From: rocko on
I usually recommend a higher end wireless access point but got talked into
using the AP521. It's being used as a stand alone AP and the idea was to
have two broadcast SSIDs on separate VLANs, one for internal use and one for
external.

BUT, unless I've really lost it, this can't be done. It doesn't matter if I
use the Cisco Configuration Assistant, the Web interface, or the CLI. It
just won't let me do it. Am I missing something? Or is this a limitation on
the 521? I'm just looking for confirmation that I'm not crazy.

Problem 2, it's never just one, I think I know the issue but before I go and
reconfigure my ASA5520 I thought I'd ask.
The switch ports for the AP and ASA are set as trunks, and the two SSIDs are
VLAN 1 native and VLAN 2. Originally there were no VLANs so the port on the
ASA was just the hardware port with the native VLAN on the ASA as VLAN 1. I
added a sub-interface with VLAN 2 and configured the ASA's DHCP server for
the VLAN 2 sub-interface only. I connect a client to the AP using the VLAN 2
SSID which should attempt to get an IP address from the ASA, but no such
luck. The sub interface on the ASA shows no traffic at all, nothing.

I'm thinking that I have to have 2 sub-interfaces, one for each VLAN, and
that with my using the hard interface and one sub-interface all the traffic
ends up inbound on the hard interface, regardless that it should be VLAN 1.
Is this the case? I've got a fairly complex ASA config with 2 internet
connections, 2 LANs, and a DMZ, so I'd like to make sure I'm headed in the
right direction before I go changing everything.

Thanks in advance for any and all comments,
RC

From: PrzemekD on

User "rocko" <notarealaddress(a)nospam.com> wrote in message
news:6859a$4940484d$32398(a)news.teranews.com...
>I usually recommend a higher end wireless access point but got talked into
>using the AP521. It's being used as a stand alone AP and the idea was to
>have two broadcast SSIDs on separate VLANs, one for internal use and one
>for external.
>
> BUT, unless I've really lost it, this can't be done. It doesn't matter if
> I use the Cisco Configuration Assistant, the Web interface, or the CLI.
> It just won't let me do it. Am I missing something? Or is this a
> limitation on the 521? I'm just looking for confirmation that I'm not
> crazy.

[..]

I do not know the ASA, but there should not be any difference compared to a
regular switchport.

The switch (ASA) and AP must be connected using a trunk.
Moreover, the native VLAN number on both must/should be the same.

From the AP's point of view you must always configure:
One SSID mapped to one VLAN (which has certain settings, e.g. WEP or WPA)
mapped to one subinterface (or rather bridge group) of the physical Ethernet
port.

This applies to all SSIDs configured on the AP. One of them must be marked as
native (usually VLAN 1).

If you use WEP, you must make sure the keys are identical on both sides, because
the wireless client can show you "I am connected" even if a key mismatch occurs.
Then you won't be able to send or receive any traffic; it will be blocked
by the AP.

On the other hand, you can set the IP address on your client as static, to see if
it is only a DHCP issue.

best regards
Przemek Dmochowski
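
The mapping rules from the reply above (each SSID on one VLAN, each VLAN on a radio and an Ethernet subinterface in one bridge group, one native VLAN that matches the switch side), checked against a configuration. This is an added example, not part of the thread: the sample configuration is constructed in autonomous Cisco AP IOS style and is not an AP521 config, and `parse`, `audit` and `switch_native` are names made up here.

```python
# Constructed sample; the wired subinterface for VLAN 2 is deliberately left out.
SAMPLE = """\
dot11 ssid Internal
 vlan 1
dot11 ssid Guest
 vlan 2
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
"""

def parse(cfg):
    """Return ({ssid: vlan}, {interface: {vlan, native, bg}})."""
    ssids, ifaces, head = {}, {}, []
    for line in cfg.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if not line[0].isspace():
            head = w  # first line of a new stanza
        elif head[:2] == ["dot11", "ssid"] and w[0] == "vlan":
            ssids[head[2]] = int(w[1])
        elif head[:1] == ["interface"] and w[:2] == ["encapsulation", "dot1Q"]:
            ifaces.setdefault(head[1], {}).update(vlan=int(w[2]), native="native" in w)
        elif head[:1] == ["interface"] and w[0] == "bridge-group":
            ifaces.setdefault(head[1], {})["bg"] = int(w[1])
    return ssids, ifaces

def audit(cfg, switch_native=1):
    """List mapping problems; switch_native is the native VLAN on the far end of the trunk."""
    ssids, ifaces = parse(cfg)
    problems = []
    for kind in ("Dot11Radio", "Ethernet"):
        subs = {i["vlan"]: i for n, i in ifaces.items() if kind in n and "vlan" in i}
        for ssid, vlan in sorted(ssids.items()):
            if vlan not in subs:
                problems.append(f"SSID {ssid}: no {kind} subinterface for VLAN {vlan}")
        native = [v for v, i in subs.items() if i["native"]]
        if native != [switch_native]:
            problems.append(f"{kind}: native VLAN {native} != switch native {switch_native}")
    for vlan in sorted(set(ssids.values())):
        if len({i.get("bg") for i in ifaces.values() if i.get("vlan") == vlan}) > 1:
            problems.append(f"VLAN {vlan}: radio and wired sides are in different bridge groups")
    return problems
```

With the sample as written, `audit(SAMPLE)` reports that the Guest SSID has no Ethernet subinterface for VLAN 2, so its frames would never be tagged onto the trunk.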

