Access point single VLAN

Similar Messages

• Cisco Access point management vlan

  Hi All, 
  I have  all my switches configured to run on native vlan 500 and management on vlan 10 
  with the cisco access point , if I make 500 native or another word trunk untagged vlan then I can't access the router using the BVI interface which is meant to have ip from vlan 10.
  vlan 10 is the management network across our business and all management ips are on that range.
  what are the possible solutions?

  When you connect the access point to the wired LAN, the access point links to the network using a bridge virtual interface (BVI) that it creates automatically. Instead of tracking separate IP addresses for the access point's Ethernet and radio ports, the network uses the BVI.
  When you assign an IP address to the access point using the CLI, you must assign the address to the BVI. Beginning in privileged EXEC mode, follow these steps to assign an IP address to the access point's BVI:
  Step 1 
  configure terminal
  Enter global configuration mode.
  Step 2 
  interface bvi1
  Enter interface configuration mode for the BVI.
  Step 3 
  ip address address
  mask
  Assign an IP address and address mask to the BVI. Note If you are connected to the access point using a Telnet session, you lose your connection to the access point when you assign a new IP address to the BVI. If you need to continue configuring the access point using Telnet, use the new IP address to open another Telnet session to the access point.

• 1240AG Access Point/Native VLAN/VLAN Problem

  Need to setup several SSID's with different Encryption levels. The access point connects to a plain D-link switch, not able to define a truck on the switch which is causing problems when only one of the SSID's is set for Native VLAN (DHCP server cannot be contacted with the other SSID's).
  Anyway to get around this problem !!!!

  Nope.... you need to be able to define the vlans on the switch. You need a switch where you can configure a dot1q trunck and then you can make this work. Right now, you can only have one.

• Unable to connect to Access Point over VLAN

  I have a Cisco Aironet 1142 that I am unable to ping or connect to in order to manage and unable to connect to the SSIDs .  I have changed the native VLAN to 318 on the 1142.  I have also set the port on my 3750X to trunk with the native VLAN set at 318.  The 1142 can ping its IP address but not the Default Gateway.  The switch is able to ping the Default Gateway but not the 1142.  Any suggestions based upon the configs included below?  Many thanks!
  Aironet 1142:
  interface Dot11Radio0.318
   encapsulation dot1Q 318 native
   no ip route-cache
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
   bridge-group 1 spanning-disabled
  interface Dot11Radio1.318
   encapsulation dot1Q 318 native
   no ip route-cache
   bridge-group 1
   bridge-group 1 subscriber-loop-control
   bridge-group 1 block-unknown-source
   no bridge-group 1 source-learning
   no bridge-group 1 unicast-flooding
   bridge-group 1 spanning-disabled
  interface GigabitEthernet0.318
   encapsulation dot1Q 318 native
   no ip route-cache
   bridge-group 1
   no bridge-group 1 source-learning
   bridge-group 1 spanning-disabled
  interface BVI1
   ip address 172.17.18.200 255.255.255.0
   no ip route-cache
  ip default-gateway 172.17.18.1
  3750X:
  interface GigabitEthernet1/0/30
   switchport trunk encapsulation dot1q
   switchport trunk native vlan 318
   switchport trunk allowed vlan 3,318,956
   switchport mode trunk
   switchport nonegotiate
   switchport voice vlan 220
   srr-queue bandwidth share 1 30 35 5
   priority-queue out
   mls qos trust device cisco-phone
   mls qos trust cos
   auto qos voip cisco-phone
   spanning-tree portfast
   service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

  Yes, unable to ping 172.17.18.1.  BVI interface is up
  #sh int bvi1
  BVI1 is up, line protocol is up
    Hardware is BVI, address is e8b7.48f5.0f7e (bia e8ba.70e7.d430)
    Internet address is 172.17.18.200/24
    MTU 1500 bytes, BW 54000 Kbit/sec, DLY 5000 usec,
       reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation ARPA, loopback not set
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input 03:18:25, output never, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
       133 packets input, 9926 bytes, 0 no buffer
       Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
       0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
       1610 packets output, 189086 bytes, 0 underruns
       0 output errors, 0 collisions, 0 interface resets
       0 unknown protocol drops
       0 output buffer failures, 0 output buffers swapped out

• Dynamic VLAN on Access Point using RADIUS

  Hi.
  I am using a single Cisco 1130AG authenticating to RADIUS on Microsoft IAS (I do NOT have a WLC)
  I was wondering is it possible to use one flat SSID in my network and then dynamically assign VLANs to users based on matching of RADIUS Policy and RADIUS Return attributes?
  I have configured the attributes on radius as per documentation;
  * IETF 64 (Tunnel Type)—Set this to VLAN.
  * IETF 65 (Tunnel Medium Type)—Set this to 802.
  * IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID.
  The returned VLAN ID exists on the Access Point and direct connection to the SSID without the return value works okay.
  Each time I connect the VLAN just defaults to the native VLAN for the SSID
  I think it may be impossible without WLC!
  HELP!!

  From what I found when using MBSSID it appears you cannot use dynamic VLANs.
  However you can use a single broadcasted SSID and various non-broadcast SSIDs with dynamic VLANs.
  Ideally a single SSID and dynamic VLANs via dot1x would be fine for my setup.
  However I have a specific wireless device which cannot use dot1x/EAP and therefore I need an second broadcast SSID to use for this. Which then causes the dynamic VLAN setup not to work.

• Can an Aironet WiFi Access Point bridge multiple internal VLANs?

  I have Cisco Aironet 2700e access points.  Historically they were configured with a single SSID on both radios with WEP 128bit security.
  I now need to add new WiFi devices to the network that have limited flexibility.  They must be associated only with a specific radio (2.4ghz or 5ghz) and WPA2PSK security.
  My thought was to create two additional SSIDs on the 2700 access points, one for 2.4gz WPA2PSK and the other for 5ghz WPA2PSK.  The pre-existing SSID will continue to use 128bit WEP.  To do that  I need to use VLANs on the 2700e.
  I have no other VLANS on my network.  I only need VLANs on the 2700e because I have different physical devices that support different WiFi frequencies and security options.  I don't need to segment the network.
  How do I bridge the VLANs on the 2700e?
  Devices that connect to the non-native VLANs appear to be isolated from the rest of the network (as I would suspect with VLANs).  But that's not what I want .  I'm only using VLANs because I need multiple SSIDs, and I need multiple SSIDs because I have different physical devices that want different WiFI access point configurations.  I can't seem to find any way to configure the 2700e to bridge the VLANs for the multiple SSIDs.
  Any guidance would be appreciated.  I could buy additional access points but that seems to be defeating the purpose of having a device like the 2700e.
  Any help would be appreciated.
  Thank you.

  I made these changes to the example here:
  https://supportforums.cisco.com/document/55561/multiple-ssid-multiple-vlans-configuration-example-cisco-aironet-aps
  and it seems to be working.  (By "working" I mean that I can now ping to/from devices connected on different SSIDs.) I had to make these changes from the CLI.  There does not seem to be a way to make these changes from the GUI.  Is that correct? If there is a way to make these changes from the GUI please let me know.
  The changes I made were to make the sub interface for Dot11 radio 0 on the VLANs part of bridge-group 1.  So assuming the config in the example:
  ap(config)#interface Dot11Radio0.2
  ap(config-subif)#no bridge-group 2
  ap(config-subif)#bridge-group 1
  ap(config-subif)#exit
  ap(config)#interface Dot11Radio0.3
  ap(config-subif)#no bridge-group 3
  ap(config-subif)#bridge-group 1
  ap(config-subif)#exit
  I did not change the bridge group on the Ethernet interface.
  Questions:
  1. Did I create any new problems making this change? It seems to work, but am I going to get myself in trouble somewhere else?  Intuitively it makes sense to me: the VLANs are now part of the same bridge group (1, the native VLAN).  So all traffic should be bridged together.  Correct?
  2. I didn't change the Ethernet sub interfaces.  I don't seem to need to make that change.  I also don't like things sitting out there that I don't understand.  Should I do anything to clean up the Ethernet interfaces?
  3. The original configuration was made entirely from the GUI.  This change needs to be made from the CLI.  Can it be done from the GUI?  I can't seem to find a way to change bridge groups for a sub interface from the GUI. It worried me that it can't be done from the GUI.
  Thank you.
  Larry

• Single access point with multiple ssids and single channel possible?

  Hi everybody.
  I have this silly question.
  Let say we have three vlans, vlan1,2,3  and they are mapped to wlans as follows:
  Vlan 1  ssid1
  Vlan 2 ssid2
  Vlan3 ssid 3
                    AP --------trunk------Switchted network.
  Our Ap  has mobile devices in three wlans, i.e ssid1ssid2 and ssid3
  Since AP uses half duplex mode,  mobile devices need positive ack from ap  before they can send data,  therefore once channel let say channel 3( assuming 802.11b is used) can be shared by all mobile devices in three wlans.  
  Is  my understanding correct?
  Thanks and have a great weekend.

  Hii ,
  Yes ,that is pretty much possible as suggested by other experts on board. Depending on your access point you will have 1 (2.4 GHz) or  both 2.4 & 5GHz radios.
  You can configure multiple SSIDs (up to 16 ) known as MBSSID mode in autonomous environment. In Controller based architecture you can configure up to 512 WLAN (SSID) and transmit any 16 of them per AP (using AP group feature). However , it is recommended to keep multiple SSID count below 8 as for each SSID separate beacon will be sent on air which consumes more air time.
  Hope this helps
  Thanks
  Vinay

• Strange VLAN issue on aironet access points

  I'm setting up some access points for WPA. I've ran into a strange issue. The client VLAN (VLAN that the users will be put into) is 1, and the native VLAN is 10. The RADIUS server is in VLAN 1 (but I have a test RADIUS server in VLAN 10 as well). I can connect from the access point to a RADIUS server in either VLAN, and from the RADIUS servers to the access point as well. When I point to a RADIUS server in VLAN10 authentication works fine. If I point to a RADIUS server that is located in VLAN1, and I put the wireless clients in VLAN10 it works fine. But for some reason when I have the RADIUS server and the clients in VLAN (1) and the native (BVI1) interface in VLAN 10 the authentication packets never seem to get to the RADIUS server. It is as if the authentication is being sources out of the wrong VLAN. I can?t find any docs to say that this isn?t a supported configuration.

  Hi Shannon,
  have a look here:
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#apconfig
  - - - Snipp - - -
  Significance of Native VLAN
  When you use an IEEE 802.1Q trunk port, all frames are tagged except those on the VLAN configured as the "native VLAN" for the port. Frames on the native VLAN are always transmitted untagged and are normally received untagged. Therefore, when an AP is connected to the switchport, the native VLAN configured on the AP must match the native VLAN configured on the switchport.
  Note: If there is a mismatch in the native VLANs, the frames are dropped.
  This scenario is better explained with an example. If the native VLAN on the switchport is configured as VLAN 12 and on the AP, the native VLAN is configured as VLAN 1, then when the AP sends a frame on its native VLAN to the switch, the switch considers the frame as belonging to VLAN 12 since the frames from the native VLAN of the AP are untagged. This causes confusion in the network and results in connectivity problems. The same happens when the switchport forwards a frame from its native VLAN to the AP.
  - - - Snapp - - -
  Best regards,
  Frank

• Light weight access point, vlans, multiple ssids

  Hi everybody
  Let say we have an light weight access point ap1.  Ap1 is broadcasting two ssids:
  cisco1  which is mapped to vlan 1
  cisco 2  which is mapped to vlan 2
  If ap1 is using channel 6 for cisco 1, does it mean ap1 will also use same channel i.e channel 6 for cisco2?
  thanks and have a great weekend.

  sarahr202 wrote:Hi everybodyLet say we have an light weight access point ap1.  Ap1 is broadcasting two ssids:cisco1  which is mapped to vlan 1cisco 2  which is mapped to vlan 2If ap1 is using channel 6 for cisco 1, does it mean ap1 will also use same channel i.e channel 6 for cisco2?thanks and have a great weekend.
  Lightweight WAP right?  As in controller-based WAP?
  If this is the case, then the answer is both a yes and a no.
  Let me explain:
  Throw away the notion that you can set the channel down.  I mean, if you have a controller-based WAP, the last thing you want to do is "micro-manage" which channels your WAPs operate on.   I mean, you can but as a rule-of-thumb, you don't and let the controller sort things out.
  So, going back to your question:  You whave multiple WAPs and two SSID:  1 and 2.  Let's presume that you've configured that all your WAPs will be broadcasting SSID 1 and SSID 2.
  The decision about what channels each WAP will be operating on falls squarely on the Wireless LAN Controller (WLC).  The WLC makes this decision based on a blah-blah-blah algorythm.  If, for example, WAP A and, say, WAP R can "hear" each other on the same channel, the WLC will make the decision and say, "Hey WAP R, since you and WAP A are operating in the same channel and both of you can hear each other, why don't you, WAP R, operate in channel 11.".
  However, if WAP A and WAP R can't see each other then both of them can operate in the same channel.
  NOW, here's comes the tricky question ... Here's the scenario:  You have SSID 1 and SSID 2.  You want all your WAPs to broadcast both SSID.  HOWEVER, you want SSID 1 to operate at, say, 1 Mbps rate only while SSID 2 can operate at all other data rates.
  Yes, this can be done using RF Profile and AP Groups.
  Is this what you are asking?

• VLANs thru a 350 Access Point

  I'm considering use of 350 access points connected to Catalyst 4000 switches with a few Symbol phones & Call Manager. There may also be some (few) wireless PC cards also connecting thru the same APs. On my wired network, the phones, gateways, etc are on separate VLANs than the data devices. Is this possible using wireless APs? Do APs know anything about trunking or VLANs or is this strictly up to the switch port to which they are connected?

  Is that true?
  I had that question too before. I did call Cisco Tac, but they confirm me that was not supported.Because the Vlan trunk frame is a little difference with normal ethernet frame, so the AP doesn't recogonize it ,and will drop it.
  Actaully it is simmilar as you put a hub between a trunk line, the trunk doesn't work with that.
  In theory , it is reasonable not to work with vlan trunk, but I didn't do any lab to test it.
  Icarr , are you really sure it works? There is not any problem ?
  Thanks

• Access point VLANS and IP Addresses for RADIUS servers

  Hi, i would like to have my IAS radius server authenticate clients. I have done that, so my question is about routing and VLANS and incorporating into my existing network.
  What VLAN does the access point communicate to the RADIUS server on? I need to tell the access point to communicate on VLAN1, any other VLAN will not goto the radius server. The access point only has one setable ip address through the http config, is this for management or communication with the radius server?
  Thanks in advance,
  Chris

  Hello,
  Would you mind sharing how you configured both the AP and IAS to work together? I'm not finding anything in the Cisco documentation that shows how to do that and I need to use my IAS server to authenticate clients who connect to the inside SSID on my AP.
  By the way, I have successfully configured an AP with two SSIDs - one for guests that connects those clients to the guest VLAN (a DMZ on my PIX), and one for trusted users that connects them to the VLAN for my inside, secure network). If you haven't got that working, I'd be glad to help.

• Requirement for Native VLAN on Flexconnect Access Point

  Hi All,
  Just looking at AP configuration using 5508 WLC.
  We have APs deployed at all branch sites connected over a corporate L3 WAN to a Data Centre which houses the WLC(s)
  When setting the AP for Flexconnect mode there is a requirement that one native VLAN must be configured for each FlexConnect AP. If the AP is attached to a L2 switch and I want to enable multiple VLAN Mappings then I would need to add these VLANs to the allowed VLAN list on a trunk link between the AP and the switch (802.1Q) on the branch site.
  Normally if I configured a trunk link I would never add the Native VLAN to the trunk and never use it for any traffic. In this case it would appear that I MUST use the native VLAN (which seems to go against my better judgement). So my question (after all this) is: What must the AP use the Native VLAN?
  Thanks All.

  This has always been a standard practice for access points that has to connect to a trunk port. This goes back to the autonomous access points and also with FlexConnect and Mesh if your setting up Ethernet bridging.  Wired side is different from the wireless side as you have noticed. 
  Please rate helpful post and Cisco Support Community will donate to Kiva
  Scotty

• Access Point management in VLAN other than native

  Hi all,
  I'm using VLAN 2 in my network as management VLAN. All network devices have the management IP address in this VLAN. I have some problems though to connect to 2 access points 1602. I set up VLAN 2 and configure the subinterface Gi0.2 and the bridge group 2. Then, I configure the BVI2 with the managemente IP address, I enable "bridge 2 route ip" and it works. However, when I reload the AP I cannont connect any more to the IP address. If I erase the configuration, reload and paste the previous running-configuration, it works again (until I reload).
  Any clue why this happen?
  Thanks,
  Andres

  When you connect the access point to the wired LAN, the access point links to the network using a bridge virtual interface (BVI) that it creates automatically. Instead of tracking separate IP addresses for the access point's Ethernet and radio ports, the network uses the BVI.
  When you assign an IP address to the access point using the CLI, you must assign the address to the BVI. Beginning in privileged EXEC mode, follow these steps to assign an IP address to the access point's BVI:
  Step 1 
  configure terminal
  Enter global configuration mode.
  Step 2 
  interface bvi1
  Enter interface configuration mode for the BVI.
  Step 3 
  ip address address
  mask
  Assign an IP address and address mask to the BVI. Note If you are connected to the access point using a Telnet session, you lose your connection to the access point when you assign a new IP address to the BVI. If you need to continue configuring the access point using Telnet, use the new IP address to open another Telnet session to the access point.

• SSIDs and VLAN on access points

  The commands to map an SSID to a VLAN on an IOS access point are basically like this:
  [snip]
  dot11 ssid MYSSID
  vlan 5
  interface Dot11Radio0
  ssid MYSSID
  interface Dot11Radio0.5
  encapsulation dot1q 5
  bridge-group 5
  interface FastEthernet0
  interface FastEthernet0.5
  encapsulation dot1q 5
  bridge-group 5
  [snip]
  My question is this: what does the command "vlan 5" actually do? Does it map MYSSID to bridge-group 5, which is then mapped to 802.1q tag 5 by the subinterface configurations (so that the tag number is arbitrary), or does it map MYSSID to 802.1q tag 5 on the radio interface, which is then bridged to the appropriate dot1q subinterface on the wired side by the bridge group (so that the bridge group number is arbitrary)?

  Vlan tag is tied to SSID and Bridge group is also tagged to appropriate vlan mentioned as bridge group number

• Management vlan on access point

  Hello
  If I connect my access point (1130) to a switch trunk port (because I need different VLANs on different SSIDs) how can I define on which VLAN the APs IP address is?
  Must it be the native VLAN? If so, where do I have to define it?
  Thanks
  Thomas

  you will need to add the management ip on the native vlan via BVI1
  interface BVI1
  ip address 172.16.10.28 255.255.255.192
  no ip route-cache
  do a conf t
  then in bvi1
  ip add xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
  where x is the IP and y is the netmask