Help with Cisco 2960 with Aironet 1231 and vlans

[lanman1865]

We are replacing all switches that are nortels to cisco 2960's. I am not sure what config changes i need to do with the 2960 and a 1231 ap. If you apply smartport options, the 2960 trunks that port for the AP to connect to. Our network is 4 vlans. 1(mgmt),2(pcs), 3(servers),4(wifi).

the core switch is a 3560 that all other 2960's will connect to. As of now the 1231 AP is connected to nortel switch. The nortel has port 2 as a member of vlan1,4 for the AP. Now in the 1231, the default vlan is 1 and I have also added vlan4. When i switch the native to 4 and change the SSID to use vlan4, i loose my clients. With the nortels all ports have to a member of vlan1 and vlan4 inthe table, then you set that access vlan per port. I am wondering if that will work once the cisco 2960 is in place?
All clients behind the 1231ap will have a ip on vlan4 subnet. I am not sure what my interface on the 1231ap and the 2960 port should be?

3560-trunk<--->trunk-2960?<--->?1231

 

[vipergg]

Post the 2960 port config and the AP config.

 

[lanman1865]

basically all wifi is on vlan4 all swithces,routers are on vlan1. vlan2 pc's, vlan3 servers.

cisco 2960
interface FastEthernet0/1
switchport access vlan 4
switchport mode access
switchport nonegotiate

interface GigabitEthernet0/1
description Uplink to core switch 3560
switchport mode trunk
switchport nonegotiate
interface Vlan1
ip address 10.10.19.158
ip default-gateway "vlan1-core switch 3560"
=================================================
1231 AP
=================================================
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname ap1-sandcab
!
enable secret 5 $
enable password 7 $
!
ip subnet-zero
ip domain name na
ip name-server 10.10.19.21
!
!
ip dhcp-server 10.10.19.3
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
!
dot11 ssid NET1
vlan 1
authentication open
!
dot11 network-map
!
crypto pki trustpoint TP-self-signed-810730892
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-810730892
revocation-check none
rsakeypair TP-self-signed-810730892
!
!
crypto ca certificate chain TP-self-signed-810730892
certificate self-signed 01
******

!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 1 key 1 size 128bit 7 ******* transmit-key
encryption vlan 1 mode wep mandatory
!
ssid CAMNET
!
traffic-stream priority 0 sta-rates 5.5 nom-6.0 nom-9.0 11.0 nom-12.0 nom-18.0 nom-24.0 nom-36.0 nom-48.0 nom-54.0
speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
packet max-retries 3 0 fail-threshold 100 500 priority 0 drop-packet
station-role root
antenna receive right
antenna transmit right
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.4
encapsulation dot1Q 4
no ip route-cache
bridge-group 4
bridge-group 4 block-unknown-source
no bridge-group 4 source-learning
no bridge-group 4 unicast-flooding
bridge-group 4 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
speed 100
full-duplex
hold-queue 160 in
!
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.4
encapsulation dot1Q 4
no ip route-cache
bridge-group 4
no bridge-group 4 source-learning
bridge-group 4 spanning-disabled
!
interface BVI1
ip address 10.10.19.195 255.255.255.192
no ip route-cache
!
ip default-gateway 10.10.19.193
ip http server
ip http secure-server
ip http help-path

http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

ip radius source-interface BVI1
!
access-list 111 permit tcp any any neq telnet
snmp-server community 123 RO
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.10.19.28 auth-port 1645 acct-port 1646 key 7 ***
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
banner login ^C
Access to authorized users only. Please enter your username and password. ^C
banner motd ^Cotd#
This is a secure site. Only authorized users are allowed.^C
!
line con 0
access-class 111 in
line vty 0 4
access-class 111 in
!
end

 

[vipergg]

You have the AP setup to trunk to the switch so you must setup the switchport as a trunk to get it to work with a native vlan 1 , instead of switchport mode access make it switchport mode trunk .

 

[vipergg]

Also on the 2960 you better hardcode the speed/duplex of the port because the AP is hardcoded otherwise you have a speed/duplex mismatch.

 

[lanman1865]

Ok. So all AP's will be on vlan4. Create all vlans needed in the 1231 AP vlan1(native) and vlan4. Now should i make vlan 4 native in the AP since all the AP's are to be on that vlan?

On the 2960 i configured the port through the web gui using the smartport manager. Do i really need qos? The only devices connecting are wireless security cameras and maybe a pc or two.

interface fastethernet0/1
description "Uplink to 1231 AP"
switchport trunk native vlan 4
switchport mode trunk
switchport nonegotiate
mls qos trust cos
macro description cisco-wireless
auto qos voip trust
spanning-tree bpdguard enable

 

[vipergg]

Doesn't have to be , native just indicates what packets will be untagged across the trunk , if 1 is native then all traffic in vlan 1 will be untagged and all packets in vlan 4 will simply be tagged across the trunk .

 

[vipergg]

Just make sure whatever you choose as native it has to match on both sides or you break the trunk .