Help with 876w config bridging wireless/lan

Hello,

I am stuck with the configuration of my new 876w. Yes, there are some examples and explanations in the config guide, but not exactly what I want. What I want:

One subnet 10.0.0.0/24 bridged between wireless and LAN switch ports, DSL dialup. The latter seems to work, but I have problems with the bridging between the wireless LAN and the LAN switch ports.

I thought it should be done by putting the switch virtual interface and the wireless interface in the same bridge-group and then configuring the IP address of the router on the BVI interface. But this doesn't work - currently I am able to access the switch from wireless, but not from the LAN.

Here's the relevant config:

dot11 ssid blubber2007
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 0 xyz
!
ip cef
no ip domain lookup
bridge irb
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no snmp trap link-status
 pvc 1/32
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers tkip
 !
 ssid blubber2007
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname abc
 ppp chap password 0 xyz
 ppp pap sent-username abc password 0 xyz
!
interface BVI1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 10.0.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
bridge 1 route ip
!

Any idea what could be wrong?

Regards Markus

Reply to
Markus Marquardt

config looks okay to me

ensure that all firewalls are disabled on PC's during your connectivity testing

from each wired and wireless PC, ping its default gateway

from a wireless PC ping a PC on one of wired LAN ports or vice versa

post the output of

show version

sh int status

sh ip int brief

sh dot11 assoc

sh arp

sh mac-address-table dynamic

show bridge

show vlan

check the arp cache on the wireless PC and the wired PC to determine if they are able to send and receive ARPs between wired and wireless segment.

If so then I would look to see if IP traffic on PC is being blocked by firewall or other security programs

Reply to
Merv

No firewalls enabled/installed.

wireless default gw is the router (10.0.0.1) - ping works. wired doesn't give any reply. On the PC I can see the outgoing arp requests but no answer.

When connecting another device to the builtin lan switch, the devices can communicate with each other, but they can't access the router.

When configuring the IP address 10.0.0.1 on the "vlan 1" interface instead of on the BVI, the router is accessible from the LAN but not from wireless (of course).

doesn't work. In any case I can see the outgoing arp requests on the source, but no reply and no incoming arp requests on the destination.

Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support:
(c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 16:47 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

Router uptime is 5 hours, 54 minutes
System returned to ROM by reload
System image file is "flash:c870-advsecurityk9-mz.124-15.T1.bin"
Last reload reason: Reload Command
...
Cisco 876W (MPC8272) processor (revision 0x200) with 118784K/12288K bytes of memory.
Processor board ID FCZ112722B4
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ISDN Basic Rate interface
1 ATM interface
1 802.11 Radio
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102

Port  Name  Status      Vlan  Duplex  Speed  Type
Fa0         connected   1     a-full  a-100  10/100BaseTX
Fa1         connected   1     a-full  a-100  10/100BaseTX
Fa2         notconnect  1     auto    auto   10/100BaseTX
Fa3         notconnect  1     auto    auto   10/100BaseTX

Interface      IP-Address  OK?  Method  Status                 Protocol
FastEthernet0  unassigned  YES  unset   up                     up
FastEthernet1  unassigned  YES  unset   up                     up
FastEthernet2  unassigned  YES  unset   up                     down
FastEthernet3  unassigned  YES  unset   up                     down
BRI0           unassigned  YES  NVRAM   administratively down  down
BRI0:1         unassigned  YES  unset   administratively down  down
BRI0:2         unassigned  YES  unset   administratively down  down
Dot11Radio0    unassigned  YES  NVRAM   up                     up
ATM0           unassigned  YES  NVRAM   initializing           down
ATM0.1         unassigned  YES  unset   initializing           down
Vlan1          unassigned  YES  manual  up                     up
NVI0           unassigned  NO   unset   up                     up
Dialer0        unassigned  YES  NVRAM   up                     up
BVI1           10.0.0.1    YES  manual  up                     up

802.11 Client Stations on Dot11Radio0:

SSID [blubber2007] :

MAC Address     IP address  Device      Name  Parent  State
0018.de02.9b93  10.0.0.23   4500-radio  abc   self    Assoc

Protocol  Address    Age (min)  Hardware Addr   Type  Interface
Internet  10.0.0.1   -          001b.d596.ae00  ARPA  BVI1
Internet  10.0.0.23  1          0018.de02.9b93  ARPA  BVI1

10.0.0.23 is the wireless client. At the same time I tried a ping from the device in the LAN, but there's no entry for this one.

Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
000e.a6b8.baaa       Dynamic       1     FastEthernet0

This is the MAC of the client I used to try connecting to the router.

Total of 300 station blocks, 299 free
Codes: P - permanent, S - self

Bridge Group 1:

Address         Action   Interface    Age  RX count  TX count
0018.de02.9b93  forward  Dot11Radio0  P    342       243

Router#show vlan
% Ambiguous command: "show vlan"

Regards Markus

Reply to
Markus Marquardt

Looks like wired PC's ARP is not making it to BVI interface or ARP reply is not being generated or propagated back to Fa0 interface

you could try debug ip icmp and debug arp to see if any useful info is produced

Suggest trying an older IOS version like 12.4(11)T3 to see if that makes a difference.

If not then open case with Cisco TAC

Reply to
Merv

I just noticed that the PC on FA0 with MAC address 000e.a6b8.baaa is showing up in output of "sh mac-address-table dynamic " but is not showing in the output of "show bridge". This does not seem correct to me.

Can you send packets between the PC on FA 0 and the PC on FA 1 ?

OBTW add "bridge 1 protocol ieee" to your config to see if it has any effect.

post output of show bridge after making change and repeating ping tests.

Reply to
Merv
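The cross-check described in the post above (a host present in "sh mac-address-table dynamic" but absent from "show bridge") can be automated when collecting output from the router. This is an added example, not part of the original thread; the function names are hypothetical, the sample text is constructed from the output posted earlier, and it assumes VLAN 1 feeds bridge group 1 as in the posted config.

```python
import re

MAC = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", re.I)

# Constructed sample input, re-typed from the output posted in this thread.
SHOW_MAC = """\
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
000e.a6b8.baaa       Dynamic       1     FastEthernet0
"""
SHOW_BRIDGE = """\
Bridge Group 1:
    Address       Action   Interface   Age   RX count   TX count
0018.de02.9b93    forward  Dot11Radio0  P       342        243
"""


def parse_mac_table(text):
    """'show mac-address-table dynamic' -> {mac: (vlan, port)}."""
    table = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and MAC.fullmatch(f[0]):
            table[f[0].lower()] = (int(f[2]), f[3])
    return table


def parse_bridge(text):
    """'show bridge' -> {bridge_group: {mac: interface}}."""
    groups, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*Bridge Group (\d+):", line)
        if header:
            current = int(header.group(1))
            groups[current] = {}
            continue
        f = line.split()
        if current is not None and len(f) >= 3 and MAC.fullmatch(f[0]):
            groups[current][f[0].lower()] = f[2]
    return groups


def missing_from_bridge(mac_text, bridge_text, vlan, group):
    """Hosts the switch learned in `vlan` that bridge `group` has no entry for."""
    bridged = parse_bridge(bridge_text).get(group, {})
    return sorted((mac, port)
                  for mac, (v, port) in parse_mac_table(mac_text).items()
                  if v == vlan and mac not in bridged)


if __name__ == "__main__":
    for mac, port in missing_from_bridge(SHOW_MAC, SHOW_BRIDGE, vlan=1, group=1):
        print(f"{mac} on {port}: in switch MAC table, absent from bridge group 1")
```
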

Post output of the following commands:

show bridge verbose

show bridge group

show bridge vlan

Reply to
Merv

Excuse my ignorance here, but I ask, why are the configurations in the manual not enough? What are you doing differently - is it bridging three interfaces? The example in the manual shows only two. You said what is happening but did not state clearly what you want.

If it is bridging three interfaces, is this even supported? Why have you not included the most basic of requirements as in the examples of bridging (pg 324)? Is it an ethernet interface or Vlan1 interface? Is this supported as a third interface?

Reply to
LC

In the manual I was looking at - the Cisco 87x configuration guide - there's no example for what I'm looking at: Bridging between a wireless interface and the built-in LAN switch. Two interfaces.

Later I had a look at the generic IOS configuration guide and the bridging stuff and configured everything so it should work - from my knowledge, which is not so much in case of Cisco & bridging. I couldn't see anything wrong with my config, so I asked...

Which document do you reference here?

Regards Markus

Reply to
Markus Marquardt

As has already been stated your config looks pretty decent.

One thing you have not mentioned is

conf t
bridge 1 protocol ieee

I do not see the DHCP configuration either? Maybe you decided to miss it out?

Please post the whole config (sanitised if required).

One way of at least removing passwords is to use the "sh tech" command. This though produces a lot of output which you then have to deal with. Later IOS allows "sh tech xxxx". If xxxx is chosen to be a feature that you are not using then the output is considerably abbreviated. :-))

sh tech rsvp
sh tech ipmulticast

Reply to
Bod43
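For sanitising a config before posting it, as requested in the post above, the secret-bearing commands that appear in this thread's configs can be masked with a short script. This is an added example, not part of the original thread; the function name and sample values are constructed, and a password with no type digit is treated as cleartext (an assumption that matches how IOS displays unencrypted passwords).

```python
import re

# Secret-bearing commands seen in this thread's configs. Group 1 (keyword) is
# kept, group 2 is the optional encoding type, the rest of the line is masked.
SECRET_RULES = [
    re.compile(r"(\b(?:password|secret)\s+)(?:(\d)\s+)?\S.*"),
    re.compile(r"(\bwpa-psk\s+(?:ascii|hex)\s+)(?:(\d)\s+)?\S.*"),
]
# Account identifiers: only the single token after the keyword is masked.
NAME_RULE = re.compile(r"(\b(?:username|ppp chap hostname)\s+)\S+")
# Type 0 is stored in cleartext; type 7 is reversible obfuscation, not a hash.
WEAK_TYPES = {"0": "cleartext", "7": "reversible type 7"}

# Constructed sample: command forms from the thread, placeholder values.
SAMPLE = """\
service password-encryption
enable secret 5 $1$constructed$hash
username admin privilege 15 password 7 0000CONSTRUCTED
dot11 ssid blubber2007
 wpa-psk ascii 0 xyz
interface Dialer0
 ppp chap hostname abc
 ppp chap password 0 xyz
 ppp pap sent-username abc password 0 xyz
"""


def sanitize(config):
    """Return (masked_config, findings) where findings lists weakly stored secrets."""
    out, findings = [], []
    for n, line in enumerate(config.splitlines(), 1):
        for rule in SECRET_RULES:
            m = rule.search(line)
            if m:
                kind = WEAK_TYPES.get(m.group(2) or "0")
                if kind:
                    findings.append((n, kind, m.group(1).strip()))
                line = line[:m.start()] + m.group(1) + "<removed>"
        out.append(NAME_RULE.sub(r"\1<removed>", line))
    return "\n".join(out), findings


if __name__ == "__main__":
    masked, weak = sanitize(SAMPLE)
    print(masked)
    for lineno, kind, keyword in weak:
        print(f"line {lineno}: {keyword} stored as {kind}")
```

The findings list also shows which secrets should be rotated if the unmasked config was ever shared, since cleartext and type 7 values are readable by anyone who saw it.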

Markus,

Your config is fine.

Add "bridge 1 protocol ieee" for good measure even though spanning-tree has been disabled on the radio

Post output of the following commands:

show bridge verbose
show bridge group
show bridge vlan

Reply to
Merv

What are the IP addresses of the PC's on FA 0 and FA 1 ?

Can these two PC's ping each other ?

Reply to
Merv

Try removing "bridge-group 1 spanning-disabled" from the vlan1 interface to see if that has any positive effect

conf t
interface Vlan1
 no bridge-group 1 spanning-disabled
end

Reply to
Merv

On Sep 8, 4:05 pm, Markus Marquardt wrote:

Hi,

I assume that you omitted part of your configuration; it would be better to post it all. Did you configure the router manually or via SDM? Do you have any access lists applied to the interfaces? Anyway try using the config below which works fine for me:

!This is the running config of the router: 10.10.10.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname 'your_hostname'
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 'your_password'
!
no aaa new-model
!
dot11 activity-timeout unknown default 600
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.17 10.10.10.254
!
ip dhcp pool sdm-pool
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 194.219.227.2 193.92.110.1
!
!
no ip bootp server
ip name-server 194.219.227.2
ip name-server 193.92.110.1
ip inspect name FIREWALL cuseeme
ip inspect name FIREWALL ftp
ip inspect name FIREWALL h323
ip inspect name FIREWALL icmp
ip inspect name FIREWALL netshow
ip inspect name FIREWALL rcmd
ip inspect name FIREWALL realaudio
ip inspect name FIREWALL rtsp
ip inspect name FIREWALL esmtp
ip inspect name FIREWALL sqlnet
ip inspect name FIREWALL streamworks
ip inspect name FIREWALL tftp
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL vdolive
!
!
!
username 'your_username' privilege 15 password 7 'your_password'
!
!
!
bridge irb
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 no cdp enable
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no snmp trap link-status
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 no cdp enable
!
interface FastEthernet1
 no cdp enable
!
interface FastEthernet2
 no cdp enable
!
interface FastEthernet3
 no cdp enable
!
interface Virtual-Template2
 no ip address
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers tkip
 !
 ssid 'your_ssid'
  authentication open
  authentication key-management wpa
  guest-mode
  wpa-psk ascii 7 'your_key'
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 basic-12.0 18.0 24.0 36.0 48.0 54.0
 channel 2462
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 ip nat outside
 ip inspect FIREWALL out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname 'your_hostname'
 ppp chap password 7 'your_password'
!
interface BVI1
 description $FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging 10.10.10.8
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit udp host 193.92.123.152 eq ntp any eq ntp
access-list 101 permit udp host 193.92.110.1 eq domain any
access-list 101 permit udp host 194.219.227.2 eq domain any
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
!!! AUTHORIZED ACCESS ONLY !!!
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 4
 privilege level 15
 login local
 transport input ssh
 transport output ssh
!
scheduler max-task-time 5000
!
end

If you use it, don't forget to change usernames, etc. Alternatively try to use the Output Interpreter Tool in cisco.com. Hope this helps

Nikos

Reply to
sek
