
Cisco aironet AP doesn't let dhcp through

roncro
Level 3

I set an access point (Aironet 1100) up like I have a few others, but it doesn't seem to forward traffic, or DHCP is not working.

I wonder if I missed something on the switch (Cisco 2960) or router (Cisco 2951).

 

Here is what I added to the switch and router:

Cisco 2960 switch:

interface GigabitEthernet1/0/24
switchport trunk native vlan 37
switchport trunk allowed vlan 9,37
switchport mode trunk


interface Vlan9
ip address 192.168.9.3 255.255.255.0

 


Cisco 2951 router:

ip dhcp pool VLAN9-EQUIPMENT-POOL
import all
origin file tftp://192.168.2.8/dhcp/static-bindings-hw-9
default-router 192.168.9.1
dns-server 192.168.1.1
domain-name localdomain
option 42 ip 192.168.1.1


interface GigabitEthernet0/1.9
encapsulation dot1Q 9
ip address 192.168.9.1 255.255.255.0
ip helper-address 192.168.1.1
ip directed-broadcast
ip nat inside
ip virtual-reassembly in


ip nat inside source list 109 interface GigabitEthernet0/0 overload

access-list 109 permit ip 192.168.9.0 0.0.0.255 any

 

 


roncro
Level 3

Oh, and this is the Aironet config:

#show run
Building configuration...

Current configuration : 1933 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap-nata
!
no logging console
!
ip subnet-zero
ip domain name net.wichita.edu
ip name-server 156.26.1.30
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
!
dot11 ssid TM-NATA
vlan 9
authentication open
guest-mode
!
!
!
username admin privilege 15 password 7 08355F5B0718081E4358
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
ssid TM-NATA
!
speed 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.9
encapsulation dot1Q 9
no ip route-cache
bridge-group 9
bridge-group 9 subscriber-loop-control
bridge-group 9 block-unknown-source
no bridge-group 9 source-learning
no bridge-group 9 unicast-flooding
bridge-group 9 spanning-disabled
!
interface Dot11Radio0.37
encapsulation dot1Q 37 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.9
encapsulation dot1Q 9
no ip route-cache
bridge-group 9
no bridge-group 9 source-learning
bridge-group 9 spanning-disabled
!
interface FastEthernet0.37
encapsulation dot1Q 37 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.37.22 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.37.1
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end

ap-nata#

access-list 100 permit ip host 0.0.0.0 host 255.255.255.255 
debug ip packet detail 100

Run this on the SW to check whether the AP forwards the DHCP packets or not.
NOTE: disable the debug after you capture some packets.
NOTE: use an ACL with the debug; debug without an ACL makes the SW run at high CPU.
MHM
 

I don't see any packets at all. I assume you wanted me to do a "debug ip packet detail 109", since it is access list #109?

Oops, you meant on the switch.

I ssh-ed into the switch but don't see any packets.

 

Now:
The AP receives the Wi-Fi frame, tags it with 37 and sends it to the SW, and the SW forwards this frame tagged with 37 to the router.
The router has only a subinterface for VLAN 9, no subinterface for VLAN 37?
You need to add a subinterface on the router for VLAN 37.
MHM

Yes it does, I use it as the native VLAN for all the APs I have.

interface GigabitEthernet0/1.37
encapsulation dot1Q 37
ip address 192.168.37.1 255.255.255.0
!

No, the ACL is used to capture only DHCP.
The ACL is the one shown in my previous comment, not the ACL you use in your config.
MHM

I don't understand what you mean by using ACL with debug.  I used the "access-list 100 permit ip host 0.0.0.0 host 255.255.255.255" on the switch and ran "debug ip packet detail 100"  (the output probably goes to the console?  I don't have a console for it.)

OK, no need for the debug, disable it.

Now:

The router has a subinterface for 37 (native).

Can you share:

show ip dhcp server statistics

MHM

Oh, DHCP is working; I have bunches of devices that boot using DHCP.

 

#Show ip dhcp server statistics
Memory usage 101730
Address pools 9
Database agents 9
Automatic bindings 0
Manual bindings 116
Expired bindings 0
Malformed messages 0
Secure arp entries 0

Message Received
BOOTREQUEST 0
DHCPDISCOVER 3721
DHCPREQUEST 9061
DHCPDECLINE 0
DHCPRELEASE 416
DHCPINFORM 0

Message Sent
BOOTREPLY 0
DHCPOFFER 1318
DHCPACK 9057
DHCPNAK 4

Yes, it works. Returning to your DHCP pool: there is no network, and the default router is not in the same subnet as VLAN 37?

MHM

In VLAN 37 all devices, the APs, have the IP address (in 192.168.37.0) and netmask "hard coded". It works with all APs; I have a few Aironet 1200 and Aironet 1100.

I now get it.
You need two DHCP pools:
one for DHCP, and you use hardcoded (via file) for the AP IP,
the other for the Wi-Fi clients.
MHM
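
The check raised a few replies up (does the DHCP pool have a network statement, and which routed subinterface's subnet contains its default-router) can be run mechanically over a saved config. The Python below is an added example, not code from any poster in this thread; the sample config is reassembled and re-indented from the router snippets posted above, and the function names `stanzas` and `audit_pools` are made up for illustration.

```python
import ipaddress
import re

# Constructed sample: router lines posted in this thread, re-indented IOS-style.
ROUTER_CFG = """\
ip dhcp pool VLAN9-EQUIPMENT-POOL
 origin file tftp://192.168.2.8/dhcp/static-bindings-hw-9
 default-router 192.168.9.1
!
interface GigabitEthernet0/1.9
 encapsulation dot1Q 9
 ip address 192.168.9.1 255.255.255.0
!
interface GigabitEthernet0/1.37
 encapsulation dot1Q 37
 ip address 192.168.37.1 255.255.255.0
!
"""

def stanzas(cfg, prefix):
    """Yield (name, body_text) for each top-level stanza that starts with prefix."""
    name, body = None, []
    for line in cfg.splitlines() + ["!"]:      # sentinel flushes the last stanza
        if name is not None and not line.startswith(" "):
            yield name, "\n".join(body)
            name = None
        if line.startswith(prefix):
            name, body = line[len(prefix):].strip(), []
        elif name is not None:
            body.append(line.strip())

def audit_pools(cfg):
    # Per DHCP pool: is there a network statement, and which VLAN holds its gateway?
    vlan_nets = {}                              # dot1Q VLAN id -> routed subnet
    for _, text in stanzas(cfg, "interface "):
        ip = re.search(r"^ip address (\S+) (\S+)$", text, re.M)
        vlan = re.search(r"^encapsulation dot1Q (\d+)", text, re.M)
        if ip and vlan:
            iface = ipaddress.ip_interface(f"{ip.group(1)}/{ip.group(2)}")
            vlan_nets[int(vlan.group(1))] = iface.network
    report = {}
    for name, text in stanzas(cfg, "ip dhcp pool "):
        gw = re.search(r"^default-router (\S+)", text, re.M)
        gw_ip = ipaddress.ip_address(gw.group(1)) if gw else None
        report[name] = {
            "has_network": bool(re.search(r"^network ", text, re.M)),
            "has_origin_file": bool(re.search(r"^origin file ", text, re.M)),
            "gateway_vlans": [v for v, n in vlan_nets.items() if gw_ip in n] if gw_ip else [],
        }
    return report
```

For the pool posted in this thread, `audit_pools(ROUTER_CFG)` reports no `network` statement, an `origin file`, and a default-router inside the VLAN 9 subinterface's subnet.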
