I can tell you from experience that isn't the answer Don was looking for... or Eric either if he asks ;-]
-----Original Message-----
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Tuesday, January 18, 2011 7:09 PM
To: NT System Admin Issues
Subject: Re: RESOLVED: Re: Cisco 1240AG config problem

Safely tucked away in Password Safe... Heh.

On Tue, Jan 18, 2011 at 18:16, Don Ely <don....@gmail.com> wrote:
> Where are the passwords?
>
> On Tue, Jan 18, 2011 at 5:46 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>> Glen, Michael, Brian,
>>
>> Thanks for your help in this. I do appreciate it.
>>
>> Been looking at this the whole time, in between interruptions galore...
>>
>> I got it finally - 'twas stupid target fixation on my part. I somehow
>> got set on fa0.1 being the native VLAN, and on each subinterface being
>> in its own bridge-group matching the VLAN number. Once I fixed that,
>> it works just fine.
>>
>> For posterity, you have to make the management VLAN native (in this
>> config it's VLAN 99 and fa0.99), and assign it to bridge-group 1, then
>> assign the other VLANs to their own bridge-groups (and it's easiest,
>> if not required, to make the bridge-group the same number as the
>> VLAN). Then the IP address assigned for the WAP in the management VLAN
>> has to be placed on the BVI1 interface.
>>
>> Lastly, always check layer 1 first. Just saying...
>>
>> Below are working WAP and HP switch configs, which assume that the WAP
>> is in switch port 8, and that port 9 is the trunk port to the layer 3
>> switch:
>>
>> ----------Begin WAP Config----------
>> version 12.4
>> no service pad
>> service timestamps debug datetime msec
>> service timestamps log datetime msec
>> service password-encryption
>> !
>> hostname wap121-IT
>> !
>> enable secret 5 (removed)
>> !
>> no aaa new-model
>> clock timezone -0800 -8
>> clock summer-time -0700 recurring
>> !
>> !
>> dot11 vlan-name VLAN115 vlan 115
>> dot11 vlan-name VLAN120 vlan 120
>> !
>> dot11 ssid guest
>>  vlan 120
>>  authentication open
>>  mbssid guest-mode dtim-period 2
>> !
>> dot11 ssid production
>>  vlan 115
>>  authentication open
>>  authentication key-management wpa
>>  wpa-psk ascii 7 (removed)
>> !
>> power inline negotiation prestandard source
>> !
>> !
>> username Cisco privilege 15 password 7 (removed)
>> username readonly password 7 (removed)
>> username ifteam privilege 15 secret 5 (removed)
>> !
>> bridge irb
>> !
>> !
>> interface Dot11Radio0
>>  no ip address
>>  no ip route-cache
>>  !
>>  encryption mode ciphers tkip
>>  !
>>  encryption vlan 115 mode ciphers tkip
>>  !
>>  ssid guest
>>  !
>>  ssid production
>>  !
>>  antenna transmit right
>>  antenna receive right
>>  mbssid
>>  speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
>>  power client 20
>>  channel 2437
>>  station-role root
>>  bridge-group 1
>>  bridge-group 1 block-unknown-source
>>  no bridge-group 1 source-learning
>>  no bridge-group 1 unicast-flooding
>>  bridge-group 1 spanning-disabled
>> !
>> interface Dot11Radio0.115
>>  encapsulation dot1Q 115
>>  no ip route-cache
>>  bridge-group 115
>>  bridge-group 115 subscriber-loop-control
>>  bridge-group 115 block-unknown-source
>>  no bridge-group 115 source-learning
>>  no bridge-group 115 unicast-flooding
>> !
>> interface Dot11Radio0.120
>>  encapsulation dot1Q 120
>>  no ip route-cache
>>  bridge-group 120
>>  bridge-group 120 subscriber-loop-control
>>  bridge-group 120 block-unknown-source
>>  no bridge-group 120 source-learning
>>  no bridge-group 120 unicast-flooding
>>  bridge-group 120 spanning-disabled
>> !
>> interface Dot11Radio1
>>  no ip address
>>  no ip route-cache
>>  shutdown
>>  dfs band 3 block
>>  channel dfs
>>  station-role root
>>  bridge-group 1
>>  bridge-group 1 subscriber-loop-control
>>  bridge-group 1 block-unknown-source
>>  no bridge-group 1 source-learning
>>  no bridge-group 1 unicast-flooding
>>  bridge-group 1 spanning-disabled
>> !
>> interface FastEthernet0
>>  no ip address
>>  no ip route-cache
>>  duplex auto
>>  speed auto
>> !
>> interface FastEthernet0.99
>>  encapsulation dot1Q 99 native
>>  no ip route-cache
>>  bridge-group 1
>>  no bridge-group 1 source-learning
>>  bridge-group 1 spanning-disabled
>> !
>> interface FastEthernet0.115
>>  encapsulation dot1Q 115
>>  no ip route-cache
>>  bridge-group 115
>>  no bridge-group 115 source-learning
>>  bridge-group 115 spanning-disabled
>> !
>> interface FastEthernet0.120
>>  encapsulation dot1Q 120
>>  no ip route-cache
>>  bridge-group 120
>>  no bridge-group 120 source-learning
>>  bridge-group 120 spanning-disabled
>> !
>> interface BVI1
>>  ip address 192.168.99.121 255.255.255.0
>>  no ip route-cache
>> !
>> ip default-gateway 192.168.99.1
>> ip http server
>> ip http authentication local
>> no ip http secure-server
>> ip http help-path
>> http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
>> snmp-server view dot11view ieee802dot11 included
>> snmp-server view ieee802dot11 ieee802dot11 included
>> snmp-server community public RO
>> snmp-server contact IFTeam
>> bridge 1 route ip
>> !
>> !
>> !
>> line con 0
>>  login local
>> line vty 0 4
>>  login local
>> !
>> sntp server 192.168.10.191
>> sntp broadcast client
>> end
>> ----------End WAP Config-----------
>>
>> -----------Begin Switch Config----------
>> hostname "HP PoE WAPs Server room 99.22"
>> max-vlans 10
>> time timezone -480
>> time daylight-time-rule Continental-US-and-Canada
>> ip default-gateway 192.168.99.1
>> sntp server 192.168.10.191
>> logging 192.168.10.225
>> snmp-server community "public" Operator
>> snmp-server community "private" Operator Unrestricted
>> vlan 1
>>    name "DEFAULT_VLAN"
>>    untagged 1-8
>>    ip address dhcp-bootp
>>    tagged 9
>>    exit
>> vlan 99
>>    name "VLAN99"
>>    ip address 192.168.99.22 255.255.255.0
>>    tagged 1-9
>>    exit
>> vlan 115
>>    name "VLAN115"
>>    tagged 1-9
>>    exit
>> vlan 120
>>    name "VLAN120"
>>    no ip address
>>    tagged 1-9
>>    exit
>> password manager
>> password operator
>> ----------End Switch Config----------
>>
>> On Sat, Jan 15, 2011 at 15:39, Glen Johnson <gjohn...@vhcc.edu> wrote:
>> > Kurt.
>> > Just looked over my config and couldn't see why mine worked.
>> > Found this on Cisco.com.
>> > http://preview.tinyurl.com/6jongm
>> > Section titled Significance of native vlan.
>> >
>> > The BVI1 interface maps to the native sub interface on the ethernet trunk.
>> > I think the config I sent you is wrong, but for yours to work you need
>> > to set the native vlan on both the switch and wap to vlan 99 if that is
>> > your management vlan.
>> > Pain in the back side to remember that but it does work.
>> > Glen.
>> > ________________________________________
>> > From: Kurt Buff [kurt.b...@gmail.com]
>> > Sent: Saturday, January 15, 2011 3:41 PM
>> > To: NT System Admin Issues
>> > Subject: Re: Cisco 1240AG config problem
>> >
>> > You are correct, I don't want the clients to ping the WAP - I'm trying
>> > to remove the 15.31 address, and use the 99.121 address, but once I do
>> > that, I can't reach the WAP any more, in any way, until I pull power
>> > from it.
>> > (I'm not saving the running-config, just so I can do that!)
>> >
>> > That's why the management vlan 99 isn't configured on the radio side,
>> > only on the Ethernet side.
>> >
>> > I surely wouldn't mind a look at that config, though.
>> >
>> > Kurt
>> >
>> > On Sat, Jan 15, 2011 at 12:25, Glen Johnson <gjohn...@vhcc.edu> wrote:
>> >> I don't think you "want" the wireless clients to ping the wap. They
>> >> should be able to ping hosts on the same vlan as the SSID they are on.
>> >> When we were using fat waps, the only ip address the wap had was on the
>> >> management interface. For security, no wireless clients could get to that IP.
>> >> Have since switched to a wireless lan controller and life is much
>> >> simpler, but if you need more help, let me know as I should have a copy of
>> >> the config that I'll be glad to share.
>> >>
>> >> -----Original Message-----
>> >> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> >> Sent: Saturday, January 15, 2011 2:42 PM
>> >> To: NT System Admin Issues
>> >> Subject: Re: Cisco 1240AG config problem
>> >>
>> >> On Sat, Jan 15, 2011 at 10:41, Michael B. Smith <mich...@smithcons.com> wrote:
>> >>> It's been a really really long time for me, but shouldn't the "ip
>> >>> default-gateway" be an IP address on the BVI1 subnet?
>> >>
>> >> That seems to help somewhat.
>> >>
>> >> I updated as shown below, with the following results:
>> >> - Another WAP on the same PoE switch as the WAP I'm configuring
>> >> (all WAPs are on the 115 vlan but on different switches) can ping and telnet
>> >> to 15.31 and to 15.1 and 99.1, but not to 99.121 - 15.1 and
>> >> 99.1 are the addresses of the layer 3 switch.
>> >>
>> >> - A laptop wirelessly associated with 15.31 can ping the router
>> >> address on the 99 and 115 vlans, but not WAP's addresses of 99.121 and
>> >> 15.31.
>> >> The laptop gets 'destination host unreachable' for the 99 address of the WAP,
>> >> and alternating sequences of that and 'reply timed out' for the 15 address
>> >> of the WAP (I've got four 'ping -t' prompts running on the laptop.)
>> >>
>> >> - No longer see on the WAP
>> >> "% Unrecognized host or address, or protocol not running."
>> >> when trying to ping from this WAP, nor the log errors
>> >> " %IP_SNMP-3-SOCKET: can't open UDP socket"
>> >> " Unable to open socket on port 161"
>> >>
>> >> - The WAP can ping itself on both addresses, and can ping the
>> >> gateway on the 115 vlan (15.1), but not the gateway on the 99 vlan
>> >> (99.1.)
>> >>
>> >> I also tried the config below except that I removed the 15.31 address
>> >> from it entirely, and while the laptop remained associated and had the same
>> >> access, I lost contact with the WAP, and the 99.121 address didn't come
>> >> alive.
>> >>
>> >> Kurt
>> >>
>> >> ----------Begin updated conf snippet----------
>> >> interface FastEthernet0.99
>> >>  encapsulation dot1Q 99
>> >>  no ip route-cache
>> >>  bridge-group 99
>> >>  no bridge-group 99 source-learning
>> >>  bridge-group 99 spanning-disabled
>> >> !
>> >> interface FastEthernet0.115
>> >>  encapsulation dot1Q 115
>> >>  ip address 192.168.15.31 255.255.255.0
>> >>  no ip route-cache
>> >>  bridge-group 115
>> >>  no bridge-group 115 source-learning
>> >>  bridge-group 115 spanning-disabled
>> >> !
>> >> interface BVI1
>> >>  ip address 192.168.99.121 255.255.255.0
>> >>  no ip route-cache
>> >> !
>> >> ip default-gateway 192.168.99.1
>> >> ----------End updated conf snippet----------
>> >>
>> >> ~ Finally, powerful endpoint security that ISN'T a resource hog!
~ ~
>> >> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>> >>
>> >> ---
>> >> To manage subscriptions click here:
>> >> http://lyris.sunbelt-software.com/read/my_forums/
>> >> or send an email to listmana...@lyris.sunbeltsoftware.com
>> >> with the body: unsubscribe ntsysadmin
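
The rules stated in the thread (management VLAN native and in bridge-group 1, other VLANs in a bridge-group matching the VLAN number, the management IP on BVI1 only, and the default gateway inside the BVI1 subnet) written as a config check; this is an added example, not part of the original thread. `check_mgmt_vlan` is a hypothetical helper, it assumes the one-space indentation of `show running-config` output, and the two sample configs are constructed from the configs quoted above, trimmed to the relevant lines.

```python
import ipaddress
import re

# Constructed from the two configs quoted in the thread, trimmed to the relevant lines.
TAIL = "interface BVI1\n ip address 192.168.99.121 255.255.255.0\nip default-gateway 192.168.99.1\n"
BEFORE = """interface FastEthernet0.99
 encapsulation dot1Q 99
 bridge-group 99
interface FastEthernet0.115
 encapsulation dot1Q 115
 ip address 192.168.15.31 255.255.255.0
 bridge-group 115
""" + TAIL
AFTER = """interface FastEthernet0.99
 encapsulation dot1Q 99 native
 bridge-group 1
interface FastEthernet0.115
 encapsulation dot1Q 115
 bridge-group 115
""" + TAIL

def check_mgmt_vlan(cfg):
    """Hypothetical checker: list violations of the thread's rules in an indented IOS config."""
    blocks = re.finditer(r"^interface (\S+)\n((?: .*\n?)*)", cfg, re.M)
    ifaces = {m.group(1): [l.strip() for l in m.group(2).splitlines()] for m in blocks}
    out, native = [], 0
    for name, cmds in ifaces.items():
        enc = re.search(r"^encapsulation dot1Q (\d+)( native)?$", "\n".join(cmds), re.M)
        if not (name.startswith("FastEthernet0.") and enc):
            continue
        native += bool(enc.group(2))
        want = 1 if enc.group(2) else int(enc.group(1))  # native VLAN bridges to BVI1 via group 1
        groups = sorted(int(c.split()[1]) for c in cmds if re.fullmatch(r"bridge-group \d+", c))
        if groups != [want]:
            out.append(f"{name}: expected bridge-group {want}, found {groups}")
        if any(c.startswith("ip address ") for c in cmds):
            out.append(f"{name}: IP address belongs on BVI1, not on a subinterface")
    if native != 1:
        out.append(f"expected exactly one native Ethernet subinterface, found {native}")
    bvi = [ipaddress.ip_interface("/".join(c.split()[2:4]))
           for c in ifaces.get("BVI1", []) if c.startswith("ip address ")]
    gw = re.search(r"^ip default-gateway (\S+)$", cfg, re.M)
    if not bvi:
        out.append("BVI1: no management IP address")
    elif gw and ipaddress.ip_address(gw.group(1)) not in bvi[0].network:
        out.append(f"default-gateway {gw.group(1)} is outside BVI1 subnet {bvi[0].network}")
    return out

print("before:", check_mgmt_vlan(BEFORE), "| after:", check_mgmt_vlan(AFTER) or "OK")
```

Matching the bridge-group number to the VLAN number is the convention used in the thread ("easiest, if not required"), so a finding on a non-native subinterface is a convention mismatch rather than a proven fault.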