Add guest mbssid 'tmp' to a working 1941w config

Cisco Employee

I am trying to add an isolated guest network to my router/AP. I was able to trunk VLAN 1 at the AP, but I am unable to get a DHCP address or ping the router with a manual address from SSID 'tmp' on VLAN 100.



LAR#sh run

Building configuration...


Current configuration : 5519 bytes


! Last configuration change at 20:48:47 UTC Sat Oct 17 2015 by mlar

version 15.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption


hostname LAR






logging buffered 51200 warnings


no aaa new-model

service-module wlan-ap 0 bootimage autonomous









ip dhcp excluded-address

ip dhcp excluded-address

ip dhcp excluded-address

ip dhcp excluded-address


ip dhcp pool LAR

 import all





ip dhcp pool TMP

 import all







no ip domain lookup

ip domain name lariv

ip host itxfiler

ip name-server

ip cef

ipv6 spd queue min-threshold 62

ipv6 spd queue max-threshold 63

no ipv6 cef


multilink bundle-name authenticated



crypto pki...


license accept end user agreement

license boot module c1900 technology-package securityk9

license boot module c1900 technology-package datak9

hw-module ism 0




username mlar privilege 15 secret 5 ...
















interface Embedded-Service-Engine0/0

 no ip address



interface GigabitEthernet0/0

 description " *** LAN ACCESS PORT *** "

 no ip address


 duplex auto

 speed auto


interface wlan-ap0

 description " *** AP MGMT *** "

 ip unnumbered Vlan1

 arp timeout 0

 no mop enabled

 no mop sysid


interface GigabitEthernet0/1

 description " *** WAN DHCP ***

 ip ddns update hostname

 ip ddns update no-ip

 ip address dhcp hostname lar

 ip nat outside

 ip virtual-reassembly in

 duplex auto

 speed auto


interface Wlan-GigabitEthernet0/0

 description " *** BUILTIN 3502 AP *** "

 switchport mode trunk

 no ip address


interface GigabitEthernet0/1/0

 description " *** LAN ACCESS PORT *** "

 no ip address


interface GigabitEthernet0/1/1

 description " *** LAN ACCESS PORT *** "

 no ip address


interface GigabitEthernet0/1/2

 description " *** LAN ACCESS PORT *** "

 no ip address


interface GigabitEthernet0/1/3

 description " *** LAN ACCESS PORT *** "

 no ip address

 power inline never


interface GigabitEthernet0/1/4

 description " *** LAN ACCESS PORT *** "

 no ip address


interface GigabitEthernet0/1/5

 description " *** LAN ACCESS PORT *** "

 no ip address


interface GigabitEthernet0/1/6

 description " *** NAS 2x GE LACP *** "

 no ip address


 no cdp enable


interface GigabitEthernet0/1/7

 description " *** NAS 2x GE LACP *** "

 no ip address

 no cdp enable


interface Vlan1

 ip address

 ip nat inside

 ip virtual-reassembly in


interface Vlan100

 description TMP

 ip address

 ip nat inside

 ip virtual-reassembly in

 no autostate


ip forward-protocol nd


no ip http server

ip http access-class 1

ip http authentication local

no ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000


ip nat inside source list 1 interface GigabitEthernet0/1 overload

ip nat inside source static tcp 51413 interface GigabitEthernet0/1 51413

ip nat inside source static udp 51413 interface GigabitEthernet0/1 51413



route-map INCOMING permit 10

 match ip address 199



access-list 1 permit






line con 0

 login local

line aux 0

line 2

 no activation-character

 no exec

 transport preferred none

 transport output ssh

 stopbits 1

line 67

 no activation-character

 no exec

 transport preferred none

 transport input ssh

 transport output ssh

line vty 0 4

 access-class 1 in

 privilege level 15

 login local

 transport input ssh

line vty 5 15

 access-class 1 in

 privilege level 15

 login local

 transport input ssh


scheduler allocate 20000 1000



LAR#sh vlans


No Virtual LANs configured.


LAR#sh vlan-switch 


VLAN Name                             Status    Ports

---- -------------------------------- --------- -------------------------------

1    default                          active    Gi0/1/0, Gi0/1/1, Gi0/1/2, Gi0/1/3, Gi0/1/4, Gi0/1/5, Gi0/1/6, Gi0/1/7

1002 fddi-default                     act/unsup 

1003 token-ring-default               act/unsup 

1004 fddinet-default                  act/unsup 

1005 trnet-default                    act/unsup 


VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

1    enet  100001     1500  -      -      -        -    -        1002   1003

1002 fddi  101002     1500  -      -      -        -    -        1      1003

1003 tr    101003     1500  1005   0      -        -    srb      1      1002

1004 fdnet 101004     1500  -      -      1        ibm  -        0      0   

1005 trnet 101005     1500  -      -      1        ibm  -        0      0



local.ap#sh run                

Building configuration...


Current configuration : 3584 bytes


version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption


hostname local.ap


logging rate-limit console 9

enable secret 5 $1$8CzD$PqkVaQHWA.tZ6F078QUgs/

enable password 7 073C71405D5A09


no aaa new-model

no ip source-route

ip domain name lariv



dot11 syslog


dot11 ssid lar

   vlan 1

   authentication open 

   authentication key-management wpa version 2

   mbssid guest-mode

   wpa-psk ascii 7 03075A0D031D204F4B1B


dot11 ssid tmp

   vlan 100

   authentication open 

   authentication key-management wpa version 2

   mbssid guest-mode

   wpa-psk ascii 7 111D1C16031C0E18557878




username mlar privilege 15 password 7 ...



bridge irb



interface Dot11Radio0

 no ip address

 no ip route-cache


 encryption mode ciphers aes-ccm tkip 


 encryption vlan 100 mode ciphers aes-ccm tkip 


 encryption vlan 1 mode ciphers aes-ccm tkip 


 ssid lar


 ssid tmp


 antenna gain 0


 speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.

 station-role root

 beacon period 1000


interface Dot11Radio0.1

 encapsulation dot1Q 1 native

 no ip route-cache

 bridge-group 1

 bridge-group 1 block-unknown-source

 no bridge-group 1 source-learning

 no bridge-group 1 unicast-flooding


interface Dot11Radio0.100

 encapsulation dot1Q 100

 no ip route-cache

 bridge-group 100

 bridge-group 100 block-unknown-source

 no bridge-group 100 source-learning

 no bridge-group 100 unicast-flooding

 bridge-group 100 spanning-disabled


interface Dot11Radio1

 no ip address

 no ip route-cache


 encryption mode ciphers aes-ccm tkip 


 encryption vlan 100 mode ciphers aes-ccm tkip 


 encryption vlan 1 mode ciphers aes-ccm tkip 


 ssid lar


 antenna gain 0

 dfs band 3 block

 speed  basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.

 channel dfs

 station-role root

 beacon period 1000


interface Dot11Radio1.1

 encapsulation dot1Q 1 native

 no ip route-cache

 bridge-group 1

 bridge-group 1 subscriber-loop-control

 bridge-group 1 block-unknown-source

 no bridge-group 1 source-learning

 no bridge-group 1 unicast-flooding

 bridge-group 1 spanning-disabled


interface Dot11Radio1.100

 encapsulation dot1Q 100

 no ip route-cache

 bridge-group 100

 bridge-group 100 subscriber-loop-control

 bridge-group 100 block-unknown-source

 no bridge-group 100 source-learning

 no bridge-group 100 unicast-flooding

 bridge-group 100 spanning-disabled


interface GigabitEthernet0

 description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router

 no ip address

 no ip route-cache

 no keepalive

 bridge-group 1

 no bridge-group 1 source-learning

 bridge-group 1 spanning-disabled


interface GigabitEthernet0.100

 encapsulation dot1Q 100

 no ip route-cache

 no keepalive

 bridge-group 100

 no bridge-group 100 source-learning

 bridge-group 100 spanning-disabled


interface BVI1

 ip address

 no ip route-cache


ip default-gateway

no ip http server

no ip http secure-server

bridge 1 protocol ieee

bridge 1 route ip

bridge 100 protocol ieee




line con 0

 privilege level 15

 login local

 no activation-character

line vty 0 4

 login local

 transport input all


cns dhcp



3 Replies


I do not see vlan 100 on LAR. Did you create it?

Create BVI100 on Local.ap and ping to make sure your trunk works properly. Then delete it.

interface BVI100
 ip address
 no ip route-cache


If I understood correctly, your wireless users connect to local.ap and then go on LAR to access internet. It would be more clear if you share your topology.
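
The check raised in the reply above (LAR has an `interface Vlan100` SVI, but `sh vlan-switch` lists no VLAN 100) as a small offline audit; this is an added example, not part of the original thread. The sample strings are excerpts of the outputs posted above, and the function names are hypothetical.

```python
import re
# Excerpts of the outputs posted in this thread (trimmed to the relevant lines).
SHOW_VLAN_SWITCH = """\
VLAN Name                             Status    Ports
1    default                          active    Gi0/1/0, Gi0/1/1, Gi0/1/2, Gi0/1/3, Gi0/1/4, Gi0/1/5, Gi0/1/6, Gi0/1/7
1002 fddi-default                     act/unsup
VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
1    enet  100001     1500  -      -      -        -    -        1002   1003
"""
ROUTER_CONFIG = """\
interface Vlan1
interface Vlan100
 description TMP
"""
AP_CONFIG = """\
dot11 ssid lar
   vlan 1
dot11 ssid tmp
   vlan 100
"""

def active_vlans(show_output):
    """VLAN IDs with status 'active' in the first table of 'sh vlan-switch'."""
    return {int(v) for v in re.findall(r"^(\d+)[ \t]+\S+[ \t]+active\b", show_output, re.M)}

def svi_vlans(config):
    """VLAN IDs that have an 'interface VlanN' SVI in the router config."""
    return {int(v) for v in re.findall(r"^interface Vlan(\d+)\s*$", config, re.M)}

def ssid_vlans(ap_config):
    """Map each 'dot11 ssid' name to the VLAN configured beneath it."""
    result, ssid = {}, None
    for line in ap_config.splitlines():
        if m := re.match(r"dot11 ssid (\S+)", line):
            ssid = m.group(1)
        elif ssid and (m := re.match(r"\s+vlan (\d+)", line)):
            result[ssid] = int(m.group(1))
    return result

def audit(show_output, router_config, ap_config):
    """List VLANs that an SVI or SSID references but the VLAN database lacks."""
    db = active_vlans(show_output)
    findings = [f"SVI Vlan{v} has no VLAN {v} in the switch VLAN database"
                for v in sorted(svi_vlans(router_config) - db)]
    findings += [f"SSID '{s}' maps to VLAN {v}, which is not in the router's VLAN database"
                 for s, v in sorted(ssid_vlans(ap_config).items()) if v not in db]
    return findings

print("\n".join(audit(SHOW_VLAN_SWITCH, ROUTER_CONFIG, AP_CONFIG)))
```

Both findings point at VLAN 100; the audit returns an empty list once the `sh vlan-switch` output contains an active VLAN 100 row.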


LAR is management and internet traffic for the server/IT network.


TMP is the isolated guest network that should only be able to reach port 53.


BVI100 fails to respond to ping.

Cisco Employee

LAR is my management network (vlan1), which is used only by me to get to the internet.

There is a caching dns server sitting on this network the router uses.

I get dhcp lease for

Can access everything


The TMP SSID (vlan100) is supposed to have isolated access only to the internet.

Manual ip of does not respond to ping.

AP responds to ping, but traceroute shows it's going through (BVI1?).

It was to my understanding that I do not want a BVI on that network for better security?