Options
AIR-AP1142N-A-K9 configuration issue for guest ssid and BVI1 down
Route->This
Member Posts: 32 ■■□□□□□□□□
in CCNP
I'm trying to get the guest ssid working any help would be greatly appreciated. I was frustrated so saved my old config and wiped out everything on this AP. Now my interface bvi1 does not come online. It previously worked but don’t know why it doesn’t now.
ap#sh ip int bri
Interface IP-Address OK? Method Status Protocol
BVI1 192.168.2.249 YES NVRAM down down
Dot11Radio0 unassigned YES NVRAM up up
Dot11Radio0.50 unassigned YES unset up up
Dot11Radio0.51 unassigned YES unset up up
Dot11Radio1 unassigned YES NVRAM administratively down down
GigabitEthernet0 unassigned YES NVRAM up up
GigabitEthernet0.50 unassigned YES unset up up
GigabitEthernet0.51 unassigned YES unset up up
ap#
ap#sh int bvi
*May 6 15:05:24.611: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]1
BVI1 is down, line protocol is down
Hardware is BVI, address is 003a.99eb.8d00 (bia b862.1fe9.9af0)
Internet address is 192.168.2.249/24
MTU 1500 bytes, BW 54000 Kbit, DLY 5000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
3 packets output, 180 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
ap#
I have a private vlan 50 and the public vlan 51. The private ssid seems to work and allow connectivity to the internet but I don't understand with the same configuration the Public ssid doesn't seem to work.
I get this output when trying to connect with my cell phone.
*May 6 15:00:37.288: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
*May 6 15:00:42.935: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
*May 6 15:01:13.913: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
*May 6 15:01:17.281: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
*May 6 15:01:48.181: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
*May 6 15:01:51.583: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
*May 6 15:02:22.500: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
*May 6 15:03:41.852: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
SSID [PUBLIC] :
MAC Address IP address Device Name Parent State
847a.8835.4f22 0.0.0.0 ccx-client - self Assoc
ap#
ap#show run
Building configuration...
Current configuration : 2746 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
!
dot11 syslog
!
dot11 ssid PRIVATE
vlan 50
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 01150F035E050E0A2D
!
dot11 ssid PUBLIC
vlan 51
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 045D02010A2F444B05
!
!
!
username Admin privilege 15 password 7 0526071D3545175840
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 50 mode ciphers aes-ccm
!
encryption vlan 51 mode ciphers aes-ccm
!
encryption mode ciphers aes-ccm tkip
!
ssid PRIVATE
!
ssid PUBLIC
!
antenna gain 0
mbssid
station-role root
!
interface Dot11Radio0.50
encapsulation dot1Q 50 native
no ip route-cache
bridge-group 50
bridge-group 50 subscriber-loop-control
bridge-group 50 block-unknown-source
no bridge-group 50 source-learning
no bridge-group 50 unicast-flooding
bridge-group 50 spanning-disabled
!
interface Dot11Radio0.51
encapsulation dot1Q 51
no ip route-cache
bridge-group 51
bridge-group 51 subscriber-loop-control
bridge-group 51 block-unknown-source
no bridge-group 51 source-learning
no bridge-group 51 unicast-flooding
bridge-group 51 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
antenna gain 0
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
!
interface GigabitEthernet0.50
encapsulation dot1Q 50 native
no ip route-cache
bridge-group 50
no bridge-group 50 source-learning
bridge-group 50 spanning-disabled
!
interface GigabitEthernet0.51
encapsulation dot1Q 51
no ip route-cache
bridge-group 51
no bridge-group 51 source-learning
bridge-group 51 spanning-disabled
!
interface BVI1
ip address 192.168.2.249 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.2.1
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
switch config:
interface FastEthernet1/0/46
switchport trunk encapsulation dot1q
switchport trunk native vlan 50
switchport trunk allowed vlan 50,51
switchport mode trunk
end
ap#sh ip int bri
Interface IP-Address OK? Method Status Protocol
BVI1 192.168.2.249 YES NVRAM down down
Dot11Radio0 unassigned YES NVRAM up up
Dot11Radio0.50 unassigned YES unset up up
Dot11Radio0.51 unassigned YES unset up up
Dot11Radio1 unassigned YES NVRAM administratively down down
GigabitEthernet0 unassigned YES NVRAM up up
GigabitEthernet0.50 unassigned YES unset up up
GigabitEthernet0.51 unassigned YES unset up up
ap#
ap#sh int bvi
*May 6 15:05:24.611: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]1
BVI1 is down, line protocol is down
Hardware is BVI, address is 003a.99eb.8d00 (bia b862.1fe9.9af0)
Internet address is 192.168.2.249/24
MTU 1500 bytes, BW 54000 Kbit, DLY 5000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
3 packets output, 180 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
ap#
I have a private vlan 50 and the public vlan 51. The private ssid seems to work and allow connectivity to the internet but I don't understand with the same configuration the Public ssid doesn't seem to work.
I get this output when trying to connect with my cell phone.
*May 6 15:00:37.288: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
*May 6 15:00:42.935: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
*May 6 15:01:13.913: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
*May 6 15:01:17.281: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
*May 6 15:01:48.181: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
*May 6 15:01:51.583: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
*May 6 15:02:22.500: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
*May 6 15:03:41.852: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
SSID [PUBLIC] :
MAC Address IP address Device Name Parent State
847a.8835.4f22 0.0.0.0 ccx-client - self Assoc
ap#
ap#show run
Building configuration...
Current configuration : 2746 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
!
dot11 syslog
!
dot11 ssid PRIVATE
vlan 50
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 01150F035E050E0A2D
!
dot11 ssid PUBLIC
vlan 51
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 045D02010A2F444B05
!
!
!
username Admin privilege 15 password 7 0526071D3545175840
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 50 mode ciphers aes-ccm
!
encryption vlan 51 mode ciphers aes-ccm
!
encryption mode ciphers aes-ccm tkip
!
ssid PRIVATE
!
ssid PUBLIC
!
antenna gain 0
mbssid
station-role root
!
interface Dot11Radio0.50
encapsulation dot1Q 50 native
no ip route-cache
bridge-group 50
bridge-group 50 subscriber-loop-control
bridge-group 50 block-unknown-source
no bridge-group 50 source-learning
no bridge-group 50 unicast-flooding
bridge-group 50 spanning-disabled
!
interface Dot11Radio0.51
encapsulation dot1Q 51
no ip route-cache
bridge-group 51
bridge-group 51 subscriber-loop-control
bridge-group 51 block-unknown-source
no bridge-group 51 source-learning
no bridge-group 51 unicast-flooding
bridge-group 51 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
antenna gain 0
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
!
interface GigabitEthernet0.50
encapsulation dot1Q 50 native
no ip route-cache
bridge-group 50
no bridge-group 50 source-learning
bridge-group 50 spanning-disabled
!
interface GigabitEthernet0.51
encapsulation dot1Q 51
no ip route-cache
bridge-group 51
no bridge-group 51 source-learning
bridge-group 51 spanning-disabled
!
interface BVI1
ip address 192.168.2.249 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.2.1
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
switch config:
interface FastEthernet1/0/46
switchport trunk encapsulation dot1q
switchport trunk native vlan 50
switchport trunk allowed vlan 50,51
switchport mode trunk
end
Comments
-
OptionsRoute->This
Member Posts: 32 ■■□□□□□□□□
Sorry ignore that..I copied it after I shut it down set the duplex and speed to auto and reopened the port.
-
OptionsRoute->This
Member Posts: 32 ■■□□□□□□□□
This is a question for the wireless guys. I realized for the issue with bvi1 being down its because there aren't any bridge group 1 associating it. I verified by configuring a logical interface bvi50 and it went up. I'm not 100% familiar with cisco access points do the vlans created for the ssids in the AP have to be identical to the vlans created in the switch? I know the bridge-groups have to be identical to the sub interface number and vlan number. My private vlan is 50 and if I add bridge-group 1 on that it throws everything out of whack. According to the console I can't configure bridge 50 for routing
ap(config)#bridge 50 route ip
%command not allowed, route ip only allowed on bridge group 1
ap(config)#
