cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
1251
Views
15
Helpful
10
Replies
MrDvD
Beginner

Cisco 891-W Wireless Issues

Hello Cisco,

hopefully someone with more expertise with the Cisco 891-W router can help me figure out my configuration issues?  Right now I have the wired part of the 891-W working fine with my cable modem on VLAN1.  But it's another story with my VLAN4 (wireless side).  I've been working on this all week and am hoping some fresh eyes can catch what's wrong with my config.   Currently, my laptop will see the SSID of the Wi-Fi (891W-WiFi) but when I try to connect I get an 169.254.180.251 IP?   Not sure if it's the DHCP or some kind of bridging with the AP module with the correct VLAN settings with my configuration?  I'll post my config below for both the router and AP.  Thank you to anyone that can give me some insight!

I've attached the configs just in case this post was too messy to read with all the configurations.

 

891W_Router#sh run
Building configuration...

Current configuration : 4826 bytes
!
! Last configuration change at 21:49:24 UTC Fri Apr 24 2015
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname 891W_Router
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
!
no logging on
enable secret 5 $1$3JJJ$6wL98gGvGJQ0ot1xChXJt1
!        
no aaa new-model
!
service-module wlan-ap 0 bootimage autonomous
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1853469223
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1853469223
 revocation-check none
!
!

ip source-route
!
!
!
ip dhcp excluded-address 192.168.99.1
ip dhcp excluded-address 192.168.100.1
!
ip dhcp pool Vlan4
   network 192.168.100.0 255.255.255.0
   default-router 192.168.100.1
   dns-server 8.8.8.8
!
ip dhcp pool Vlan1
   network 192.168.99.0 255.255.255.0
   default-router 192.168.99.1
   dns-server 192.168.0.1
!
!
ip cef
no ip domain lookup
ip name-server 209.18.47.61
ip name-server 209.18.47.62
ip inspect log drop-pkt
no ipv6 cef
!
multilink bundle-name authenticated
parameter-map type inspect global
 log dropped-packets enable
license udi pid CISCO891W-AGN-A-K9 sn FTX15130301
!
!
username dvd privilege 15 secret 5 $1$qHnY$pMyIf18Av.AS2ne0cxXle/
username cisco password 7 01100F175804
!
!
!        
!
!
!
!
bridge irb
!
!
!
!
interface FastEthernet0
 switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description WAN
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip address 10.10.10.10 255.255.255.255
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport trunk native vlan 4
 switchport mode trunk
!
interface Vlan1
 description Internal LAN
 ip address 192.168.99.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan4
 description Wi-Fi Users
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Async1
 no ip address
 encapsulation slip
!
interface GMPLS8
 no ip address
 no fair-queue
 no keepalive
!
ip forward-protocol nd
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0 overload
ip nat inside source list 2 interface Wlan-GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
logging esm config
access-list 1 permit 192.168.99.0 0.0.0.255
access-list 2 permit 192.168.100.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 exec-timeout 0 0
 password 7 020D0A5409040A2243401A160912
 logging synchronous
 login
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin udptn ssh
line aux 0
line vty 0 4
 password 7 130E191D090E013C3F3D
 login
 transport input all
!
end

--------------------------------------------------------------------------------------------------------------------------------

AP Configuration:

891W_Router#
891W_Router#service-module wlan-ap 0 session
Trying 10.10.10.10, 2002 ... Open

Connecting to AP console, enter Ctrl-^ followed by x,
then "disconnect" to return to router prompt

ap#sh run
Building configuration...

Current configuration : 1976 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ap
!
enable secret 5 $1$bW7h$C2mBp2TNgGbgkgj2fQHDa.
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid 891W-WIFi
!
dot11 ssid 891W-WiFi
   vlan 4
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 0 cisco891
!
!
!
username cisco privilege 15 secret 5 $1$yIzh$7/j0K1xcYbT99mP4hX3ZU/
username dvd password 0 kmob
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 4 mode ciphers aes-ccm tkip
 !
 ssid 891W-WiFi
 !
 antenna gain 0
 station-role root
!        
interface Dot11Radio0.4
 encapsulation dot1Q 4 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 antenna gain 0
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 description the embedded AP GigabitEthernet 0 is an internal interface

connecting AP with the host router
 no ip address
 no ip route-cache
!
interface GigabitEthernet0.4
 encapsulation dot1Q 4 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address dhcp
 no ip route-cache
!
ip default-gateway 192.168.100.1
ip http server
no ip http secure-server
ip http help-path

http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 protocol ieee
bridge 1 route ip
!
!
!
line con 0
 privilege level 15
 login local
 no activation-character
line vty 0 4
 login local
!
cns dhcp
end

 

 

10 REPLIES 10
m.george
Beginner

On the router:

interface wlan-ap0
 ip unnumbered Vlan1

interface Wlan-GigabitEthernet0

 switchport mode trunk

 

On the access point:

dot11 vlan-name <vlan> vlan 4

! replace <vlan> with your VLAN  name as used on router for consistency

Remove bridge group 1 from .4 subinterfaces and restore to main interface.

The interfaces will look like this when finished:

interface Dot11Radio0
 no ip address
 no ip route-cache
 !
  encryption vlan 4 mode ciphers aes-ccm tkip
 !
 ssid 891W-WiFi
!
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled

 

interface Dot11Radio0.4
 encapsulation dot1Q 4
 no ip route-cache
 bridge-group 4
 bridge-group 4 subscriber-loop-control
 bridge-group 4 block-unknown-source
 no bridge-group 4 source-learning
 no bridge-group 4 unicast-flooding
 bridge-group 4 spanning-disabled

 

interface Dot11Radio1

 no ip address
 no ip route-cache

encryption vlan 4 mode ciphers aes-ccm tkip
 ssid 891W-WiFi

 antenna gain 0
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled

 

interface Dot11Radio1.4
 encapsulation dot1Q 4
 no ip route-cache
 bridge-group 4
 bridge-group 4 subscriber-loop-control
 bridge-group 4 block-unknown-source
 no bridge-group 4 source-learning
 no bridge-group 4 unicast-flooding
 bridge-group 4 spanning-disabled

interface GigabitEthernet0
 no ip address
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.4
 encapsulation dot1Q 4
 no ip route-cache
 bridge-group 4
 no bridge-group 4 source-learning
 bridge-group 4 spanning-disabled
 

 

Then you can give your BVI1 interface a static IP address in VLAN 1 and restrict the VTY lines to only allow access from VLAN 1 not VLAN 4 for security.

The result is you have the SSID tied to VLAN 4 on both wireless interfaces and the virtual interface back to the router. The management address for the access point is on the wired subnet and you can restrict management of your network to this subnet, preventing wireless hosts from managing the network - not a good look.

Once you have tidied this up see if that has solved your problem please. I hope this makes sense!

 

 

 

What george is suggesting is indeed a better solution to create subinterfaces for the MGMT VLAN 1 and VLAN 4 user traffic on the AP.

The trunk from the router will then trunk vlan 1 and 4.

 

Cant really find anything else that is wrong with config other then you might want to remove the default cisco username.

And also the level 7 encryption is very weak so you might wanna change youre passwords from atleast the console.

Furthermore always watch out if there arent any username's passwords or snmp strings in cleartext when posting a config online.

I know this thread is 4 years old, but I have the same issue with my 891W, I followed the advice given here, but I cant get an DHCP IP address when connecting to my AP. If i set a static IP I still cant get out to the internet , the router part is fine 

 

 the configs are attached

Hello,

 

attached the (what I think should be) working configuration. Changes and important parts are marked in bold:

 

version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname 891W_Router
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
no logging on
enable secret 5 1100105
!
no aaa new-model
!
service-module wlan-ap 0 bootimage autonomous
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1853469223
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1853469223
revocation-check none
!
ip source-route
!
ip dhcp excluded-address 192.168.99.1
ip dhcp excluded-address 192.168.100.1
!
ip dhcp pool Vlan4
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 8.8.8.8
!
ip dhcp pool Vlan1
network 192.168.99.0 255.255.255.0
default-router 192.168.99.1
dns-server 192.168.0.1
!
ip cef
no ip domain lookup
ip name-server 209.18.47.61
ip name-server 209.18.47.62
ip inspect log drop-pkt
no ipv6 cef
!
multilink bundle-name authenticated
parameter-map type inspect global
log dropped-packets enable
!
bridge irb
!
interface FastEthernet0
switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0
description WAN
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip address unnumbered Vlan4
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport trunk native vlan 4
switchport mode trunk
!
interface Vlan1
description Internal LAN
ip address 192.168.99.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan4
description Wi-Fi Users
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Async1
no ip address
encapsulation slip
!
interface GMPLS8
no ip address
no fair-queue
no keepalive
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0 overload
--> no ip nat inside source list 2 interface Wlan-GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 dhcp
!
logging esm config
access-list 1 permit 192.168.99.0 0.0.0.255
access-list 1 permit 192.168.100.0 0.0.0.255
!
ip domain-lookup
no service config
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
exec-timeout 0 0
logging synchronous
login
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin udptn ssh
line aux 0
line vty 0 4
password 7 1100105
login
transport input all
!
end

--------------------------------------------------------------------------------------------------------------------------------

AP Configuration:


version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ap
!
no aaa new-model
!
dot11 syslog
!
dot11 ssid Bella
!
dot11 ssid Bella
mbssid guest-mode
vlan 4
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 5555555555
!
bridge irb
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 4 mode ciphers aes-ccm tkip
!
ssid Bella
!
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.4
encapsulation dot1Q 4 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 4 mode ciphers aes-ccm tkip
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interfaceconnecting AP with the host router
no ip address
no ip route-cache bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 4 mode ciphers aes-ccm tkip
ssid Bella
!
antenna gain 0
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.4
encapsulation dot1Q 4 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address dhcp
no ip route-cache
!
ip default-gateway 192.168.100.1
ip http server
no ip http secure-server
bridge 1 protocol ieee
bridge 1 route ip
!
interface GigabitEthernet0
no ip address
no ip route-cache
!
line con 0
privilege level 15
login local
no activation-character
line vty 0 4
login local
!
cns dhcp
end

 

 

 

I can finally ping out from the AP console , I still cannot cannot get a DHCP address when associated with the AP, I been working on this for days and i feel like im almost there

 

 

 

891W_Router#show config
Using 3664 out of 262136 bytes
!
! Last configuration change at 16:52:26 UTC Fri Sep 13 2019
!
version 15.5
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname 891W_Router
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
!
no logging on
!
no aaa new-model

ethernet lmi ce
memory-size iomem 10
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-1853469223
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1853469223
revocation-check none
rsakeypair TP-self-signed-1853469223
!
!
crypto pki certificate chain TP-self-signed-1853469223
!
!
!
!
!
!

!
ip dhcp excluded-address 192.168.99.1
ip dhcp excluded-address 192.168.100.1
!
ip dhcp pool Vlan4
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 8.8.8.8
!
ip dhcp pool Vlan1
network 192.168.99.0 255.255.255.0
default-router 192.168.99.1
dns-server 192.168.0.1
!
!
!
ip name-server 8.8.8.8

ip inspect log drop-pkt
ip cef
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO891W-AGN-A-K9 sn FTX151604R2

redundancy
!
!
!
!
!
!
!
!
!
!
!
bridge irb
!
!
!
!
interface FastEthernet0
switchport mode trunk
no ip address
!
interface FastEthernet1

no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
description WAN
no ip address

ip nat outside
ip virtual-reassembly in
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
description WAN
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan4
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport trunk native vlan 4
switchport mode trunk

no ip address
!
interface Vlan1
description Internal LAN
ip address 192.168.99.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan4
description Wi-Fi Users
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Async1
no ip address
encapsulation slip
!
interface GMPLS8
no ip address
no keepalive
!
ip forward-protocol nd

ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 1 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 dhcp
!
!
!
access-list 1 permit 192.168.99.0 0.0.0.255
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 2 permit 192.168.100.0 0.0.0.255
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable

mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
login
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line 2
no activation-character
no exec

transport preferred none
transport input all
transport output pad telnet rlogin udptn ssh
line aux 0
line vty 0 4
login
transport input all
!
!
end

 

 

____________________________________

AP

 

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ap
!
enable secret 5 $1$gUWs$SHn1YFDMXmSKX2sF.epuX1
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid 891W-WiFi
!
dot11 ssid Bella
vlan 4
authentication open
authentication key-management wpa

guest-mode
mbssid guest-mode
wpa-psk ascii 0 5555555555
!
!
!
username cisco privilege 15 secret 5 $1$vBe1$fdFA5dKMjuvAKH5tEeDTU/
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 4 mode ciphers aes-ccm tkip
!
ssid 891W-WiFi
!
ssid Bella
!
antenna gain 0

mbssid
station-role root
!
interface Dot11Radio0.4
encapsulation dot1Q 4 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 4 mode ciphers aes-ccm tkip
!
ssid 891W-WiFi
!
ssid Bella

!
antenna gain 0
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.4
encapsulation dot1Q 4
no ip route-cache
bridge-group 4
bridge-group 4 subscriber-loop-control
bridge-group 4 block-unknown-source
no bridge-group 4 source-learning
no bridge-group 4 unicast-flooding
bridge-group 4 spanning-disabled
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interfaceconnecting AP with the host router

no ip address
no ip route-cache
!
interface GigabitEthernet0.4
encapsulation dot1Q 4 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address dhcp
no ip route-cache
!
ip default-gateway 192.168.100.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 protocol ieee
bridge 1 route ip
!
!

 

 

!
line con 0
privilege level 15
login local
no activation-character
line vty 0 4
login local
!
cns dhcp
end

 

 

 

 

 

Hello,

 

check if Vlan 4 is actually existing on the router (sh vlan).

Also, on the AP you have two dot11 subinterfaces for Vlan 4, not sure if that creates a problem, but to be sure, delete the second, so the config looks like this:

 

AP

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ap
!
enable secret 5 $1$gUWs$SHn1YFDMXmSKX2sF.epuX1
!
no aaa new-model
!
dot11 syslog
!
dot11 ssid 891W-WiFi
!
dot11 ssid Bella
vlan 4
authentication open
authentication key-management wpa

guest-mode
mbssid guest-mode
wpa-psk ascii 0 5555555555
!
username cisco privilege 15 secret 5 $1$vBe1$fdFA5dKMjuvAKH5tEeDTU/
!
bridge irb
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 4 mode ciphers aes-ccm tkip
!
ssid 891W-WiFi
!
ssid Bella
!
antenna gain 0
!
mbssid
station-role root
!
interface Dot11Radio0.4
encapsulation dot1Q 4 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 4 mode ciphers aes-ccm tkip
!
ssid 891W-WiFi
!
ssid Bella
!
antenna gain 0
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interfaceconnecting AP with the host router
no ip address
no ip route-cache
!
interface GigabitEthernet0.4
encapsulation dot1Q 4 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address dhcp
no ip route-cache
!
ip default-gateway 192.168.100.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
privilege level 15
login local
no activation-character
line vty 0 4
login local
!
cns dhcp
end

George. Thank you , It must have been the extra interface, i deleted that and it started working, thank you so much for your help

Good to hear that you got it to work finally...

i noticed GigabitEthernet0.4 and GigabitEthernet0 in your config are both in bridge group 1, could this be the problem?

#interface GigabitEthernet0
ap(config-if)#bridge-group 1
Configuration of subinterfaces and main interface
within the same bridge group is not permitted