VLANs thru a 350 Access Point

I'm considering use of 350 access points connected to Catalyst 4000 switches with a few Symbol phones & Call Manager. There may also be some (few) wireless PC cards also connecting thru the same APs. On my wired network, the phones, gateways, etc are on separate VLANs than the data devices. Is this possible using wireless APs? Do APs know anything about trunking or VLANs or is this strictly up to the switch port to which they are connected?

Is that true?
I had that question too before. I did call Cisco TAC, and they confirmed to me that it was not supported. Because the VLAN trunk frame is a little different from a normal Ethernet frame, the AP doesn't recognize it and will drop it.
Actually, it is similar to putting a hub in the middle of a trunk line; the trunk doesn't work with that.
In theory, it is reasonable for it not to work with a VLAN trunk, but I didn't do any lab to test it.
Icarr, are you really sure it works? There is not any problem?
Thanks

Similar Messages

  • Securing Aironet 350 Access Point

    Hello -
    My small network is operating correctly using the Aironet 350 Access Point and multiple clients. However, the setup is not secure.
    How is it possible to secure access to our AP?
    Specifically: I would like to establish a WEP key, as some devices (i.e. pocket-pc's) do not support more advanced security schemes.
    Thanks,

    Extensible Authentication Protocol (EAP) authentication, also called 802.1x authentication, provides dynamic WEP keys to wireless users. Dynamic WEP keys are more secure than static, or unchanging, WEP keys.
    For more details on configuring both types of WEP, refer to the following document:
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1100/accsspts/i12215ja/i12215sc/s15wep.htm

  • Aironet 350 Access Point needs security

    I have been asked to help a fledgling school lock down their wireless network.  The network is currently set up as 3 Aironet 350 Access Points operating on the same subnet, distributed around the school.
    These have NOT been updated or touched since the day they were installed, by all accounts.  I think they are running VxWorks.  My issue is that most support links that might prove helpful seem to be broken.
    A few simple questions:
    Can the Aironet 350 be secured and then used with a simple shared key?  This link seems to say no, that you must have Cisco software on the user computer as well.  That certainly can't be right, can it?
    I'm clearly out of my comfort zone with these, but they just don't have anyone to do this for them.  It looks like they need to be flashed to IOS and are then able to use WPA but not WPA2?  I'm having trouble finding a firmware link for the 350 as well because it's EOL.
    Basically, any help or information is welcome!  I'm ready to just pull the plug on them and call them secure!

    350 APs (not bridges) can be converted to IOS.  Then they can do WPA-PSK TKIP.  Downside is they only have 802.11b radios.  The latest IOS they can run is old but could probably be setup with WDS using an internal RADIUS server on one.
    The upgrade tool and image are still available for download.  I'm attaching a .pdf of instructions.
    You need these files:
    Aironet-AP-Cisco-IOS-Conversion-Tool-v2.1.exe
    AP350-Cisco-IOS-Upgrade-Image-v2.img

  • Strange VLAN issue on aironet access points

    I'm setting up some access points for WPA. I've run into a strange issue. The client VLAN (the VLAN that the users will be put into) is 1, and the native VLAN is 10. The RADIUS server is in VLAN 1 (but I have a test RADIUS server in VLAN 10 as well). I can connect from the access point to a RADIUS server in either VLAN, and from the RADIUS servers to the access point as well. When I point to a RADIUS server in VLAN 10, authentication works fine. If I point to a RADIUS server that is located in VLAN 1, and I put the wireless clients in VLAN 10, it works fine. But for some reason, when I have the RADIUS server and the clients in VLAN 1 and the native (BVI1) interface in VLAN 10, the authentication packets never seem to get to the RADIUS server. It is as if the authentication is being sourced out of the wrong VLAN. I can't find any docs to say that this isn't a supported configuration.

    Hi Shannon,
    have a look here:
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#apconfig
    - - - Snipp - - -
    Significance of Native VLAN
    When you use an IEEE 802.1Q trunk port, all frames are tagged except those on the VLAN configured as the "native VLAN" for the port. Frames on the native VLAN are always transmitted untagged and are normally received untagged. Therefore, when an AP is connected to the switchport, the native VLAN configured on the AP must match the native VLAN configured on the switchport.
    Note: If there is a mismatch in the native VLANs, the frames are dropped.
    This scenario is better explained with an example. If the native VLAN on the switchport is configured as VLAN 12 and on the AP, the native VLAN is configured as VLAN 1, then when the AP sends a frame on its native VLAN to the switch, the switch considers the frame as belonging to VLAN 12 since the frames from the native VLAN of the AP are untagged. This causes confusion in the network and results in connectivity problems. The same happens when the switchport forwards a frame from its native VLAN to the AP.
    - - - Snapp - - -
    Best regards,
    Frank
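The native-VLAN behaviour quoted in the reply above, modelled at the frame level. This is an added example, not part of the thread or of Cisco's documentation; the `TrunkPort` class, the MAC addresses and the allowed-VLAN sets are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag
DST = bytes.fromhex("ffffffffffff")  # constructed addresses
SRC = bytes.fromhex("020000000001")


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Build an Ethernet frame; add the 4-byte 802.1Q tag when vlan is given."""
    header = dst + src
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be in 1..4094")
        header += struct.pack("!HH", TPID_8021Q, vlan)  # PCP/DEI bits left at 0
    return header + struct.pack("!H", ethertype) + payload


def parse_vlan(frame):
    """Return the VLAN ID from the tag, or None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID


class TrunkPort:
    """One end of an 802.1Q trunk (switchport or AP Ethernet port)."""

    def __init__(self, native_vlan, allowed):
        self.native_vlan = native_vlan
        self.allowed = set(allowed)

    def transmit(self, vlan, payload=b"constructed payload"):
        """Encode a frame from `vlan`: untagged on the native VLAN, else tagged."""
        if vlan not in self.allowed:
            return None
        tag = None if vlan == self.native_vlan else vlan
        return build_frame(DST, SRC, 0x0800, payload, vlan=tag)

    def receive(self, frame):
        """Return the VLAN the frame is placed in, or None if it is dropped."""
        vid = parse_vlan(frame)
        if vid is None or vid == 0:  # untagged or priority-tagged
            vid = self.native_vlan
        return vid if vid in self.allowed else None


def deliver(sender, receiver, vlan):
    """VLAN the receiver assigns to a frame the sender originated in `vlan`."""
    frame = sender.transmit(vlan)
    return None if frame is None else receiver.receive(frame)


# The quoted scenario: switchport native VLAN 12, AP native VLAN 1.
ap_bad = TrunkPort(native_vlan=1, allowed={1, 5, 12})
switch = TrunkPort(native_vlan=12, allowed={1, 5, 12})
ap_ok = TrunkPort(native_vlan=12, allowed={1, 5, 12})

if __name__ == "__main__":
    for name, ap in (("mismatched", ap_bad), ("matched", ap_ok)):
        for vlan in (1, 5, 12):
            print(name, "AP VLAN", vlan, "-> switch VLAN", deliver(ap, switch, vlan))
```

With the mismatch, tagged VLANs such as 5 still pass correctly, which is why the fault shows up only for traffic on either side's native VLAN.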

  • SSIDs and VLAN on access points

    The commands to map an SSID to a VLAN on an IOS access point are basically like this:
    [snip]
    dot11 ssid MYSSID
    vlan 5
    interface Dot11Radio0
    ssid MYSSID
    interface Dot11Radio0.5
    encapsulation dot1q 5
    bridge-group 5
    interface FastEthernet0
    interface FastEthernet0.5
    encapsulation dot1q 5
    bridge-group 5
    [snip]
    My question is this: what does the command "vlan 5" actually do? Does it map MYSSID to bridge-group 5, which is then mapped to 802.1q tag 5 by the subinterface configurations (so that the tag number is arbitrary), or does it map MYSSID to 802.1q tag 5 on the radio interface, which is then bridged to the appropriate dot1q subinterface on the wired side by the bridge group (so that the bridge group number is arbitrary)?

    The VLAN tag is tied to the SSID, and the bridge group is also tagged to the appropriate VLAN mentioned as the bridge group number.

  • Access-Point going up/down

    Hello All
    We have an issue with one access point [ model - AP1242AG ] - it goes up/down.  Users connected to this access point get disconnected or time out connecting to the server. The access point was installed around 3-4 weeks back. We checked the cable connecting to the access point but didn't notice anything like a disconnect or time-out.
    [ Access Point was configured with these options ]
    AP Name -  JD1
    status - Enabled
    AP mode - Local
    IP address - Static
    No of Radio Interface - 2
    802.11 b/g/n
    802.11 a/n
    which debug command will help to identify the issue or GUI option
    thanks in advance
    Cisco Kid

    Hi All
    I restarted the Access Point and will see what happens. Our Access Point and WLC are in the Same VLAN.
    WLC is connected to Layer3 switch and the port is configured as Trunk port with additional command switchport trunk native vlan 12.
    The access point ports configured are also configured as
    switchport mode trunk
    switchport trunk native vlan 12
    Are these configurations correct for the controller and access point?
    The following is the show interface output where the AP is connected
    sh interfaces fastEthernet 0/9
    FastEthernet0/9 is up, line protocol is up (connected)
      Hardware is Fast Ethernet, address is 0021.a1d2.ee09 (bia 0021.a1d2.ee09)
      Description: **AP3**
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 100Mb/s, media type is 10/100BaseTX
      input flow-control is off, output flow-control is unsupported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:40, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 518000 bits/sec, 130 packets/sec
         25673274 packets input, 5670744879 bytes, 0 no buffer
         Received 2413785 broadcasts (0 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 557119 multicast, 0 pause input
         0 input packets with dribble condition detected
         16665439077 packets output, 10663148678995 bytes, 0 underruns
         0 output errors, 0 collisions, 1 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 PAUSE output
         0 output buffer failures, 0 output buffers swapped out

  • Security and Management of Wireless Access Points

    We have a network of eight (8) Cisco 350 Access Points.
    We would like to enable security through WEP and designating specific MAC (Hardware) addresses.
    Please advise as to the most efficient manner of inputting hardware addresses into all of our access points and managing many access points.

    Hmmm....all these replies, with good information, and no one answered your question!
    You can't cut and paste a list of MACs into a Cisco AP (how come, I don't know). What you need to do is enter one MAC address. Then download a non-default config file out of the AP. Then find the lines that changed, and you have your template for adding MAC address lists in one fell swoop. I made a little excel spreadsheet to let me paste in a list of MACs, then spit out the config file lines that you can add as an "additional configuration file" via the web gui.
    You could also add the list via SNMP.
    There's also an import utility in the cli for the ACS server that will let you suck in MAC addresses.
    Hope this helps.
    Just remembered, the APs for some reason convert the hex format of a MAC into dotted decimal. So, when you paste your list in, you need to convert it from hex to dotted decimal, produce your config lines with those, and then shoot those config lines to the AP. I couldn't find anyone in the TAC that could explain why adding a list of MACs was such a chore.
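A script version of the spreadsheet step described in the answer above: it normalises a pasted MAC list and emits each address in dotted decimal. This is an added example, not the poster's spreadsheet; it assumes "dotted decimal" means each octet written in decimal and joined by dots, the MAC addresses are constructed, and the AP config-line template is left out because the post does not show it.

```python
import re

# Accepted spellings: 00:40:96:aa:bb:cc, 00-40-96-AA-BB-CC,
# 0040.96aa.bbcc and 004096aabbcc (separators must be consistent).
_FORMATS = (
    re.compile(r"^[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}$"),
    re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$"),
    re.compile(r"^[0-9a-f]{12}$"),
)


def parse_mac(text):
    """Return the six octets of a MAC address, or raise ValueError."""
    s = text.strip().lower()
    if not any(p.match(s) for p in _FORMATS):
        raise ValueError("not a MAC address")
    return bytes.fromhex(re.sub(r"[:.-]", "", s))


def to_dotted_decimal(octets):
    """Assumed target format: 00:40:96:aa:bb:cc -> 0.64.150.170.187.204."""
    return ".".join(str(b) for b in octets)


def build_allow_list(lines):
    """Return (entries, rejects) for a pasted list of MAC addresses.

    entries: de-duplicated dotted-decimal strings, in input order.
    rejects: (line number, text, reason) for anything left out, so a typo
             cannot silently lock a client out or let a bad entry through.
    """
    entries, rejects, seen = [], [], set()
    for lineno, raw in enumerate(lines, start=1):
        text = raw.split("#", 1)[0].strip()  # allow blank lines and comments
        if not text:
            continue
        try:
            octets = parse_mac(text)
        except ValueError as exc:
            rejects.append((lineno, text, str(exc)))
            continue
        if octets[0] & 0x01:  # multicast/broadcast bit: never a client station
            rejects.append((lineno, text, "group address, not a station"))
            continue
        if octets in seen:
            continue
        seen.add(octets)
        entries.append(to_dotted_decimal(octets))
    return entries, rejects


# Constructed sample input.
SAMPLE = [
    "00:40:96:aa:bb:cc",
    "0040.96AA.BBCC   # same card, Cisco notation",
    "00-0B-85-12-34-56",
    "ff:ff:ff:ff:ff:ff",
    "00:40:96:aa:bb",
]

if __name__ == "__main__":
    entries, rejects = build_allow_list(SAMPLE)
    print("\n".join(entries))
    for lineno, text, reason in rejects:
        print(f"skipped line {lineno}: {text} ({reason})")
```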

  • Access Point Switchport configuration for OOB NAC

    Hello.
    Here we have to implement Out of Band with WLC and NAC, I have already checked this guide:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml
    But I have a little doubt. The document shown above does not specify which VLAN should be configured on the switch's access port facing the access points. Should I configure this with the trusted or untrusted VLAN? I know all traffic from wireless clients goes to the WLC through a CAPWAP tunnel, but I am not really sure which access VLAN should be used for access points in the Out of Band deployment.
    Greetings.

    Just to add again to another one of Steve's posts :)  You don't want to put the AP traffic through NAC, but only the traffic for the wireless clients which egresses out of the WLC.  So if your wireless clients are being placed in VLAN30 (just an example), you can have an untrusted layer 2 VLAN, VLAN29, which hits the NAC untrusted side and, if remediation is good, the client is then placed in VLAN30.  Makes sense?
    Thanks,
    Scott

  • Cisco's Options For A Ruggedized Access Point

    I'm looking for a wireless solution for an open plant environment. I know Cisco sold ruggedized 350 access points. I also see they are discontinuing the 350. What is Cisco's ruggedized solution currently for 802.11b/g?

    I believe the 1200 were for outdoor use, but you may want to use a NEMA enclosure for the 1200. Check out fabcorp and ydi for info and prices.

  • Light weight access point, vlans, multiple ssids

    Hi everybody
    Let say we have an light weight access point ap1.  Ap1 is broadcasting two ssids:
    cisco1  which is mapped to vlan 1
    cisco 2  which is mapped to vlan 2
    If ap1 is using channel 6 for cisco 1, does it mean ap1 will also use same channel i.e channel 6 for cisco2?
    thanks and have a great weekend.

    Lightweight WAP right?  As in controller-based WAP?
    If this is the case, then the answer is both a yes and a no.
    Let me explain:
    Throw away the notion that you can set the channel down.  I mean, if you have a controller-based WAP, the last thing you want to do is "micro-manage" which channels your WAPs operate on.   I mean, you can but as a rule-of-thumb, you don't and let the controller sort things out.
    So, going back to your question:  You have multiple WAPs and two SSIDs:  1 and 2.  Let's presume that you've configured all your WAPs to broadcast SSID 1 and SSID 2.
    The decision about what channels each WAP will be operating on falls squarely on the Wireless LAN Controller (WLC).  The WLC makes this decision based on a blah-blah-blah algorithm.  If, for example, WAP A and, say, WAP R can "hear" each other on the same channel, the WLC will make the decision and say, "Hey WAP R, since you and WAP A are operating in the same channel and both of you can hear each other, why don't you, WAP R, operate in channel 11.".
    However, if WAP A and WAP R can't see each other then both of them can operate in the same channel.
    NOW, here comes the tricky question ... Here's the scenario:  You have SSID 1 and SSID 2.  You want all your WAPs to broadcast both SSIDs.  HOWEVER, you want SSID 1 to operate at, say, 1 Mbps rate only while SSID 2 can operate at all other data rates.
    Yes, this can be done using RF Profile and AP Groups.
    Is this what you are asking?

  • Dynamic VLAN on Access Point using RADIUS

    Hi.
    I am using a single Cisco 1130AG authenticating to RADIUS on Microsoft IAS (I do NOT have a WLC)
    I was wondering is it possible to use one flat SSID in my network and then dynamically assign VLANs to users based on matching of RADIUS Policy and RADIUS Return attributes?
    I have configured the attributes on radius as per documentation;
    * IETF 64 (Tunnel Type)—Set this to VLAN.
    * IETF 65 (Tunnel Medium Type)—Set this to 802.
    * IETF 81 (Tunnel Private Group ID)—Set this to VLAN ID.
    The returned VLAN ID exists on the Access Point and direct connection to the SSID without the return value works okay.
    Each time I connect the VLAN just defaults to the native VLAN for the SSID
    I think it may be impossible without WLC!
    HELP!!

    From what I found when using MBSSID it appears you cannot use dynamic VLANs.
    However you can use a single broadcasted SSID and various non-broadcast SSIDs with dynamic VLANs.
    Ideally a single SSID and dynamic VLANs via dot1x would be fine for my setup.
    However, I have a specific wireless device which cannot use dot1x/EAP and therefore I need a second broadcast SSID to use for this, which then causes the dynamic VLAN setup not to work.

  • Access point VLANS and IP Addresses for RADIUS servers

    Hi, I would like to have my IAS RADIUS server authenticate clients. I have done that, so my question is about routing and VLANs and incorporating this into my existing network.
    What VLAN does the access point communicate with the RADIUS server on? I need to tell the access point to communicate on VLAN1; any other VLAN will not go to the RADIUS server. The access point only has one settable IP address through the HTTP config; is this for management or communication with the RADIUS server?
    Thanks in advance,
    Chris

    Hello,
    Would you mind sharing how you configured both the AP and IAS to work together? I'm not finding anything in the Cisco documentation that shows how to do that and I need to use my IAS server to authenticate clients who connect to the inside SSID on my AP.
    By the way, I have successfully configured an AP with two SSIDs - one for guests that connects those clients to the guest VLAN (a DMZ on my PIX), and one for trusted users that connects them to the VLAN for my inside, secure network. If you haven't got that working, I'd be glad to help.

  • Requirement for Native VLAN on Flexconnect Access Point

    Hi All,
    Just looking at AP configuration using 5508 WLC.
    We have APs deployed at all branch sites connected over a corporate L3 WAN to a Data Centre which houses the WLC(s)
    When setting the AP for Flexconnect mode there is a requirement that one native VLAN must be configured for each FlexConnect AP. If the AP is attached to a L2 switch and I want to enable multiple VLAN Mappings then I would need to add these VLANs to the allowed VLAN list on a trunk link between the AP and the switch (802.1Q) on the branch site.
    Normally if I configured a trunk link I would never add the Native VLAN to the trunk and never use it for any traffic. In this case it would appear that I MUST use the native VLAN (which seems to go against my better judgement). So my question (after all this) is: Why must the AP use the Native VLAN?
    Thanks All.

    This has always been a standard practice for access points that have to connect to a trunk port. This goes back to the autonomous access points and also applies with FlexConnect and Mesh if you're setting up Ethernet bridging.  The wired side is different from the wireless side, as you have noticed.
    Scotty

  • Cisco Access point management vlan

    Hi All, 
    I have all my switches configured to run on native VLAN 500 and management on VLAN 10.
    With the Cisco access point, if I make 500 the native VLAN (in other words, the trunk's untagged VLAN), then I can't access the router using the BVI interface, which is meant to have an IP from VLAN 10.
    vlan 10 is the management network across our business and all management ips are on that range.
    what are the possible solutions?

    When you connect the access point to the wired LAN, the access point links to the network using a bridge virtual interface (BVI) that it creates automatically. Instead of tracking separate IP addresses for the access point's Ethernet and radio ports, the network uses the BVI.
    When you assign an IP address to the access point using the CLI, you must assign the address to the BVI. Beginning in privileged EXEC mode, follow these steps to assign an IP address to the access point's BVI:
    Step 1
    configure terminal
    Enter global configuration mode.
    Step 2
    interface bvi1
    Enter interface configuration mode for the BVI.
    Step 3
    ip address address mask
    Assign an IP address and address mask to the BVI.
    Note: If you are connected to the access point using a Telnet session, you lose your connection to the access point when you assign a new IP address to the BVI. If you need to continue configuring the access point using Telnet, use the new IP address to open another Telnet session to the access point.

  • Can an Aironet WiFi Access Point bridge multiple internal VLANs?

    I have Cisco Aironet 2700e access points.  Historically they were configured with a single SSID on both radios with WEP 128bit security.
    I now need to add new WiFi devices to the network that have limited flexibility.  They must be associated only with a specific radio (2.4ghz or 5ghz) and WPA2PSK security.
    My thought was to create two additional SSIDs on the 2700 access points, one for 2.4gz WPA2PSK and the other for 5ghz WPA2PSK.  The pre-existing SSID will continue to use 128bit WEP.  To do that  I need to use VLANs on the 2700e.
    I have no other VLANS on my network.  I only need VLANs on the 2700e because I have different physical devices that support different WiFi frequencies and security options.  I don't need to segment the network.
    How do I bridge the VLANs on the 2700e?
    Devices that connect to the non-native VLANs appear to be isolated from the rest of the network (as I would suspect with VLANs).  But that's not what I want .  I'm only using VLANs because I need multiple SSIDs, and I need multiple SSIDs because I have different physical devices that want different WiFI access point configurations.  I can't seem to find any way to configure the 2700e to bridge the VLANs for the multiple SSIDs.
    Any guidance would be appreciated.  I could buy additional access points but that seems to be defeating the purpose of having a device like the 2700e.
    Any help would be appreciated.
    Thank you.

    I made these changes to the example here:
    https://supportforums.cisco.com/document/55561/multiple-ssid-multiple-vlans-configuration-example-cisco-aironet-aps
    and it seems to be working.  (By "working" I mean that I can now ping to/from devices connected on different SSIDs.) I had to make these changes from the CLI.  There does not seem to be a way to make these changes from the GUI.  Is that correct? If there is a way to make these changes from the GUI please let me know.
    The changes I made were to make the sub interface for Dot11 radio 0 on the VLANs part of bridge-group 1.  So assuming the config in the example:
    ap(config)#interface Dot11Radio0.2
    ap(config-subif)#no bridge-group 2
    ap(config-subif)#bridge-group 1
    ap(config-subif)#exit
    ap(config)#interface Dot11Radio0.3
    ap(config-subif)#no bridge-group 3
    ap(config-subif)#bridge-group 1
    ap(config-subif)#exit
    I did not change the bridge group on the Ethernet interface.
    Questions:
    1. Did I create any new problems making this change? It seems to work, but am I going to get myself in trouble somewhere else?  Intuitively it makes sense to me: the VLANs are now part of the same bridge group (1, the native VLAN).  So all traffic should be bridged together.  Correct?
    2. I didn't change the Ethernet sub interfaces.  I don't seem to need to make that change.  I also don't like things sitting out there that I don't understand.  Should I do anything to clean up the Ethernet interfaces?
    3. The original configuration was made entirely from the GUI.  This change needs to be made from the CLI.  Can it be done from the GUI?  I can't seem to find a way to change bridge groups for a sub interface from the GUI. It worried me that it can't be done from the GUI.
    Thank you.
    Larry
