11-22-2014 02:50 AM - edited 07-05-2021 01:59 AM
Hi,
I have configured a firewall port as a port trunk and I need to configure GigabitEthernet on the 3702E AP as a port trunk as well.
Documentation is not of much help and I could not find any similar example on the Internet.
My scenario is below:
1. My Firewall is connected to ISP router.
2. For mobility in the office we use a Cisco 3702E, which is not supported by an AC. It is an autonomous AP, which means that I have configured it to be an Access Point. I hope it is the correct configuration and that it is what is called ROOT mode in the Cisco documentation.
3. The AP is connected directly to firewall.
4. I have defined a VLAN no. 20 and VLANIF20 on the firewall.
5. The port on firewall is configured as a port trunk that should permit VLAN 20 traffic only
6. I am not able to do the same on the AP. Is this possible?
Many thanks.
11-22-2014 11:15 AM
Don't you have a switch in your network? Typically that is the device to which we normally connect APs.
If you want wireless to be on vlan 20, then simply configure the firewall port as access & then configure the AP to have a very basic config like this:
hostname <AP_HOSTNAME>
!
dot11 ssid <SSID_NAME>
 authentication open
 authentication key-management wpa version 2
 guest-mode
 wpa-psk ascii <SSID_PASSWORD>
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid <SSID_NAME>
 no shutdown
!
interface Dot11Radio1
 channel width 80
 encryption mode ciphers aes-ccm
 ssid <SSID_NAME>
 no shutdown
!
interface BVI1
 ip address x.x.x.x <subnet_mask>
!
ip default-gateway x.x.x.x
If you want multiple VLANs & multiple SSIDs on your AP, then you have to configure sub-interfaces & you can leave the AP-connected switchport as a trunk. If that is the case, refer to this post, as I have provided some sample configuration for multiple SSIDs/VLANs.
HTH
Rasika
**** Pls rate all useful responses ****
11-22-2014 12:26 PM
Hi,
Many thanks for your answer.
1. Is it not better to keep the port as a port trunk rather than a port access? I will define a native VLAN on the AP and hence the VLAN ID should be the same on both sides of the trunk.
2. I do not have enough switches. I have one switch and one AP, but two firewalls that will run in hot/standby mode. The switch is configured to serve the Office VLAN and I need redundancy in the network. If the switch goes down, then I have the wireless LAN.
Kind regards,
Sam
11-22-2014 01:42 PM
1. Is it not better to keep the port as a port trunk rather than a port access? I will define a native VLAN on the AP and hence the VLAN ID should be the same on both sides of the trunk.
If you want AP management on a different VLAN (the native VLAN) while users of a given SSID get an IP on a separate VLAN from the AP management VLAN, then it is a good idea to configure the AP-connected port as a trunk port & the same on the AP (via sub-interfaces & bridge-groups).
2. I do not have enough switches. I have one switch and one AP, but two firewalls that will run in hot/standby mode. The switch is configured to serve the Office VLAN and I need redundancy in the network. If the switch goes down, then I have the wireless LAN.
You can give it a try as you plan & if that works for you, then no problem.
But in general (if you have multiple APs), connecting them to a switch is the best way to go. Think about when you get many APs in future & you do not want to power them using external power sources (if your switch is PoE you can power the APs from the switch easily).
HTH
Rasika
**** Pls rate all useful responses ****
11-22-2014 02:08 PM
1. Trunk vs. Access
I guess I will use your recommendation and I will configure it as access.
2. This office is on a very low budget. There are only 10 employees and hence management is very tight. There won't be any extra APs or switches. The AP will be connected to the UPS directly.
11-22-2014 12:32 PM
Hi,
One more thing: DHCP is configured on the firewall for VLANIF20. For the AP I have reserved IP 10.2.2.2 and MAC-locked it. Is there anything else I need to think about?
Many thanks.
Kind regards,
Sam
11-22-2014 01:02 PM
Hi,
What do you think of below conf?
Kind regards,
Sam
! Configuration change 22 Nov 2014 by sam
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname KCAP
!
!
logging rate-limit console 9
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone +0100 1 0
no ip source-route
no ip cef
ip name-server 195.58.103.21 195.58.103.22
!
!
dot11 syslog
!
dot11 ssid KCAP_WLAN
vlan 20
authentication open
authentication key-management wpa version 2
wpa-psk ascii 7 0257560F52535D75191A5C4C5D424A5E5953787C017F17627A4257405756040D0801025A564D440C0B070302740329
!
dot11 network-map
!
username CISCO password 7 01300F175804
username TOMMY privilege 15 password 7 106D01180B10170609457878
username DANIEL privilege 15 password 7 05280E0E2F4B4B041C444541
username SAM privilege 15 password 7 08104957241C0D4340
!
bridge irb
!
interface Dot11Radio0
encryption vlan 20 mode ciphers aes-ccm
ssid KCAP_WLAN
antenna gain 0
speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
station-role root access-point
no shutdown
!
interface Dot11Radio1
encryption vlan 20 mode ciphers aes-ccm
ssid KCAP_WLAN
antenna gain 0
peakdetect
no dfs band block
stbc
mbssid
speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23. a1ss9 a2ss9 a3ss9
channel dfs
station-role root access-point
no shutdown
!
interface GigabitEthernet0
mac-address 58f3.9c39.118b
ip address 10.2.2.2 255.255.255.0
duplex auto
speed auto
!
interface BVI1
mac-address 58f3.9c39.118b
ip address 10.2.2.2 255.255.255.0
!
ip default-gateway 10.2.2.1
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 protocol ieee
bridge 1 route ip
!
!
line con 0
line vty 0 4
transport input all
!
sntp server 192.36.144.23
sntp broadcast client
end
11-22-2014 01:05 PM
Hi Sam,
1. If you want to use vlan 20 in the AP config, then you have to create sub-interfaces on your AP radio & Ethernet interfaces.
2. The IP address should be only under the BVI interface & not the Ethernet interface.
3. Unless you configure channel-width 80, your 5 GHz radio will use a 20 MHz channel width for clients & you do not get the 802.11ac benefits of this AP model.
Use the simple configuration I have given & configure the AP-connected port as access vlan 20.
**** Pls do not forget to rate our responses if that is useful to you ****
HTH
Rasika
11-22-2014 01:52 PM
Many thanks.
1. If you want to use vlan 20 in the AP config, then you have to create sub-interfaces on your AP radio & Ethernet interfaces.
I have to adhere to the design rules. The design says that I have to use VLAN 20.
You mean something like the below:
ap# configure terminal
ap(config)# interface dot11Radio 0.20
ap(config-subif)# encapsulation dot1Q 20 native
ap(config-subif)# bridge-group 1
ap(config-subif)# exit
ap(config)# interface gigabitEthernet 0.20
ap(config-subif)# encapsulation dot1Q 20 native
ap(config-subif)# bridge-group 1
ap(config-subif)# exit
ap(config)# dot11 ssid KCAP_WLAN
ap(config-ssid)# vlan 20
ap(config-ssid)# exit
ap(config)# interface dot11Radio 0
ap(config-if)# encryption vlan 20 mode ciphers aes-ccm
ap(config-if)# ssid KCAP_WLAN
ap(config-if)# end
Right?
kind regards,
Sam
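For the single-VLAN trunk asked about in this thread, the following is an added example that is not part of the original posts: a condensed copy of the posted configuration next to the shape the running-config takes once VLAN 20 is carried as the native VLAN of the trunk and bridged on both the radio and the Ethernet side, plus a small checker that flags the points raised in the replies above (SSID mapped to a VLAN but no dot1Q sub-interfaces, the IP address on GigabitEthernet0 instead of BVI1) together with the management-plane settings in the posted config that a security review would also call out (`transport input all` on the vty lines, `ip http server` without `ip http secure-server`, type 7 `username` passwords). Both configs are constructed and trimmed; the type 7 string and the `secret 5` hash are placeholders; the parser assumes the indentation of `show running-config` output.

```python
"""Lint an autonomous Cisco IOS AP config for the pitfalls raised in this thread.
Added example, not from the thread. Both sample configs are constructed and
trimmed to the relevant lines; the type 7 string and secret 5 hash are placeholders."""
import re

def parse_ios(text):
    """[(header, [child lines])]: a child is an indented line, as in 'show run'."""
    secs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and line != "!":
            if raw[0].isspace() and secs:
                secs[-1][1].append(line)
            else:
                secs.append((line, []))
    return secs

def lint_ap_config(text):
    secs, out = parse_ios(text), []
    top = {h for h, _ in secs}
    subifs = {}  # (parent interface lowercased, vlan) -> its child lines
    for h, ch in secs:
        m = re.match(r"interface (\w+)\.(\d+)$", h)
        if m:
            subifs[(m[1].lower(), int(m[2]))] = ch
    for h, ch in secs:
        # 1. an SSID's VLAN needs a bridged dot1Q sub-interface on radio and Ethernet
        if h.startswith("dot11 ssid "):
            for vlan in (int(c.split()[1]) for c in ch if re.match(r"vlan \d+$", c)):
                for parent in ("Dot11Radio0", "GigabitEthernet0"):
                    sub = subifs.get((parent.lower(), vlan))
                    if sub is None:
                        out.append(f"ssid {h[11:]} uses vlan {vlan} but {parent}.{vlan} is missing")
                    elif not any(c.startswith("bridge-group ") for c in sub):
                        out.append(f"{parent}.{vlan} is in no bridge-group")
        # 2. BVI1 is the IRB interface of bridge-group 1, so native sub-interfaces go there
        if re.match(r"interface \w+\.\d+$", h) and any(c.endswith(" native") for c in ch) \
                and "bridge-group 1" not in ch:
            out.append(f"{h[10:]} is native but not in bridge-group 1")
        # 3. on a bridged AP the management address belongs on BVI1 only
        if re.match(r"interface (GigabitEthernet|Dot11Radio)\d$", h) \
                and any(c.startswith("ip address ") for c in ch):
            out.append(f"{h[10:]} carries an ip address; it belongs on BVI1 only")
        # 4. management plane: telnet on the vty lines, reversible type 7 passwords
        if h.startswith("line vty") and "transport input all" in ch:
            out.append(f"{h}: 'transport input all' admits telnet; use 'transport input ssh'")
        if re.match(r"username \S+ .*password 7 ", h):
            out.append(f"{h.split()[1]}: type 7 password is reversible; use 'secret'")
    if "ip http server" in top and "ip http secure-server" not in top:
        out.append("web management is plaintext HTTP only; use 'ip http secure-server'")
    return out

# Constructed after the config posted above; SSID authentication lines omitted.
POSTED_STYLE = """\
dot11 ssid KCAP_WLAN
 vlan 20
username SAM privilege 15 password 7 0123456789ABCDEF
interface Dot11Radio0
 encryption vlan 20 mode ciphers aes-ccm
 ssid KCAP_WLAN
interface GigabitEthernet0
 ip address 10.2.2.2 255.255.255.0
interface BVI1
 ip address 10.2.2.2 255.255.255.0
ip http server
no ip http secure-server
line vty 0 4
 transport input all
"""

# Constructed: VLAN 20 as the native VLAN of the trunk, bridged on both sides,
# management on BVI1 only, SSH and HTTPS instead of telnet and HTTP.
TRUNKED_VLAN20 = """\
dot11 ssid KCAP_WLAN
 vlan 20
username SAM privilege 15 secret 5 $1$abcd$constructedPlaceholderHash
bridge irb
interface Dot11Radio0
 encryption vlan 20 mode ciphers aes-ccm
 ssid KCAP_WLAN
interface Dot11Radio0.20
 encapsulation dot1Q 20 native
 bridge-group 1
interface GigabitEthernet0
 no ip address
interface GigabitEthernet0.20
 encapsulation dot1Q 20 native
 bridge-group 1
interface BVI1
 ip address 10.2.2.2 255.255.255.0
ip http secure-server
line vty 0 4
 transport input ssh
bridge 1 route ip
"""

if __name__ == "__main__":
    for name, cfg in (("posted style", POSTED_STYLE), ("trunked vlan 20", TRUNKED_VLAN20)):
        print(name, lint_ap_config(cfg) or ["clean"])
```

Two caveats on the corrected config. `encapsulation dot1Q 20 native` means VLAN 20 leaves the AP untagged, and BVI1 (the IRB interface of bridge-group 1) is reached over that native VLAN, so the firewall's trunk must treat VLAN 20 as its native (PVID) VLAN as well, exactly the point raised in the thread about matching VLAN IDs on both sides; if the firewall only accepts VLAN 20 tagged, the AP's management address will not be reachable. On a real AP you will also see IOS add lines such as `bridge-group 1 subscriber-loop-control`, `bridge-group 1 block-unknown-source` and `bridge-group 1 spanning-disabled` to the sub-interfaces on its own. The WPA2 passphrase is stored as type 7 no matter how it is entered, and type 7 is a reversible obfuscation, so the running-config itself has to be handled as a secret; the checker therefore flags type 7 only on `username` lines, where `secret` is available.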