Just wanted to stress this data point regarding trunked Cisco APs (Ranjit has it right):

Switch ports connected to APs that are trunking must be configured to allow only those VLANs that are configured on the AP. This is done using the 'switchport trunk allowed' command on the switch port.

ex) switchport trunk allowed vlan 1,314,953

http://www.cisco.com/en/US/customer/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml
(this page is for 1100 series, but applies to 1200 series as well)
(Not sure if this URL requires CCO login)

From that Cisco page:
"..If you ignore minor points in these concepts when you deploy VLANs with Cisco Aironet wireless equipment, you will experience unexpected performance, such as:

The failure to limit allowed VLANs on the trunk to those defined on the wireless device

If VLANs 1, 10, 20, 30 and 40 are defined on the switch, but only VLANs 1, 10 and 30 are defined on the wireless equipment, you must remove the others from the trunk switchport."


Hope this helps.
Mike

***************************************************************
Michael Dickson                Phone: 413-545-9639
Network Analyst                Fax:   413-545-3203
University of Massachusetts    Email: [EMAIL PROTECTED]
Network Systems and Services
***************************************************************

Ranjit Philip wrote:
Thank you all for the responses. The 'switchport mode trunk' actually did the 
trick. Little mistakes...arrrgh

I am going to take out the 'spanning-tree portfast' command nonetheless as most 
of you have suggested.

I however found out that when you have a port configured in trunk mode and you 
try to enable 802.1x on that port it gives me this message:

(config-if)#dot1x port-control auto
Command rejected: Trunking enabled on one or more ports.
Dot1x is supported only on Ethernet interfaces configured in Access, Routed or 
Private-vlan Host Mode.

(config-if)#
*Apr  4 12:16:02.104: %DOT1X-5-ERR_TRUNK: Dot1x can not be enabled on Trunk port

********************

This takes us into another subject, but, I was trying to configure the AP in such a way that it has one SSID tied to VLAN 168 which requires MAC based open authentication and no encryption and another SSID tied to VLAN 19 which requires 802.1x based authentication using EAP-PEAP with MS-CHAPv2 and WPA encryption. Do I need to have the port the AP is connected to set for 1x? How would I do it on a trunk port & if 1x is configured on the port wouldn't all the SSIDs on the AP require 802.1x based authentication?
Thank you.

Ranjit Philip
ITR Network Engineering
California State University, Northridge



---- Original message ----

Date: Wed, 14 Dec 2005 18:21:46 -0500
From: "Casey, J Bart" <[EMAIL PROTECTED]>
Subject: RE: [WIRELESS-LAN] Multiple VLANs configuration
To: <[EMAIL PROTECTED]>, <[email protected]>

First execute a couple of commands

1) sh int fa2/36 switchport
 Look at the output from this and see if your interface is actually in trunk mode

2) conf t
 int fa2/36
 switchport mode trunk

This will turn trunking on.
Alternatively, you can do a switchport mode dynamic auto, which sets the trunk negotiation to auto, or you can do a switchport mode dynamic desirable, which sets the trunk negotiation to desirable.

3) no spanning-tree portfast

4) sh vtp stat
 If you are using a VTP domain, you want to make sure your VTP domain info is correct as well


This should get you up and going

J. Bart Casey
Network Engineer
Wofford College

-----Original Message-----
From: Ranjit Philip [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 14, 2005 5:26 PM
To: [email protected]
Subject: [WIRELESS-LAN] Multiple VLANs configuration

We are currently testing setting up our Cisco Aironet 1100 and 1200
infrastructure with multiple VLANs

Our test device is statically configured for VLAN 168. We have another test
VLAN 19 which we want to have trunked to the device.

The access point is connected to a port on a Cisco 4500 chassis running
native IOS.

The port configuration that is currently on is:

interface FastEthernet2/36
switchport access vlan 168
switchport trunk encapsulation dot1q
switchport trunk native vlan 168
switchport trunk allowed vlan 1,19,168,998,999,1001-4094
qos trust cos
no snmp trap link-status
tx-queue 3
 priority high
spanning-tree portfast
****************************

If I do a 'sh vlan id 19' on the same switch it does not show the VLAN
active on the same port

Should I be configuring the port differently to carry multiple VLANs to the
access point?

Any clues would be appreciated...

Ranjit Philip
ITR Network Engineering
California State University, Northridge

**********
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.
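
An added example, not part of any message in this thread: a Python check that compares a switch port's allowed-VLAN list with the VLANs defined on the AP, run against the port configuration posted in the original question (trimmed to its switchport lines). The AP VLAN set {19, 168} is an assumption taken from the two VLANs the poster describes, and the function names are illustrative.

```python
import re

# Port configuration from the original question, trimmed to the switchport
# lines. Note that it has no 'switchport mode trunk' statement.
PORT_CONFIG = """\
interface FastEthernet2/36
 switchport access vlan 168
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 168
 switchport trunk allowed vlan 1,19,168,998,999,1001-4094
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1,19,1001-4094' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_ap_trunk(config, ap_vlans):
    """Return findings for a switch port that feeds a trunked AP."""
    findings = []
    if not re.search(r"^\s*switchport mode trunk\s*$", config, re.M):
        findings.append("no 'switchport mode trunk': port is not forced to trunk")
    # IOS may split long lists over '... allowed vlan add ...' lines.
    specs = re.findall(r"^\s*switchport trunk allowed vlan (?:add )?([\d,-]+)", config, re.M)
    if not specs:
        findings.append("no allowed-VLAN list: the trunk carries every VLAN")
        return findings
    allowed = set().union(*map(expand_vlans, specs))
    extra = allowed - set(ap_vlans)      # on the trunk, not on the AP
    missing = set(ap_vlans) - allowed    # on the AP, pruned from the trunk
    if extra:
        findings.append(f"{len(extra)} allowed VLANs not defined on the AP, e.g. {sorted(extra)[:3]}")
    if missing:
        findings.append(f"AP VLANs not allowed on the trunk: {sorted(missing)}")
    return findings

def allowed_vlan_command(ap_vlans):
    """Build the allowed-VLAN line restricted to the AP's own VLANs."""
    return "switchport trunk allowed vlan " + ",".join(str(v) for v in sorted(ap_vlans))

if __name__ == "__main__":
    for finding in audit_ap_trunk(PORT_CONFIG, {19, 168}):  # assumed AP VLANs
        print("FINDING:", finding)
    print("suggested:", allowed_vlan_command({19, 168}))
```
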



