Radius assigned Vlans on Cisco AP1200

Hi

When assigning vlans via radius on Cisco Ap1200's is it possible to drop a
user into the native vlan the same way you would with a tagged vlan?

example :-

My ap has several vlans tagged into the ethernet interface lets call them
vlan id's 10, 20 and 30. I want to set up the access point so that the
native (untagged) is id 40 and assign it via radius in the same way as it
would for the others. Also I want to manage my access point on a tagged
vlan, lets call this id 50.

Cheers

Ben

On Mon, 15 Aug 2005 14:28:58 +0100, Ben <(E-Mail Removed)> wrote:

~ Hi
~
~ When assigning vlans via radius on Cisco Ap1200's is it possible to drop a
~ user into the native vlan the same way you would with a tagged vlan?
~
~ example :-
~
~ My ap has several vlans tagged into the ethernet interface lets call them
~ vlan id's 10, 20 and 30. I want to set up the access point so that the
~ native (untagged) is id 40 and assign it via radius in the same way as it
~ would for the others.

Don't see why that shouldn't work.

~ Also I want to manage my access point on a tagged
~ vlan, lets call this id 50.

This you can't do. Cisco Aironet APs must have exactly
one IP address, which must be on interface BVI1 (i.e.
in bridge-group 1), and bridge-group 1 must be bridged to
the native VLAN.

Aaron

On Mon, 15 Aug 2005 10:04:55 -0700, Aaron Leonard wrote:


> ~ Also I want to manage my access point on a tagged
> ~ vlan, lets call this id 50.
>
> This you can't do. Cisco Aironet APs must have exactly
> one IP address, which must be on interface BVI1 (i.e.
> in bridge-group 1), and bridge-group 1 must be bridged to
> the native VLAN.
>

I have have managed to get this working. Here is a snippet from my config :-

!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.1
encapsulation dot1Q 50
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.40
encapsulation dot1Q 40 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 255
no bridge-group 255 source-learning
bridge-group 255 spanning-disabled
!
interface BVI1
ip address x.x.x.x y.y.y.y
no ip route-cache
!

Does it matter that I have a tagged interface as well as a native
interface both being members of bridge group 1 ?

Thanks, Ben

Hi Ben,

OK, I'm glad to hear that you got this working ... however it's
not supported to have the BVI IP address in a non-native VLAN.
So, if you should encounter any problems and should need to open a
TAC case, I'd recommend that temporarily put on a "kosher" config
while we work in your issue. (Configuring BVI1 in a non-native
VLAN *won't* void your warranty ;-)

Cheers,

Aaron

---

~ On Mon, 15 Aug 2005 10:04:55 -0700, Aaron Leonard wrote:
~
~
~ > ~ Also I want to manage my access point on a tagged
~ > ~ vlan, lets call this id 50.
~ >
~ > This you can't do. Cisco Aironet APs must have exactly
~ > one IP address, which must be on interface BVI1 (i.e.
~ > in bridge-group 1), and bridge-group 1 must be bridged to
~ > the native VLAN.
~ >
~
~ I have have managed to get this working. Here is a snippet from my config :-
~
~ !
~ interface FastEthernet0
~ no ip address
~ no ip route-cache
~ duplex auto
~ speed auto
~ !
~ interface FastEthernet0.1
~ encapsulation dot1Q 50
~ no ip route-cache
~ bridge-group 1
~ no bridge-group 1 source-learning
~ bridge-group 1 spanning-disabled
~ !
~ interface FastEthernet0.40
~ encapsulation dot1Q 40 native
~ no ip route-cache
~ bridge-group 1
~ no bridge-group 1 source-learning
~ bridge-group 1 spanning-disabled
~ !
~ interface FastEthernet0.10
~ encapsulation dot1Q 10
~ no ip route-cache
~ bridge-group 255
~ no bridge-group 255 source-learning
~ bridge-group 255 spanning-disabled
~ !
~ interface BVI1
~ ip address x.x.x.x y.y.y.y
~ no ip route-cache
~ !
~
~ Does it matter that I have a tagged interface as well as a native
~ interface both being members of bridge group 1 ?
~
~ Thanks, Ben

On Tue, 16 Aug 2005 10:26:19 -0700, Aaron Leonard wrote:

> Hi Ben,
>
> OK, I'm glad to hear that you got this working ... however it's
> not supported to have the BVI IP address in a non-native VLAN.
> So, if you should encounter any problems and should need to open a
> TAC case, I'd recommend that temporarily put on a "kosher" config
> while we work in your issue. (Configuring BVI1 in a non-native
> VLAN *won't* void your warranty ;-)
>
> Cheers,
>
> Aaron

Hi Aaron

Thanks again for the info. I might just abandon this idea if it's not
supported. I'm not quite clear about exactly what is a bridge group and
what they are used for in a Cisco context. Does the fact that I have more
than one Ethernet interface in the same group mean that I might get some
unwanted results such as traffic being able to pass between VLAN's?

Cheers

Ben

~ > OK, I'm glad to hear that you got this working ... however it's
~ > not supported to have the BVI IP address in a non-native VLAN.
~ > So, if you should encounter any problems and should need to open a
~ > TAC case, I'd recommend that temporarily put on a "kosher" config
~ > while we work in your issue. (Configuring BVI1 in a non-native
~ > VLAN *won't* void your warranty ;-)

~ Thanks again for the info. I might just abandon this idea if it's not
~ supported. I'm not quite clear about exactly what is a bridge group and
~ what they are used for in a Cisco context. Does the fact that I have more
~ than one Ethernet interface in the same group mean that I might get some
~ unwanted results such as traffic being able to pass between VLAN's?
~
~ Cheers
~
~ Ben

Well, that is correct ... a bridge-group is a set of interfaces
that the IOS device bridges together. So if you have configured
say FastEthernet0.10 in one VLAN and FastEthernet0.20 in another
VLAN, and then put them in the same bridge-group, then the AP will
(I believe) bridge those two VLANs together.

(Note that I've set Followup-to: comp.dcom.sys.cisco
as this is really Cisco-specific stuff rather than stuff
that would be of general wireless interest.)

Cheers,

Aaron