Cisco Aironet 1042 Multiple SSID Single VLAN Trunking issue

access-point aironet cisco hp-procurve vlan

I have inherited some Cisco Aironet 1042 fat APs and a network design of a flat, single VLAN (10).

To offer multiple SSIDs, the Cisco insists on a VLAN for each SSID.

By placing the interfaces against a bridge group, I am able to offer network access across all three SSIDs when the AP is connected to a simple port on the Cisco LAN configured as:

switchport access vlan 10
switchport mode access

Or on HP ProCurve configured as:

untagged

However, I have one AP (rather, one location; it occurs on any AP plugged in there) that is connected behind two switches and refuses to pass traffic, UNLESS I have a dumb switch in front of it. All other APs that connect to a switch have had no issues, including one that is connected behind another switch.

This makes me think that the dumb switch is stripping VLAN identification off of it? Does that push it to VLAN 1 as the default? I don't see how that'd work given that the AP works just fine behind the dumb switch but not on the switch proper.

I'm not sure how to get this AP behind two switches working without the dumb switch.

The AP is plugged to a switch plugged to another switch and the connection between the switches is an untagged uplink.

Here is my config. Thoughts?

T-0060#show running-config
Building configuration...

Current configuration : 4101 bytes
!
! Last configuration change at 11:26:47 EDT Sun Aug 14 2016 by newlifeadmin
! NVRAM config last updated at 11:21:11 EDT Sun Aug 14 2016
! NVRAM config last updated at 11:21:11 EDT Sun Aug 14 2016
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname T-0060
!
!
logging rate-limit console 9
enable secret 5 #SECRET#
!
no aaa new-model
clock timezone EST -5 0
clock summer-time EDT recurring
no ip source-route
no ip cef
!
!
!
!
dot11 syslog
!
dot11 ssid RN Faculty
   vlan 10
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 #SECRET#
!
dot11 ssid RN Guest
   vlan 30
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 #SECRET#
!
dot11 ssid RN Students
   vlan 20
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 #SECRET#
!
!
!
no ipv6 cef
!
!
username #SECRET# password 7 #SECRET#
username #SECRET# privilege 15 password 7 #SECRET#
username #SECRET# privilege 15 password 7 #SECRET#
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 10 mode ciphers aes-ccm tkip
 !
 encryption vlan 20 mode ciphers aes-ccm tkip
 !
 encryption vlan 30 mode ciphers aes-ccm tkip
 !
 ssid RN Faculty
 !
 ssid RN Guest
 !
 ssid RN Students
 !
 antenna gain 0
 mbssid
 station-role root
!
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.30
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption vlan 20 mode ciphers aes-ccm tkip
 !
 encryption vlan 10 mode ciphers aes-ccm tkip
 !
 encryption vlan 30 mode ciphers aes-ccm tkip
 !
 ssid RN Faculty
 !
 ssid RN Guest
 !
 ssid RN Students
 !
 antenna gain 0
 peakdetect
 dfs band 3 block
 mbssid
 channel dfs
 station-role root
!
interface Dot11Radio1.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.30
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface BVI1
 mac-address ccef.484c.bab0
 ip address 192.168.1.60 255.255.255.0
!
ip default-gateway 192.168.1.254
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
 login local
line vty 0 4
 login local
 transport input all
!
end

T-0060#

Best Answer

If you want to do a quick and dirty hack, just loop back the VLANs into each other on a switch. Just add two untagged/access ports in VLAN10, and one for VLAN20 and VLAN30, and just patch the ports together.

Very ugly, extremely sketchy, but it will work as long as you don't have Spanning Tree enabled (and it will work even then if you put BPDU filtering on the ports). But as others have said already, the point of having multiple SSIDs is to separate traffic; if you feed everything into the same network, there's not really any point in having multiple SSIDs.
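
The answer's closing point about separation can be checked from the configuration itself. The following is an added example, not part of the original question or answer: a small Python audit that reads an IOS-style AP config and reports which SSIDs end up in the same bridge group. The function names and `SAMPLE_CONFIG` are assumptions; the sample is a constructed excerpt that follows the structure of the running-config posted in the question.

```python
import re
from collections import defaultdict

# Constructed excerpt mirroring the question's running-config ('!' separators omitted).
SAMPLE_CONFIG = """\
dot11 ssid RN Faculty
   vlan 10
dot11 ssid RN Guest
   vlan 30
dot11 ssid RN Students
   vlan 20
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 bridge-group 1
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 1
interface Dot11Radio0.30
 encapsulation dot1Q 30
 bridge-group 1
"""

def parse(config):
    """Return ({ssid: vlan}, {vlan: set of bridge-group ids}) from IOS-style text."""
    ssid_vlan, vlan_groups = {}, defaultdict(set)
    ssid = vlan = None
    for line in config.splitlines():
        if not line.startswith(" "):  # unindented line: a new stanza resets context
            m = re.match(r"dot11 ssid (.+)", line)
            ssid, vlan = (m.group(1).strip() if m else None), None
        elif ssid and (m := re.match(r"\s+vlan (\d+)", line)):
            ssid_vlan[ssid] = int(m.group(1))
        elif m := re.match(r"\s+encapsulation dot1Q (\d+)", line):
            vlan = int(m.group(1))
        elif vlan and (m := re.match(r"\s+bridge-group (\d+)$", line)):
            vlan_groups[vlan].add(int(m.group(1)))
    return ssid_vlan, vlan_groups

def shared_bridge_groups(config):
    """Map bridge-group id -> SSIDs bridged into it, for groups holding more than one SSID."""
    ssid_vlan, vlan_groups = parse(config)
    members = defaultdict(set)
    for ssid, vlan in ssid_vlan.items():
        for group in vlan_groups.get(vlan, ()):
            members[group].add(ssid)
    return {g: sorted(s) for g, s in members.items() if len(s) > 1}

if __name__ == "__main__":
    print(shared_bridge_groups(SAMPLE_CONFIG))
```

An empty result means every SSID's VLAN sits in its own bridge group; any entry lists SSIDs whose clients share one layer-2 segment despite the separate VLAN numbers.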