cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
512
Views
0
Helpful
4
Replies

Aironet 1602 - No internet for 1 SSID if MBSSID is enabled

eugeneefla
Level 1
Level 1

Hello Everyone,

I have 2 Aironet 1602 in our office. Aironet1 has no issues because this is just broadcasting 1 SSID (SSID1) and roaming to Aironet2 is working fine. Now on my 2nd AP (Aironet2) I have 3 SSIDs to broadcast:

-SSID1 (for officers only, users in SSID2 are not profiled to connect here via Radius), which is roaming from/with Aironet1

-SSID2 (for everyone else except visitors in the office)

-SSID3 (for guests and visitors only)

Here's what's going on:

1.) SSID2 and SSID3 can be broadcasted at the same time and internet connection is working fine.

2.) If i enable MBSSID and broadcast SSID1 together with #2 & #3, I do not have internet connection in SSID1

3.) If single ssid (SSID1) is the only one broadcasted, internet connection is working.

In the Associations tab of the Aironet2 GUI, i can see my laptop's mac address but without any local IP being leased out.

I tried to assign an un-used VLAN to map with bridge group 1 so that my VLAN associated with SSID1 (the one with problem) will match the same bridge-group (e.g. SSID1 vlan = 48, to map with bridge group 48); I was able to assign bridge group 1 to an unused vlan however i cant "de-tach" vlan 48 from bridge group 1. 

I need to enable these 3 SSIDs in Aironet2 with the internet up and running for all SSIDs. Please help me to figure out how to fix this.

Here's the  running-config of my Aironet2

Current configuration : 18747 bytes
!
! No configuration change since last restart
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname AP_INT2
!
!
logging buffered 16000
logging rate-limit console 9
no logging console
logging monitor informational
enable secret 5 $1$GWLJ$aSjZOxkZ5ANER8DohMLv90
!
aaa new-model
!
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_eap
server name ISE-1
server name ISE-2
server name 172.16.48.229
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
server name ISE-1
server name ISE-2
server name 172.16.48.229
!
aaa group server radius rad_admin
!
aaa group server radius rad_pmip
!
aaa group server radius radius1
server name 172.16.48.193
!
aaa authentication login default group radius1 local
aaa authentication login eap_methods group rad_eap
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
clock timezone SIN 8 0
no ip routing
no ip cef
ip domain name company.com
!
!
!
!
login on-failure log
login on-success log
dot11 syslog
dot11 vlan-name SSID2 vlan 190
dot11 vlan-name INTERNET vlan 188
dot11 vlan-name SERVER_LAN vlan 48
!
dot11 ssid SSID2
vlan 190
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 06515E791E1A5B495C4447525A
information-element ssidl advertisement
!
dot11 ssid SSID3
vlan 188
band-select
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 15405C545C7D7F747A67607243
information-element ssidl advertisement
!
dot11 ssid SSID1
vlan 48
band-select
authentication open eap eap_methods
guest-mode
mbssid guest-mode
information-element ssidl advertisement
!
dot11 band-select parameters
cycle-count 3
cycle-threshold 200
expire-supression 20
expire-dual-band 60
client-rssi 80
!
dot11 guest
!
!
crypto pki trustpoint TP-self-signed-582151068
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-582151068
revocation-check none
rsakeypair TP-self-signed-582151068
!
!
ip ssh version 2
bridge irb
!
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 48 mode ciphers aes-ccm tkip wep128
!
encryption vlan 188 mode ciphers aes-ccm tkip
!
encryption vlan 190 mode ciphers aes-ccm tkip
!
ssid SSID2
!
ssid SSID3
!
ssid SSID1
!
antenna gain 0
stbc
beamform ofdm
mbssid
packet retries 128
station-role root
rts retries 128
world-mode dot11d country-code SG indoor
l2-filter bridge-group-acl
!
interface Dot11Radio0.16
encapsulation dot1Q 16
no ip route-cache
bridge-group 16
bridge-group 16 subscriber-loop-control
bridge-group 16 spanning-disabled
bridge-group 16 block-unknown-source
no bridge-group 16 source-learning
no bridge-group 16 unicast-flooding
!
interface Dot11Radio0.18
no ip route-cache
!
interface Dot11Radio0.48
encapsulation dot1Q 48 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
!
interface Dot11Radio0.188
encapsulation dot1Q 188
no ip route-cache
bridge-group 188
bridge-group 188 subscriber-loop-control
bridge-group 188 spanning-disabled
bridge-group 188 block-unknown-source
no bridge-group 188 source-learning
no bridge-group 188 unicast-flooding
!
interface Dot11Radio0.190
encapsulation dot1Q 190
no ip route-cache
bridge-group 190
bridge-group 190 subscriber-loop-control
bridge-group 190 spanning-disabled
bridge-group 190 block-unknown-source
no bridge-group 190 source-learning
no bridge-group 190 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 48 mode ciphers aes-ccm tkip wep128
!
encryption vlan 188 mode ciphers aes-ccm tkip
!
encryption vlan 16 mode ciphers aes-ccm tkip wep128
!
encryption vlan 190 mode ciphers aes-ccm tkip
!
ssid SSID2
!
ssid SSID3
!
ssid SSID1
!
antenna gain 0
peakdetect
no dfs band block
stbc
beamform ofdm
mbssid
packet retries 128
channel dfs
station-role root
rts retries 128
world-mode dot11d country-code SG indoor
!
interface Dot11Radio1.18
encapsulation dot1Q 18
no ip route-cache
bridge-group 18
bridge-group 18 subscriber-loop-control
bridge-group 18 spanning-disabled
bridge-group 18 block-unknown-source
no bridge-group 18 source-learning
no bridge-group 18 unicast-flooding
!
interface Dot11Radio1.48
encapsulation dot1Q 48 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.188
encapsulation dot1Q 188
no ip route-cache
bridge-group 188
bridge-group 188 subscriber-loop-control
bridge-group 188 spanning-disabled
bridge-group 188 block-unknown-source
no bridge-group 188 source-learning
no bridge-group 188 unicast-flooding
!
interface Dot11Radio1.190
encapsulation dot1Q 190
no ip route-cache
bridge-group 190
bridge-group 190 subscriber-loop-control
bridge-group 190 spanning-disabled
bridge-group 190 block-unknown-source
no bridge-group 190 source-learning
no bridge-group 190 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0.48
encapsulation dot1Q 48 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.188
encapsulation dot1Q 188
no ip route-cache
bridge-group 188
bridge-group 188 spanning-disabled
no bridge-group 188 source-learning
!
interface GigabitEthernet0.190
encapsulation dot1Q 190
no ip route-cache
bridge-group 190
bridge-group 190 spanning-disabled
no bridge-group 190 source-learning
!
interface BVI1
ip address 172.16.48.28 255.255.252.0
no ip route-cache
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
!
ip default-gateway 172.16.48.8
ip forward-protocol nd
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
radius-server deadtime 5
radius-server vsa send accounting
!
radius server 172.16.48.229
address ipv4 172.16.48.229 auth-port 1645 acct-port 1646
key 7 075E756D7E283A36
!
radius server ISE-1
address ipv4 172.16.48.177 auth-port 1234 acct-port 1234
timeout 5
key 7 0055472734723823
!
radius server ISE-2
address ipv4 172.16.48.178 auth-port 1234 acct-port 1234
timeout 5
key 7 1446462A3C2D190E
!
radius server 172.16.48.193
address ipv4 172.16.48.193 auth-port 1645 acct-port 1646
key 7 0257504C0A161F205B1F5D100B
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
exec-timeout 5 0
transport input all
!
sntp server 172.16.48.2
sntp broadcast client
end

I believe I can get help from this community and would like to thank all the knowledgeable gentlemen/women around.

-Eugene-

4 Replies 4

These may be helpful...

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/service-set-identifier-ssid/116118-configure-ap-ssid-ios.html   - This link has a video that walks you through configuring multiple SSIDs and how to map them to individual Vlans. 

https://supportforums.cisco.com/document/55561/multiple-ssid-multiple-vlans-configuration-example-cisco-aironet-aps 

My guess is this may be a switch port config issue. 

Configuration on the Switch

en
conf t
int fa 2/1
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1,2,3
end

Thanks a lot William.Appreciate it.I will verify my switch config and will update this thread.

Hello William and all the experts out there. vlan48 (the vlan that has no internet connection in Aironet2) is already allowed in the trunk, the 2 other SSIDs (on vlan188 and vlan190 can go online) below is a portion of my running config. I am just 2-weeks old to this new organization and I have to fix this ongoing issue. I need all the help I can get from you guys.. pls pls pls.

!
interface GigabitEthernet2/0/46
description OFFICERS-ONLY-AP1
switchport trunk native vlan 48
switchport mode trunk

/// above is the interface config for the same SSID which can go online on Aironet1

!

interface GigabitEthernet3/0/45
description outside meeting room OFFICERS-ONLY-AP2
switchport trunk native vlan 48
switchport mode trunk
!
interface Vlan48
description OFFICERS-ONLY
ip address 172.16.48.6 255.255.252.0
ip pim sparse-mode
!

/// vlan48 does not have an IP helper address, I added an ip helper-address to vlan48, however still the same issue. One more thing, my Aironet1 that only broadcasts vlan48 can go online without issue and without me adding an ip helper-address..that is strange...
!
interface Vlan188
description LOCAL_NONOFFICERS_LAN
ip address 192.168.188.6 255.255.255.0
ip helper-address 172.16.48.4
!
interface Vlan190
description GUEST_WIFI
ip address 192.168.190.6 255.255.254.0
ip helper-address 172.16.48.4
!
ip default-gateway 172.16.48.8
no ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.48.8
!

SW#show interface trunk

Port           Mode   Encapsulation   Status       Native vlan
Gi2/0/46   on         802.1q               trunking    48
Gi2/0/48   on         802.1q               trunking    1
Gi3/0/45   on         802.1q               trunking    48
Po1          on         802.1q               trunking     1

Port         Vlans allowed on trunk
Gi2/0/46  1-4094
Gi2/0/48  1-4094
Gi3/0/45  1-4094
Po1         1-4094

Port Vlans allowed and active in management domain
Gi2/0/46 1-2,4,6,8,10,12,14,16,28,30-34,48,52,54,56,58,60,62,64,66,88,100-102,105,188,190,444
Gi2/0/48 1-2,4,6,8,10,12,14,16,28,30-34,48,52,54,56,58,60,62,64,66,88,100-102,105,188,190,444
Gi3/0/45 1-2,4,6,8,10,12,14,16,28,30-34,48,52,54,56,58,60,62,64,66,88,100-102,105,188,190,444
Po1 1-2,4,6,8,10,12,14,16,28,30-34,48,52,54,56,58,60,62,64,66,88,100-102,105,188,190,444

Port Vlans in spanning tree forwarding state and not pruned

Port Vlans in spanning tree forwarding state and not pruned
Gi2/0/46 1-2,4,6,8,10,12,14,16,28,30-34,48,52,54,56,58,60,62,64,66,88,100-102,105,188,190,444
Gi2/0/48 1-2,4,6,8,10,12,14,16,28,30-34,48,52,54,56,58,60,62,64,66,88,100-102,105,188,190,444
Gi3/0/45 1-2,4,6,8,10,12,14,16,28,30-34,48,52,54,56,58,60,62,64,66,88,100-102,105,188,190,444
Po1 1-2,4,6,8,10,12,14,16,28,30-34,48,52,54,56,58,60,62,64,66,88,100-102,105,188,190,444

Hoping anyone out there can help me with this issue. Been scouring forums / net for answers.. Been spending a lot of time trying to fix it. Quite a basic feature for 80211 AP that I cant achieve with Cisco.... Thank you so much.

Review Cisco Networking for a $25 gift card