09-26-2012 08:59 AM - edited 07-03-2021 10:43 PM
I am trying to connect two bridges, root bridge to non-root bridge. The SSID and the encryption must match on both bridges to get the association and authentication. The encryption can be different when you input from the console or web base. Is there any tool to check for the encryption for matching? Any help? Thanks
09-26-2012 08:48 PM
We need to rip the config down further. You see that line, the mobility network-id command? You aren't doing a WDS and you don't have a WLSE, correct?
Read this ...
A. You use the mobility network-id command in order to configure Layer 3 mobility in a wireless network. You use the mobility network-id ssid command in order to associate a service set identifier (SSID) to a Layer 3 mobility network ID. With Layer 3 ...
You must use a wireless LAN (WLAN) services module (WLSM) as your wireless domain services (WDS) device in order to properly configure Layer 3 mobility. Layer 3 mobility is not supported when you use an AP as your WDS device. For more information on ...Understanding Layer 3 Mobility section of Configuring WDS, Fast Secure Roaming, and Radio Management.
The command is meant to be used when the AP participates in a WDS infrastructure with a WLSM module (that acts as the WDS device) where there is Layer 3 mobility. If you use this command incorrectly, connectivity problems in the WLAN network result, such as these:
- Clients do not get IP addresses from the DHCP.
- In some cases, the clients cannot associate with the AP.
- Wireless clients cannot associate with the AP.
- Extensible Authentication Protocol (EAP) authentication does not happen. With the mobility network-id command configured, the AP tries to build a generic routing encapsulation (GRE) tunnel for the forwarding of the EAP packets. If no tunnel is established, the packets cannot go anywhere.
- The AP that is configured as a WDS device does not function as expected, and the WDS configuration does not work.
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
09-26-2012 09:24 AM
Not sure I follow:
The encryption can be different when you input from the console or web base. Is there any tool to check for the encryption for matching?
The connectivity between the bridges needs to have the identical encryption. Do you mean access to the bridge itself?
09-26-2012 09:47 AM
Thank you for the response. I mean how do I know that both encryptions are identical? They look the same in the console but they do not match. Is there a way we can find the match?
Thanks
09-26-2012 09:50 AM
One way is to see if you can pass traffic across the bridges. Also look at the associations, see if you see the other bridge. I suppose you have your bridges set up and they aren't working?
09-26-2012 09:57 AM
Thank you for the response. You are right. I have set up the bridge for association but it does not work. I checked that the SSID matched. The encryption is not working properly. I can see the non-root bridge try to contact the root bridge but it is not associated. The log in the non-root bridge showed "interface Dot11Radio0, cannot associate: Rcvd response from 00000.0000.00000 channel 9 2809".
I think the WEP128 is having a problem so I want to check the traffic and the encryption. However, I cut and pasted the same 4 keys from the root bridge to the non-root bridge but they do not match.
Thanks
09-26-2012 10:11 AM
Let's get back to basics. Turn off all security and see if the bridges connect.
09-26-2012 11:56 AM
You mean the bridges only connect when the SSID matches and there is no encryption? Does open authentication need WEP?
09-26-2012 12:10 PM
Correct ... we think there is an issue with the security side of things. To confirm this, take all security off; if it works, then we start to apply the layers back on.
09-26-2012 12:50 PM
Back to the basics, what do we set on the AP for association with open authentication, no encryption, besides SSID matching?
09-26-2012 12:56 PM
Yup, open, no security. Feel free to post the config and I can take a peek.
09-26-2012 01:18 PM
Here is the root bridge configuration:
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TimmyTown1
!
enable secret 5 $1$/olK$pm4f3SRp8Wmb/bpEC5TpD0
!
ip subnet-zero
!
!
no aaa new-model
dot11 vlan-name Management vlan 253
dot11 vlan-name User vlan 31
!
dot11 ssid TimmyTown
vlan 31
authentication open
infrastructure-ssid
mobility network-id 10
!
!
!
username Cisco password 7 106D000A0618
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
ssid TimmyTown
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root bridge
!
interface Dot11Radio0.31
encapsulation dot1Q 31 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.253
encapsulation dot1Q 253
no ip route-cache
bridge-group 253
bridge-group 253 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
hold-queue 80 in
!
interface FastEthernet0.31
encapsulation dot1Q 31 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface FastEthernet0.253
encapsulation dot1Q 253
no ip route-cache
bridge-group 253
bridge-group 253 spanning-disabled
!
interface BVI1
ip address 131.50.31.81 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
snmp-server community Testing RW
snmp-server location Timmy Town
snmp-server chassis-id TimmyTown1
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps entity
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps cpu threshold
snmp-server enable traps aaa_server
snmp-server enable traps envmon
snmp-server host 131.50.31.250 Testing
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
!
end
**********************************************
and non root bridge configuration:
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TimmyTown2
!
enable secret 5 $1$SIed$R3SIojfAkJ.OlN3vypnlt0
!
no aaa new-model
!
!
dot11 vlan-name Management vlan 253
dot11 vlan-name User vlan 31
!
dot11 ssid TimmyTown
vlan 31
authentication open
infrastructure-ssid
mobility network-id 10
!
!
!
username Cisco password 7 047802150C2E
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
ssid TimmyTown
!
parent timeout 10
speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role non-root bridge
!
interface Dot11Radio0.31
encapsulation dot1Q 31 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.253
encapsulation dot1Q 253
no ip route-cache
bridge-group 253
bridge-group 253 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
!
interface FastEthernet0.31
encapsulation dot1Q 31 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface FastEthernet0.253
encapsulation dot1Q 253
no ip route-cache
bridge-group 253
bridge-group 253 spanning-disabled
!
interface BVI1
ip address 131.50.31.61 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
snmp-server community Testing RW
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
!
end
******************************
It does not have any encryption and open authentication.
Thanks
09-26-2012 01:29 PM
Did you ever set a channel on the bridges? Both bridges need to be on the same channel. I don't see this in your config ...
09-26-2012 01:50 PM
Here is another version with channel:
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TimmyTown1
!
enable secret 5 $1$/olK$pm4f3SRp8Wmb/bpEC5TpD0
!
ip subnet-zero
!
!
no aaa new-model
dot11 vlan-name Management vlan 253
dot11 vlan-name User vlan 31
!
dot11 ssid TimmyTown
vlan 31
authentication open
infrastructure-ssid
mobility network-id 10
!
!
!
username Cisco password 7 106D000A0618
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
ssid TimmyTown
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2452
station-role root bridge
!
interface Dot11Radio0.31
encapsulation dot1Q 31 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.253
encapsulation dot1Q 253
no ip route-cache
bridge-group 253
bridge-group 253 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
hold-queue 80 in
!
interface FastEthernet0.31
encapsulation dot1Q 31 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface FastEthernet0.253
encapsulation dot1Q 253
no ip route-cache
bridge-group 253
bridge-group 253 spanning-disabled
!
interface BVI1
ip address 131.50.31.81 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
snmp-server community Testing RW
snmp-server location Timmy Town
snmp-server chassis-id TimmyTown1
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps entity
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps cpu threshold
snmp-server enable traps aaa_server
snmp-server enable traps envmon
snmp-server host 131.50.31.250 Testing
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
!
end
************************************
Non root bridge
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TimmyTown2
!
enable secret 5 $1$SIed$R3SIojfAkJ.OlN3vypnlt0
!
no aaa new-model
!
!
dot11 vlan-name Management vlan 253
dot11 vlan-name User vlan 31
!
dot11 ssid TimmyTown
vlan 31
authentication open
infrastructure-ssid
mobility network-id 10
!
!
!
username Cisco password 7 047802150C2E
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
ssid TimmyTown
!
parent timeout 10
speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role non-root bridge
mobile station scan 2452
!
interface Dot11Radio0.31
encapsulation dot1Q 31 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.253
encapsulation dot1Q 253
no ip route-cache
bridge-group 253
bridge-group 253 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
!
interface FastEthernet0.31
encapsulation dot1Q 31 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface FastEthernet0.253
encapsulation dot1Q 253
no ip route-cache
bridge-group 253
bridge-group 253 spanning-disabled
!
interface BVI1
ip address 131.50.31.61 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
snmp-server community Testing RW
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
!
end
I have no luck with this basic configuration.
09-26-2012 02:25 PM
I ran two commands
debug dot11 dot0 trace print mgmt
debug dot11 station connection failure
on both devices. I can see the non-root bridge is trying to make a connection but I can't see the association. Any ideas?
09-26-2012 02:34 PM
*Mar 1 00:41:19.514: Client 003a.9a93.b970 failed: WDS Down but association attempted with network id configured
*Mar 1 00:41:19.514: 2E61212D r 1 25 52- 0000 13A 003A9A869350 003A9A93B970 003A9A869350 5080 assreq l 84
cap 421 infra shorthdr
listen interval 200
ssid TimmyTown
rates 82 4 B C 12 16 18 24
extrates 30 48 60 6C
aironet TimmyTown2 load 0 clients 0 hops 0 device 4D-2500
refresh 15 CW 0-0 flags 1 distance 0
IP 131.50.31.61 1
221 - 0 50 F2 2 0 1 0
*Mar 1 00:41:19.515: 2E6128D8 t 1 - 1000 13A 003A9A93B970 003A9A869350 003A9A869350 E5D0 assrsp l 6
cap 0
status 25
aid C000
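A config comparison of the kind asked for at the top of the thread, as an added example that is not part of any post here and not Cisco tooling: it pulls the SSID, authentication, encryption, channel and `mobility network-id` lines out of two saved running-configs and reports what differs or what the solution post warns about. The function names are hypothetical, the sample configs are constructed from the settings shown above, and the parser assumes the normal indentation of `show running-config` output.

```python
# Constructed sample, trimmed to the settings shown in this thread.
ROOT_CFG = """\
dot11 ssid TimmyTown
 authentication open
 infrastructure-ssid
 mobility network-id 10
interface Dot11Radio0
 ssid TimmyTown
 channel 2452
 station-role root bridge
"""
NON_ROOT_CFG = ROOT_CFG.replace(
    " channel 2452\n station-role root bridge",
    " station-role non-root bridge\n mobile station scan 2452")

def radio_settings(cfg):
    """Collect the settings that decide whether two bridges can associate."""
    out = {"ssid": None, "auth": set(), "encryption": set(),
           "channel": None, "scan": None, "mobility": None}
    section = ""
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():              # unindented line opens a section
            section = line
            if line.startswith("dot11 ssid "):
                out["ssid"] = line.split()[2]
        elif section.startswith("dot11 ssid"):
            if line.startswith("authentication "):
                out["auth"].add(line)
            elif line.startswith("mobility network-id"):
                out["mobility"] = line
        elif section.startswith("interface Dot11Radio"):
            if line.startswith("encryption "):
                out["encryption"].add(line)
            elif line.startswith("channel "):
                out["channel"] = line.split()[1]
            elif line.startswith("mobile station scan "):
                out["scan"] = line.split()[3:]
    return out

def compare_bridges(root_cfg, non_root_cfg):
    """Return a list of human-readable findings for a root/non-root pair."""
    r, n = radio_settings(root_cfg), radio_settings(non_root_cfg)
    findings = [f"{k} differs: root={r[k]} non-root={n[k]}"
                for k in ("ssid", "auth", "encryption") if r[k] != n[k]]
    if n["scan"] and r["channel"] not in n["scan"]:
        findings.append(f"root channel {r['channel']} not in scan list {n['scan']}")
    for name, s in (("root", r), ("non-root", n)):
        if s["mobility"]:
            findings.append(f"{name}: '{s['mobility']}' set; needs a WLSM acting as WDS")
    return findings
```

With `service password-encryption` enabled, stored key material can be written differently on each device, so a textual difference in an `encryption` line is a prompt to re-enter the key on both sides rather than proof that the keys differ.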