cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
224744
Views
41
Helpful
53
Comments
Surendra BG
Cisco Employee
Cisco Employee

 

 

Introduction

Configuration example using multiple VLANs with multiple SSIDs

Components used

  • Any MLS switch which runs IOS
  • Aironet Access Points

Assumption

I assume that you have configured the DHCP pool on the IOS switch or the Router or on the dedicated DHCP server.

Design

Assuming we have 3 VLANs (1,2 and 3) with native as 1 and mapping to 3 different SSIDs (one , two and three) on any Aironet Access Points.

  • SSID ONE uses WEP encryption
  • SSID TWO uses WPA-PSK
  • SSID THREE uses WPA-2-PSK
  • Assuming the AP Ethernet port is connected to fa 2/1 port of the switch.
  • Broadcasting all the 3 SSIDs.

Configuration on the AP - Step 1

>> Configure the SSID and Map it to respective VLANS..

Enable
Conf t
Dot11 ssid one
Vlan 1
Authentication open
Mbssid Guest-mode
End
Enable
Conf t
Dot11 ssid two
Vlan 2
  authentication open
  authentication key-management wpa
  wpa-psk ascii 7 <WPA key>
Mbssid Guest-mode
End
Enable
Conf t
Dot11 ssid three
Vlan 3
authentication key-management wpa version 2
wpa-psk ascii 7 <WPA key>
Mbssid Guest-mode
End

 

Step 2 - Assigning the Encryption to different SSIDs with respective VLANs

Enable
Int dot11 0
Mbssid
ssid one
ssid two
ssid three
encryption vlan 1 mode wep mandatory
encryption vlan 1 key 1 size 40bit <10bit key>
encryption vlan 2 mode ciphers tkip
encryption vlan 3 mode ciphers aes-ccm

Step 3 - Configuring the sub interface for Dot11 radio 0 and Ethernet.

AP# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
AP(config)# interface Dot11Radio0.1
AP(config-subif)# encapsulation dot1Q 1 native
AP(config-subif)#bridge group 1
AP(config-subif)# interface FastEthernet0.1
AP(config-subif)#bridge group 1
AP(config-subif)# encapsulation dot1Q 1 native
AP(config-subif)# end
AP# write memory
AP(config)# interface Dot11Radio0.2
AP(config-subif)# encapsulation dot1Q 2
AP(config-subif)#bridge group 2
AP(config-subif)# interface FastEthernet0.2
AP(config-subif)#bridge group 2
AP(config-subif)# encapsulation dot1Q 2
AP(config-subif)# end
AP# write memory
AP(config)# interface Dot11Radio0.3
AP(config-subif)# encapsulation dot1Q 3
AP(config-subif)#bridge group 3
AP(config-subif)# interface FastEthernet0.3
AP(config-subif)#bridge group 3
AP(config-subif)# encapsulation dot1Q 3
AP(config-subif)# end
AP# write memory
AP(config)#bridge irb
Ap(config)# bridge 1 route ip
Ap(config)# end
Ap#wr

Configuration on the Switch

en
conf t
int fa 2/1
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1,2,3
end

Step 4 - Verification

On the AP issue the command “show dot11 associations” and you need to see all the 3 SSIDs

ap#show dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [one] :
SSID [two] :
SSID [three] :

 

2.  Try pinging from the AP to the Switch VLAN interface, you should be able to ping.

MANAGING THE AP WITH MANAGEMENT IP ADDRESS

This is done by assigning the IP address to the BVI interface of the AP, that is.

Enable
Conf t
Int bvi 1
Ip address <ip address> <mask>
No shut
End

 

Verify

Issue the command “show ip int br” on the AP and check if all the interfaces are up and running.

This is it!!

PS :

Video as well on the same

multiple SSID.bmp

 

I have attached the Sample working Config from the Switch and the AP for 2 SSIDs.

 

Comments
freemanslim
Community Member

I tried to configure two Cisco 1410s as point to point , one as root and the other as non root with multiple SSIDs/vlans. However, as soon as I configure a subinterface, my dot11radio interface goes down.

Any thoughts would be greatly appreciated. here's my config:

 

 ip domain name VAUG-RAP-01
dot11 ssid RAP01-BAP01-1

   vlan 1
!
dot11 ssid RAP01-BAP01-2
   vlan 2
!
dot11 ssid RAP05-BAP05-800

 

vlan 800
   authentication open

 

ip domain name VAUG-RAP-01
!
!
!
dot11 ssid RAP01-BAP01-1
   vlan 1
!
dot11 ssid RAP01-BAP01-2
   vlan 2
!
dot11 ssid RAP05-BAP05-800

dot11 ssid RAP01-BAP01-801
   vlan 801
!
dot11 ssid RAP01-BAP01-802
   vlan 802
!
dot11 ssid RAP01-BAP02-2
   vlan 2

bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 800 mode ciphers tkip
 !
 ssid RAP01-BAP01-1
 !
 ssid RAP01-BAP01-2
 !
 ssid RAP01-BAP01-800
 !
 ssid RAP01-BAP01-801
 !
 ssid RAP01-BAP01-802
 !
 channel 5745
 station-role root bridge
 rts threshold 4000
 concatenation
 infrastructure-client
!
interface Dot11Radio0.1
 encapsulation dot1Q 800 native
 no ip route-cache
 bridge-group 1
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
!
interface Dot11Radio0.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
!
interface Dot11Radio0.101
 encapsulation dot1Q 801
 no ip route-cache
 bridge-group 101
!
interface Dot11Radio0.102
 encapsulation dot1Q 802
 no ip route-cache
 bridge-group 102
!
interface FastEthernet0
 no ip addressexit


 no ip route-cache
!
interface FastEthernet0.1
 encapsulation dot1Q 800 native
 no ip route-cache
 bridge-group 1
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
!
interface FastEthernet0.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
!
interface FastEthernet0.101
 encapsulation dot1Q 801
 no ip route-cache
 bridge-group 101
!
interface FastEthernet0.102
 encapsulation dot1Q 802
 no ip route-cache
 bridge-group 102
!
interface BVI1
 ip address 10.74.20.61 255.255.255.192
 no ip route-cache
!
ip default-gateway 10.74.20.1

 

 

Carlos Leiton
Level 1
Level 1

Hello freemanslim

Well, you have too many SSIDs configured.

For a P2P bridge link, only one SSID is needed, I suggest you to remove all except the one from VLAN 800.

According to your configuration, the IP on your BVI is 10.74.20.61, and this should belong to  VLAN 800. So the SSID that you need to create, should belong to VLAN 800.

You need at least to configure the SSID with: "authentication open" and my recommendation add it some encryption to it.
Right now, you do have encryption on the radio for VLAN 800, but you do not have WPA configured on the SSID, therefore this is why the radio is not starting (plus the fact of all the unneeded SSIDs)

However, you do need the subinterfaces on the Radio interface and on the FastEthernet interfaces. The SSID will act as a trunk and will carry all the VLANs between the two bridges using only one SSID.

Let me know if this helps

Great article! 

I am configuring an aironet device for 1st time (1602i here).

I managed to configure everything (and everything works) except I cant access the device, I am managing it thru line con 0.

I have configured VLAN 10 as management VLAN in my network, so I configured BVI int in that ip range.

So, my question is, what should I create for VLAN 10 (int ge0.10, dot11 ssid, dot11radio 0.10) ???

Should VLAN 10 be the native vlan??

and if I create all those under route-bridge 10, should I configure bridge 10 route ip ???

thanks,

 

thanks 

Carlos Leiton
Level 1
Level 1

Hi Pepi Stojanovski,

You could be talking about two different issues. According to your notes you can't access the AP through line con 0 (console session). The configuration of the subinterfaces or VLANs should not affect the accessibility of the device through console, the only thing that could prevent you to access Console, is if you lost the password. Try with different terminal software (Like Putty or SecureCRT)

 

For the VLANs, if you add VLAN support, you do need to create  ge0.10 and dot11radio 0.10, and these needs to be on bridge-group 1 with native vlan 10.

No bridge 10 route ip is needed, in fact on an access point, even with multiple VLANs and bridge-groups, the only really needed is bridge 1 route ip.

 

Hope this helps

 

Hi Carlos, 

thanks for the help : )

in fact, I am able to access the device only thru line con 0.

 

I'll try with the vlan's config and let you know!

 

 

Carlos,

I just forgot to config the trunk port on the switch with VLAN 10 as native : )

all good now,

 

thanks!

Essam H
Level 1
Level 1

I have Cisco AP Aironet 1100 and I have 5 vlans in my network as the fallowing:

vlan101 with name (APmangm101)
vlan4 with name (Voice4)
vlan6 with name (User6)
vlan8 with name (inter8)

and vlan100 is native vlan

step1
I configured the SSID and Map it to respective VLANs (vlan4,vlan6,vla8)as the fallowing:

Dot11 ssid Voice4
vlan 4
authentication open
authentication key-managment wpa
wpa-psk ascii admin4444
mbssid guest-mode
exit

Dot11 ssid User6
vlan 6
authentication open
authentication key-managment wpa
wpa-psk ascii admin666
mbssid guest-mode
exit

Dot11 ssid inter8
vlan8
authentication open
authentication key-managment wpa
wpa-psk ascii admin888
mbssid guest-mode
exit

Step 2
Assigning the encryption to different SSIDs with repective Vlans.


int dot11Radio 0
mbssid
encryption vlan 4 mode ciphers aes-ccm
encryption vlan 6 mode ciphers aes-ccm
encryption vlan 8 mode ciphers aes-ccm
ssid Voice4
ssid User6
ssid inter8

Step 3
Configuring the sub interface for Dot11 radio 0 and Ethernet

interface Dot11Radio0.100
encapsulation dot1Q 100 native
bridge-group 100
exit

interface fastethernet0.100
bridge-group 100
encapsulation dot1Q 100 native
exit


interface Dot11Radio0.101
encapsulation dot1Q 101
bridge-group 101
exit


interface fastethernet0.101
bridge-group 101
encapsulation dot1Q 101
exit


interface Dot11Radio0.4
encapsulation dot1Q 4
bridge-group 4
exit


interface fastethernet0.4
bridge-group 4
encapsulation dot1Q 4
exit


interface Dot11Radio0.6
encapsulation dot1Q 6
bridge-group 6
exit


interface fastethernet0.6
bridge-group 6
encapsulation dot1Q 6
exit

interface Dot11Radio0.8
encapsulation dot1Q 8
bridge-group 8
exit


interface fastethernet0.8
bridge-group 8
encapsulation dot1Q 8
exit

bridge irb
bridge 1 route ip
exit


Step 4
Configuration on the switch

int g1/0/3
switchport mode trunk
switchport trunk native vlan 100
switchport trunk allowed vlan 100,101,4,6,8
exit

=======================================================
My question:
1-The AP is work with Multi SSID and I can connect to any SSID and and do ping to any network, but when try to do ping to AP's IP management (172.16.101.20) I can't do it and can't access ass webpage to AP?
2-whene I type this command (At the bottom) the AP is disconnect and I can't ping to it even reload it by manually:

 interface fastethernet0.100
 bridge-group 100

why it disconnect?
 
Note:
interface BVI1
 ip address 172.16.101.20 255.255.255.0


 ip default-gateway 172.16.101.254

 

Carlos Leiton
Level 1
Level 1

Hello Essam,

I know what the problem is, usually when you configure an access point, the main interface of the AP is interface BVI1, and the IP address 172.16.101.20 according to your description, belongs to VLAN 100.

This means, that BVI1 is going to be mapped to VLAN 100.

BVI1 literally means Bridge Virtual Interface 1, in other words, means bridge-group 1.

interface Dot11Radio0.100
encapsulation dot1Q 100 native
bridge-group 100

So when you state above on the subinterface the native VLAN 100 belongs to bridge-group 100, mainly you are locking up the AP. Because it is not being mapped to BVI1, it is being mapped to BVI100.
I know that BVI100 does not exist and does not need to be configured, but it is the same as saying bridge-group 100
The only interface that needs an IP address on an autonomous AP is the BVI1, therefore the native VLAN should always be mapped to this interface. BVI1 = bridge-group 1

In other words, the configuration should look like this:

interface Dot11Radio0.100
encapsulation dot1Q 100 native
bridge-group 1

 

This needs to be modified in both the radio and fastethernet interface.

Try this and let me know if this works.

 

Essam H
Level 1
Level 1

Thank you so match  Carlos Leiton and everything is OK now

But according to the configuration if i need to use AP's IP on [vlan101 with name (APmangm101)] and not in same vlan 100 (native vlan) , What is suitable configuration to do it? because with my configuration (I told you) I can connect to any SSID and and do ping to any network, but when try to do ping to AP's IP management (172.16.101.20) I can't do it and can't access ass webpage to AP?

In other word , If I need to keep vlan 100 is native vlan , but the management IP of AP in vlan 101, How can I configure it?.

Carlos Leiton
Level 1
Level 1

If we talk about the old school, the native vlan should always be mapped to the BVI1 interface.
Therefore, if you want VLAN100 to be the native, then you should map it to bridge-group 1.
But if you allow me to make a recommendation, the easiest answer and the best way to configure this, if you want to use AP's IP address on Vlan101, then VLAN 101 should be mapped to bridge-group 1 and make this the native VLAN  on the AP and on the switch port.

Visigoths
Level 1
Level 1

Hi Carlos Leiton, my name is Ricardo and I´m having the same scenario just like Essam H did above, but I have a question, do I need to configure QOS on the AP for the voice vlan or the QOS on the switch will do this job??

I think i need to put some qos on the AP but, I dont know what commands will achieve this.

I´m little bit confuse about this..

Thanks you!

Best regards.

Hi Surendra,

 

I just wanted to thank you especially for a great post, and also other peoples discussions. Has cleared up loads of little queries I had with configuring cisco AP's.

 

Many thanks and keep up the good work.

 

Kind Regards

Ezeddean

ChuckHaynes
Level 3
Level 3

I am having a problem getting CDP working over some Aironet wireless bridges. I have created a thread here, but no one has replied. I was hoping that maybe someone has an idea?

 

https://supportforums.cisco.com/discussion/12502911/cdp-shows-co-bridge-cpe-bridge-not-cpe-bridge-co-bridge

 

freddycalderon85
Community Member

Creating two SSID on a Cisco Aironet AP1242G-A-K9 both using WPA2

Hello everyone,

I have entry level trying to create two SSID using WPA2 on a Cisco AP 1242G on a Cisco Catalyst 3550 switch. Basiclly, I need one SSID call "HHD-Only" and the other "Corp-Users". The "HHD-Only" are for handheld devices (not smartphones, ipad or tablets) and Corp-Users for our employees wireless devices. What is the easier or smart way to perform this task?

Thanks

Boian Soloviov
Level 1
Level 1

Hi Freddy,

the easier and smart way to do this is to commission someone with knowledge to do that for you :)

No, jokes aside, doesn't Surrendra's script above help you to infer the correct configuration for your occasion?

Best

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: