Interface Bvi1 Assigned Dhcp Address Assignment

I have inherited a wireless system which has a 4402 controller. I need to add a few AIR-LAP1142N-A-K9 APs to our environment. I have no idea how to do this. I have plugged the AP into a port on a POE switch and set the port to the correct VLAN. The AP is receiving an IP address from DHCP in the correct range. I have a laptop plugged into the console of one of the new APs and I have launched a session in Putty terminal emulator. What are the next steps I need to take? 

Details from an AP already in the WLC: https://docs.google.com/document/d/1Fsd_wiFmUmbuIgOJq_zb2yU-OnWund6Dmj7f1ceBoew/edit?usp=sharing

Here is what Putty displays:

*Mar  1 17:42:31.061: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.55.8.54, mask 255.255.252.0, hostname APacf2.c50a.54cb

Translating "CISCO-CAPWAP-CONTROLLER.hardinnorthern.local"...domain server (10.55.1.1)

*Mar  1 17:42:38.434: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.

*Mar  1 17:42:38.441: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.hardinnorthern.local

Not in Bound state.

*Mar  1 17:43:23.952: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.

*Mar  1 17:43:27.528: %CAPWAP-3-ERRORLOG: Invalid event 38 & state 2 combination.


8 Replies

· · ·

ajck, Oct 23, 2014 at 2:25 UTC

I should also mention that I cannot SSH, Telnet or open the device up in a web browser using the IP address. I can however ping it across the network, even across vlans. 

0

· · ·

Crutchie, Oct 23, 2014 at 3:18 UTC

What are your scope options on that subnet in DHCP? Do you have 241 Option 43 enabled?

0

· · ·

ajck, Oct 23, 2014 at 3:29 UTC

tunadang, your article led me to http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/70333-lap-registration... I'm currently going through it.

Crutchie, those scope options are not currently enabled. I currently have 31 working access points in the WLC that were configured before my time. Since that's the case, do you still think these scope options are necessary?

Is Cisco equipment as picky about time as Windows? I'm wondering because the date/time is so off from what putty displayed above when connected to the AP console. 

0

· · ·

Best Answer

Crutchie, Oct 23, 2014 at 4:00 UTC

It may not be necessary. Especially if you have 31 working APs already. All that option does is point it to the WLC if the APs are on different subnets than the WLC. 

Here is a link from Cisco about Option 43:

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/97066-dhcp-option-43-0...

Also, in your WLC, under Security > AAA > AP Policies, is there an "Accept Self Signed Certificate (SSC)" box under Policy Configuration? If so, see if checking that box will fix the issue. You may need to reboot the WLC after you check the box, though, so it's something I would recommend doing after hours.

0
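The Option 43 value discussed above, as an added example that is not part of the thread: for Cisco lightweight APs it is a single sub-option of type 241 (0xf1), a length byte, and the WLC management IPv4 addresses. The sketch below encodes and decodes that value and checks a scope's value against an approved controller list; the addresses are constructed (192.0.2.0/24 documentation range) and the function names are hypothetical.

```python
import ipaddress

CISCO_AP_SUBOPTION = 0xF1  # sub-option type 241 read by Cisco lightweight APs


def encode_option43(wlc_ips):
    """Build the Option 43 value (hex) for a list of WLC management IPv4 addresses."""
    if not wlc_ips:
        raise ValueError("at least one controller address is required")
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in wlc_ips)
    if len(value) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return (bytes([CISCO_AP_SUBOPTION, len(value)]) + value).hex()


def decode_option43(hex_value):
    """Return the controller addresses in an Option 43 value, rejecting malformed input."""
    raw = bytes.fromhex(hex_value.replace(":", "").replace(" ", ""))
    if len(raw) < 2 or raw[0] != CISCO_AP_SUBOPTION:
        raise ValueError("not a type-241 (0xf1) sub-option")
    length, value = raw[1], raw[2:]
    if length == 0 or length % 4 or length != len(value):
        raise ValueError(f"length byte {length} does not match {len(value)} address bytes")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


def unexpected_controllers(hex_value, approved):
    """Controllers handed out by a DHCP scope that are not on the approved list."""
    allowed = set(approved)
    return [ip for ip in decode_option43(hex_value) if ip not in allowed]


if __name__ == "__main__":
    scope_value = encode_option43(["192.0.2.10", "192.0.2.20"])  # constructed addresses
    print(scope_value, decode_option43(scope_value))
    print(unexpected_controllers(scope_value, approved=["192.0.2.10"]))
```

Because this value decides which controller a new AP tries to join, comparing the decoded addresses with the known WLC management IPs is a cheap check when auditing DHCP scopes.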

· · ·

matttarr, Oct 23, 2014 at 4:01 UTC

Yes, make sure the date is set correctly or configure NTP on the controller. It can cause AP join issues if system time is prior to the AP certificate creation date.

DHCP scope options are typically not required; the simplest way for discovery is with a DNS record pointing cisco-capwap-controller to your WLC management IP, or simply prime the AP on the same VLAN as the WLC management.

0

· · ·

ajck, Oct 23, 2014 at 4:38 UTC

I'll have to figure out how to configure NTP on the controller. Once the AP joins the controller the time goes from being a few months off to 4 hrs.

I'm not sure which suggestion worked Crutchie, but I configured option 43 on the DHCP server following part 1 and 2 of this video. The video is a walk through of the document you posted. This makes sense since my management VLAN is separate from my wireless VLAN. 

Matttarr, Since my management VLAN is not using DHCP would the AP auto join the controller if I set the AP port to the management VLAN (for initial setup)? 

I also checked Accept Self Signed Certificate, clicked apply, and rebooted the controller. After the controller rebooted this setting was unchecked.

I then was able to successfully add another AP. 

0

· · ·

ajck, Oct 23, 2014 at 4:41 UTC

Looks like NTP is set up correctly on the controller and the controller can ping the NTP server. Thanks for the suggestion, matttarr.

0


The command line configuration of Cisco Aironet access points can be confusing to someone who doesn't understand what's going on behind the scenes. "What's a bridge group? How is it different from a VLAN? Why do I have subinterfaces and a BVI?" In this article, we'll walk through a basic multiple SSID configuration on an Aironet one section at a time and shed some light on how bridge groups are used to tie everything together.

Our example will make use of two SSIDs:

  • VLAN 10: Corporate
  • VLAN 20: Guest

Configuration

Global Configuration

    dot11 ssid Corporate
       vlan 10
    !
    dot11 ssid Guest
       vlan 20
    !
    bridge irb

Two relevant functions are performed in the snippet above. First, our two SSIDs (Corporate and Guest) are defined and associated with VLANs. Second, integrated routing and bridging (IRB) is enabled with the command bridge irb. This allows us to define bridge groups and a BVI.

Radio Interface Configuration

Our access point has two physical radio (wireless) interfaces: Dot11Radio0 (2.4 GHz) and Dot11Radio1 (5 GHz). Since we want to enable both SSIDs on both radios, the interfaces are configured identically.

    interface Dot11Radio0
     no ip address
     !
     ssid Corporate
     !
     ssid Guest
     !
     mbssid
    !
    interface Dot11Radio0.10
     encapsulation dot1Q 10
     bridge-group 1
    !
    interface Dot11Radio0.20
     encapsulation dot1Q 20
     bridge-group 2
    !
    interface Dot11Radio1
     no ip address
     !
     ssid Corporate
     !
     ssid Guest
     !
     mbssid
    !
    interface Dot11Radio1.10
     encapsulation dot1Q 10
     bridge-group 1
    !
    interface Dot11Radio1.20
     encapsulation dot1Q 20
     bridge-group 2

First, we assign both SSIDs to the physical radio interfaces. We also include the mbssid command to ensure that each SSID receives a unique BSSID (which is analogous to a MAC address).

Next, we create a subinterface for each SSID, .10 and .20. Each subinterface is mapped to both a VLAN and a bridge group. We'll talk more about bridge groups shortly.

Ethernet Interface Configuration

    interface FastEthernet0
     no ip address
    !
    interface FastEthernet0.10
     encapsulation dot1Q 10
     bridge-group 1
    !
    interface FastEthernet0.20
     encapsulation dot1Q 20
     bridge-group 2

The configuration of our FastEthernet interface should look similar to that of our radio interfaces. Two subinterfaces are attached to the physical interface, with each tied to its respective VLAN and bridge group.

BVI Configuration

    interface BVI1
     ip address 192.168.10.123 255.255.255.0
     no ip route-cache

Finally, we configure the bridge virtual interface (BVI) for management. A BVI interface is mapped to a bridge group by its numeric identifier (in this case, 1), similar to how a VLAN interface is mapped to a VLAN. It may help to refer to VLAN interfaces as switch virtual interfaces (SVIs); BVIs are the same concept but applied to bridge groups instead of VLANs.

BVI1 is the default BVI on Aironet access points and cannot be deleted:

    ap(config)# no interface bvi1
    %command not allowed, cannot remove BVI 1

While you can create BVIs for other bridge groups, only one of them can be assigned an IP address for management (similar to how a layer two-only Catalyst switch can only have one active VLAN interface). And since BVI1 is going to be there anyway, we might as well use it.

Note that the IP address assigned to BVI1 must be in the same subnet as any SSID assigned to the bridge group (in this case, the Corporate SSID).

Putting it all Together

Working from top to bottom, we can see that:

  • SSIDs are mapped to VLANs.
  • VLANs are mapped to radio subinterfaces.
  • Radio subinterfaces are mapped to bridge groups.
  • Ethernet subinterfaces are also mapped to bridge groups.
  • BVI1 is assigned an IP address tied to bridge group 1.

This configuration keeps wireless traffic belonging to one SSID isolated from traffic belonging to the other as it transits the access point from the wired interface to the wireless interface and vice versa. Note that because there is no BVI2 interface, the access point has no IP address reachable directly from the Guest SSID.
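The isolation property described above can be checked mechanically. The following is an added example, not code from the original article: it parses an Aironet configuration, follows the SSID, VLAN, subinterface and bridge-group mappings, and reports anything that would let Guest traffic reach another VLAN or a BVI address. The `untrusted` parameter and function names are assumptions, and the sample configuration is constructed from the article's lab values.

```python
import re
from collections import defaultdict

def stanza(ifname, vlan, group):  # renders one subinterface stanza for the sample
    return f"interface {ifname}.{vlan}\n encapsulation dot1Q {vlan}\n bridge-group {group}\n!\n"

# Constructed sample: the article's lab configuration reduced to the lines the audit reads.
SAMPLE_CONFIG = (
    "dot11 ssid Corporate\n   vlan 10\n!\ndot11 ssid Guest\n   vlan 20\n!\nbridge irb\n!\n"
    + "".join(stanza(i, v, g) for i in ("Dot11Radio0", "Dot11Radio1", "FastEthernet0")
              for v, g in ((10, 1), (20, 2)))
    + "interface BVI1\n ip address 192.168.10.123 255.255.255.0\n no ip route-cache\n")

def parse(config):
    """Return ({ssid: vlan}, {vlan: {bridge groups}}, {bvi number: ip})."""
    ssid_vlan, vlan_groups, bvi_ips = {}, defaultdict(set), {}
    section, sub_vlan = "", None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # an unindented line opens a new stanza
            section, sub_vlan = line, None
        elif section.startswith("dot11 ssid ") and line.startswith("vlan "):
            ssid_vlan[section.split()[2]] = int(line.split()[1])
        elif line.startswith("encapsulation dot1Q "):
            sub_vlan = int(line.split()[2])
        elif re.fullmatch(r"bridge-group \d+", line) and sub_vlan is not None:
            vlan_groups[sub_vlan].add(int(line.split()[1]))
        elif section.lower().startswith("interface bvi") and line.startswith("ip address "):
            bvi_ips[int(section[len("interface bvi"):])] = line.split()[2]
    return ssid_vlan, vlan_groups, bvi_ips

def audit(config, untrusted=("Guest",)):
    """List isolation problems; `untrusted` names SSIDs that must not reach a BVI address."""
    ssid_vlan, vlan_groups, bvi_ips = parse(config)
    findings, by_group = [], defaultdict(set)
    for vlan, groups in sorted(vlan_groups.items()):
        if len(groups) > 1:
            findings.append(f"VLAN {vlan} is split across bridge groups {sorted(groups)}")
        for group in groups:
            by_group[group].add(vlan)
    for group, vlans in sorted(by_group.items()):
        if len(vlans) > 1:
            findings.append(f"bridge group {group} bridges VLANs {sorted(vlans)} together")
    for ssid in untrusted:
        for group in sorted(vlan_groups.get(ssid_vlan.get(ssid), ())):
            if group in bvi_ips:
                findings.append(f"{ssid} SSID shares bridge group {group} with BVI{group} ({bvi_ips[group]})")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "no isolation findings")
```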

What About Those Other Bridge Group Commands?

You may have noticed that, when assigning a radio interface to a bridge group with the bridge-group command, four or five additional commands also appear out of nowhere. For example, here's the full configuration of interface Dot11Radio0.10 from our lab as it appears in the running configuration:

    interface Dot11Radio0.10
     encapsulation dot1Q 10
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled

These are default commands which tweak the behavior of bridge groups on the access point, primarily by disabling spanning tree and compensating for its absence. Unless you have a specific reason to modify them, just let these commands be.
