Multiple DHCP Scopes associated with VLANs

Hi there. First of all, I'm from Switzerland, so I apologize in advance for my bad English.

My problem is the following: I'm trying to set up a Cisco 1231 AP (IOS 12.3). I configured (with the GUI) an SSID 'intern' associated with VLAN 250. Now I have two new virtual interfaces, Dot11Radio0.250 and FastEthernet0.250. They are both in 'bridge-group 250'. The physical interface 'Dot11Radio0' itself is in 'bridge-group 1', as is the physical interface FastEthernet0.

Now I configured these DHCP Scopes like that:

ip dhcp excluded-address 10.1.0.1 10.1.0.2
ip dhcp pool INTERN
 network 10.1.0.0 /28
 lease 10

ip dhcp excluded-address 10.0.0.1 10.0.0.3
ip dhcp pool DEFAULT
 network 10.0.0.0 /28
 lease 10

The following IP settings are set:

Dot11Radio0:        no ip address
Dot11Radio0.250:    10.1.0.1 /28
FastEthernet0:      no ip address
FastEthernet0.250:  no ip address
BVI1:               10.0.0.2 /28

Now when I try to connect to the AP using the SSID 'intern', I get no IP address.

I even tried to configure a BVI250 interface with the IP address 10.1.0.2 /28; it doesn't help. On the AP I turned on all the 'debug ip dhcp server' options and I don't even see a DHCPDISCOVER. I also tried to remove the Dot11Radio0 interface from bridge-group 1, which the AP says isn't allowed.

Probably I don't understand the bridge-group thing very well, but isn't it inconsistent when the 'root' interface Dot11Radio0 is in bridge-group 1 and the sub-interface Dot11Radio0.250 itself is in bridge-group 250?

I tried one more thing: I did exactly the same configuration (in the GUI) without assigning the SSID 'intern' to a VLAN. In that case I get an IP address out of the DEFAULT pool.

Reply to
bck

Please post:

  1. show version

  2. show run

  3. conf t
     logging buffer 10000 debug
     exit
     wri mem

     clear log

     debug dhcp detail

     ! have wireless client associate to SSID and attempt to obtain DHCP address

     undebug all

  4. post output of "show log" after associating with AP
Reply to
Merv
  1. show version

Cisco IOS Software, C1200 Software (C1200-K9W7-M), Version 12.3(7)JA2, RELEASE SOFTWARE (fc1)
BOOTLDR: C1200 Boot Loader (C1200-BOOT-M) Version 12.2(8)JA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address     : 00:12:00:9D:F3:60
Part Number                   : 73-8704-07
PCA Assembly Number           : 800-23211-08
PCA Revision Number           : A0
PCB Serial Number             : FOC08350KSM
Top Assembly Part Number      : 800-23304-07
Top Assembly Serial Number    : FCZ0841Z0YR
Top Revision Number           : B0
Product/Model Number          : AIR-AP1231G-E-K9

  2. show run

!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname IPA2006_AP1
!
enable secret 5 $SmqK$SohoAaAZCXOxIzUeh5WOw/
!
ip subnet-zero
ip dhcp excluded-address 10.1.0.1
ip dhcp excluded-address 10.0.0.1 10.0.0.3
!
ip dhcp pool INTERN
 network 10.1.0.0 255.255.255.240
 lease 10
!
ip dhcp pool DEFAULT
 network 10.0.0.0 255.255.255.240
 lease 10
!
!
no aaa new-model
!
dot11 ssid intern
 vlan 250
 authentication open
!
!
!
username Cisco password 7 14341B180F0B
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 250 key 1 size 128bit 7 ED8B9B24F79337ABFC10BFF2126B transmit-key
 encryption vlan 250 mode wep mandatory
 !
 ssid intern
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2447
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.250
 encapsulation dot1Q 250
 ip address 10.1.0.1 255.255.255.240
 no ip route-cache
 bridge-group 250
 bridge-group 250 subscriber-loop-control
 bridge-group 250 block-unknown-source
 no bridge-group 250 source-learning
 no bridge-group 250 unicast-flooding
 bridge-group 250 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.250
 encapsulation dot1Q 250
 no ip route-cache
 bridge-group 250
 no bridge-group 250 source-learning
 bridge-group 250 spanning-disabled
!
interface BVI1
 ip address 10.0.0.2 255.255.255.240
 no ip route-cache
!
interface BVI250
 ip address 10.1.0.2 255.255.255.240
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path
formatting link
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
 transport preferred all
 transport output all
line vty 0 4
 login local
 transport preferred all
 transport input all
 transport output all
line vty 5 15
 login
 transport preferred all
 transport input all
 transport output all
!
end

  3. turned on "debug dhcp detail", connected to the AP, the output goes like this:

*Mar 1 02:16:24.967: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0040.96a8.0737 Reason: Disassociated because sending station is leaving (or has left) BSS
*Mar 1 02:16:26.254: DHCPD: checking for expired leases.
*Mar 1 02:16:32.690: %DOT11-6-ASSOC: Interface Dot11Radio0, Station DEG-THO2 0040.96a8.0737 Associated KEY_MGMT[NONE]

Nothing more after associating with the AP.

Reply to
bck
  1. SSID "intern" needs to be configured to be part of VLAN 250

     see Cisco doc Configuring VLANs

     formatting link

  2. disable encryption on SSID intern until the DHCP issue is addressed.

  3. ensure wireless client has successfully associated:
     show dot11 assoc client

  4. check DHCP to see that DHCP discovery messages are being received from wireless client:
     show ip dhcp binding
     show ip dhcp server statistics
Reply to
Merv
  1. Yes, I have this document too, and I really wondered why I can't do the following on my AP:

IPA2006_AP1(config)#int
IPA2006_AP1(config)#int do0
IPA2006_AP1(config-if)#ssi
IPA2006_AP1(config-if)#ssid intern
IPA2006_AP1(config-if)#vlan 250
                       ^
% Invalid input detected at '^' marker.

But in my config there's the section:

dot11 ssid intern
 vlan 250
 authentication open

So I assume that the SSID 'intern' is configured to be part of VLAN 250.

I checked DHCP but there's nothing that would help. Nothing happens at all! Oh, and yes, clients do associate successfully with the AP. Even the repeater does.
Reply to
bck

Looks like Cisco may have changed some command usage:

dot11 ssid

Use the dot11 ssid global configuration command to create a global SSID. The SSID is inactive until you use the ssid configuration interface command to assign the SSID to a specific radio interface.

dot11 ssid ssid

In Cisco IOS Release 12.3(4)JA, you can configure SSIDs globally or for a specific radio interface. However, when you create an SSID using the ssid configuration interface command, the access point stores the SSID in global configuration mode.

Syntax Description: This command has no arguments or keywords.

Defaults: This command has no defaults.

Command Modes: Global configuration

Command History:
  Release     Modification
  12.3(2)JA   This command was introduced.

Examples

This example shows how to:

  · Create an SSID in global configuration mode
  · Configure the SSID for RADIUS accounting
  · Set the maximum number of client devices that can associate using this SSID to 15
  · Assign the SSID to a VLAN
  · Assign the SSID to a radio interface

AP# configure terminal
AP(config)# dot11 ssid batman
AP(config-ssid)# accounting accounting-method-list
AP(config-ssid)# max-associations 15
AP(config-ssid)# vlan 3762
AP(config-ssid)# exit
AP(config)# interface dot11radio 0
AP(config-if)# ssid batman

so try:

! configure SSID intern at global config command level
dot11 ssid intern
 vlan 250
 authentication open
 exit
exit

! apply the SSID intern to interface d0
int d0
 ssid intern
 exit

Reply to
Merv

You can't configure the same VLAN with two different IP subnets. If you want the radio and Fast Ethernet to be on different subnets, then change the VLAN number on the radio (or get rid of it completely) and delete the bridge config.

Scott

Reply to
thrill5

Yep, I see. But that's exactly the same I already have in my config, isn't it?

Reply to
bck

Well, I don't want to configure the same VLAN with two different IP subnets. And I don't want the radio and the Ethernet to be on different subnets either.

The thing I want:

  1. 2 DHCP pools (INTERN, EXTERN)
  2. 2 SSIDs (intern, extern)
  3. When you connect with SSID 'intern' you get an IP address out of the INTERN pool, and vice versa.

Therefore I actually need 2 different VLANs associated with SSIDs.

Reply to
bck

My current running config:

!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname IPA2006_AP1
!
logging buffered 10000 debugging
enable secret 5 $1$SmqK$SohoAaAZCXOxIzUeh5WOw/
!
ip subnet-zero
ip dhcp excluded-address 10.1.0.1
ip dhcp excluded-address 10.0.0.1 10.0.0.4
!
ip dhcp pool INTERN
 network 10.1.0.0 255.255.255.240
 default-router 10.1.0.1
 dns-server 212.90.199.2
 lease 10
!
ip dhcp pool EXTERN
 network 10.2.0.0 255.255.255.240
 default-router 10.2.0.1
 dns-server 212.90.199.2
 lease 10
!
ip dhcp pool TESTPPOL
 network 10.0.0.0 255.255.255.240
 lease 10
!
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.0.0.2 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
aaa group server tacacs+ tac_admin
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
 all
!
aaa session-id common
dot11 vlan-name extern vlan 251
!
dot11 ssid extern
 vlan 251
 authentication open
!
dot11 ssid infrastructure
 vlan 1
 authentication open
 infrastructure-ssid
!
dot11 ssid intern
 vlan 250
 authentication open mac-address mac_methods eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
!
!
!
username Cisco password 7 14341B180F0B
username 004096a80737 password 7 0256540F5B5F5920141E5E4A52
username 004096a80737 autocommand exit
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm tkip wep128
 !
 encryption vlan 250 mode ciphers aes-ccm tkip
 !
 broadcast-key change 18000
 !
 broadcast-key vlan 250 change 18000
 !
 !
 ssid extern
 !
 ssid infrastructure
 !
 ssid intern
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2447
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.250
 encapsulation dot1Q 250
 ip address 10.1.0.1 255.255.255.240
 no ip route-cache
!
interface Dot11Radio0.251
 encapsulation dot1Q 251
 ip address 10.2.0.1 255.255.255.240
 no ip route-cache
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 hold-queue 160 in
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.0.0.2 255.255.255.240
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path
formatting link
radius source-interface BVI1
!
radius-server local
 nas 10.0.0.2 key 7 071C244F5C0C0D
 user hstucki nthash 7 0558222D056918504E2140435D55540B7C7271616576312234525304010B050356
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 key 7 0518030C33495A
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
!
line con 0
line vty 5 15
!
end

And still: when I connect to FastEthernet0 with a CAT5 cable, I get an IP address out of the TESTPOOL. With DHCP debug messages enabled I see the whole choreography succeed.

When I connect over the WLAN adapter with SSID intern or extern, I don't see anything and I get the standard 169.x.x.x crap.

Reply to
bck

To carry VLAN 1 on the 802.1Q trunk to the upstream switch:

interface FastEthernet0
 no bridge-group 1

interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 exit

Make sure the BVI1 interface (10.0.0.2) is still pingable after this change.

Please post output of:

show dot11 assoc client

show mac-address-table

show vlan

Reply to
Merv

OK, I didn't actually have to make any change. What you suggested,

interface FastEthernet0
 no bridge-group 1

interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 exit

is already active.

show dot11 assoc output:

802.11 Client Stations on Dot11Radio0:

SSID [infrastructure] :

MAC Address     IP address  Device         Name            Parent  State
000b.be81.8fcc  10.0.0.3    ap1100-Rptr    IPA2006_AP2     self    Assoc

SSID [intern] :

MAC Address     IP address  Device         Name            Parent  State
0040.96a8.0737  127.0.0.1   CB21AG/PI21AG  HOTSPOT-NB1053  self    EAP-Assoc

  1. show mac-address-table: can't find this command.

  2. show vlans:

Virtual LAN ID:  1 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interfaces:   Dot11Radio0.1
                            FastEthernet0.1
                            Virtual-Dot11Radio0.1

   This is configured as native Vlan for the following interface(s) :
   Dot11Radio0
   FastEthernet0
   Virtual-Dot11Radio0

   Protocols Configured:   Address:          Received:   Transmitted:
        Bridging        Bridge Group 1           3008             88
        Other                                       0            436

   2946 packets, 492649 bytes input
   193 packets, 54302 bytes output

        Bridging        Bridge Group 1           3012             88
        Other                                       0            436

   784 packets, 89513 bytes input
   147 packets, 52412 bytes output

        Bridging        Bridge Group 1           3013             88
        Other                                       0            436

   0 packets, 0 bytes input
   187 packets, 54583 bytes output

Virtual LAN ID:  250 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interfaces:   Dot11Radio0.250
                            Virtual-Dot11Radio0.250

   Protocols Configured:   Address:          Received:   Transmitted:
        IP              10.1.0.1                    5              3
        Other                                       0             18

   76 packets, 11995 bytes input
   15 packets, 1305 bytes output

        IP              10.1.0.1
        Other                                       0             18

   0 packets, 0 bytes input
   6 packets, 592 bytes output

Virtual LAN ID:  251 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interfaces:   Dot11Radio0.251
                            Virtual-Dot11Radio0.251

   Protocols Configured:   Address:          Received:   Transmitted:
        IP              10.2.0.1                   12             18
        Other                                       0             18

   138 packets, 34663 bytes input
   30 packets, 1995 bytes output

        IP              10.2.0.1
        Other                                       0             18

   0 packets, 0 bytes input
   6 packets, 592 bytes output
Reply to
bck
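The two running configs posted in this thread and the show vlans output just above differ in one structural detail that is easy to lose in a wall of config text: in the first config VLAN 250 has a radio subinterface and a FastEthernet subinterface, both in bridge-group 250; in the second config the radio subinterfaces for VLANs 250 and 251 carry IP addresses but belong to no bridge group and have no FastEthernet counterpart, which is exactly what show vlans reports (trunk interfaces Dot11Radio0.250 and Virtual-Dot11Radio0.250 only, no FastEthernet0.250). The checker below is an added example, not code from this thread or from Cisco. It parses a show run into interface blocks and applies four consistency rules: R1 and R2 (one radio and one Ethernet subinterface per VLAN N, both in bridge-group N) follow the Cisco "Configuring VLANs" document referenced in the thread; R3 (a trunk that has dot1Q subinterfaces carries its native VLAN on a subinterface instead of being a bridge-group member itself) follows Merv's FastEthernet0 / FastEthernet0.1 suggestion; R4 (with bridge irb, the routed address for bridge group N lives on BVI N) follows the IOS IRB model. The rule names, the one-space sub-command indentation the parser relies on, and the two sample configs (constructed, trimmed copies of the posted ones) are this example's own assumptions, and a clean report says nothing about whether the DHCP server itself answers.

```python
"""Lint a Cisco IOS autonomous-AP 'show run' for VLAN / bridge-group consistency."""
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class Iface:
    name: str
    vlan: int | None = None          # from "encapsulation dot1Q N"
    bridge_group: int | None = None  # from a bare "bridge-group N" line
    ip_address: str | None = None    # from "ip address A.B.C.D mask"

_ENCAP = re.compile(r"encapsulation dot1[qQ] (\d+)")
_BG = re.compile(r"bridge-group (\d+)$")   # ignores "bridge-group N spanning-disabled" etc.
_IP = re.compile(r"ip address (\d+\.\d+\.\d+\.\d+) \S+$")

def parse_interfaces(config: str) -> dict[str, Iface]:
    # IOS indents sub-commands by one space and prints "!" separators *inside* the
    # radio block, so a block ends at the next unindented command, not at "!".
    ifaces: dict[str, Iface] = {}
    cur: Iface | None = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):            # top-level command
            cur = None
            if line.startswith("interface "):
                cur = Iface(name=line.split(None, 1)[1])
                ifaces[cur.name] = cur
            continue
        if cur is None:
            continue
        if m := _ENCAP.match(line):
            cur.vlan = int(m.group(1))
        elif m := _BG.match(line):
            cur.bridge_group = int(m.group(1))
        elif m := _IP.match(line):
            cur.ip_address = m.group(1)
    return ifaces

def lint(config: str) -> list[tuple[str, str, str]]:
    """Return (rule, interface, detail) findings; an empty list means consistent."""
    ifaces = parse_interfaces(config)
    irb = any(l.strip() == "bridge irb" for l in config.splitlines())
    subs = {n: i for n, i in ifaces.items() if i.vlan is not None}
    eth = [i for n, i in subs.items() if n.startswith("FastEthernet")]
    out: list[tuple[str, str, str]] = []
    for name, i in subs.items():
        if not name.startswith("Dot11Radio"):
            continue
        if i.bridge_group != i.vlan:   # R1: radio subinterface for VLAN N sits in bridge-group N
            out.append(("R1", name, f"VLAN {i.vlan} has bridge-group {i.bridge_group}, expected {i.vlan}"))
        if not any(e.vlan == i.vlan and e.bridge_group == i.vlan for e in eth):   # R2: wired side
            out.append(("R2", name, f"no FastEthernet subinterface bridges VLAN {i.vlan}; wireless clients on it reach nothing wired"))
    for phys in ("Dot11Radio0", "FastEthernet0"):   # R3: the trunk itself is not a bridge-group member
        p = ifaces.get(phys)
        if p and p.bridge_group is not None and any(n.startswith(phys + ".") for n in subs):
            out.append(("R3", phys, f"trunk is itself in bridge-group {p.bridge_group}; carry the native VLAN on a subinterface instead"))
    if irb:   # R4: under IRB the routed address for bridge group N lives on BVI N
        for name, i in subs.items():
            if i.ip_address:
                out.append(("R4", name, f"IP {i.ip_address} on a VLAN subinterface; with bridge irb it belongs on BVI{i.vlan}"))
    return out

# Constructed samples, trimmed from the two configs posted in this thread.
FIRST_CONFIG = """\
bridge irb
interface Dot11Radio0
 !
 bridge-group 1
interface Dot11Radio0.250
 encapsulation dot1Q 250
 ip address 10.1.0.1 255.255.255.240
 bridge-group 250
interface FastEthernet0
 bridge-group 1
interface FastEthernet0.250
 encapsulation dot1Q 250
 bridge-group 250
"""
SECOND_CONFIG = """\
bridge irb
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio0.250
 encapsulation dot1Q 250
 ip address 10.1.0.1 255.255.255.240
interface Dot11Radio0.251
 encapsulation dot1Q 251
 ip address 10.2.0.1 255.255.255.240
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface BVI1
 ip address 10.0.0.2 255.255.255.240
"""
```

Calling lint(FIRST_CONFIG) reports R3 for Dot11Radio0 and FastEthernet0 (the trunks themselves sit in bridge-group 1) and R4 for Dot11Radio0.250; lint(SECOND_CONFIG) reports R1, R2 and R4 for both Dot11Radio0.250 and Dot11Radio0.251, which is the same picture the show vlans output gives: those two VLANs exist on the radio only and are bridged nowhere. To run it against a real box, paste the show run into a file and call lint(open(path).read()).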

with a nicer formatting:

formatting link

Reply to
bck

The formatted output was much easier to read

It does not look like you have any client PCs associated to the AP. Is this correct?

If this is the case can you have a PC associate and post output of show dot11 assoc client

Reply to
Merv

Nope, that's not correct. I do have a Client associated:

formatting link
with SSID intern, EAP-Associated.

With show dot11 assoc client it just shows only this line. (SSID [intern] : )

Reply to
bck
0040.96a8.0737 is the client PC under test ?

It looks like you have WEP configured.

We had a recent situation where a wireless client could not get a DHCP address because the WEP key number did not match that of the AP. So you may want to check that. If that does not work, then I would remove WEP encryption until the DHCP issue is resolved.

Reply to
Merv

What is the version of the client software being used with the CB21AG ?

Reply to
Merv

Please see my followup to your posting in "alt.internet.wireless". (FYI, if you want to post your article in two groups, please do it via a single posting (with multiple groups listed in the Newsgroups header), rather than via two independent postings.)

Regards,

Aaron

Reply to
Aaron Leonard

Hi Aaron,

Thanks for the advice (Multiple Groups) I didn't realize you can actually do that. And, thank you for your time-saving follow-up in "alt.internet.wireless".

Kind Regards, Thomas

Reply to
bck
