
Random IP's Not Accessible...

Status
Not open for further replies.

trmg

IS-IT--Management
Sep 23, 2007
185
US
I'm not even sure where to post this, so if I'm in the wrong section please let me know.

I recently re-configured the wireless access points at work (HP ProCurve 420's) so that we have two networks, a private network (for employee use only) and a public network (for guest access). I set up a VLAN and an ACL for the public wireless network so that users can only access the Internet and not access any internal IPs and it functions as expected. The private wireless network, which is untagged traffic (so it flows over the default VLAN 1) is experiencing a weird issue of batches of IP addresses that are unreachable!

The private wireless network (and wired network) use the Class B range of 10.40.x.x. When I am physically connected to the network, I can access any host on this network. However, when I am connected via wireless, there are batches of IP's that I cannot reach! So far, I've found that 10.40.10.108-10.40.10.117 are unreachable via wireless, as well as 10.40.10.135 and 10.40.10.138. The only reason I discovered this is because 10.40.10.1xx is what we use for printers!

The ports that the WAPs connect to are configured as trunk ports using 802.1q encapsulation. All connections between switches are configured as trunk ports as well. VTP is configured properly as far as I can tell and all switches are aware of all VLANs. We use a mixture of Cisco 3560's, 3548's and 3524's with varying versions of IOS (oldest is 12.0) if this helps.

I don't even know where to begin as far as troubleshooting goes. Does anybody have any ideas?
 
hmmm....nothing really springs to mind - the addresses you mention don't match any subnetting boundary or anything.

I would try this:

From the WAPs themselves - what IP addresses are on them? From them, can you ping these addresses?

From your wireless-connected laptop - give yourself various IP addresses - .2, .120, .130, .252 - see if your results are the same from each of these source addresses.
Do this from both WAPs.
Do it again with one WAP switched off.
Try the other one on its own as well.

Then have a look at whatever device is doing your routing - what is your router for this network? Check the ACLs.
 
Well, I thought the problem resolved itself as things were normal this afternoon. However, coming into work this morning, the problem is back.

I can ping the unreachable IP's from the WAPs.

We have 16 WAPs at this site, and it seems the problem is universal among all WAPs. I encounter the same problem no matter my location on site. Of course, they all have an identical configuration (minus their IP address and hostname, of course).

We have a 3560G switch doing the routing for this site. It is also where the public wireless VLAN originates from (and is distributed via VTP). The only ACL is the ACL to limit traffic on the public VLAN, and removing it results in no changes.

I set up a second computer with an IP address that is not reachable over wireless (10.40.10.104). I can't ping it from my machine (10.40.45.1), and it can't ping me! When I go back to being wired (using 10.40.45.1 for consistency), I can ping it just fine and it can ping me just fine.

Hmm. I'll keep playing and report back if I discover anything new. In the meantime, any suggestions/ideas would be great!!!
 
It looks like the problem is related to trunking and how the switchports are configured?! I moved the WAP in my office to a non-trunked port (only configuration difference is switchport mode access instead of switchport mode trunk, and of course no switchport trunk encapsulation dot1q).

Here is how a typical switchport is configured on our switches (pulled from a 3560 8 Port):

interface FastEthernet0/2
switchport mode access
switchport voice vlan 101
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast

Before I was hired, a guy was contracted in to set us up with a Cisco IP telephony system, the above is not my doing.

So, the ports that WAPs are connected to look just like the above with the exception of "switchport mode trunk" and "switchport trunk encapsulation dot1q".

I decided to take it a step further and removed all the configuration from the port the WAP was originally connected to so it looks as so:

interface FastEthernet0/1
description OK-WAP-03
switchport trunk encapsulation dot1q
switchport mode trunk

Simple, right? Seems to solve the problem?!

Now, if I leave the switchports that our WAPs are connected to without any QoS settings, will QoS still take place? I assume yes because the traffic from our WAPs will traverse other QoS aware ports. So, is it safe for me to leave the WAP switchports configured as above?



 
You can add the qos settings back, they won't hurt.

I wonder if your problem is more that some devices were failing to get a DHCP response?
I'm thinking this because if you change an access port to a trunk, you need to also change spanning-tree portfast trunk

If you want to change your access port to a trunk, this is what you should do:

interface FastEthernet0/2
no switchport mode access
no switchport voice vlan 101
sw tr en do
sw mo trunk
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
queue-set 2
priority-queue out
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast trunk
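
An added example, not part of the original thread: a small Python audit that reads a pasted running-config and lists trunk ports still carrying the access-port settings the reply above changes during the conversion (plain `spanning-tree portfast`, `switchport voice vlan`). The sample config, function names and finding labels are constructed for illustration.

```python
# Constructed sample config, modelled on the port stanzas quoted in the thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode access
 switchport voice vlan 101
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport voice vlan 101
 spanning-tree portfast
!
"""

# Settings to flag on trunk ports only (labels are this example's wording).
TRUNK_CHECKS = [
    ("portfast without 'trunk' keyword", lambda l: l == "spanning-tree portfast"),
    ("voice VLAN on a trunk", lambda l: l.startswith("switchport voice vlan ")),
]

def parse_interfaces(config):
    """Split a running-config into {interface name: [sub-command lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # accepts indented or flat pastes like the thread's
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line in ("", "!"):
            current = None  # blank line or "!" closes the stanza
        elif current is not None:
            current.append(line)
    return interfaces

def audit_trunks(config):
    """Return {trunk port: [labels of access-port settings still present]}."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        hits = [label for label, check in TRUNK_CHECKS if any(check(l) for l in lines)]
        if "switchport mode trunk" in lines and hits:
            findings[name] = hits
    return findings

print(audit_trunks(SAMPLE_CONFIG))
```

Access ports are skipped on purpose: the same two lines are normal on a phone-facing access port such as FastEthernet0/2.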
 
Minus "spanning-tree portfast trunk", that's exactly how the WAP ports were configured.

The unreachable clients were statically configured (they were printers).

I'll play around with it on Monday.
 
Hmmm - I wonder if the printers have clever NICs that can see the two VLANs?
How about making sure the printer switch ports are configured with NOTHING on them except
- sw mo acc
- spanning-tree portfast?

Oh, another thing - why do the printers have static addresses? Make them use DHCP like everything else. This is the 21st Century.....
 