Oh, I remember.... I was there too.
LOL.

On Tue, Jan 18, 2011 at 21:49, Free, Bob <r...@pge.com> wrote:
> I can tell you from experience that isn't the answer Don was looking for..or
> Eric either if he asks ;-]
>
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Tuesday, January 18, 2011 7:09 PM
> To: NT System Admin Issues
> Subject: Re: RESOLVED: Re: Cisco 1240AG config problem
>
> Safely tucked away in Password Safe...
>
> Heh.
>
> On Tue, Jan 18, 2011 at 18:16, Don Ely <don....@gmail.com> wrote:
>> Where are the passwords?
>>
>> On Tue, Jan 18, 2011 at 5:46 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>>
>>> Glen, Michael, Brian,
>>>
>>> Thanks for your help in this. I do appreciate it.
>>>
>>> Been looking at this the whole time, in between interruptions galore...
>>>
>>> I got it finally - 'twas stupid target fixation on my part. I somehow
>>> got set on fa0.1 being the native VLAN, and on each subinterface being
>>> in its own bridge-group matching the VLAN number. Once I fixed that,
>>> it works just fine.
>>>
>>> For posterity, you have to make the management VLAN native (in this
>>> config it's VLAN 99 and fa0.99), and assign it to bridge-group 1, then
>>> assign the other VLANs to their own bridge-groups (and it's easiest,
>>> if not required, to make the bridge-group the same number as the
>>> VLAN). Then the IP address assigned for the WAP in the management VLAN
>>> has to be placed on the BVI1 interface.
>>>
>>> Lastly, always check layer 1 first. Just saying...
>>>
>>> Below are working WAP and HP switch configs, which assume that the WAP
>>> is in switch port 8, and that port 9 is the trunk port to the layer 3
>>> switch:
>>>
>>> ----------Begin WAP Config----------
>>> version 12.4
>>> no service pad
>>> service timestamps debug datetime msec
>>> service timestamps log datetime msec
>>> service password-encryption
>>> !
>>> hostname wap121-IT
>>> !
>>> enable secret 5 (removed)
>>> !
>>> no aaa new-model
>>> clock timezone -0800 -8
>>> clock summer-time -0700 recurring
>>> !
>>> !
>>> dot11 vlan-name VLAN115 vlan 115
>>> dot11 vlan-name VLAN120 vlan 120
>>> !
>>> dot11 ssid guest
>>>  vlan 120
>>>  authentication open
>>>  mbssid guest-mode dtim-period 2
>>> !
>>> dot11 ssid production
>>>  vlan 115
>>>  authentication open
>>>  authentication key-management wpa
>>>  wpa-psk ascii 7 (removed)
>>> !
>>> power inline negotiation prestandard source
>>> !
>>> !
>>> username Cisco privilege 15 password 7 (removed)
>>> username readonly password 7 (removed)
>>> username ifteam privilege 15 secret 5 (removed)
>>> !
>>> bridge irb
>>> !
>>> !
>>> interface Dot11Radio0
>>>  no ip address
>>>  no ip route-cache
>>>  !
>>>  encryption mode ciphers tkip
>>>  !
>>>  encryption vlan 115 mode ciphers tkip
>>>  !
>>>  ssid guest
>>>  !
>>>  ssid production
>>>  !
>>>  antenna transmit right
>>>  antenna receive right
>>>  mbssid
>>>  speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
>>>  power client 20
>>>  channel 2437
>>>  station-role root
>>>  bridge-group 1
>>>  bridge-group 1 block-unknown-source
>>>  no bridge-group 1 source-learning
>>>  no bridge-group 1 unicast-flooding
>>>  bridge-group 1 spanning-disabled
>>> !
>>> interface Dot11Radio0.115
>>>  encapsulation dot1Q 115
>>>  no ip route-cache
>>>  bridge-group 115
>>>  bridge-group 115 subscriber-loop-control
>>>  bridge-group 115 block-unknown-source
>>>  no bridge-group 115 source-learning
>>>  no bridge-group 115 unicast-flooding
>>> !
>>> interface Dot11Radio0.120
>>>  encapsulation dot1Q 120
>>>  no ip route-cache
>>>  bridge-group 120
>>>  bridge-group 120 subscriber-loop-control
>>>  bridge-group 120 block-unknown-source
>>>  no bridge-group 120 source-learning
>>>  no bridge-group 120 unicast-flooding
>>>  bridge-group 120 spanning-disabled
>>> !
>>> interface Dot11Radio1
>>>  no ip address
>>>  no ip route-cache
>>>  shutdown
>>>  dfs band 3 block
>>>  channel dfs
>>>  station-role root
>>>  bridge-group 1
>>>  bridge-group 1 subscriber-loop-control
>>>  bridge-group 1 block-unknown-source
>>>  no bridge-group 1 source-learning
>>>  no bridge-group 1 unicast-flooding
>>>  bridge-group 1 spanning-disabled
>>> !
>>> interface FastEthernet0
>>>  no ip address
>>>  no ip route-cache
>>>  duplex auto
>>>  speed auto
>>> !
>>> interface FastEthernet0.99
>>>  encapsulation dot1Q 99 native
>>>  no ip route-cache
>>>  bridge-group 1
>>>  no bridge-group 1 source-learning
>>>  bridge-group 1 spanning-disabled
>>> !
>>> interface FastEthernet0.115
>>>  encapsulation dot1Q 115
>>>  no ip route-cache
>>>  bridge-group 115
>>>  no bridge-group 115 source-learning
>>>  bridge-group 115 spanning-disabled
>>> !
>>> interface FastEthernet0.120
>>>  encapsulation dot1Q 120
>>>  no ip route-cache
>>>  bridge-group 120
>>>  no bridge-group 120 source-learning
>>>  bridge-group 120 spanning-disabled
>>> !
>>> interface BVI1
>>>  ip address 192.168.99.121 255.255.255.0
>>>  no ip route-cache
>>> !
>>> ip default-gateway 192.168.99.1
>>> ip http server
>>> ip http authentication local
>>> no ip http secure-server
>>> ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
>>> snmp-server view dot11view ieee802dot11 included
>>> snmp-server view ieee802dot11 ieee802dot11 included
>>> snmp-server community public RO
>>> snmp-server contact IFTeam
>>> bridge 1 route ip
>>> !
>>> !
>>> !
>>> line con 0
>>>  login local
>>> line vty 0 4
>>>  login local
>>> !
>>> sntp server 192.168.10.191
>>> sntp broadcast client
>>> end
>>> ----------End WAP Config-----------
>>>
>>> -----------Begin Switch Config----------
>>> hostname "HP PoE WAPs Server room 99.22"
>>> max-vlans 10
>>> time timezone -480
>>> time daylight-time-rule Continental-US-and-Canada
>>> ip default-gateway 192.168.99.1
>>> sntp server 192.168.10.191
>>> logging 192.168.10.225
>>> snmp-server community "public" Operator
>>> snmp-server community "private" Operator Unrestricted
>>> vlan 1
>>>    name "DEFAULT_VLAN"
>>>    untagged 1-8
>>>    ip address dhcp-bootp
>>>    tagged 9
>>>    exit
>>> vlan 99
>>>    name "VLAN99"
>>>    ip address 192.168.99.22 255.255.255.0
>>>    tagged 1-9
>>>    exit
>>> vlan 115
>>>    name "VLAN115"
>>>    tagged 1-9
>>>    exit
>>> vlan 120
>>>    name "VLAN120"
>>>    no ip address
>>>    tagged 1-9
>>>    exit
>>> password manager
>>> password operator
>>> ----------End Switch Config----------
>>>
>>> On Sat, Jan 15, 2011 at 15:39, Glen Johnson <gjohn...@vhcc.edu> wrote:
>>> > Kurt.
>>> > Just looked over my config and couldn't see why mine worked.
>>> > Found this on Cisco.com.
>>> > http://preview.tinyurl.com/6jongm
>>> > Section titled Significance of native vlan.
>>> >
>>> > The BVI1 interface maps to the native sub interface on the ethernet trunk.
>>> > I think the config I sent you is wrong, but for yours to work you need
>>> > to set the native vlan on both the switch and wap to vlan 99 if that is your
>>> > management vlan.
>>> > Pain in the back side to remember that but it does work.
>>> > Glen.
>>> > ________________________________________
>>> > From: Kurt Buff [kurt.b...@gmail.com]
>>> > Sent: Saturday, January 15, 2011 3:41 PM
>>> > To: NT System Admin Issues
>>> > Subject: Re: Cisco 1240AG config problem
>>> >
>>> > You are correct, I don't want the clients to ping the WAP - I'm trying
>>> > to remove the 15.31 address, and use the 99.121 address, but once I do
>>> > that, I can't reach the WAP any more, in any way, until I pull power
>>> > from it. (I'm not saving the running-config, just so I can do that!)
>>> >
>>> > That's why the management vlan 99 isn't configured on the radio side,
>>> > only on the Ethernet side.
>>> >
>>> > I surely wouldn't mind a look at that config, though.
>>> >
>>> > Kurt
>>> >
>>> > On Sat, Jan 15, 2011 at 12:25, Glen Johnson <gjohn...@vhcc.edu> wrote:
>>> >> I don't think you "want" the wireless clients to ping the wap. They
>>> >> should be able to ping hosts on the same vlan as the SSID they are on.
>>> >> When we were using fat waps, the only ip address the wap had was on the
>>> >> management interface. For security, no wireless clients could get to that IP.
>>> >> Have since switched to a wireless lan controller and life is much
>>> >> simpler, but if you need more help, let me know as I should have a copy of
>>> >> the config that I'll be glad to share.
>>> >>
>>> >> -----Original Message-----
>>> >> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>>> >> Sent: Saturday, January 15, 2011 2:42 PM
>>> >> To: NT System Admin Issues
>>> >> Subject: Re: Cisco 1240AG config problem
>>> >>
>>> >> On Sat, Jan 15, 2011 at 10:41, Michael B. Smith <mich...@smithcons.com> wrote:
>>> >>> It's been a really really long time for me, but shouldn't the "ip
>>> >>> default-gateway" be an IP address on the BVI1 subnet?
>>> >>
>>> >> That seems to help somewhat.
>>> >>
>>> >> I updated as shown below, with the following results:
>>> >> - Another WAP on the same PoE switch as the WAP I'm configuring
>>> >> (all WAPs are on the 115 vlan but on different switches) can ping and telnet
>>> >> to 15.31 and to 15.1 and 99.1, but not to 99.121 - 15.1 and
>>> >> 99.1 are the addresses of the layer 3 switch.
>>> >>
>>> >> - A laptop wirelessly associated with 15.31 can ping the router
>>> >> address on the 99 and 115 vlans, but not WAP's addresses of 99.121 and 15.31.
>>> >> The laptop gets 'destination host unreachable' for the 99 address of the WAP,
>>> >> and alternating sequences of that and 'reply timed out' for the 15 address
>>> >> of the WAP (I've got four 'ping -t' prompts running on the laptop.)
>>> >>
>>> >> - No longer see on the WAP
>>> >> "% Unrecognized host or address, or protocol not running."
>>> >> when trying to ping from this WAP, nor the log errors
>>> >> " %IP_SNMP-3-SOCKET: can't open UDP socket"
>>> >> " Unable to open socket on port 161"
>>> >>
>>> >> - The WAP can ping itself on both addresses, and can ping the
>>> >> gateway on the 115 vlan (15.1), but not the gateway on the 99 vlan (99.1.)
>>> >>
>>> >> I also tried the config below except that I removed the 15.31 address
>>> >> from it entirely, and while the laptop remained associated and had the same
>>> >> access, I lost contact with the WAP, and the 99.121 address didn't come
>>> >> alive.
>>> >>
>>> >> Kurt
>>> >>
>>> >> ----------Begin updated conf snippet----------
>>> >> interface FastEthernet0.99
>>> >>  encapsulation dot1Q 99
>>> >>  no ip route-cache
>>> >>  bridge-group 99
>>> >>  no bridge-group 99 source-learning
>>> >>  bridge-group 99 spanning-disabled
>>> >> !
>>> >> interface FastEthernet0.115
>>> >>  encapsulation dot1Q 115
>>> >>  ip address 192.168.15.31 255.255.255.0
>>> >>  no ip route-cache
>>> >>  bridge-group 115
>>> >>  no bridge-group 115 source-learning
>>> >>  bridge-group 115 spanning-disabled
>>> >> !
>>> >> interface BVI1
>>> >>  ip address 192.168.99.121 255.255.255.0
>>> >>  no ip route-cache
>>> >> !
>>> >> ip default-gateway 192.168.99.1
>>> >> ----------End updated conf snippet----------
>>> >>
>>> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>> >> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>> >>
>>> >> ---
>>> >> To manage subscriptions click here:
>>> >> http://lyris.sunbelt-software.com/read/my_forums/
>>> >> or send an email to listmana...@lyris.sunbeltsoftware.com
>>> >> with the body: unsubscribe ntsysadmin
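
The rule from the "For posterity" paragraph in the thread (management VLAN native and in bridge-group 1, other VLANs in their own bridge-groups, the AP's address on BVI1) can be checked mechanically against a saved config. This is an added example, not part of the original thread; `check_ap_bridging` is a hypothetical helper, the two samples are constructed by trimming the configs quoted above, and it assumes the one-space indentation that `show running-config` produces.

```python
import re

def check_ap_bridging(config):
    """Return findings; an empty list means the config follows the rule."""
    ifaces, name = {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):   # top-level line opens or closes a block
            name = raw.split()[1] if raw.startswith("interface ") else None
        elif name:
            ifaces.setdefault(name, []).append(raw.strip())
    findings, native = [], []
    for ifname, lines in ifaces.items():
        body = "\n".join(lines)
        enc = re.search(r"^encapsulation dot1Q (\d+)( native)?$", body, re.M)
        if not ifname.startswith("FastEthernet") or not enc:
            continue                  # only tagged Ethernet subinterfaces
        grp = re.search(r"^bridge-group (\d+)$", body, re.M)
        in_bg1 = bool(grp) and grp.group(1) == "1"
        if enc.group(2):
            native.append(ifname)
        if in_bg1 != bool(enc.group(2)):
            findings.append(f"{ifname}: only the native VLAN belongs in bridge-group 1")
        if re.search(r"^ip address ", body, re.M):
            findings.append(f"{ifname}: IP address belongs on BVI1, not a subinterface")
    if len(native) != 1:
        findings.append(f"expected one native subinterface, found {len(native)}")
    if not re.search(r"^ip address \d", "\n".join(ifaces.get("BVI1", [])), re.M):
        findings.append("BVI1: no IP address")
    return findings

WORKING = """interface FastEthernet0.99
 encapsulation dot1Q 99 native
 bridge-group 1
interface FastEthernet0.115
 encapsulation dot1Q 115
 bridge-group 115
interface BVI1
 ip address 192.168.99.121 255.255.255.0
"""  # constructed: trimmed from the working WAP config in the thread
BROKEN = """interface FastEthernet0.99
 encapsulation dot1Q 99
 bridge-group 99
interface FastEthernet0.115
 encapsulation dot1Q 115
 ip address 192.168.15.31 255.255.255.0
 bridge-group 115
interface BVI1
 ip address 192.168.99.121 255.255.255.0
"""  # constructed: trimmed from the earlier, non-working snippet
```

The working sample yields no findings; the earlier snippet is flagged for the address on FastEthernet0.115 and for having no native subinterface.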