02-16-2019 03:27 PM - edited 03-08-2019 05:21 PM
Hi,
Could someone please tell me what's wrong with my switch configuration? I cannot ping devices from my access point or access its web-browser interface.
IP address for vlan 10 interface on the switch is 10.x.x.2
IP address for BVI1 interface on access point is 10.x.x.5
Native VLAN on both the switch and access point is set to vlan 98
FROM THE ACCESS POINT
I cannot ping the switch 10.x.x.2
I cannot ping a device connected to the access point 10.x.x.246
FROM THE SWITCH
I can ping a device connected to the access point 10.x.x.246
I can ping the sub-interface for vlan 10 on the router 10.x.x.1
I cannot ping BVI1 on the access point 10.x.x.5
FROM A WIRELESS DEVICE
I can ping the sub-interface for vlan 10 on the switch 10.x.x.2
I can ping the sub-interface for vlan 10 on the router 10.x.x.1
I cannot ping BVI1 on the access point 10.x.x.5
*********************************************************************
SWITCH sh ip int brief
sw-public#sh ip int brief
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM administratively down down
Vlan10 10.x.x.2 YES NVRAM up up
Vlan98 unassigned YES unset up up
Vlan666 unassigned YES unset down down
GigabitEthernet1/0/1 unassigned YES unset up up
…
GigabitEthernet1/0/52 unassigned YES unset up up
sw-public#
Should the IP address for BVI1 appear next to GigabitEthernet1/0/1?
*********************************************************************
ACCESS POINT sh ip int brief
ap#show ip interface br
Interface IP-Address OK? Method Status Protocol
BVI1 10.10.10.5 YES manual up up
Dot11Radio0 unassigned YES NVRAM up up
Dot11Radio0.10 unassigned YES unset up up
Dot11Radio0.98 unassigned YES unset up up
Dot11Radio1 unassigned YES NVRAM up up
Dot11Radio1.10 unassigned YES unset up up
Dot11Radio1.98 unassigned YES unset up up
GigabitEthernet0 unassigned YES NVRAM up up
GigabitEthernet0.10 unassigned YES unset up up
GigabitEthernet0.98 unassigned YES unset up up
ap#
*********************************************************************
SWITCH CONFIGURATION
switch#show config
Using 14534 out of 524288 bytes
!
! Last configuration change at 17:30:48 UTC Sat Feb 16 2019 by ares
! NVRAM config last updated at 17:30:56 UTC Sat Feb 16 2019 by ares
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname switch
!
boot-start-marker
boot-end-marker
!
enable secret 5 #########
!
username ######### privilege 15 secret 5 #########
no aaa new-model
clock timezone UTC -5 0
clock summer-time UTC recurring
switch 1 provision ws-c3750g-48ps
system mtu routing 1500
ip routing
ip domain-name #######.local
ip dhcp database nvram:dhcp_public.txt
ip dhcp excluded-address 10.x.x.1 10.x.x.10
!
ip dhcp pool public
network 10.x.x.0 255.255.255.0
! IP ADDRESS OF THE VLAN 10 SUB-INTERFACE ON THE ROUTER (10.x.x.1)
dns-server 10.x.x.1
! IP ADDRESS FOR VLAN 10 INTERFACE ON THIS SWITCH (10.x.x.2)
default-router 10.x.x.2
!
!
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
!
!
! CONNECTS TO AIRONET
interface GigabitEthernet1/0/1
description aironet1
switchport trunk encapsulation dot1q
switchport trunk native vlan 98
switchport trunk allowed vlan 10,98,666
switchport mode trunk
!
! abbreviated
!
! CONNECTS TO ROUTER
interface GigabitEthernet1/0/52
description rt-core G0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 98
switchport trunk allowed vlan 10,98,666
switchport mode trunk
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description guest_vlan
ip address 10.x.x.2 255.255.255.0
no ip route-cache
!
interface Vlan98
description native_vlan
no ip address
no ip route-cache
!
interface Vlan666
description quarantine_vlan
no ip address
no ip route-cache
!
no ip http server
no ip http secure-server
!
! IP ADDRESS OF THE VLAN 10 SUB-INTERFACE ON THE ROUTER (10.x.x.1)
ip route 0.0.0.0 0.0.0.0 10.x.x.1
!
!
line con 0
exec-timeout 15 0
logging synchronous
login local
length 0
line vty 0 4
exec-timeout 15 0
logging synchronous
login local
length 0
transport input telnet ssh
line vty 5 15
no login
!
ntp peer 10.x.x.1
end
switch#
*********************************************************************
ACCESS POINT CONFIGURATION
ap#show config
Using 3347 out of 32768 bytes
!
! Last configuration change at 00:51:16 EDT Sat May 29 1993 by ares
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
!
logging rate-limit console 9
enable secret 5 ###########
!
no aaa new-model
clock timezone EST -5 0
clock summer-time EDT recurring
no ip source-route
no ip cef
ip domain name ###########.local
!
!
!
!
dot11 pause-time 100
dot11 syslog
dot11 vlan-name native_vlan vlan 98
dot11 vlan-name public_vlan vlan 10
!
dot11 ssid public_SSID
vlan 10
authentication open
authentication key-management wpa version 2
guest-mode
mbssid guest-mode
wpa-psk ascii 7 ###########
!
!
dot11 arp-cache optional
!
no ipv6 cef
!
!
username ########### privilege 15 secret 5 ###########
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 10 mode ciphers aes-ccm tkip
!
ssid #########
!
antenna gain 0
stbc
station-role root
no dot11 extension aironet
!
interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.98
encapsulation dot1Q 98 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 10 mode ciphers aes-ccm tkip
!
ssid public_SSID
!
antenna gain 0
peakdetect
dfs band 3 block
stbc
mbssid
channel width 80
channel dfs
station-role root
no dot11 extension aironet
!
interface Dot11Radio1.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio1.98
encapsulation dot1Q 98 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 spanning-disabled
no bridge-group 10 source-learning
!
interface GigabitEthernet0.98
encapsulation dot1Q 98 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface BVI1
mac-address #################
ip address 10.x.x.5 255.255.255.0
no ip route-cache
!
ip default-gateway 10.x.x.2
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
exec-timeout 15 0
logging synchronous
login local
length 0
line vty 0 4
exec-timeout 15 0
logging synchronous
login local
length 0
transport input all
!
end
ap#
02-17-2019 12:47 AM
Hello,
at first glance I would say the problem is that you have a BVI for bridge-group 1, but not for 10.
interface BVI1
mac-address #################
ip address 10.x.x.5 255.255.255.0 <--what is the real IP address here ?
no ip route-cache
Is Vlan 10 on the switch in the same address space as interface BVI 1?
02-17-2019 07:06 AM
Hi, please forgive my ignorance, but address space = subnet? If so, the vlan10 on the AP and switch are both in the same subnet, e.g. switch vlan interface = 10.10.10.2 and BVI1 = 10.10.10.5.
All the online guides that I found for configuring the Access Point for multiple VLANs said to assign the IP address to BVI1. I will try assigning the IP address to BVI10 and post the results.
Thanks for your help
PS I’m using the following devices/images:
AIR-CAP3702i with IOS 15.3(3)JG1 (fc1)
WS-C3750G with IOS 15.0(2)SE10a (fc3)
02-18-2019 09:05 AM
I updated my configs as follows:
ON THE AP
Created BVI10 with the following configuration:
mac-address a46c.2a76.0990
ip address 10.1.1.5 255.255.255.0
no ip route-cache
Updated BVI1
no mac address
no ip address
ON THE SWITCH
Updated interface GigabitEthernet1/0/1
switchport access vlan 10
RESULTS
No change in ping test results
Still can't access the AP browser interface
Much more visibility into the AP from the switch — the MAC address table on the switch shows the MAC addresses for devices connected to the AP, but doesn't show the AP's MAC address. I was able to see the AP using other commands - see results below:
*********************************************************************
sw-public#sh mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 #####.###.#### DYNAMIC Gi1/0/1 MAC ADDRESS OF CLIENT CONNECTED TO AP
10 #####.###.#### DYNAMIC Gi1/0/1 MAC ADDRESS OF CLIENT CONNECTED TO AP
10 #####.###.#### DYNAMIC Gi1/0/1 MAC ADDRESS OF CLIENT CONNECTED TO AP
10 #####.###.#### DYNAMIC Gi1/0/1 MAC ADDRESS OF CLIENT CONNECTED TO AP
10 #####.###.#### DYNAMIC Gi1/0/1 MAC ADDRESS OF CLIENT CONNECTED TO AP
*********************************************************************
sw-public#sh ip arp 10.1.1.5
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.5 22 <AP MAC Address> ARPA Vlan10
*********************************************************************
sw-public#show cdp neighbor detail
-------------------------
Device ID: ap.#######.local
Entry address(es):
IP address: 10.1.1.5
Platform: cisco AIR-SAP3702I-A-K9, Capabilities: Trans-Bridge Source-Route-Bridge IGMP
Interface: GigabitEthernet1/0/1, Port ID (outgoing port): GigabitEthernet0
Holdtime : 155 sec
Management address(es):
IP address: 10.1.1.5
02-18-2019 10:35 AM
Hello,
the BVI is typically matched to the native VLAN (VLAN 98 is your native VLAN in your case). Can you change the native VLAN on both ends to be VLAN 10?
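The check behind the reply above, as an added example (not part of the original thread and not Cisco tooling): a short Python audit that reads an autonomous-AP configuration like the one posted and reports which VLAN each addressed BVI is actually bridged into. The function names `interface_blocks` and `audit_bvi` and the placeholder address 10.0.0.5 are assumptions of this example.

```python
import re

# Constructed sample: the wired side of the AP configuration posted in this
# thread, trimmed; 10.0.0.5 is a placeholder for the masked 10.x.x.5.
AP_CONFIG = """\
interface GigabitEthernet0.10
encapsulation dot1Q 10
bridge-group 10
!
interface GigabitEthernet0.98
encapsulation dot1Q 98 native
bridge-group 1
!
interface BVI1
ip address 10.0.0.5 255.255.255.0
!
"""

def interface_blocks(config):
    """Map interface name -> sub-command text; '!' or the next interface ends a block."""
    pat = r"^[ \t]*interface (\S+)[ \t]*\n(.*?)(?=^[ \t]*(?:!|interface )|\Z)"
    return {m.group(1): m.group(2) for m in re.finditer(pat, config, re.M | re.S)}

def audit_bvi(config, mgmt_vlan, switch_native_vlan):
    """Report which VLAN each addressed BVI is bridged into (hypothetical helper)."""
    blocks = interface_blocks(config)
    group_vlan, native = {}, None
    for text in blocks.values():
        enc = re.search(r"^\s*encapsulation dot1Q (\d+)( native)?\s*$", text, re.M)
        grp = re.search(r"^\s*bridge-group (\d+)\s*$", text, re.M)
        if enc and grp:
            # A subinterface ties one 802.1Q VLAN to one bridge-group.
            group_vlan[int(grp.group(1))] = int(enc.group(1))
            if enc.group(2):
                native = int(enc.group(1))
    findings = []
    if native != switch_native_vlan:
        findings.append(f"native VLAN mismatch: AP {native}, switch {switch_native_vlan}")
    for name, text in blocks.items():
        # BVI<n> is the routed interface of bridge-group <n>.
        if name.startswith("BVI") and re.search(r"^\s*ip address \d", text, re.M):
            vlan = group_vlan.get(int(name[3:]))
            if vlan != mgmt_vlan:
                findings.append(f"{name} is bridged into VLAN {vlan}, but its subnet is on VLAN {mgmt_vlan}")
    return findings

if __name__ == "__main__":
    print(audit_bvi(AP_CONFIG, mgmt_vlan=10, switch_native_vlan=98))
```

For the posted configuration this reports BVI1 bridged into native VLAN 98 while the 10.x.x.0/24 subnet is on VLAN 10, which is consistent with the switch's Vlan10 interface being unable to reach 10.x.x.5.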
03-03-2019 09:41 AM
Thanks for your help and sorry for the delay in updating this post