Oh, I remember....

I was there too.

LOL.

On Tue, Jan 18, 2011 at 21:49, Free, Bob <r...@pge.com> wrote:
> I can tell you from experience that isn't the answer Don was looking for... or
> Eric either, if he asks ;-]
>
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Tuesday, January 18, 2011 7:09 PM
> To: NT System Admin Issues
> Subject: Re: RESOLVED: Re: Cisco 1240AG config problem
>
> Safely tucked away in Password Safe...
>
> Heh.
>
> On Tue, Jan 18, 2011 at 18:16, Don Ely <don....@gmail.com> wrote:
>> Where are the passwords?
>>
>> On Tue, Jan 18, 2011 at 5:46 PM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>>
>>> Glen, Michael, Brian,
>>>
>>> Thanks for your help in this. I do appreciate it.
>>>
>>> Been looking at this the whole time, in between interruptions galore...
>>>
>>> I got it finally - 'twas stupid target fixation on my part. I somehow
>>> got set on fa0.1 being the native VLAN, and on each subinterface being
>>> in its own bridge-group matching the VLAN number. Once I fixed that,
>>> it works just fine.
>>>
>>> For posterity, you have to make the management VLAN native (in this
>>> config it's VLAN 99 and fa0.99), and assign it to bridge-group 1, then
>>> assign the other VLANs to their own bridge-groups (and it's easiest,
>>> if not required, to make the bridge-group the same number as the
>>> VLAN). Then the IP address assigned for the WAP in the management VLAN
>>> has to be placed on the BVI1 interface.
>>>
>>> Lastly, always check layer 1 first. Just saying...
>>>
>>> Below are working WAP and HP switch configs, which assume that the WAP
>>> is in switch port 8, and that port 9 is the trunk port to the layer 3
>>> switch:
>>>
>>> ----------Begin WAP Config----------
>>> version 12.4
>>> no service pad
>>> service timestamps debug datetime msec
>>> service timestamps log datetime msec
>>> service password-encryption
>>> !
>>> hostname wap121-IT
>>> !
>>> enable secret 5 (removed)
>>> !
>>> no aaa new-model
>>> clock timezone -0800 -8
>>> clock summer-time -0700 recurring
>>> !
>>> !
>>> dot11 vlan-name VLAN115 vlan 115
>>> dot11 vlan-name VLAN120 vlan 120
>>> !
>>> dot11 ssid guest
>>>   vlan 120
>>>   authentication open
>>>   mbssid guest-mode dtim-period 2
>>> !
>>> dot11 ssid production
>>>   vlan 115
>>>   authentication open
>>>   authentication key-management wpa
>>>   wpa-psk ascii 7 (removed)
>>> !
>>> power inline negotiation prestandard source
>>> !
>>> !
>>> username Cisco privilege 15 password 7 (removed)
>>> username readonly password 7 (removed)
>>> username ifteam privilege 15 secret 5 (removed)
>>> !
>>> bridge irb
>>> !
>>> !
>>> interface Dot11Radio0
>>>  no ip address
>>>  no ip route-cache
>>>  !
>>>  encryption mode ciphers tkip
>>>  !
>>>  encryption vlan 115 mode ciphers tkip
>>>  !
>>>  ssid guest
>>>  !
>>>  ssid production
>>>  !
>>>  antenna transmit right
>>>  antenna receive right
>>>  mbssid
>>>  speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
>>>  power client 20
>>>  channel 2437
>>>  station-role root
>>>  bridge-group 1
>>>  bridge-group 1 block-unknown-source
>>>  no bridge-group 1 source-learning
>>>  no bridge-group 1 unicast-flooding
>>>  bridge-group 1 spanning-disabled
>>> !
>>> interface Dot11Radio0.115
>>>  encapsulation dot1Q 115
>>>  no ip route-cache
>>>  bridge-group 115
>>>  bridge-group 115 subscriber-loop-control
>>>  bridge-group 115 block-unknown-source
>>>  no bridge-group 115 source-learning
>>>  no bridge-group 115 unicast-flooding
>>> !
>>> interface Dot11Radio0.120
>>>  encapsulation dot1Q 120
>>>  no ip route-cache
>>>  bridge-group 120
>>>  bridge-group 120 subscriber-loop-control
>>>  bridge-group 120 block-unknown-source
>>>  no bridge-group 120 source-learning
>>>  no bridge-group 120 unicast-flooding
>>>  bridge-group 120 spanning-disabled
>>> !
>>> interface Dot11Radio1
>>>  no ip address
>>>  no ip route-cache
>>>  shutdown
>>>  dfs band 3 block
>>>  channel dfs
>>>  station-role root
>>>  bridge-group 1
>>>  bridge-group 1 subscriber-loop-control
>>>  bridge-group 1 block-unknown-source
>>>  no bridge-group 1 source-learning
>>>  no bridge-group 1 unicast-flooding
>>>  bridge-group 1 spanning-disabled
>>> !
>>> interface FastEthernet0
>>>  no ip address
>>>  no ip route-cache
>>>  duplex auto
>>>  speed auto
>>> !
>>> interface FastEthernet0.99
>>>  encapsulation dot1Q 99 native
>>>  no ip route-cache
>>>  bridge-group 1
>>>  no bridge-group 1 source-learning
>>>  bridge-group 1 spanning-disabled
>>> !
>>> interface FastEthernet0.115
>>>  encapsulation dot1Q 115
>>>  no ip route-cache
>>>  bridge-group 115
>>>  no bridge-group 115 source-learning
>>>  bridge-group 115 spanning-disabled
>>> !
>>> interface FastEthernet0.120
>>>  encapsulation dot1Q 120
>>>  no ip route-cache
>>>  bridge-group 120
>>>  no bridge-group 120 source-learning
>>>  bridge-group 120 spanning-disabled
>>> !
>>> interface BVI1
>>>  ip address 192.168.99.121 255.255.255.0
>>>  no ip route-cache
>>> !
>>> ip default-gateway 192.168.99.1
>>> ip http server
>>> ip http authentication local
>>> no ip http secure-server
>>> ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
>>> snmp-server view dot11view ieee802dot11 included
>>> snmp-server view ieee802dot11 ieee802dot11 included
>>> snmp-server community public RO
>>> snmp-server contact IFTeam
>>> bridge 1 route ip
>>> !
>>> !
>>> !
>>> line con 0
>>>  login local
>>> line vty 0 4
>>>  login local
>>> !
>>> sntp server 192.168.10.191
>>> sntp broadcast client
>>> end
>>> ----------End WAP Config-----------
>>>
>>> -----------Begin Switch Config----------
>>> hostname "HP PoE WAPs Server room 99.22"
>>> max-vlans 10
>>> time timezone -480
>>> time daylight-time-rule Continental-US-and-Canada
>>> ip default-gateway 192.168.99.1
>>> sntp server 192.168.10.191
>>> logging 192.168.10.225
>>> snmp-server community "public" Operator
>>> snmp-server community "private" Operator Unrestricted
>>> vlan 1
>>>   name "DEFAULT_VLAN"
>>>   untagged 1-8
>>>   ip address dhcp-bootp
>>>   tagged 9
>>>   exit
>>> vlan 99
>>>   name "VLAN99"
>>>   ip address 192.168.99.22 255.255.255.0
>>>   tagged 1-9
>>>   exit
>>> vlan 115
>>>   name "VLAN115"
>>>   tagged 1-9
>>>   exit
>>> vlan 120
>>>   name "VLAN120"
>>>   no ip address
>>>   tagged 1-9
>>>   exit
>>> password manager
>>> password operator
>>> ----------End Switch Config----------
>>>
>>> On Sat, Jan 15, 2011 at 15:39, Glen Johnson <gjohn...@vhcc.edu> wrote:
>>> > Kurt.
>>> > Just looked over my config and couldn't see why mine worked.
>>> > Found this on Cisco.com.
>>> > http://preview.tinyurl.com/6jongm
>>> > Section titled Significance of native vlan.
>>> >
>>> > The BVI1 interface maps to the native sub interface on the ethernet
>>> > trunk.
>>> > I think the config I sent you is wrong, but for yours to work you need
>>> > to set the native vlan on both the switch and wap to vlan 99 if that is
>>> > your management vlan.
>>> > Pain in the back side to remember that but it does work.
>>> > Glen.
>>> > ________________________________________
>>> > From: Kurt Buff [kurt.b...@gmail.com]
>>> > Sent: Saturday, January 15, 2011 3:41 PM
>>> > To: NT System Admin Issues
>>> > Subject: Re: Cisco 1240AG config problem
>>> >
>>> > You are correct, I don't want the clients to ping the WAP - I'm trying
>>> > to remove the 15.31 address, and use the 99.121 address, but once I do
>>> > that, I can't reach the WAP any more, in any way, until I pull power
>>> > from it. (I'm not saving the running-config, just so I can do that!)
>>> >
>>> > That's why the management vlan 99 isn't configured on the radio side,
>>> > only on the Ethernet side.
>>> >
>>> > I surely wouldn't mind a look at that config, though.
>>> >
>>> > Kurt
>>> >
>>> > On Sat, Jan 15, 2011 at 12:25, Glen Johnson <gjohn...@vhcc.edu> wrote:
>>> >> I don't think you "want" the wireless clients to ping the wap.  They
>>> >> should be able to ping hosts on the same vlan as the SSID they are on.
>>> >> When we were using fat waps, the only ip address the wap had was on the
>>> >> management interface.  For security, no wireless clients could get to
>>> >> that IP.
>>> >> Have since switched to a wireless lan controller and life is much
>>> >> simpler, but if you need more help, let me know as I should have a copy
>>> >> of the config that I'll be glad to share.
>>> >>
>>> >> -----Original Message-----
>>> >> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>>> >> Sent: Saturday, January 15, 2011 2:42 PM
>>> >> To: NT System Admin Issues
>>> >> Subject: Re: Cisco 1240AG config problem
>>> >>
>>> >> On Sat, Jan 15, 2011 at 10:41, Michael B. Smith <mich...@smithcons.com>
>>> >> wrote:
>>> >>> It's been a really really long time for me, but shouldn't the "ip
>>> >>> default-gateway" be an IP address on the BVI1 subnet?
>>> >>
>>> >> That seems to help somewhat.
>>> >>
>>> >> I updated as shown below, with the following results:
>>> >>     - Another WAP on the same PoE switch as the WAP I'm configuring
>>> >> (all WAPs are on the 115 vlan but on different switches) can ping and
>>> >> telnet to 15.31 and to 15.1 and 99.1, but not to 99.121 - 15.1 and
>>> >> 99.1 are the addresses of the layer 3 switch.
>>> >>
>>> >>     - A laptop wirelessly associated with 15.31 can ping the router
>>> >> address on the 99 and 115 vlans, but not WAP's addresses of 99.121 and
>>> >> 15.31. The laptop gets 'destination host unreachable' for the 99 address
>>> >> of the WAP, and alternating sequences of that and 'reply timed out' for
>>> >> the 15 address of the WAP (I've got four 'ping -t' prompts running on
>>> >> the laptop.)
>>> >>
>>> >>     - No longer see on the WAP
>>> >>          "% Unrecognized host or address, or protocol not running."
>>> >>       when trying to ping from this WAP, nor the log errors
>>> >>          " %IP_SNMP-3-SOCKET: can't open UDP socket"
>>> >>          " Unable to open socket on port 161"
>>> >>
>>> >>     - The WAP can ping itself on both addresses, and can ping the
>>> >> gateway on the 115 vlan (15.1), but not the gateway on the 99 vlan
>>> >> (99.1.)
>>> >>
>>> >> I also tried the config below except that I removed the 15.31 address
>>> >> from it entirely, and while the laptop remained associated and had the
>>> >> same access, I lost contact with the WAP, and the 99.121 address didn't
>>> >> come alive.
>>> >>
>>> >> Kurt
>>> >>
>>> >> ----------Begin updated conf snippet----------
>>> >> interface FastEthernet0.99
>>> >>  encapsulation dot1Q 99
>>> >>  no ip route-cache
>>> >>  bridge-group 99
>>> >>  no bridge-group 99 source-learning
>>> >>  bridge-group 99 spanning-disabled
>>> >> !
>>> >> interface FastEthernet0.115
>>> >>  encapsulation dot1Q 115
>>> >>  ip address 192.168.15.31 255.255.255.0
>>> >>  no ip route-cache
>>> >>  bridge-group 115
>>> >>  no bridge-group 115 source-learning
>>> >>  bridge-group 115 spanning-disabled
>>> >> !
>>> >> interface BVI1
>>> >>  ip address 192.168.99.121 255.255.255.0
>>> >>  no ip route-cache
>>> >> !
>>> >> ip default-gateway 192.168.99.1
>>> >> ----------End updated conf snippet----------
>>> >>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
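
The rule Kurt states in the quoted "RESOLVED" message (management VLAN native and in bridge-group 1, other VLANs in their own bridge-groups, management IP on BVI1) can be checked mechanically before a config is pushed. The following is an added example, not part of the thread or any Cisco tool; the function name `check_management_bridging` and both sample strings are constructed here, trimmed from the two configs quoted above.

```python
import re

# An interface header line followed by its indented sub-commands.
IFACE = re.compile(r"^interface (\S+)[ \t]*\n((?:[ \t].*\n?)*)", re.M)

def check_management_bridging(config):
    """Return findings against the rules stated in the thread ([] = consistent)."""
    findings, native_vlans, bvi1_has_ip = [], set(), False
    for name, body in IFACE.findall(config):
        text = "\n".join(line.strip() for line in body.splitlines())
        has_ip = bool(re.search(r"^ip address \S+ \S+", text, re.M))
        enc = re.search(r"^encapsulation dot1Q (\d+)( native)?$", text, re.M)
        groups = re.findall(r"^bridge-group (\d+)$", text, re.M)
        if name == "BVI1":
            bvi1_has_ip = has_ip
        elif has_ip:
            findings.append(f"{name}: IP address belongs on BVI1, not on a subinterface")
        if enc and enc.group(2):                 # subinterface marked native
            native_vlans.add(enc.group(1))
            if groups != ["1"]:
                findings.append(f"{name}: native VLAN {enc.group(1)} must use bridge-group 1")
        elif enc and "1" in groups:
            findings.append(f"{name}: VLAN {enc.group(1)} is not native but uses bridge-group 1")
    if len(native_vlans) != 1:
        findings.append(f"expected exactly one native VLAN, found {len(native_vlans)}")
    if not bvi1_has_ip:
        findings.append("BVI1: no management IP address")
    return findings

# Constructed samples, trimmed from the working config and the earlier snippet.
WORKING = """interface FastEthernet0.99
 encapsulation dot1Q 99 native
 bridge-group 1
interface FastEthernet0.115
 encapsulation dot1Q 115
 bridge-group 115
interface BVI1
 ip address 192.168.99.121 255.255.255.0
"""
BROKEN = """interface FastEthernet0.99
 encapsulation dot1Q 99
 bridge-group 99
interface FastEthernet0.115
 encapsulation dot1Q 115
 ip address 192.168.15.31 255.255.255.0
 bridge-group 115
interface BVI1
 ip address 192.168.99.121 255.255.255.0
"""
```

`check_management_bridging(BROKEN)` reports the stray address on `FastEthernet0.115` and the missing native VLAN, which is why BVI1 at 99.121 never answered in the earlier attempt.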
