Aironet 1602 - No internet for 1 SSID if MBSSID is enabled

eugeneefla · ‎03-21-2017

Hello Everyone,

I have 2 Aironet 1602 in our office. Aironet1 has no issues because this is just broadcasting 1 SSID (SSID1) and roaming to Aironet2 is working fine. Now on my 2nd AP (Aironet2) I have 3 SSIDs to broadcast:

-SSID1 (for officers only, users in SSID2 are not profiled to connect here via Radius), which is roaming from/with Aironet1

-SSID2 (for everyone else except visitors in the office)

-SSID3 (for guests and visitors only)

Here's what's going on:

1.) SSID2 and SSID3 can be broadcasted at the same time and internet connection is working fine.

2.) If i enable MBSSID and broadcast SSID1 together with #2 & #3, I do not have internet connection in SSID1

3.) If single ssid (SSID1) is the only one broadcasted, internet connection is working.

In the Associations tab of the Aironet2 GUI, i can see my laptop's mac address but without any local IP being leased out.

I tried to assign an un-used VLAN to map with bridge group 1 so that my VLAN associated with SSID1 (the one with problem) will match the same bridge-group (e.g. SSID1 vlan = 48, to map with bridge group 48); I was able to assign bridge group 1 to an unused vlan however i cant "de-tach" vlan 48 from bridge group 1.

I need to enable these 3 SSIDs in Aironet2 with the internet up and running for all SSIDs. Please help me to figure out how to fix this.

Here's the running-config of my Aironet2

Current configuration : 18747 bytes
!
! No configuration change since last restart
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname AP_INT2
!
!
logging buffered 16000
logging rate-limit console 9
no logging console
logging monitor informational
enable secret 5 $1$GWLJ$aSjZOxkZ5ANER8DohMLv90
!
aaa new-model
!
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_eap
server name ISE-1
server name ISE-2
server name 172.16.48.229
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
server name ISE-1
server name ISE-2
server name 172.16.48.229
!
aaa group server radius rad_admin
!
aaa group server radius rad_pmip
!
aaa group server radius radius1
server name 172.16.48.193
!
aaa authentication login default group radius1 local
aaa authentication login eap_methods group rad_eap
aaa accounting network acct_methods start-stop group rad_acct
!
!
!
!
!
aaa session-id common
clock timezone SIN 8 0
no ip routing
no ip cef
ip domain name company.com
!
!
!
!
login on-failure log
login on-success log
dot11 syslog
dot11 vlan-name SSID2 vlan 190
dot11 vlan-name INTERNET vlan 188
dot11 vlan-name SERVER_LAN vlan 48
!
dot11 ssid SSID2
vlan 190
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 06515E791E1A5B495C4447525A
information-element ssidl advertisement
!
dot11 ssid SSID3
vlan 188
band-select
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 15405C545C7D7F747A67607243
information-element ssidl advertisement
!
dot11 ssid SSID1
vlan 48
band-select
authentication open eap eap_methods
guest-mode
mbssid guest-mode
information-element ssidl advertisement
!
dot11 band-select parameters
cycle-count 3
cycle-threshold 200
expire-supression 20
expire-dual-band 60
client-rssi 80
!
dot11 guest
!
!
crypto pki trustpoint TP-self-signed-582151068
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-582151068
revocation-check none
rsakeypair TP-self-signed-582151068
!
!
ip ssh version 2
bridge irb
!
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 48 mode ciphers aes-ccm tkip wep128
!
encryption vlan 188 mode ciphers aes-ccm tkip
!
encryption vlan 190 mode ciphers aes-ccm tkip
!
ssid SSID2
!
ssid SSID3
!
ssid SSID1
!
antenna gain 0
stbc
beamform ofdm
mbssid
packet retries 128
station-role root
rts retries 128
world-mode dot11d country-code SG indoor
l2-filter bridge-group-acl
!
interface Dot11Radio0.16
encapsulation dot1Q 16
no ip route-cache
bridge-group 16
bridge-group 16 subscriber-loop-control
bridge-group 16 spanning-disabled
bridge-group 16 block-unknown-source
no bridge-group 16 source-learning
no bridge-group 16 unicast-flooding
!
interface Dot11Radio0.18
no ip route-cache
!
interface Dot11Radio0.48
encapsulation dot1Q 48 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
!
interface Dot11Radio0.188
encapsulation dot1Q 188
no ip route-cache
bridge-group 188
bridge-group 188 subscriber-loop-control
bridge-group 188 spanning-disabled
bridge-group 188 block-unknown-source
no bridge-group 188 source-learning
no bridge-group 188 unicast-flooding
!
interface Dot11Radio0.190
encapsulation dot1Q 190
no ip route-cache
bridge-group 190
bridge-group 190 subscriber-loop-control
bridge-group 190 spanning-disabled
bridge-group 190 block-unknown-source
no bridge-group 190 source-learning
no bridge-group 190 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 48 mode ciphers aes-ccm tkip wep128
!
encryption vlan 188 mode ciphers aes-ccm tkip
!
encryption vlan 16 mode ciphers aes-ccm tkip wep128
!
encryption vlan 190 mode ciphers aes-ccm tkip
!
ssid SSID2
!
ssid SSID3
!
ssid SSID1
!
antenna gain 0
peakdetect
no dfs band block
stbc
beamform ofdm
mbssid
packet retries 128
channel dfs
station-role root
rts retries 128
world-mode dot11d country-code SG indoor
!
interface Dot11Radio1.18
encapsulation dot1Q 18
no ip route-cache
bridge-group 18
bridge-group 18 subscriber-loop-control
bridge-group 18 spanning-disabled
bridge-group 18 block-unknown-source
no bridge-group 18 source-learning
no bridge-group 18 unicast-flooding
!
interface Dot11Radio1.48
encapsulation dot1Q 48 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.188
encapsulation dot1Q 188
no ip route-cache
bridge-group 188
bridge-group 188 subscriber-loop-control
bridge-group 188 spanning-disabled
bridge-group 188 block-unknown-source
no bridge-group 188 source-learning
no bridge-group 188 unicast-flooding
!
interface Dot11Radio1.190
encapsulation dot1Q 190
no ip route-cache
bridge-group 190
bridge-group 190 subscriber-loop-control
bridge-group 190 spanning-disabled
bridge-group 190 block-unknown-source
no bridge-group 190 source-learning
no bridge-group 190 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0.48
encapsulation dot1Q 48 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.188
encapsulation dot1Q 188
no ip route-cache
bridge-group 188
bridge-group 188 spanning-disabled
no bridge-group 188 source-learning
!
interface GigabitEthernet0.190
encapsulation dot1Q 190
no ip route-cache
bridge-group 190
bridge-group 190 spanning-disabled
no bridge-group 190 source-learning
!
interface BVI1
ip address 172.16.48.28 255.255.252.0
no ip route-cache
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
!
ip default-gateway 172.16.48.8
ip forward-protocol nd
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
radius-server deadtime 5
radius-server vsa send accounting
!
radius server 172.16.48.229
address ipv4 172.16.48.229 auth-port 1645 acct-port 1646
key 7 075E756D7E283A36
!
radius server ISE-1
address ipv4 172.16.48.177 auth-port 1234 acct-port 1234
timeout 5
key 7 0055472734723823
!
radius server ISE-2
address ipv4 172.16.48.178 auth-port 1234 acct-port 1234
timeout 5
key 7 1446462A3C2D190E
!
radius server 172.16.48.193
address ipv4 172.16.48.193 auth-port 1645 acct-port 1646
key 7 0257504C0A161F205B1F5D100B
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
exec-timeout 5 0
transport input all
!
sntp server 172.16.48.2
sntp broadcast client
end

I believe I can get help from this community and would like to thank all the knowledgeable gentlemen/women around.

-Eugene-

William Kuczmera · ‎03-21-2017

These may be helpful...

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/service-set-identifier-ssid/116118-configure-ap-ssid-ios.html - This link has a video that walks you through configuring multiple SSIDs and how to map them to individual Vlans.

https://supportforums.cisco.com/document/55561/multiple-ssid-multiple-vlans-configuration-example-cisco-aironet-aps

My guess is this may be a switch port config issue.

Configuration on the Switch

en
conf t
int fa 2/1
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1,2,3
end

eugeneefla · ‎03-21-2017

Thanks a lot William.Appreciate it.I will verify my switch config and will update this thread.

eugeneefla · ‎03-22-2017

Hello William and all the experts out there. vlan48 (the vlan that has no internet connection in Aironet2) is already allowed in the trunk, the 2 other SSIDs (on vlan188 and vlan190 can go online) below is a portion of my running config. I am just 2-weeks old to this new organization and I have to fix this ongoing issue. I need all the help I can get from you guys.. pls pls pls.

!
interface GigabitEthernet2/0/46
description OFFICERS-ONLY-AP1
switchport trunk native vlan 48
switchport mode trunk

/// above is the interface config for the same SSID which can go online on Aironet1

!

interface GigabitEthernet3/0/45
description outside meeting room OFFICERS-ONLY-AP2
switchport trunk native vlan 48
switchport mode trunk
!
interface Vlan48
description OFFICERS-ONLY
ip address 172.16.48.6 255.255.252.0
ip pim sparse-mode
!

/// vlan48 does not have an IP helper address, I added an ip helper-address to vlan48, however still the same issue. One more thing, my Aironet1 that only broadcasts vlan48 can go online without issue and without me adding an ip helper-address..that is strange...
!
interface Vlan188
description LOCAL_NONOFFICERS_LAN
ip address 192.168.188.6 255.255.255.0
ip helper-address 172.16.48.4
!
interface Vlan190
description GUEST_WIFI
ip address 192.168.190.6 255.255.254.0
ip helper-address 172.16.48.4
!
ip default-gateway 172.16.48.8
no ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.48.8
!

SW#show interface trunk

Port           Mode   Encapsulation   Status       Native vlan
Gi2/0/46   on         802.1q               trunking    48
Gi2/0/48   on         802.1q               trunking    1
Gi3/0/45   on         802.1q               trunking    48
Po1          on        802.1q              trunking     1

Port Vlans allowed on trunk
Gi2/0/46 1-4094
Gi2/0/48 1-4094
Gi3/0/45 1-4094
Po1 1-4094

Port Vlans allowed and active in management domain
Gi2/0/46 1-2,4,6,8,10,12,14,16,28,30-34,48,52,54,56,58,60,62,64,66,88,100-102,105,188,190,444
Gi2/0/48 1-2,4,6,8,10,12,14,16,28,30-34,48,52,54,56,58,60,62,64,66,88,100-102,105,188,190,444
Gi3/0/45 1-2,4,6,8,10,12,14,16,28,30-34,48,52,54,56,58,60,62,64,66,88,100-102,105,188,190,444
Po1 1-2,4,6,8,10,12,14,16,28,30-34,48,52,54,56,58,60,62,64,66,88,100-102,105,188,190,444

Port Vlans in spanning tree forwarding state and not pruned

Port Vlans in spanning tree forwarding state and not pruned
Gi2/0/46 1-2,4,6,8,10,12,14,16,28,30-34,48,52,54,56,58,60,62,64,66,88,100-102,105,188,190,444
Gi2/0/48 1-2,4,6,8,10,12,14,16,28,30-34,48,52,54,56,58,60,62,64,66,88,100-102,105,188,190,444
Gi3/0/45 1-2,4,6,8,10,12,14,16,28,30-34,48,52,54,56,58,60,62,64,66,88,100-102,105,188,190,444
Po1 1-2,4,6,8,10,12,14,16,28,30-34,48,52,54,56,58,60,62,64,66,88,100-102,105,188,190,444

eugeneefla · ‎03-23-2017

Hoping anyone out there can help me with this issue. Been scouring forums / net for answers.. Been spending a lot of time trying to fix it. Quite a basic feature for 80211 AP that I cant achieve with Cisco.... Thank you so much.