Aironet 1262N - Access Point behind Non-Root Bridge possible?

Similar Messages

• Root Bridge+Clients with Non-Root Bridge+Clients Howto?

  Hi, i have two 1242AG access points. I would like to setup a bridge between the two to bridge ethernet lan segments, furthermore i would like to be able to connect wireless clients to either of the access points so i can get maximum range.
  I did what i thought was correct, created the first access point a 'root bridge with wireless clients', and assigned the ssid.
  I set the second access point to 'non-root bridge with wireless clients' amd set the same ssid as the first access point.
  I cant even get the root bridge to work, i turn it on, it brings the radio interface up but i cannot connect with my wireless clients, infact i cannot even see the SSID!
  Do i need to 'Set Single Guest Mode SSID' for the radios? What does that command do?
  Any ideas? A link to config example would be much apreciated.
  Thanks,
  Chris

  Hi, first, thanks for the help.
  Second, this incompatibility is only valid
  for RFC1042 or it is valid for 802.11g?
  Third, If I configure my 1242 as Acess Point, and the 340 series as Client or Brigde_only, they should not talk too?
  Sorry for the bad english...

• Can an Aironet WiFi Access Point bridge multiple internal VLANs?

  I have Cisco Aironet 2700e access points.  Historically they were configured with a single SSID on both radios with WEP 128bit security.
  I now need to add new WiFi devices to the network that have limited flexibility.  They must be associated only with a specific radio (2.4ghz or 5ghz) and WPA2PSK security.
  My thought was to create two additional SSIDs on the 2700 access points, one for 2.4gz WPA2PSK and the other for 5ghz WPA2PSK.  The pre-existing SSID will continue to use 128bit WEP.  To do that  I need to use VLANs on the 2700e.
  I have no other VLANS on my network.  I only need VLANs on the 2700e because I have different physical devices that support different WiFi frequencies and security options.  I don't need to segment the network.
  How do I bridge the VLANs on the 2700e?
  Devices that connect to the non-native VLANs appear to be isolated from the rest of the network (as I would suspect with VLANs).  But that's not what I want .  I'm only using VLANs because I need multiple SSIDs, and I need multiple SSIDs because I have different physical devices that want different WiFI access point configurations.  I can't seem to find any way to configure the 2700e to bridge the VLANs for the multiple SSIDs.
  Any guidance would be appreciated.  I could buy additional access points but that seems to be defeating the purpose of having a device like the 2700e.
  Any help would be appreciated.
  Thank you.

  I made these changes to the example here:
  https://supportforums.cisco.com/document/55561/multiple-ssid-multiple-vlans-configuration-example-cisco-aironet-aps
  and it seems to be working.  (By "working" I mean that I can now ping to/from devices connected on different SSIDs.) I had to make these changes from the CLI.  There does not seem to be a way to make these changes from the GUI.  Is that correct? If there is a way to make these changes from the GUI please let me know.
  The changes I made were to make the sub interface for Dot11 radio 0 on the VLANs part of bridge-group 1.  So assuming the config in the example:
  ap(config)#interface Dot11Radio0.2
  ap(config-subif)#no bridge-group 2
  ap(config-subif)#bridge-group 1
  ap(config-subif)#exit
  ap(config)#interface Dot11Radio0.3
  ap(config-subif)#no bridge-group 3
  ap(config-subif)#bridge-group 1
  ap(config-subif)#exit
  I did not change the bridge group on the Ethernet interface.
  Questions:
  1. Did I create any new problems making this change? It seems to work, but am I going to get myself in trouble somewhere else?  Intuitively it makes sense to me: the VLANs are now part of the same bridge group (1, the native VLAN).  So all traffic should be bridged together.  Correct?
  2. I didn't change the Ethernet sub interfaces.  I don't seem to need to make that change.  I also don't like things sitting out there that I don't understand.  Should I do anything to clean up the Ethernet interfaces?
  3. The original configuration was made entirely from the GUI.  This change needs to be made from the CLI.  Can it be done from the GUI?  I can't seem to find a way to change bridge groups for a sub interface from the GUI. It worried me that it can't be done from the GUI.
  Thank you.
  Larry

• 1310 Non-Root Bridge Accessing Different Subnets

  From this non-root 1310 bridge, we are connecting to an old BR500 root bridge via wireless.
  Clients inside the non-root bridge are able to access devices anywhere on the subnet (servers, workstations, etc.) via the bridge (wireless connection) with no problems. But, these clients cannot access the default gateway of the subnet or pass through the router (I can't even ping the default gateway router interface from the 1310 bridge; yet from the bridge, I can ping anything else on the same subnet).
  Of course, clients on the wired LAN are able to browse the Internet, etc. -- it is only clients behind this bridge that cannot seem to "get out" so to speak.
  This is a small LAN -- so everything is VLAN1 with a router at the boundary.
  I have even ran a "sh ip arp" on the 1310 to ensure that a MAC entry is in the table for the default gateway IP, and it is there.
  Any ideas?

  Make sure there is no access list confiugred on the router blocking the access. Save the configurations and restart the bridge .

• 1300 Root-Bridge and Non-Root Bridge setup

  I have two 1300s that I am trying to set up as Root Bridge and Non-Root Bridge, however, everytime i specify one of them as a Non-Root bridge, the radio0 interface becomes disabled. The only option that i am able to pick that enables the radio0 interface is "Access Point", which is what am trying to avoid it being.
  Can anybody help me figure out how to go about this

  A non-root's radio will show as disabled if it cannot find the root AP to associate to. Make sure you have "infrastructure-ssid" configured under the SSID on both the root and non-root bridges. Also depending on code versions you may have to configure the distance command under the radio interface on the root.

• Non-root bridge association problem

  I have an installation using Cisco 1242 Access Points (IOS) as bridges
  in 5Ghz band, and as AP in 2,4 GHz band. Sometimes I get problems
  with the non-root bridges, after mains outage, they will not
  associate to the root bridge. Command "dot11 do 1 carrier busy"
  issued to the non-root bridge helps, but sometimes I have to use it
  several times. Have anybody any idea about possible cause?
  Thanks

  Hi Frank,
  I think I have found the reason of my troubles. It is the following configuration command:
  (interface Dot11Radio1)
  world-mode dot11d country CZ outdoor
  which is not only not-needed on the non-root bridge AP, it prevents associating the non-root bridge to the root-bridge AP. It does not cause the troubles on each root non-root couple. The troubles are more frequent with IOS version 12.3(11)JA or 12.3(8)JEA than with 12.3(8)JA2.
  Regards
  Frantisek Opravil

• Root-Bridge and Non-Root Bridge Support

  I was wondering if the ISR Routers (Cisco 1811w) support the root-bridge and non-root-bridge feature. If not is there another device apart from the 1310 and 1410 bridges that support this feature?
  Thank You,
  VT

  Hi VT,
  The ISR AP supports both of these roles;
  Access Point Link Role Flexibility
  Access Point Link Role Flexibility allows access point radios to operate in a combination of radio roles,
  such as access point root, bridge root (with or without clients), bridge nonroot (with or without clients).
  This provides a more flexible deployment scheme to support the various applications requirement. Note
  that the ISR AP does not support access point repeater and WGB.
  Wireless Non-Root Bridge
  The wireless non-root bridge allows the access point radio to operate as the remote node in a point to
  point or point to multi-point network.
  Wireless Root Bridge
  The wireless root bridge role provides support for both point-to-point or point to multi-point bridging.
  http://www.cisco.com/en/US/docs/ios/12_4/12_4x/release/notes/rn1800xj.html
  Hope this helps!
  Rob

• Changing native VLAN on non-root bridges

  I have quite a few 1310 Bridges setup in point to multipoint configuration with a root bridge with a sector antenna at the campus network and remote sites connecting in. I have multiple VLANs trunked onto one SSID, this allows for having multiple vlans in use at the remote site. The problem is I want to configure some remote site bridges with a different native vlan than the standard allowing me to plug the client directly into the injector and eliminate the need for a vlan aware switch. I have tried to configure the the "encapsulation dot1q VLAN# native" but this swaps the bridge group on the subinterface to a bridge-group 1 .
  ! Last configuration change at 01:23:08 UTC Tue Sep 15 2009 by Cisco
  ! NVRAM config last updated at 01:23:09 UTC Tue Sep 15 2009 by Cisco
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  no aaa new-model
  dot11 ssid Cisco-24
  vlan 1
  authentication open
  authentication key-management wpa
  guest-mode
  infrastructure-ssid optional
  wpa-psk ascii test
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption mode ciphers aes-ccm tkip
  encryption vlan 1 mode ciphers aes-ccm tkip
  encryption vlan 901 mode ciphers aes-ccm tkip
  encryption vlan 902 mode ciphers aes-ccm tkip
  encryption vlan 904 mode ciphers aes-ccm tkip
  ssid Cisco-24
  speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0
  station-role non-root bridge
  interface Dot11Radio0.1
  encapsulation dot1Q 1 native
  no ip route-cache
  bridge-group 1
  bridge-group 1 spanning-disabled
  interface Dot11Radio0.901
  encapsulation dot1Q 901
  no ip route-cache
  bridge-group 255
  bridge-group 255 spanning-disabled
  interface Dot11Radio0.902
  encapsulation dot1Q 902
  no ip route-cache
  bridge-group 254
  bridge-group 254 spanning-disabled
  interface Dot11Radio0.904
  encapsulation dot1Q 904
  no ip route-cache
  bridge-group 253
  bridge-group 253 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  hold-queue 80 in
  interface FastEthernet0.1
  encapsulation dot1Q 1 native
  no ip route-cache
  bridge-group 1
  bridge-group 1 spanning-disabled
  interface FastEthernet0.901
  encapsulation dot1Q 901
  no ip route-cache
  bridge-group 255
  bridge-group 255 spanning-disabled
  interface FastEthernet0.902
  encapsulation dot1Q 902
  no ip route-cache
  bridge-group 254
  bridge-group 254 spanning-disabled
  interface FastEthernet0.904
  encapsulation dot1Q 904
  no ip route-cache
  bridge-group 253
  bridge-group 253 spanning-disabled
  interface BVI1
  ip address 10.0.0.100 255.255.255.0
  no ip route-cache
  ip default-gateway 10.0.0.1
  ip http server
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  snmp-server community misdept RO
  bridge 1 route ip
  line con 0
  line vty 0 4
  login local
  end

  Correct. As soon as you change it to 100, you will lose access to the devices since vlan 1 is used for management.  To shorten the down time, you can create vlan 100 and all the SVIs on all switches ahead of time and than change it form 1 to 100 in a maintenance window.
  HTH

• Can one Root Bridge support multiple non-root bridges?

  Hey gang,
  I have a pretty simple question here I think
  I have a wireless bridge currently setup to support a separate office building on our property about 200 yards away from the main building.  The wireless bridge has been working great and was a much cheaper solution when compared to the cost of making a fiber drop to this building.  The needs of our business have changed (go figure), to include a warehouse building also on the backside of the property.  It's not feasible to run a cable between these two building either.  So I need to create another wireless bridge to this back warehouse as well.  My question is can I just use another non-root bridge to link to the root bridge already in place, or does each wireless bridge require one root bridge and one non-root bridge?
  I have good LoS to both buildings from where the current root bridge is, so if two non-root bridges can talk to one root bridge I should be able to just an additional non-root bridge and be good to go.  But if wireless bridges are meant to be a one to one setup, then I'll need to setup an additional root bridge to link to the new non-root bridge?
  It seems like you should be able to have one root bridge link to multiple non-root bridges but I haven't been able to find any clear examples of this being done.
  Thanks in advance for the help!

  That was just too easy.
  I copied the configuration from the working non-root bridge to my laptop.  I changed out the ip address of the BVI interface.  I uploaded the configuration to the new 1300 bridge.  I plugged it in and pointed the yagi antenna in the general direction of the original root bridge and started pinging the new 1300.  Success!
  I'll use my spare 1300 to get service up and running in the warehouse by the end of the week and I'll just need to order one more 1300 to make sure I have spare on hand if needed.
  Thanks again!

• Root Bridge vs. Non-Root Bridge

  Hi,
  I want to understand the Root Bridge vs. the Non-Root Bidge when using Autonomous 1131 AP's on the same /24 network. Does that command matter in Autonomous? I have many devices working without issues on the same /24 network and all have the Root Bridge set,
  Clearly confused...
  Thanks,

  The command is used on point to point links deployments
  A non root bridge becomes a client and connect to another ap in order to do wireless bridging.
  Sent from Cisco Technical Support iPhone App

• Non-root bridges associating with each other.

  We have a point to multi-point bridge setup with 3 BR1310s. One is set to be a root bridge and the other two are set to be non-root bridges. From past experience (not to mention Cisco documentation) I would expect the 2 non-roots to associate to the root. What is happening is that one of the non-roots associates with the root and the other non-root associates with the first non-root. The good bit is that everything still works, the puzzling bit is why this is happening, the bridges are physically in a V pattern so there's no reason for the second non-root to behave as it is, even if we force it off the first non-root it just jumps right back in there again. Bridges are all running 12.3.4-JA.

  Configurations of both non-root bridges attached. I've just found out that the customer has mounted the second non-root bridge in such a way that there is probably no line of site to the root bridge (failing to follow clear instructions!) which explains why we can't get it to associate with the root bridge but doesn't explain how it can associate with the other non-root. The only thing I can think of is that both are "non-root with clients" and the second bridge is being accepted as a client rather than a bridge.

• Non-root bridge 1242AG with root 340 bridge series

  I have a configuration with a root bridge 340 series and about 5 non-root bridge 340 series. I want to add a 1242 non root bridge, but the new device can't see the others, and neither the others can see the 1242.
  Is there an issue in connecting these two devices in this configuration?

  Hi, first, thanks for the help.
  Second, this incompatibility is only valid
  for RFC1042 or it is valid for 802.11g?
  Third, If I configure my 1242 as Acess Point, and the 340 series as Client or Brigde_only, they should not talk too?
  Sorry for the bad english...

• Root-bridge non-root bridge security

  Using AP1231, I have a point-to-point configuration with the option "without wireless clients". I have enabled WPA2-PSK/AES-CCMP to the infrastructureSSID/nativeVLAN.
  Does this security automatically apply to the other SSID/VLAN I have configured? Or do I need to configure additional security on the other SSID/VLAN? Please advise. Thanks!

  From your diagram, AP3 is the root bridge because it is connected to ISP, so AP2 will be a repeater, but 1242 can't work both as repeater and AP. So the diagram won't work. you have 3 alternative options:
  1. not let AP2 to connect wireless clients, only configure AP2 as a repeater.
  2. If AP1 can connect to AP3 directly, then configure AP3 as root-bridge with wireless clients, configure both AP1 and AP2 as non-root bridge withe wireless clients.
  3. If AP1 can't connect to AP3 directly, you need to add an additional AP4 to have back-to-back connection with AP2, configure AP1 and AP4 as non-root bridge with wireless clients, configure AP2 and AP3 as root-bridge with wireless clients; ap1 peered with AP2, AP4 peered with AP3, AP2 and AP4 are interconnected by ethernet port.

• Aironet 350 Access Point needs security

  I have been asked to help a fledgling school lock down their wireless network.  The network is currently setup as 3 Aironet 350 Access Points with operating on the same subnet distributed around the school.
  These have NOT been updated or touched since the day they were installed, by all acounts.  I think they are running VXworks.  My issue is that most support links that might prove helpful seem to be broken.
  A few simple questions:
  Can the Aironet 350 be secured and then used with a simple shared key?  This link seems to say no, that you must have Cisco software on the user computer as well.  that certainly can't be right, can it?
  I'm clearly out of my comfort zone with these, but they just don't have anyone to do this for them.  It looks like they need to be flashed to IOS and then able to use WPA but not WPA2?  I'm having trouble finding a firmware lik for the 350 as well because it's EOL.
  Basically, any help or information is welcome!  I'm ready to just pull the plug on them and call them secure!

  350 APs (not bridges) can be converted to IOS.  Then they can do WPA-PSK TKIP.  Downside is they only have 802.11b radios.  The latest IOS they can run is old but could probably be setup with WDS using an internal RADIUS server on one.
  The upgrade tool and image are still available for download.  I'm attaching a .pdf of instructions.
  You need these files:
  Aironet-AP-Cisco-IOS-Conversion-Tool-v2.1.exe
  AP350-Cisco-IOS-Upgrade-Image-v2.img

• Securing Aironet 350 Access Point

  Hello -
  My small network is operating correctly using the Aironet 350 Access Point and multiple clients. However, the setup is not secure.
  How is it possible to secure access to our AP?
  Specifically: I would like to establish a WEP key, as some devices (i.e. pocket-pc's) do not support more advanced security schemes.
  Thanks,

  Extensible Authentication Protocol (EAP) authentication, also called 802.1x authentication, provides dynamic WEP keys to wireless users. Dynamic WEP keys are more secure than static, or unchanging, WEP keys.
  For more details on configuring both types of WEP refer the following document,
  http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1100/accsspts/i12215ja/i12215sc/s15wep.htm