Thank you for your help.  I am using Autonomous access points.

I have already read the example you reference.  You will note that it does the bridging using a separate MLS switch running IOS. My question was how to do the bridging using the Aironet AP.

I don't have VLANs set up anywhere else in my network.  I don't have Cisco switches at the network core.

Back to my question: can the bridging be done at the Access Point?  Can you re-write the example you reference so that it does not require the additional piece of equipment to do the bridging?

Thank you.

I made these changes to the example here:

https://supportforums.cisco.com/document/55561/multiple-ssid-multiple-vlans-configuration-example-cisco-aironet-aps

and it seems to be working.  (By "working" I mean that I can now ping to/from devices connected on different SSIDs.) I had to make these changes from the CLI.  There does not seem to be a way to make these changes from the GUI.  Is that correct? If there is a way to make these changes from the GUI please let me know.

The changes I made were to make the sub interface for Dot11 radio 0 on the VLANs part of bridge-group 1.  So assuming the config in the example:

ap(config)#interface Dot11Radio0.2
ap(config-subif)#no bridge-group 2
ap(config-subif)#bridge-group 1
ap(config-subif)#exit
ap(config)#interface Dot11Radio0.3
ap(config-subif)#no bridge-group 3
ap(config-subif)#bridge-group 1
ap(config-subif)#exit

I did not change the bridge group on the Ethernet interface.

Questions:

1. Did I create any new problems making this change? It seems to work, but am I going to get myself in trouble somewhere else?  Intuitively it makes sense to me: the VLANs are now part of the same bridge group (1, the native VLAN).  So all traffic should be bridged together.  Correct?

2. I didn't change the Ethernet sub interfaces.  I don't seem to need to make that change.  I also don't like things sitting out there that I don't understand.  Should I do anything to clean up the Ethernet interfaces?

3. The original configuration was made entirely from the GUI.  This change needs to be made from the CLI.  Can it be done from the GUI?  I can't seem to find a way to change bridge groups for a sub interface from the GUI. It worried me that it can't be done from the GUI.

Thank you.

Larry

I a previous post you're speaking about MLS switching: so you

don't need bridging, you need routing between different subnets.

The problem is, APs (and WLCs!) can not route, they're basically

switches between air and copper.

If you squeeze different bridge groups on the same one, you are

putting different corresponding subnets on the same L2 domain,

also called VLAN :-)

Though, you still need your IP packets to be routed between your

subnets and it cannot work without an MLS or an L3 device.

My suggestion is to go back to a clean config with different bridge

groups, i dont think you can get rid of your MLS.

I think the only L3 interface (bvi) is only there for control plane purposes

such as VTY, AAA, and so on, i dont think it will ever learn MAC/IP

addresses and forward traffic.

fp

You are confused.  I don't have subnets.

Setting the bridge groups to the same group worked because the AP is a Layer 3 bridge.

Someone else must have a configuration like this.  It's just multiple SSIDs

FYI, it's easy to set this up on Netgear devices.  Not sure why it's so difficult to configure on the Cisco Aironet.

Thanks.

If you dont have subnets, you clearly dont have ip addresses:

so why are you making references to layer 3?

Furthermore, if you want to put different bridge groups (vlans)

in communication beween themselves, why dont you just use only one?

fp

> Furthermore, if you want to put different bridge groups (vlans) in

> communication beween themselves, why dont you just use only one?

You missed the whole point of my question. I need multiple SSIDs because I have physical devices that require different WiFi security settings.  The devices have limitations in their WiFi capabilities. The only way to do this on a Cisco Aironet is to assign a VLAN per SSID.  That is a limitation of how the Cisco Aironet can be configured.

Unfortunately, I then need to bridge the VLANs.  Assigning all the VLANs to the same bridge-group seems to be the way to go.

Yes, I could create multiple subnets, and then route the subnets. I shouldn't need to.  (Even the example from Cisco shows the VLANs being bridged, just at the Ethernet switch, not at the AP.)

Do you mind posting your config stripping sensitive infos such as passw. and PSKs?