
>    tagged 1-9
>    exit
> vlan 120
>    name "VLAN120"
>    no ip address
>    tagged 1-9
>    exit
> password manager
> password operator
> ----------End Switch Config----------
>
> On Sat, Jan 15, 2011 at 15:39, Glen Johnson <[email protected]> wrote:
> > Kurt.
> > Just looked over my config and couldn't see why mine worked.
> > Found this on Cisco.com.
> > http://preview.tinyurl.com/6jongm
> > Section titled Significance of native vlan.
> >
> > The BVI1 interface maps to the native sub interface on the ethernet trunk.
> > I think the config I sent you is wrong, but for yours to work you need to set the native vlan on both the switch and wap to vlan 99 if that is your management vlan.
> > Pain in the back side to remember that but it does work.
> > Glen.
> > ________________________________________
> > From: Kurt Buff [[email protected]]
> > Sent: Saturday, January 15, 2011 3:41 PM
> > To: NT System Admin Issues
> > Subject: Re: Cisco 1240AG config problem
> >
> > You are correct, I don't want the clients to ping the WAP - I'm trying to remove the 15.31 address, and use the 99.121 address, but once I do that, I can't reach the WAP any more, in any way, until I pull power from it. (I'm not saving the running-config, just so I can do that!)
> >
> > That's why the management vlan 99 isn't configured on the radio side, only on the Ethernet side.
> >
> > I surely wouldn't mind a look at that config, though.
> >
> > Kurt
> >
> > On Sat, Jan 15, 2011 at 12:25, Glen Johnson <[email protected]> wrote:
> >> I don't think you "want" the wireless clients to ping the wap. They should be able to ping hosts on the same vlan as the SSID they are on.
> >> When we were using fat waps, the only ip address the wap had was on the management interface. For security, no wireless clients could get to that IP.
> >> Have since switched to a wireless lan controller and life is much simpler, but if you need more help, let me know as I should have a copy of the config that I'll be glad to share.
> >>
> >> -----Original Message-----
> >> From: Kurt Buff [mailto:[email protected]]
> >> Sent: Saturday, January 15, 2011 2:42 PM
> >> To: NT System Admin Issues
> >> Subject: Re: Cisco 1240AG config problem
> >>
> >> On Sat, Jan 15, 2011 at 10:41, Michael B. Smith <[email protected]> wrote:
> >>> It's been a really really long time for me, but shouldn't the "ip default-gateway" be an IP address on the BVI1 subnet?
> >>
> >> That seems to help somewhat.
> >>
> >> I updated as shown below, with the following results:
> >> - Another WAP on the same PoE switch as the WAP I'm configuring (all WAPs are on the 115 vlan but on different switches) can ping and telnet to 15.31 and to 15.1 and 99.1, but not to 99.121 - 15.1 and 99.1 are the addresses of the layer 3 switch.
> >>
> >> - A laptop wirelessly associated with 15.31 can ping the router address on the 99 and 115 vlans, but not WAP's addresses of 99.121 and 15.31. The laptop gets 'destination host unreachable' for the 99 address of the WAP, and alternating sequences of that and 'reply timed out' for the 15 address of the WAP (I've got four 'ping -t' prompts running on the laptop.)
> >>
> >> - No longer see on the WAP
> >> "% Unrecognized host or address, or protocol not running."
> >> when trying to ping from this WAP, nor the log errors
> >> " %IP_SNMP-3-SOCKET: can't open UDP socket"
> >> " Unable to open socket on port 161"
> >>
> >> - The WAP can ping itself on both addresses, and can ping the gateway on the 115 vlan (15.1), but not the gateway on the 99 vlan (99.1.)
> >>
> >> I also tried the config below except that I removed the 15.31 address from it entirely, and while the laptop remained associated and had the same access, I lost contact with the WAP, and the 99.121 address didn't come alive.
> >>
> >> Kurt
> >>
> >> ----------Begin updated conf snippet----------
> >> interface FastEthernet0.99
> >>  encapsulation dot1Q 99
> >>  no ip route-cache
> >>  bridge-group 99
> >>  no bridge-group 99 source-learning
> >>  bridge-group 99 spanning-disabled
> >> !
> >> interface FastEthernet0.115
> >>  encapsulation dot1Q 115
> >>  ip address 192.168.15.31 255.255.255.0
> >>  no ip route-cache
> >>  bridge-group 115
> >>  no bridge-group 115 source-learning
> >>  bridge-group 115 spanning-disabled
> >> !
> >> interface BVI1
> >>  ip address 192.168.99.121 255.255.255.0
> >>  no ip route-cache
> >> !
> >> ip default-gateway 192.168.99.1
> >> ----------End updated conf snippet----------
> >>
> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> >> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
> >>
> >> ---
> >> To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
> >> or send an email to [email protected]
> >> with the body: unsubscribe ntsysadmin
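The "for posterity" rule from the thread (management VLAN native and in bridge-group 1, the management IP on BVI1, every other subinterface in a bridge-group numbered like its VLAN) can be checked mechanically before a config is pushed, and the same pass can flag an SSID left at `authentication open` with no key management, as the guest SSID above is. The lint below is an added example, not code from the thread; `parse_blocks` and `lint_wap` are my own names, the sample config is constructed to mirror the posted WAP config, and the parser assumes the one-space subcommand indentation of an IOS `show running-config`.

```python
import re

# Constructed sample shaped like the WAP config posted in the thread (secrets and unrelated lines left out).
WAP_CONFIG = """\
dot11 ssid guest
 vlan 120
 authentication open
dot11 ssid production
 vlan 115
 authentication open
 authentication key-management wpa
interface FastEthernet0.99
 encapsulation dot1Q 99 native
 bridge-group 1
interface FastEthernet0.115
 encapsulation dot1Q 115
 bridge-group 115
interface BVI1
 ip address 192.168.99.121 255.255.255.0
"""

def parse_blocks(text):
    """Map each 'interface X' / 'dot11 ssid X' header to its indented subcommands (IOS running-config layout)."""
    blocks, cur = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and cur:
            blocks[cur].append(line.strip())
        else:
            cur = line.strip() if line.startswith(("interface ", "dot11 ssid ")) else None
            if cur: blocks[cur] = []
    return blocks

def lint_wap(text):
    """Findings against the thread's rule (native VLAN in bridge-group 1, IP on BVI1, bridge-group == VLAN) plus an open-SSID check."""
    blocks, out, natives = parse_blocks(text), [], []
    for hdr, subs in blocks.items():
        enc = next((m for s in subs if (m := re.fullmatch(r"encapsulation dot1Q (\d+)( native)?", s))), None)
        bg = next((int(s.split()[1]) for s in subs if re.fullmatch(r"bridge-group \d+", s)), None)
        if enc and enc.group(2):
            natives.append(hdr)
            if bg != 1: out.append(f"{hdr}: native VLAN must be in bridge-group 1, not {bg}")
        elif enc and bg != int(enc.group(1)):
            out.append(f"{hdr}: bridge-group {bg} does not match VLAN {enc.group(1)}")
        if "authentication open" in subs and not any(s.startswith("authentication key-management") for s in subs):
            out.append(f"{hdr}: open SSID without key management")
    if len(natives) != 1:
        out.append(f"expected one native (management) subinterface, found {len(natives)}")
    if not any(s.startswith("ip address ") for s in blocks.get("interface BVI1", [])):
        out.append("interface BVI1: management IP address missing")
    return out
```

Dropping the `native` keyword from fa0.99 reproduces the failure mode described earlier in the thread (no native subinterface, and a bridge-group that no longer matches its VLAN), and the lint reports both.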
