
Configuring Trunk on Cisco Aironet 3702E

sampersis
Level 1

Hi,

I have configured a firewall port as a port trunk and I need to configure GigabitEthernet on the 3702E AP as a port trunk as well.

Documentation is not of much help and I could not find any similar example on the Internet.

My scenario is below:

 

1. My Firewall is connected to ISP router.

2. For mobility in the office we use a Cisco 3702E, which is not supported by an AC. It is an autonomous AP, which means that I have configured it to be an Access Point. I hope it is the correct configuration and it is what is called ROOT mode in Cisco documentation.

3. The AP is connected directly to firewall.

4. I have defined a VLAN no. 20 and VLANIF20 on the firewall.

5. The port on firewall is configured as a port trunk that should permit VLAN 20 traffic only

6. I am not able to do the same on the AP. Is this possible?

 

Many thanks.

8 Replies

Don't you have a switch in your network ? Typically that is the device where we normally connect APs.


If you want wireless to be on vlan20, then simply configure the firewall port as access & then configure AP to have a very basic config like this 

hostname <AP_HOSTNAME>
!
dot11 ssid <SSID_NAME>
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii <SSID_PASSWORD>
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid <SSID_NAME>
 no shutdown
!
interface Dot11Radio1
 channel width 80
 encryption mode ciphers aes-ccm
 ssid <SSID_NAME>
 no shutdown
!
interface BVI1
 ip address x.x.x.x <subnet_mask>
!
ip default-gateway x.x.x.x

 

If you want multiple VLANs & multiple SSIDs on your AP, then you have to configure sub-interfaces & you can leave the AP-connected switchport as a trunk. If that is the case, refer to this post, as I have provided some sample configuration for multiple SSID/vlan.

https://supportforums.cisco.com/discussion/12353756/best-practice-configuring-2602i-aironet-50-70-users

HTH

Rasika

**** Pls rate all useful responses ****

 

Hi,

 

Many thanks for your answer.

 

1. Is it not better to keep the port as port trunk rather than port access? I will define a native VLAN on AP and hence the VLAN ID should be the same on both sides of the trunk.

2. I do not have enough switches. I have one switch and one AP, but 2 firewalls that will run in hot/standby mode. The switch is configured to serve the Office VLAN and I need redundancy in the network. If the switch goes down, then I have Wireless LAN.

 

Kind regards,

Sam

1. Is it not better to keep the port as port trunk rather than port access? I will define a native VLAN on AP and hence the VLAN ID should be the same on both sides of the trunk.

If you want to put AP management on a different vlan (native vlan) while users of a given SSID get a separate vlan IP (from the AP management vlan), then it is a good idea to configure the AP-connected port as a trunk port & the same on the AP (via sub-interfaces & bridge-group).

2. I do not have enough switches. I have one switch and one AP, but 2 firewalls that will run in hot/standby mode. The switch is configured to serve the Office VLAN and I need redundancy in the network. If the switch goes down, then I have Wireless LAN.

You can give it a try as you plan & if that works for you, then no problem.

But in general (if you have multiple APs), connecting them to a switch is the best way to go. Think about it: you may get many APs in future & you do not want to power them using external power sources (if your switch is POE you can power the AP from the switch easily).

HTH

Rasika

**** Pls rate all useful responses ****

1. Trunk vs. Access

I guess I will use your recommendation and I will configure it as access.

 

2. This office is on a very low budget. There are only 10 employees and hence management is very tight. There won't be any extra AP's or switches. AP will be connected to UPS directly.

Hi,

 

One more thing: DHCP is configured on the firewall for VLANIF20. For the AP I have reserved IP 10.2.2.2 and MAC locked it. Is there anything else I need to think about?

 

Many thanks.

 

Kind regards,

Sam

Hi,

What do you think of below conf?

Kind regards,

Sam

 

! Configuration change 22 Nov 2014 by sam
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname KCAP
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone +0100 1 0
no ip source-route
no ip cef
ip name-server 195.58.103.21 195.58.103.22
!
!
dot11 syslog
!
dot11 ssid KCAP_WLAN
   vlan 20
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 0257560F52535D75191A5C4C5D424A5E5953787C017F17627A4257405756040D0801025A564D440C0B070302740329
!
dot11 network-map
!
username CISCO password 7 01300F175804
username TOMMY privilege 15 password 7 106D01180B10170609457878
username DANIEL privilege 15 password 7 05280E0E2F4B4B041C444541
username SAM privilege 15 password 7 08104957241C0D4340
!
bridge irb
!
interface Dot11Radio0
 encryption vlan 20 mode ciphers aes-ccm
 ssid KCAP_WLAN
 antenna gain 0
 speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
 station-role root access-point
 no shutdown
!
interface Dot11Radio1
 encryption vlan 20 mode ciphers aes-ccm
 ssid KCAP_WLAN
 antenna gain 0
 peakdetect
 no dfs band block
 stbc
 mbssid
 speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23. a1ss9 a2ss9 a3ss9
 channel dfs
 station-role root access-point
 no shutdown
!
interface GigabitEthernet0
 mac-address 58f3.9c39.118b
 ip address 10.2.2.2 255.255.255.0
 duplex auto
 speed auto
!
interface BVI1
 mac-address 58f3.9c39.118b
 ip address 10.2.2.2 255.255.255.0
!
ip default-gateway 10.2.2.1
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
line con 0
line vty 0 4
 transport input all
!
sntp server 192.36.144.23
sntp broadcast client
end

Hi Sam,

1. If you want to use vlan20 in the AP config then you have to create subinterfaces on your AP radio & ethernet interfaces.

2. The IP address should be only under the BVI interface & not ethernet.

3. Unless you configure channel-width 80, your 5GHz radio will use 20MHz channel width for clients & you do not get the 802.11ac benefits of this AP model.

Use the simple configuration I have given & configure the AP-connected port as access vlan 20.

**** Pls do not forget to rate our responses if that is useful to you ****

 

HTH

Rasika
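
The three points in the reply above can be checked mechanically against a saved running-config. The Python sketch below is an added example, not code from the thread or from Cisco; `parse_blocks` and `check_ap_config` are hypothetical helper names, the sample is a constructed excerpt of the configuration posted earlier, and the `channel width 80` string is the one used in the first reply's sample config.

```python
import re
# Constructed excerpt of the running-config posted earlier in the thread.
SAMPLE = """\
dot11 ssid KCAP_WLAN
   vlan 20
!
interface Dot11Radio0
 encryption vlan 20 mode ciphers aes-ccm
!
interface Dot11Radio1
 encryption vlan 20 mode ciphers aes-ccm
!
interface GigabitEthernet0
 ip address 10.2.2.2 255.255.255.0
!
interface BVI1
 ip address 10.2.2.2 255.255.255.0
"""

def parse_blocks(text):
    """Map each top-level line (e.g. 'interface BVI1') to its indented sub-commands."""
    blocks, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            current = None
        elif not line.startswith(" "):
            current = blocks.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return blocks

def check_ap_config(text):
    blocks = parse_blocks(text)
    ifaces = {k.split()[1]: v for k, v in blocks.items() if k.startswith("interface ")}
    vlans = {c.split()[1] for k, v in blocks.items() if k.startswith("dot11 ssid ")
             for c in v if re.fullmatch(r"vlan \d+", c)}
    findings = []
    for vlan in sorted(vlans):  # 1. every SSID VLAN needs radio + Ethernet subinterfaces
        for parent in [n for n in ifaces if "." not in n and not n.startswith("BVI")]:
            sub = ifaces.get(f"{parent}.{vlan}", [])
            if not any(c.split()[:3] == ["encapsulation", "dot1Q", vlan] for c in sub):
                findings.append(f"{parent}: no subinterface for VLAN {vlan}")
    for name, cmds in ifaces.items():  # 2. IP address belongs under BVI only
        if not name.startswith("BVI") and any(c.startswith("ip address ") for c in cmds):
            findings.append(f"{name}: IP address configured outside BVI")
    radio1 = ifaces.get("Dot11Radio1")  # 3. 5 GHz radio channel width
    if radio1 is not None and "channel width 80" not in radio1:
        findings.append("Dot11Radio1: channel width 80 not set")
    return findings
```

Calling `check_ap_config(SAMPLE)` returns one finding per missing subinterface, one for the IP address on `GigabitEthernet0`, and one for the 5 GHz channel width.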

 

Many thanks.

 

1. If you want to use vlan20 in AP config then you have to create subinterfaces on your AP radio & ethernet interfaces

I have to adhere to the design rule. Design says that I have to use vlan 20.

You mean something like below:

 

ap# configure terminal
ap(config)# interface dot11Radio 0.20
ap(config-subif)# encapsulation dot1Q 20 native
ap(config-subif)# exit
ap(config)# interface gigabitEthernet 0.20
ap(config-subif)# encapsulation dot1Q 20 native
ap(config-subif)# exit
ap(config)# dot11 ssid KCAP_WLAN
ap(config-ssid)# vlan 20
ap(config-ssid)# exit
ap(config)# interface dot11Radio 0
ap(config-if)# encryption vlan 20 mode ciphers aes-ccm
ap(config-if)# ssid KCAP_WLAN
ap(config-if)# end

 

Right?

 

kind regards,

Sam
