Glen, Michael, Brian,

Thanks for your help in this. I do appreciate it.

Been looking at this the whole time, in between interruptions galore... I got it finally - 'twas stupid target fixation on my part. I somehow got set on fa0.1 being the native VLAN, and on each subinterface being in its own bridge-group matching the VLAN number. Once I fixed that, it works just fine.

For posterity, you have to make the management VLAN native (in this config it's VLAN 99 and fa0.99), and assign it to bridge-group 1, then assign the other VLANs to their own bridge-groups (and it's easiest, if not required, to make the bridge-group the same number as the VLAN). Then the IP address assigned for the WAP in the management VLAN has to be placed on the BVI1 interface.

Lastly, always check layer 1 first. Just saying...

Below are working WAP and HP switch configs, which assume that the WAP is in switch port 8, and that port 9 is the trunk port to the layer 3 switch:

----------Begin WAP Config----------
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname wap121-IT
!
enable secret 5 (removed)
!
no aaa new-model
clock timezone -0800 -8
clock summer-time -0700 recurring
!
!
dot11 vlan-name VLAN115 vlan 115
dot11 vlan-name VLAN120 vlan 120
!
dot11 ssid guest
   vlan 120
   authentication open
   mbssid guest-mode dtim-period 2
!
dot11 ssid production
   vlan 115
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 (removed)
!
power inline negotiation prestandard source
!
!
username Cisco privilege 15 password 7 (removed)
username readonly password 7 (removed)
username ifteam privilege 15 secret 5 (removed)
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 encryption vlan 115 mode ciphers tkip
 !
 ssid guest
 !
 ssid production
 !
 antenna transmit right
 antenna receive right
 mbssid
 speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 power client 20
 channel 2437
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.115
 encapsulation dot1Q 115
 no ip route-cache
 bridge-group 115
 bridge-group 115 subscriber-loop-control
 bridge-group 115 block-unknown-source
 no bridge-group 115 source-learning
 no bridge-group 115 unicast-flooding
!
interface Dot11Radio0.120
 encapsulation dot1Q 120
 no ip route-cache
 bridge-group 120
 bridge-group 120 subscriber-loop-control
 bridge-group 120 block-unknown-source
 no bridge-group 120 source-learning
 no bridge-group 120 unicast-flooding
 bridge-group 120 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.99
 encapsulation dot1Q 99 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.115
 encapsulation dot1Q 115
 no ip route-cache
 bridge-group 115
 no bridge-group 115 source-learning
 bridge-group 115 spanning-disabled
!
interface FastEthernet0.120
 encapsulation dot1Q 120
 no ip route-cache
 bridge-group 120
 no bridge-group 120 source-learning
 bridge-group 120 spanning-disabled
!
interface BVI1
 ip address 192.168.99.121 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.99.1
ip http server
ip http authentication local
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
snmp-server view dot11view ieee802dot11 included
snmp-server view ieee802dot11 ieee802dot11 included
snmp-server community public RO
snmp-server contact IFTeam
bridge 1 route ip
!
!
!
line con 0
 login local
line vty 0 4
 login local
!
sntp server 192.168.10.191
sntp broadcast client
end
----------End WAP Config-----------

-----------Begin Switch Config----------
hostname "HP PoE WAPs Server room 99.22"
max-vlans 10
time timezone -480
time daylight-time-rule Continental-US-and-Canada
ip default-gateway 192.168.99.1
sntp server 192.168.10.191
logging 192.168.10.225
snmp-server community "public" Operator
snmp-server community "private" Operator Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-8
   ip address dhcp-bootp
   tagged 9
   exit
vlan 99
   name "VLAN99"
   ip address 192.168.99.22 255.255.255.0
   tagged 1-9
   exit
vlan 115
   name "VLAN115"
   tagged 1-9
   exit
vlan 120
   name "VLAN120"
   no ip address
   tagged 1-9
   exit
password manager
password operator
----------End Switch Config----------

On Sat, Jan 15, 2011 at 15:39, Glen Johnson <gjohn...@vhcc.edu> wrote:
> Kurt.
> Just looked over my config and couldn't see why mine worked.
> Found this on Cisco.com.
> http://preview.tinyurl.com/6jongm
> Section titled Significance of native vlan.
>
> The BVI1 interface maps to the native sub interface on the ethernet trunk.
> I think the config I sent you is wrong, but for yours to work you need to set
> the native vlan on both the switch and wap to vlan 99 if that is your
> management vlan.
> Pain in the back side to remember that but it does work.
> Glen.
> ________________________________________
> From: Kurt Buff [kurt.b...@gmail.com]
> Sent: Saturday, January 15, 2011 3:41 PM
> To: NT System Admin Issues
> Subject: Re: Cisco 1240AG config problem
>
> You are correct, I don't want the clients to ping the WAP - I'm trying
> to remove the 15.31 address, and use the 99.121 address, but once I do
> that, I can't reach the WAP any more, in any way, until I pull power
> from it. (I'm not saving the running-config, just so I can do that!)
>
> That's why the management vlan 99 isn't configured on the radio side,
> only on the Ethernet side.
>
> I surely wouldn't mind a look at that config, though.
>
> Kurt
>
> On Sat, Jan 15, 2011 at 12:25, Glen Johnson <gjohn...@vhcc.edu> wrote:
>> I don't think you "want" the wireless clients to ping the wap. They should
>> be able to ping hosts on the same vlan as the SSID they are on.
>> When we were using fat waps, the only ip address the wap had was on the
>> management interface. For security, no wireless clients could get to that
>> IP.
>> Have since switched to a wireless lan controller and life is much simpler,
>> but if you need more help, let me know as I should have a copy of the config
>> that I'll be glad to share.
>>
>> -----Original Message-----
>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> Sent: Saturday, January 15, 2011 2:42 PM
>> To: NT System Admin Issues
>> Subject: Re: Cisco 1240AG config problem
>>
>> On Sat, Jan 15, 2011 at 10:41, Michael B. Smith <mich...@smithcons.com>
>> wrote:
>>> It's been a really really long time for me, but shouldn't the "ip
>>> default-gateway" be an IP address on the BVI1 subnet?
>>
>> That seems to help somewhat.
>>
>> I updated as shown below, with the following results:
>>
>> - Another WAP on the same PoE switch as the WAP I'm configuring (all
>> WAPs are on the 115 vlan but on different switches) can ping and telnet to
>> 15.31 and to 15.1 and 99.1, but not to 99.121 - 15.1 and
>> 99.1 are the addresses of the layer 3 switch.
>>
>> - A laptop wirelessly associated with 15.31 can ping the router address
>> on the 99 and 115 vlans, but not the WAP's addresses of 99.121 and 15.31. The
>> laptop gets 'destination host unreachable' for the 99 address of the WAP, and
>> alternating sequences of that and 'reply timed out' for the 15 address of
>> the WAP (I've got four 'ping -t' prompts running on the laptop.)
>>
>> - No longer see on the WAP
>> "% Unrecognized host or address, or protocol not running."
>> when trying to ping from this WAP, nor the log errors
>> " %IP_SNMP-3-SOCKET: can't open UDP socket"
>> " Unable to open socket on port 161"
>>
>> - The WAP can ping itself on both addresses, and can ping the gateway on
>> the 115 vlan (15.1), but not the gateway on the 99 vlan
>> (99.1.)
>>
>> I also tried the config below except that I removed the 15.31 address from
>> it entirely, and while the laptop remained associated and had the same
>> access, I lost contact with the WAP, and the 99.121 address didn't come
>> alive.
>>
>> Kurt
>>
>> ----------Begin updated conf snippet----------
>> interface FastEthernet0.99
>>  encapsulation dot1Q 99
>>  no ip route-cache
>>  bridge-group 99
>>  no bridge-group 99 source-learning
>>  bridge-group 99 spanning-disabled
>> !
>> interface FastEthernet0.115
>>  encapsulation dot1Q 115
>>  ip address 192.168.15.31 255.255.255.0
>>  no ip route-cache
>>  bridge-group 115
>>  no bridge-group 115 source-learning
>>  bridge-group 115 spanning-disabled
>> !
>> interface BVI1
>>  ip address 192.168.99.121 255.255.255.0
>>  no ip route-cache
>> !
>> ip default-gateway 192.168.99.1
>> ----------End updated conf snippet----------
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to listmana...@lyris.sunbeltsoftware.com
>> with the body: unsubscribe ntsysadmin
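As an added example (not code from the thread, from Cisco, or from HP), here is a small Python checker that encodes the rules Kurt lists in his summary: the native VLAN subinterface goes in bridge-group 1, every other dot1Q subinterface goes in the bridge-group numbered like its VLAN, the management address lives on BVI1 and not on a bridged subinterface. It also flags three plaintext or legacy management settings that are visible in the posted WAP config (a well-known SNMP community string, an HTTP-only web UI, and TKIP ciphers). The config it runs on is a constructed, trimmed copy of the working WAP config with one deliberate mistake (Dot11Radio0.120 placed in bridge-group 12); the parser assumes IOS's one-space indentation for interface stanzas, and the rule set and message texts are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample: a trimmed copy of the working WAP config from the thread,
# with one deliberate error (Dot11Radio0.120 in bridge-group 12) so the checker
# has something to report. Not the original poster's full config.
SAMPLE_CONFIG = """\
bridge irb
!
interface Dot11Radio0
 no ip address
 encryption mode ciphers tkip
 bridge-group 1
!
interface Dot11Radio0.120
 encapsulation dot1Q 120
 bridge-group 12
!
interface FastEthernet0.99
 encapsulation dot1Q 99 native
 bridge-group 1
!
interface FastEthernet0.115
 encapsulation dot1Q 115
 bridge-group 115
!
interface BVI1
 ip address 192.168.99.121 255.255.255.0
!
ip default-gateway 192.168.99.1
ip http server
no ip http secure-server
snmp-server community public RO
bridge 1 route ip
end
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {interface name: [stanza lines]}.
    Stanza lines are the space-indented lines after an 'interface' line."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas


def check_bridge_groups(config: str) -> List[str]:
    """Apply the thread's rules: native VLAN -> bridge-group 1 (BVI1); other
    dot1Q subinterfaces -> bridge-group == VLAN id; management IP on BVI1 only."""
    findings: List[str] = []
    ifaces = parse_interfaces(config)
    native_vlan = None
    for name, lines in ifaces.items():
        enc = next((l for l in lines if l.startswith("encapsulation dot1Q ")), None)
        if enc is None:
            continue  # physical interface or BVI, no VLAN tag to check
        parts = enc.split()
        vlan = int(parts[2])
        is_native = "native" in parts[3:]
        bg = next((int(l.split()[1]) for l in lines if re.fullmatch(r"bridge-group \d+", l)), None)
        if bg is None:
            findings.append(f"{name}: VLAN {vlan} subinterface has no bridge-group")
        elif is_native:
            native_vlan = vlan
            if bg != 1:
                findings.append(f"{name}: native VLAN {vlan} must be in bridge-group 1 (BVI1), found {bg}")
        elif bg != vlan:
            findings.append(f"{name}: VLAN {vlan} is in bridge-group {bg}; expected {vlan}")
        if any(l.startswith("ip address ") for l in lines):
            findings.append(f"{name}: IP address on a bridged subinterface; it belongs on BVI1")
    if native_vlan is None:
        findings.append("no native VLAN on the Ethernet trunk, so BVI1 has nothing to bind to")
    if not any(l.startswith("ip address ") for l in ifaces.get("BVI1", [])):
        findings.append("BVI1 has no IP address; the management address must live there")
    return findings


def check_hygiene(config: str) -> List[str]:
    """Flag plaintext or legacy management settings of the kind seen in the posted config."""
    findings: List[str] = []
    lines = [l.strip() for l in config.splitlines()]
    for s in lines:
        m = re.match(r'snmp-server community "?(\w+)"?', s)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(f"well-known SNMP community string: {s}")
        if re.match(r"encryption( vlan \d+)? mode ciphers\b.*\btkip\b", s):
            findings.append(f"TKIP cipher configured (legacy; prefer WPA2 AES-CCMP): {s}")
    if "ip http server" in lines and "no ip http secure-server" in lines:
        findings.append("web management is HTTP only (ip http server, no ip http secure-server)")
    return findings


if __name__ == "__main__":
    for f in check_bridge_groups(SAMPLE_CONFIG) + check_hygiene(SAMPLE_CONFIG):
        print("-", f)
```

Run it against a saved `show running-config` (after fixing the indentation the list software strips) and the first function reproduces the two conditions from the failing snippet earlier in the thread: no native VLAN on the trunk, and an IP address sitting on FastEthernet0.115 instead of BVI1.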