07-11-2025 05:46 AM
Hello,
I'm trying to configure my AP7532 access points to use them in a mesh configuration.
One root and 2-3 leaves (wireless only / as repeaters).
The config is shown below. The leaf connects to the root, but the leaf doesn't get an IP address and it's not possible to connect to the leaf with a phone or a PC. The root connection works fine and the internet connection works as well.
ROOT |
ap7532-XXXXXR(config)#show run |
! |
! Configuration of AP7532 version 7.7.1.5-003R |
! |
! |
version 2.7 |
! |
! |
! Client identity group that loads the built-in default fingerprints. |
client-identity-group default |
load default-fingerprints |
! |
! IP ACL: permits all TCP and DHCP replies (UDP source port 67 to the DHCP client port), denies NetBIOS (UDP 137-138), |
! IP multicast (224.0.0.0/4) and the 255.255.255.255 broadcast, then permits all remaining IP traffic. |
! Lower rule-precedence values presumably match first - confirm. No line in this listing applies the ACL to a WLAN or |
! interface, so whether it is in use cannot be told from here. |
ip access-list BROADCAST-MULTICAST-CONTROL |
permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic" |
permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies" |
deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios" |
deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast" |
deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast" |
permit ip any any rule-precedence 100 rule-description "permit all IP traffic" |
! |
! MAC ACL that permits IPv4 and ARP frames; no other EtherType is listed. |
mac access-list PERMIT-ARP-AND-IPv4 |
permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic" |
permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic" |
! |
! NOTE(review): `permit any` puts no source-address restriction in this SNMP access list. Together with the community |
! strings in the management policy of this same listing, SNMP is reachable from any host that can route to the AP; |
! restrict it to the management station(s). |
ip snmp-access-list default |
permit any |
! |
! Firewall policy referenced by the profile (`use firewall-policy default`). |
! Every `ip dos` event check listed below is negated with `no`, and the ip-mac conflict checks and layer-2 stateful |
! packet inspection are switched off as well, so this policy performs none of those checks. |
! NOTE(review): if they were disabled only while debugging the mesh link, re-enable them once the link works - the fix |
! accepted in this thread was a meshpoint setting, not a firewall one. Compare against a factory-default policy. |
firewall-policy default |
no ip dos smurf |
no ip dos twinge |
no ip dos invalid-protocol |
no ip dos router-advt |
no ip dos router-solicit |
no ip dos option-route |
no ip dos ascend |
no ip dos chargen |
no ip dos fraggle |
no ip dos snork |
no ip dos ftp-bounce |
no ip dos tcp-intercept |
no ip dos broadcast-multicast-icmp |
no ip dos land |
no ip dos tcp-xmas-scan |
no ip dos tcp-null-scan |
no ip dos winnuke |
no ip dos tcp-fin-scan |
no ip dos udp-short-hdr |
no ip dos tcp-post-syn |
no ip dos tcphdrfrag |
no ip dos ip-ttl-zero |
no ip dos ipspoof |
no ip dos tcp-bad-sequence |
no ip dos tcp-sequence-past-window |
no ip-mac conflict |
no ip-mac routing conflict |
no stateful-packet-inspection-l2 |
! Adjusts the TCP maximum segment size to 1400. |
ip tcp adjust-mss 1400 |
! |
! |
! Default MiNT, meshpoint-QoS, WLAN-QoS and radio-QoS policies; the WLAN QoS policy trusts DSCP and WMM markings. |
mint-policy global-default |
! |
meshpoint-qos-policy default |
! |
wlan-qos-policy default |
qos trust dscp |
qos trust wmm |
! |
radio-qos-policy default |
! |
! Client WLAN: SSID Internetz, bridged locally onto VLAN 1, CCMP encryption, SAE with a pre-shared key, and |
! protected management frames mandatory. |
wlan Internetz |
ssid Internetz |
vlan 1 |
bridging-mode local |
encryption-type ccmp |
authentication-type sae-psk |
protected-mgmt-frames mandatory |
! NOTE(review): the leading 0 presumably marks a cleartext key. The passphrase on the next line is short, guessable |
! and now published in this post; replace it with a long random one on every AP. |
wpa-wpa2 psk 0 123456789 |
! |
! Mesh definition for the root AP (`root`). Per the accepted reply in this thread, the stanza has no allowed-vlans |
! line, and adding `allowed-vlans 1` is what let the leaf obtain an IP address. |
meshpoint Netz |
meshid MESH_NETZ |
beacon-format mesh-point |
control-vlan 1 |
security-mode psk |
! NOTE(review): mesh key in cleartext form (type 0). If this is the real key rather than a masked one, rotate it on |
! root and leaf together, since it has been posted publicly. |
wpa2 psk 0 MESHPasswordxxx |
root |
! |
! |
! Management access for the AP: telnet, HTTPS, the REST server and SSH are on; plain HTTP is off. |
management-policy default |
! NOTE(review): telnet carries the admin login in cleartext; `no telnet` leaves SSH and HTTPS for management. |
telnet |
no http server |
https server |
rest-server |
ssh |
! NOTE(review): by its name this turns on weak SSH MAC algorithms, presumably for old clients - confirm it is needed. |
ssh enable-weak-mac-algo 1 |
! NOTE(review): the superuser password value below is public now that it is in this post (the leading 1 presumably |
! marks a hashed form); set a new admin password. |
user admin password 1 dusdhfhsdfje345df34 role superuser access all |
! NOTE(review): `private` and `public` are the well-known default community names, and `private` grants read-write. |
! Replace both with unique values or turn community-based SNMP off. |
snmp-server community 0 private rw |
snmp-server community 0 public ro |
! NOTE(review): both SNMPv3 users use DES and MD5 with the same cleartext (type 0) secret, which looks like a factory |
! default - TODO confirm, then change it. |
snmp-server user snmptrap v3 encrypted des auth md5 0 admin123 |
snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123 |
! |
nsight-policy default |
! |
! Device profile for AP7532 units: autoinstall of configuration and firmware, default IKE/IPsec proposals, interface |
! stanzas, and the firewall policy and client identity group in use. |
profile ap7532 default-ap7532 |
autoinstall configuration |
autoinstall firmware |
! NOTE(review): in both IKE proposals `group 2` is the 1024-bit Diffie-Hellman group and `hash sha` is presumably |
! SHA-1; both are legacy choices if any VPN actually uses these default proposals. |
crypto ikev1 policy ikev1-default |
isakmp-proposal default encryption aes-256 group 2 hash sha |
crypto ikev2 policy ikev2-default |
isakmp-proposal default encryption aes-256 group 2 hash sha |
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac |
crypto ikev1 remote-vpn |
crypto ikev2 remote-vpn |
crypto auto-ipsec-secure |
crypto load-management |
crypto remote-vpn-client |
interface radio1 |
interface radio2 |
interface ge1 |
! VLAN 1 takes its address from DHCP, with a zeroconf address as secondary. |
interface vlan1 |
ip address dhcp |
ip address zeroconf secondary |
ip dhcp client request options all |
interface pppoe1 |
use firewall-policy default |
use client-identity-group default |
logging on |
service pm sys-restart |
router ospf |
! Profile-level setting; the device stanza for this AP further down ends with `no adoption-mode`. |
adoption-mode controller |
! |
! RF domain: country code AT; both ad-wips mitigation settings (wireless and wired) are disabled. |
rf-domain default |
country-code at |
ad-wips-wireless-mitigation disable |
ad-wips-wired-mitigation disable |
use nsight-policy default |
! |
! Per-device settings for the root AP (hostname ap7532-XXXXXR), layered on the profile and RF domain named below. |
ap7532 84-24-8D-82-C2-D8 |
use profile default-ap7532 |
use rf-domain default |
hostname ap7532-XXXXXR |
! Radio 1 carries only the client WLAN. |
interface radio1 |
wlan Internetz bss 1 primary |
! Radio 2 is fixed to channel 36 and carries both the client WLAN and the meshpoint; the leaf listing in this post |
! uses the same channel. |
interface radio2 |
channel 36 |
wlan Internetz bss 2 primary |
meshpoint Netz bss 1 |
no dynamic-chain-selection |
! Wired port: access mode on VLAN 1. |
interface ge1 |
switchport mode access |
switchport access vlan 1 |
interface vlan1 |
ip address dhcp |
no shutdown |
no adoption-mode |
! |
! |
LEAF |
ap7532-XXXXXL(config)#show running-config |
! |
! Configuration of AP7532 version 7.7.1.5-003R |
! |
! |
version 2.7 |
! |
! |
! Client identity group that loads the built-in default fingerprints. |
client-identity-group default |
load default-fingerprints |
! |
! IP ACL on the leaf: all TCP and DHCP replies (UDP source port 67 to the DHCP client port) are permitted, NetBIOS |
! (UDP 137-138), IP multicast (224.0.0.0/4) and the 255.255.255.255 broadcast are denied, everything else is permitted. |
! Lower rule-precedence values presumably match first - confirm. Nothing in this listing applies the ACL anywhere. |
ip access-list BROADCAST-MULTICAST-CONTROL |
permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic" |
permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies" |
deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios" |
deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast" |
deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast" |
permit ip any any rule-precedence 100 rule-description "permit all IP traffic" |
! |
! MAC ACL that permits IPv4 and ARP frames; no other EtherType is listed. |
mac access-list PERMIT-ARP-AND-IPv4 |
permit any any type ip rule-precedence 10 rule-description "permit all IPv4 traffic" |
permit any any type arp rule-precedence 20 rule-description "permit all ARP traffic" |
! |
! NOTE(review): `permit any` leaves SNMP on the leaf open to every source address; limit it to the management |
! station(s), especially while the default community strings in this listing are in place. |
ip snmp-access-list default |
permit any |
! |
! Leaf firewall policy, referenced by the profile (`use firewall-policy default`). |
! All listed `ip dos` event checks, the ip-mac conflict checks and layer-2 stateful packet inspection are negated with |
! `no`, so none of them is active on the leaf. |
! NOTE(review): the leaf's missing IP address was resolved in this thread by a meshpoint setting; if these checks were |
! turned off for troubleshooting, restore them. Compare against a factory-default policy. |
firewall-policy default |
no ip dos smurf |
no ip dos twinge |
no ip dos invalid-protocol |
no ip dos router-advt |
no ip dos router-solicit |
no ip dos option-route |
no ip dos ascend |
no ip dos chargen |
no ip dos fraggle |
no ip dos snork |
no ip dos ftp-bounce |
no ip dos tcp-intercept |
no ip dos broadcast-multicast-icmp |
no ip dos land |
no ip dos tcp-xmas-scan |
no ip dos tcp-null-scan |
no ip dos winnuke |
no ip dos tcp-fin-scan |
no ip dos udp-short-hdr |
no ip dos tcp-post-syn |
no ip dos tcphdrfrag |
no ip dos ip-ttl-zero |
no ip dos ipspoof |
no ip dos tcp-bad-sequence |
no ip dos tcp-sequence-past-window |
no ip-mac conflict |
no ip-mac routing conflict |
no stateful-packet-inspection-l2 |
! Adjusts the TCP maximum segment size to 1400. |
ip tcp adjust-mss 1400 |
! |
! |
! Default MiNT, meshpoint-QoS, WLAN-QoS and radio-QoS policies; the WLAN QoS policy trusts DSCP and WMM markings. |
mint-policy global-default |
! |
meshpoint-qos-policy default |
! |
wlan-qos-policy default |
qos trust dscp |
qos trust wmm |
! |
radio-qos-policy default |
! |
! Client WLAN on the leaf, with the same settings as in the root listing: SSID Internetz on VLAN 1, local bridging, |
! CCMP, SAE with a pre-shared key, protected management frames mandatory. |
wlan Internetz |
ssid Internetz |
vlan 1 |
bridging-mode local |
encryption-type ccmp |
authentication-type sae-psk |
protected-mgmt-frames mandatory |
! NOTE(review): cleartext-form key (type 0, presumably), short and guessable, and now public; change it on all APs. |
wpa-wpa2 psk 0 123456789 |
! |
! Mesh definition for the leaf (`no root`). The accepted reply in this thread points out that no allowed-vlans line |
! is present; adding `allowed-vlans 1` fixed the leaf not receiving an IP address. |
meshpoint Netz |
meshid MESH_NETZ |
beacon-format mesh-point |
control-vlan 1 |
security-mode psk |
! NOTE(review): mesh key in cleartext form (type 0); if it is the real key, rotate it on root and leaf together. |
wpa2 psk 0 MESHPasswordxxx |
no root |
! |
! |
! Management access for the leaf: telnet, HTTPS, the REST server and SSH are on; plain HTTP is off. |
management-policy default |
! NOTE(review): telnet sends credentials in cleartext; `no telnet` leaves SSH and HTTPS for management. |
telnet |
no http server |
https server |
rest-server |
ssh |
! NOTE(review): by its name this turns on weak SSH MAC algorithms - confirm it is required. |
ssh enable-weak-mac-algo 1 |
! NOTE(review): same superuser password value as in the root listing, and public since this post (the leading 1 |
! presumably marks a hashed form); set a new admin password. |
user admin password 1 dusdhfhsdfje345df34 role superuser access all |
! NOTE(review): well-known default community names, with `private` read-write; replace both or turn |
! community-based SNMP off. |
snmp-server community 0 private rw |
snmp-server community 0 public ro |
! NOTE(review): DES/MD5 SNMPv3 users sharing one cleartext (type 0) secret that looks like a factory default - |
! TODO confirm, then change it. |
snmp-server user snmptrap v3 encrypted des auth md5 0 admin123 |
snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123 |
! |
nsight-policy default |
! |
! Device profile on the leaf: autoinstall of configuration and firmware, default IKE/IPsec proposals, interface |
! stanzas, and the firewall policy and client identity group in use. |
profile ap7532 default-ap7532 |
autoinstall configuration |
autoinstall firmware |
! NOTE(review): `group 2` is the 1024-bit Diffie-Hellman group and `hash sha` is presumably SHA-1; treat both IKE |
! proposals as legacy if a VPN ever relies on them. |
crypto ikev1 policy ikev1-default |
isakmp-proposal default encryption aes-256 group 2 hash sha |
crypto ikev2 policy ikev2-default |
isakmp-proposal default encryption aes-256 group 2 hash sha |
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac |
crypto ikev1 remote-vpn |
crypto ikev2 remote-vpn |
crypto auto-ipsec-secure |
crypto load-management |
crypto remote-vpn-client |
interface radio1 |
interface radio2 |
interface ge1 |
! VLAN 1 takes its address from DHCP, with a zeroconf address as secondary. |
interface vlan1 |
ip address dhcp |
ip address zeroconf secondary |
ip dhcp client request options all |
interface pppoe1 |
use firewall-policy default |
use client-identity-group default |
logging on |
service pm sys-restart |
router ospf |
! Profile-level setting; the device stanza for this AP further down ends with `no adoption-mode`. |
adoption-mode controller |
! |
! RF domain: country code AT; both ad-wips mitigation settings (wireless and wired) are disabled. |
rf-domain default |
country-code at |
ad-wips-wireless-mitigation disable |
ad-wips-wired-mitigation disable |
use nsight-policy default |
! |
! Per-device settings for the leaf AP (hostname ap7532-XXXXXL). Unlike the root listing in this post, there is no ge1 |
! stanza here and no `no shutdown` under vlan1. |
ap7532 84-24-8D-82-C5-74 |
use profile default-ap7532 |
use rf-domain default |
hostname ap7532-XXXXXL |
! Radio 1 carries only the client WLAN. |
interface radio1 |
wlan Internetz bss 1 primary |
! Radio 2 is fixed to channel 36, the same channel as in the root listing, and carries the client WLAN and the meshpoint. |
interface radio2 |
channel 36 |
wlan Internetz bss 2 primary |
meshpoint Netz bss 1 |
no dynamic-chain-selection |
! The leaf requests its VLAN 1 address over DHCP; this is the address the original post says was never obtained. |
interface vlan1 |
ip address dhcp |
no adoption-mode |
! |
! |
07-14-2025 05:36 AM
Hi Andi,
the allowed-vlans parameter is missing from your meshpoint policy.
I guess in your case it should be: allowed-vlans 1
Cheers,
Angelo
07-14-2025 11:05 PM
Hi Angelo,
that was it!
Thank you.
07-14-2025 07:08 AM - edited 07-14-2025 07:08 AM
As pointed out by Angelo,
your meshpoint policy is missing the allowed VLANs.
Once they are added, your mesh client should get an IP address.
For further mesh configuration reference, please see the guide below.
MCX_IN_VIRTUAL_CONTROLLER_ENVIRONMENTS_HTG_REV1.0_EN.pdf
07-14-2025 05:36 AM
Hi Andi,
the allowed-vlans parameter is missing from your meshpoint policy.
I guess in your case it should be: allowed-vlans 1
Cheers,
Angelo