
Multiple SSID With Multiple VLANs configuration example on Cisco Aironet APs


 

 

Introduction

Configuration example using multiple VLANs with multiple SSIDs

Components used

  • Any MLS switch which runs IOS
  • Aironet Access Points

Assumption

I assume that you have already configured the DHCP pool on the IOS switch, on the router, or on a dedicated DHCP server.

Design

Assume we have 3 VLANs (1, 2 and 3), with VLAN 1 as the native VLAN, mapped to 3 different SSIDs (one, two and three) on any Aironet Access Point.

  • SSID ONE uses WEP encryption
  • SSID TWO uses WPA-PSK
  • SSID THREE uses WPA-2-PSK
  • The AP Ethernet port is connected to port fa 2/1 of the switch.
  • All 3 SSIDs are broadcast.

Configuration on the AP - Step 1

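>> Configure the SSIDs and map them to their respective VLANs.

enable
conf t
! SSID one -> VLAN 1 (WEP; the key is set on the radio interface in Step 2)
dot11 ssid one
 vlan 1
 authentication open
 mbssid guest-mode
! SSID two -> VLAN 2 (WPA-PSK)
! The 7 after "ascii" marks a key that is already in encrypted (type 7) form,
! as shown in a saved config; use 0 or omit it when typing the key in clear text.
dot11 ssid two
 vlan 2
 authentication open
 authentication key-management wpa
 wpa-psk ascii 7 <WPA key>
 mbssid guest-mode
! SSID three -> VLAN 3 (WPA2-PSK); key management also needs "authentication open"
dot11 ssid three
 vlan 3
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 7 <WPA key>
 mbssid guest-mode
end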

 

Step 2 - Assigning the Encryption to different SSIDs with respective VLANs

enable
conf t
int dot11 0
 mbssid
 ssid one
 ssid two
 ssid three
 encryption vlan 1 mode wep mandatory
 ! a 40-bit WEP key is entered as 10 hexadecimal digits
 encryption vlan 1 key 1 size 40bit <10 hex digit key>
 encryption vlan 2 mode ciphers tkip
 encryption vlan 3 mode ciphers aes-ccm
end

Step 3 - Configuring the subinterfaces for Dot11 radio 0 and Ethernet.

AP# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
AP(config)# interface Dot11Radio0.1
AP(config-subif)# encapsulation dot1Q 1 native
AP(config-subif)# bridge-group 1
AP(config-subif)# interface FastEthernet0.1
AP(config-subif)# encapsulation dot1Q 1 native
AP(config-subif)# bridge-group 1
AP(config-subif)# end
AP# write memory
AP# configure terminal
AP(config)# interface Dot11Radio0.2
AP(config-subif)# encapsulation dot1Q 2
AP(config-subif)# bridge-group 2
AP(config-subif)# interface FastEthernet0.2
AP(config-subif)# encapsulation dot1Q 2
AP(config-subif)# bridge-group 2
AP(config-subif)# end
AP# write memory
AP# configure terminal
AP(config)# interface Dot11Radio0.3
AP(config-subif)# encapsulation dot1Q 3
AP(config-subif)# bridge-group 3
AP(config-subif)# interface FastEthernet0.3
AP(config-subif)# encapsulation dot1Q 3
AP(config-subif)# bridge-group 3
AP(config-subif)# end
AP# write memory
AP# configure terminal
AP(config)# bridge irb
AP(config)# bridge 1 route ip
AP(config)# end
AP# wr

Configuration on the Switch

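en
conf t
int fa 2/1
! set the trunk encapsulation first; a port whose encapsulation is still "auto" rejects "mode trunk"
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 1
switchport trunk allowed vlan 1,2,3
end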

Step 4 - Verification

1.  On the AP, issue the command “show dot11 associations”; you should see all 3 SSIDs listed.

ap#show dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [one] :
SSID [two] :
SSID [three] :

 

2.  Try pinging from the AP to the switch VLAN interface; the ping should succeed.
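
A consistency check for the configuration built in Steps 1 to 3, as an added example that is not part of the original document or of any Cisco tool: it parses an autonomous-AP config, follows each SSID to its VLAN, and reports VLANs whose cipher is WEP or TKIP (both deprecated) or whose radio and Ethernet subinterfaces are not in the same bridge group. The names `audit`, `WEAK` and `SAMPLE` and the sample config itself are constructed for illustration.

```python
import re

# Constructed sample in this page's style; FastEthernet0.3 is deliberately mis-grouped.
SAMPLE = """\
dot11 ssid one
 vlan 1
dot11 ssid three
 vlan 3
interface Dot11Radio0
 encryption vlan 1 mode wep mandatory
 encryption vlan 3 mode ciphers aes-ccm
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio0.3
 encapsulation dot1Q 3
 bridge-group 3
interface FastEthernet0.3
 encapsulation dot1Q 3
 bridge-group 30
"""
WEAK = {"wep", "wep40", "wep128", "tkip"}   # assumption: ciphers reported as weak

def audit(config):
    """Return findings per SSID: weak or missing cipher, unpaired bridge groups."""
    ssid_vlan, cipher, groups, findings = {}, {}, {}, []
    for chunk in re.split(r"\n(?=\S)", config.strip()):   # one chunk per unindented section
        name = re.match(r"(?i)dot11 ssid (\S[^\n]*)", chunk)   # keep the SSID's own case
        head, _, text = chunk.lower().partition("\n")
        if name and (m := re.search(r"^\s*vlan (\d+)\s*$", text, re.M)):
            ssid_vlan[name[1].strip()] = int(m[1])
        for m in re.finditer(r"^\s*encryption vlan (\d+) mode (.+)$", text, re.M):
            cipher[int(m[1])] = m[2]
        enc = re.search(r"^\s*encapsulation dot1q (\d+)", text, re.M)
        grp = re.search(r"^\s*bridge-group (\d+)\s*$", text, re.M)
        if enc and grp:                    # command order inside the subinterface does not matter
            side = "radio" if head.startswith("interface dot11radio") else "wired"
            groups.setdefault(int(enc[1]), {})[side] = int(grp[1])
    for ssid, vlan in sorted(ssid_vlan.items()):
        mode, pair = cipher.get(vlan, "none"), groups.get(vlan, {})
        if mode == "none" or WEAK & set(mode.split()):
            findings.append(f"ssid {ssid}: vlan {vlan} encryption weak or missing ({mode})")
        if "radio" not in pair or pair.get("radio") != pair.get("wired"):
            findings.append(f"ssid {ssid}: vlan {vlan} radio/wired bridge-groups {pair} do not match")
    return findings
```

`audit(SAMPLE)` returns two findings: the WEP cipher on VLAN 1 and the mismatched bridge group on VLAN 3.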

MANAGING THE AP WITH MANAGEMENT IP ADDRESS

This is done by assigning the IP address to the BVI interface of the AP:

Enable
Conf t
Int bvi 1
Ip address <ip address> <mask>
No shut
End

 

Verify

Issue the command “show ip int br” on the AP and check if all the interfaces are up and running.

This is it!!

PS :

Video as well on the same


 

I have attached the Sample working Config from the Switch and the AP for 2 SSIDs.

 

Comments
Beginner

Thanks for the great document.

I do have a question...

I am trying to do this sort of configuration with only two vlans. However I want the native vlan (1) to be without wireless and only wireless on guest vlan 600. My manager wants me to have vlan 1 for management but without wireless access.

How can I have an IP address for both vlans and still have vlan 1 without wireless?

The IP address of the BVI is throwing me off.

Can anyone offer suggestions?

Thanks in advance.

Cisco Employee

Hi,

Yes you can do that.. Don't MAP the SSID to VLAN for VLAN 1, just make sure you have vlan 1 as native on the switch and configure the DOT11 0.1 and Ethernet 0.1 subinterface on the AP and let them be in BRIDGE GROUP 1 and then encapsulation dot1Q 1 native.

This will do it for you!!

Beginner

Cool. So where do I put the management IP address for the native vlan 1? On ethernet0.1? or on the BVI?

Where would I put the IP address for vlan 600? Does the bridge group need to match vlan 600? I think it only goes to 255. Know what I mean?

Thanks for your help. I need to complete this tomorrow.

Cisco Employee

Hi,

>> So where do I put the management IP address for the native vlan 1? On ethernet0.1? or on the BVI?

ANS - It's on the BVI interface.

>> Where would I put the IP address for vlan 600?

ANS - make sure you configure this on the switch.. and configure the trunk port between AP and the switch allowing vlan 600.

>> does the bridge group need to match vlan 600? i think it only goes to 255. Know what I mean?

ANS - yes you are right!! that goes till (bridge group) 255.. MAP the SSID with VLAN 600 and then create the dot11 0.600, then encapsulate this with vlan 600 (encap dot1Q 600) then bridge it with bridge group 254!! under both the radio and ethernet..

this will work

Beginner

Thanks so much for your help.

I meant for question two...where can I give the AP an IP address on vlan 600?

Would this be possible?

Cisco Employee

Since we are bridging the VLAN 600 traffic.. there is no need to give the VLAN 600 ip on the AP.. the bridging will take care of it..

Beginner

Sweet!

Thanks so much for your help!!!!

Cisco Employee

It's my pleasure!! And thank you for posting on CSC!!

Beginner

Surendra,

Is it possible with this config to keep the default on the vlan 600 side even though the BVI is addressed on vlan 1?

Reason I ask is that vlan 600 (172.16.11.0/24) is on a guest network with a guest DSL internet connection. We want all wireless users to use that egress. However we still want to be able to manage the AP on the vlan 1 side (192.168.3.0/24) with no wireless on vlan 1.

Is it possible?

Thanks again!!!

Cisco Employee

If you have VLAN 600 in the network and if we are able to reach VLAN 600 from VLAN 1, then everything will work fine..

Beginner

We don't want the vlans to be able to reach each other. Just layer 2 with no routing in between. Wireless users hit vlan 600 to DSL gateway 172.16.11.1 and vlan 1 just for management that we can access from the network. We don't want to reach the vlan 600 side and don't want users on vlan 600 to reach vlan 1 side.

Make sense? That's where I am tied up.

What do you think?

Beginner

Got it working buddy!

Thanks again!!!

Rising star

Thanks Surendra for providing this useful information.

Regards,

Vinay

Beginner

Hi Surendra,

This is a fantastic doc. I am also facing an issue in configuring multiple SSIDs with multiple VLANs. I will try this out on Monday, i.e. tomorrow. I will get back to you in case I am facing any issue.

Dinesh

Cisco Employee

Thank you!! Let me know if you need any assistance!!
