SSID & VLAN Troubleshooting Advice

[MulLa]

Hi all,

After a bit of troubleshooting advice as to where I should be looking, remember that I?m still a n00b :S so I might ask something silly!!

Equipment Involved:
Aironet 1200
Catalyst 2950
Router 1841

Setup a new SSID on the 1200 with its own VLAN so guests can come in, and we provide a WPA shared key so they can jump on the net without performing a RADIUS authentication which is what?s previously configured on the network.

2 SSIDs on the AP assigned to VLAN 120 (existing wireless network) & 130 (guest network ? newly created)
3 VLANs in total on the wired land VLAN 110 (main network), 120 (wireless client VLAN) & 130 (guest wireless VLAN)

At present clients on either VLAN 110 & 120 can ping the default gateway (sub-interface, trunks created on the 1841) on all VLANs including VLAN 130. However clients on VLAN 130 is unable to ping anything including default gateway of VLAN 130. Clients can currently connect to and authenticate to the AP successfully but that?s about as far as it?ll go.

I suspected that it was a permission issue on the router, however, I?ve basically replicated the ACLs for the 2 working VLANs to VLAN 130 and still I can?t ping the gateway.

Is anyone able to advice what I should be doing in terms of troubleshooting this? Steps and things I should be cross checking? If anyone is willing to assist I can pm configs through, don?t want to overload this thread with configs on 3 devices!!!


Thanks in advance for any tips!

 

[spidey07]

sounds like an encryption problem on the AP/Client.

Also make sure the vlan 130 SVI is up and that vlan is allowed on the trunk to the router. Check the spanning-tree for vlan 130 to make sure it is forwarding on the trunk port to the router and AP.

 

[nweaver]

It's been a while, but iirc you need to make sure that your native VLAN on your switch is VLAN1, or the AP gets really confused.

 

[MulLa]

Thanks everyone for the tips. Going to test this out tonight and see how I go!!

 

[MulLa]

Originally posted by: spidey07
sounds like an encryption problem on the AP/Client.

Also make sure the vlan 130 SVI is up and that vlan is allowed on the trunk to the router. Check the spanning-tree for vlan 130 to make sure it is forwarding on the trunk port to the router and AP.

Windows XP indicated a successful authentication with the AP showing network is connected would this still suggest an encryption error?

When I do a "sh run" the VLANs on the swith are all indicated as "shutdown" except for VLAN 110. No idea why they are in "shutdown" mode. The funny thing is VLAN 120 still worked even if it's "shutdown" on the switch. "sh vlan" indicated all VLANs are "active"

I have not configured any permission for allowed VLANs on trunks, I assume all VLANs are allowed by default?

Did a "sh spanning-tree" on the switch and all VLANs are allowed on the 2 trunks to the router & AP.


nweaver: I've read on Cisco's website that I only need to ensure the native VLAN on the AP and the connected switchport are matching (which they are) and I should be fine. Tho the native VLAN for the Switch itself is VLAN 1 not sure if this is causing the problem

What would be my next step of troubleshooting process?

Thanks once again spidey07 & nweaver.

 

[nweaver]

log into the console and watch for native vlan mismatch problems. I have had MAJOR issues when the native vlan was something other then 1 (tried to do some funky L2 stuff a while back)

I would start by turning off all encryption/authentication on all SSID's, and try and connect/see what happens. Assuming that works, layer security back on, one step at a time. If it doesn't let us know what SSID's work, and which don't.

 

[nweaver]

also, what code are you running on this?

 

[MulLa]

Sorry to be a n00b... how do I detect native vlan mismatch? Do a "sh logging"??

IOS versions are:
Switch 12.1
Router 12.3
AP 12.3


Thanks

 

[spidey07]

sh int trunk will give you all your trunking information.

also, unshut those vlan interfaces. also sh int vlan <vlan number> will tell you if the SVI is up (Ip interface)

 

[MulLa]

Funny thing is... When I do a "no shut" on those vlan interfaces (VLAN120) the switch would lock up in the CLI. I can't ping the switch, can't establish another telnet session to it. Can't browse to it's web interface etc... However, network operations still runs fine. Like it's still forwarding frames and network isn't down. Just I can't manage it anymore! Argh, I have to go and power cycle it!

Any ideas I can trouble shoot this problem?

Thanks spidey07, gawd it's so hard remebering commands for people who don't manage these things day in day out.

 

[nweaver]

you can't up those on the switch (I'm not sure if Spidey meant that or the AP) becuase the switch only has one active vlan (i.e. managment vlan) because it's all old school layer 2. THe ip is for management only.

change the primary VLAN to VLAN 1 on both, and see if it works then