
How to set up multi-WLAN on Cisco 1811 router?

jun.gao
Level 1

Cisco1811.gif

Description of production environment:

As you can see in the diagram, at present there is a VoIP VLAN (10.250.15.0/24), an Office LAN (10.131.1.0/24), and an SSID1 WLAN (192.168.131.0/24) connected to the Cisco 1811 router. I'd like to add an SSID2 WLAN without any equipment. I wonder whether the SSID2 WLAN is able to join the Office LAN, just like connecting a physical AP with SSID2 to the Cisco Catalyst 2960 switch. That is, I hope the SSID2 WLAN will be in the same subnet as the Office LAN (10.131.1.0/24). I don't know whether it is possible.

Have tried in simulation:

Because of the distance, it is not a good idea to do a configuration test on the physical equipment remotely. Instead, I did some tests with Cisco Packet Tracer (v5.3.0.0088). However, it seems there is no Cisco 1811 sample in the Routers category of CPT, so I tested with the Cisco 1841 sample. I set up dot11 ssid SSID1 and int dot0/1/0, fa0/0, fa0/1 as in the production environment. Then I added dot11 ssid SSID2. When I tried to set up ssid SSID2 under int f0/1, the system said there is no ssid command. Then I tried to set up ssid SSID2 under dot0/1/1; the setup was successful, but I was unable to find SSID2 on the laptop sample, only SSID1 could be found. At that point I had another thought: how could the SSID2 WLAN be in the same subnet as the Office LAN (10.131.1.0/24) even if SSID2 could be found? It seemed that int dot0/1/1 was in route mode with int fa0/1, not bridge mode. Actually, I want bridge mode; route mode is not convenient. I want the SSID2 WLAN to be in the same subnet as the Office LAN (10.131.1.0/24). From a business point of view, the SSID2 WLAN is the same as the Office LAN (10.131.1.0/24). From a technical point of view, there will be a new subnet if route mode is used. I have to reconfigure EIGRP on this Cisco 1811 and add routing entries on some other routing devices that do not use dynamic routing. There are still some devices using static routes on our network.

version info of my Cisco 1811:

Cisco1811#sh ver
Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(15)T5, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Wed 30-Apr-08 12:09 by prod_rel_team
ROM: System Bootstrap, Version 12.3(8r)YH12, RELEASE SOFTWARE (fc1)
shan-router uptime is 1 day, 8 hours, 29 minutes
System returned to ROM by power-on
System image file is "flash:c181x-advipservicesk9-mz.124-15.T5.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 1811W (MPC8500) processor (revision 0x400) with 118784K/12288K bytes of memory.
Processor board ID FHK122320AV, with hardware revision 0000
10 FastEthernet interfaces
1 Serial interface
1 terminal line
2 802.11 Radios
31808K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102

running-config info of my Cisco 1811:

Cisco1811#sh run
Building configuration...

Current configuration : 5916 bytes
!
version 12.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco1811
!
boot-start-marker
boot-end-marker
!
enable secret 5 !@~#$%^&*(&*^@~%@$*#*#$@
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login SSH local
aaa authorization exec default local
!
!
aaa session-id common
!
!
dot11 syslog
!
dot11 ssid SSID1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 0 !#@Y!&^$(!%#
!
!
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool wireless-pool
   network 192.168.131.0 255.255.255.0
   default-router 192.168.131.1
   domain-name sample.com
   dns-server 202.96.209.133
!
!
ip domain name sample.com
ip name-server 10.127.1.16
ip name-server 10.127.1.17
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username user1 privilege 15 password 0 !%&*&#^&$
username user2 privilege 15 secret 5 !^@*&$^*%^(&Y(@*%*Q#@!
username user3 privilege 15 secret 5 ^*&#@RQHYR*(!&#$(!Y
username user4 privilege 15 secret 5 *(&AHIU^&@T$*!Y*Y(~~@&$*(
username user5 privilege 15 secret 5 &*(^!*#^$*%Y*(!RHY*(!#(!#@!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key Shanghai-To-Fremont address 204.154.x.x
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
! Incomplete
description Tunnel to204.154.x.x
set transform-set ESP-3DES-SHA
!
archive
log config
  hidekeys
!
!
bridge irb
!
!
!
interface FastEthernet0
description $ETH-LAN$$FW_OUTSIDE$
ip address 222.66.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet1
description $ETH-LAN$$FW_INSIDE$
ip address 10.131.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
switchport access vlan 250
!
interface FastEthernet7
switchport access vlan 250
!
interface FastEthernet8
switchport access vlan 250
!
interface FastEthernet9
switchport access vlan 250
!
interface Dot11Radio0
ip address 192.168.131.1 255.255.255.0
ip access-group 105 in
ip nat inside
ip virtual-reassembly
!
encryption mode ciphers tkip
!
ssid SSID1
!
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
channel 2447
station-role root
!
interface Dot11Radio1
no ip address
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
no ip address
!
interface Vlan250
description VLAN 250 to VoIP LAN
ip address 10.250.15.1 255.255.255.0
ip helper-address 10.131.1.4
!
interface Async1
no ip address
encapsulation slip
!
router eigrp 20
redistribute connected
network 10.131.1.0 0.0.0.255
network 10.250.15.0 0.0.0.255
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 222.66.62.241
ip route 204.154.x.x 255.255.255.224 222.66.x.x
ip route 204.154.x.x 255.255.255.255 222.66.x.x
ip route 204.154.x.x 255.255.255.255 222.66.x.x
ip route 204.154.x.x 255.255.255.192 222.66.x.x
ip route 204.154.x.x 255.255.255.255 222.66.x.x
ip route 204.154.x.x 255.255.255.255 222.66.x.x
ip route 204.154.x.x 255.255.255.255 222.66.x.x
!
ip flow-cache timeout active 1
ip flow-export source FastEthernet1
ip flow-export version 5
ip flow-export destination 10.127.6.119 2055
!
no ip http server
no ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
access-list 10 deny   204.154.x.x 0.0.0.31
access-list 10 deny   204.154.x.x 0.0.0.31
access-list 10 permit any
access-list 101 remark IPSec Rule
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 10.131.1.0 0.0.0.255 10.127.0.0 0.0.255.255
access-list 101 permit ip 10.131.1.0 0.0.0.255 204.154.x.0 0.0.0.255
access-list 101 permit ip 10.131.1.0 0.0.0.255 204.154.x.0 0.0.0.255
access-list 101 permit ip 10.131.1.0 0.0.0.255 204.154.x.0 0.0.0.255
access-list 101 permit ip 10.131.1.0 0.0.0.255 204.154.x.0 0.0.0.255
access-list 101 permit ip 10.131.1.0 0.0.0.255 204.154.x.0 0.0.0.255
access-list 101 permit ip 10.131.1.0 0.0.0.255 204.154.x.0 0.0.0.255
access-list 101 permit ip 10.131.1.0 0.0.0.255 204.154.x.0 0.0.0.255
access-list 101 permit ip 10.131.1.0 0.0.0.255 10.129.0.0 0.0.255.255
access-list 104 deny   ip 10.131.1.0 0.0.0.255 10.127.0.0 0.0.255.255
access-list 104 deny   ip 10.131.1.0 0.0.0.255 204.154.x.0 0.0.0.255
access-list 104 deny   ip 10.131.1.0 0.0.0.255 204.154.x.0 0.0.0.255
access-list 104 deny   ip 10.131.1.0 0.0.0.255 204.154.x.0 0.0.0.255
access-list 104 deny   ip 10.131.1.0 0.0.0.255 204.154.x.0 0.0.0.255
access-list 104 deny   ip 10.131.1.0 0.0.0.255 204.154.x.0 0.0.0.255
access-list 104 deny   ip 10.131.1.0 0.0.0.255 204.154.x.0 0.0.0.255
access-list 104 deny   ip 10.131.1.0 0.0.0.255 204.154.x.0 0.0.0.255
access-list 104 permit ip 10.131.1.0 0.0.0.255 any
access-list 104 permit ip 192.168.131.0 0.0.0.255 any
access-list 105 deny   ip 192.168.131.0 0.0.0.255 10.131.1.0 0.0.0.255
access-list 105 permit ip any any
access-list 105 deny   ip 192.168.131.0 0.0.0.255 192.168.54.0 0.0.0.255
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 104
!
route-map blockip permit 10
match ip address 10
!
!
!
!
control-plane
!
!
line con 0
logging synchronous
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
login authentication SSH
line vty 0 4
password !@#$%
logging synchronous
line vty 5 15
logging synchronous
!
end

1 Reply

PETER EIJSBERG
Level 1

It should be possible (since it works on almost all Cisco APs as well), but you would have to configure "mbssid" under interface dot11radio0. This example should help:

http://www.cisco.com/en/US/partner/docs/routers/access/1800/wireless/configuration/guide/s37ssid.html

Remember that you need IRB (integrated routing and bridging) to make this work, so move the IP addresses from the physical Ethernet to a BVI interface.

Hope it helps
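
One way the reply's advice (mbssid on Dot11Radio0, IRB, addresses moved to BVIs) could look against the posted running-config, as an added example that is not part of either post or of Cisco's guide. The VLAN IDs 1 and 2, the bridge-group numbers, the `<...-PSK>` placeholders and the AES cipher for SSID2 are assumptions, and the fragment has not been validated on 12.4(15)T5.

```cisco
! Added example: VLAN IDs, bridge groups and PSK placeholders are assumptions.
bridge irb
dot11 ssid SSID1
   vlan 1
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 0 <SSID1-PSK>
!
dot11 ssid SSID2
   vlan 2
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 0 <SSID2-PSK>
!
interface Dot11Radio0
 no ip address
 mbssid
 encryption vlan 1 mode ciphers tkip
 ! aes-ccm for SSID2 is an assumption; the posted config uses tkip for SSID1
 encryption vlan 2 mode ciphers aes-ccm
 ssid SSID1
 ssid SSID2
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
!
interface FastEthernet1
 no ip address
 bridge-group 2
!
interface BVI1
 ip address 192.168.131.1 255.255.255.0
 ip access-group 105 in
 ip nat inside
!
interface BVI2
 ip address 10.131.1.1 255.255.255.0
 ip nat inside
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
```

With this layout SSID2 clients sit directly on 10.131.1.0/24, so access-list 105, which only filters traffic sourced from 192.168.131.0/24, no longer separates them from the Office LAN. `ip flow-export source FastEthernet1` in the posted config would also point at an interface that no longer holds an IP address.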
