cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
224735
Views
41
Helpful
53
Comments
Surendra BG
Cisco Employee
Cisco Employee

 

 

Introduction

Configuration example using multiple VLANs with multiple SSIDs

Components used

  • Any MLS switch which runs IOS
  • Aironet Access Points

Assumption

I assume that you have configured the DHCP pool on the IOS switch or the Router or on the dedicated DHCP server.

Design

Assuming we have 3 VLANs (1,2 and 3) with native as 1 and mapping to 3 different SSIDs (one , two and three) on any Aironet Access Points.

  • SSID ONE uses WEP encryption
  • SSID TWO uses WPA-PSK
  • SSID THREE uses WPA-2-PSK
  • Assuming the AP Ethernet port is connected to fa 2/1 port of the switch.
  • Broadcasting all the 3 SSIDs.

Configuration on the AP - Step 1

>> Configure the SSID and Map it to respective VLANS..

Enable
Conf t
Dot11 ssid one
Vlan 1
Authentication open
Mbssid Guest-mode
End
Enable
Conf t
Dot11 ssid two
Vlan 2
  authentication open
  authentication key-management wpa
  wpa-psk ascii 7 <WPA key>
Mbssid Guest-mode
End
Enable
Conf t
Dot11 ssid three
Vlan 3
authentication key-management wpa version 2
wpa-psk ascii 7 <WPA key>
Mbssid Guest-mode
End

 

Step 2 - Assigning the Encryption to different SSIDs with respective VLANs

Enable
Int dot11 0
Mbssid
ssid one
ssid two
ssid three
encryption vlan 1 mode wep mandatory
encryption vlan 1 key 1 size 40bit <10bit key>
encryption vlan 2 mode ciphers tkip
encryption vlan 3 mode ciphers aes-ccm

Step 3 - Configuring the sub interface for Dot11 radio 0 and Ethernet.

AP# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
AP(config)# interface Dot11Radio0.1
AP(config-subif)# encapsulation dot1Q 1 native
AP(config-subif)#bridge group 1
AP(config-subif)# interface FastEthernet0.1
AP(config-subif)#bridge group 1
AP(config-subif)# encapsulation dot1Q 1 native
AP(config-subif)# end
AP# write memory
AP(config)# interface Dot11Radio0.2
AP(config-subif)# encapsulation dot1Q 2
AP(config-subif)#bridge group 2
AP(config-subif)# interface FastEthernet0.2
AP(config-subif)#bridge group 2
AP(config-subif)# encapsulation dot1Q 2
AP(config-subif)# end
AP# write memory
AP(config)# interface Dot11Radio0.3
AP(config-subif)# encapsulation dot1Q 3
AP(config-subif)#bridge group 3
AP(config-subif)# interface FastEthernet0.3
AP(config-subif)#bridge group 3
AP(config-subif)# encapsulation dot1Q 3
AP(config-subif)# end
AP# write memory
AP(config)#bridge irb
Ap(config)# bridge 1 route ip
Ap(config)# end
Ap#wr

Configuration on the Switch

en
conf t
int fa 2/1
switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1,2,3
end

Step 4 - Verification

On the AP issue the command “show dot11 associations” and you need to see all the 3 SSIDs

ap#show dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [one] :
SSID [two] :
SSID [three] :

 

2.  Try pinging from the AP to the Switch VLAN interface, you should be able to ping.

MANAGING THE AP WITH MANAGEMENT IP ADDRESS

This is done by assigning the IP address to the BVI interface of the AP, that is.

Enable
Conf t
Int bvi 1
Ip address <ip address> <mask>
No shut
End

 

Verify

Issue the command “show ip int br” on the AP and check if all the interfaces are up and running.

This is it!!

PS :

Video as well on the same

multiple SSID.bmp

 

I have attached the Sample working Config from the Switch and the AP for 2 SSIDs.

 

Comments
wannabe22
Community Member

Hello.

i've the same problem, but i need 3 vlan and 2 MBSSID, the vlan 25 for administration, the vlan 20 Production and the vlan 90 Visitors, but only need 2 MBSSID (AP_Production to vlan 20 and AP_Visitor to vlan 90), the two SSID need encryption WEP 40bits, at the same time the vlan 20 "Production need use a ip helper address (10.106.10.65), and the vlan 90 "Visitors"only internet access assign DHCP in this range 192.168.10.160 / 27

well my problem is i'm so newbie in cisco commands.

i read for all internet and forums and dont find nothing

thanks

gcurto
Level 1
Level 1

Hi Surendra, this document I´m makin same solution in our office, thank you again and the video is so great!

I will try out this today. Best regards

CompassIntl
Community Member

Surendra,

Thanks for laying this out!...  But I've another related question:  Can you have a 'single' SSID accept multiple types of encryption?...

Using your example, is it possible to modify the commands above to:

authentication key-management wpa

authentication key-management wpa version 2

&&

encryption vlan 2 mode ciphers tkip

encryption vlan 2 mode ciphers aes-ccm

could I allow vlan 2 above to accept both WPA & WPA2 ( tkip & aes-ccm )?

Or if not possible in the way I did it above, is it possible (from the "users" perspective) to have 1 (one) ssid from which their computer / device will automatically select WPA2 or WPA?

Thanks,

George

Tibell
Level 1
Level 1

Hi Surendra,

I was just given this task to see how i can configure a second ssid for guest access in our environment.

this is our network setup prior to this request: Internet----Firewall (not ASA)---ce520---C1131AG and CME router is also connecting to the ce520 switch. we only have two vlans: one for voice and two for data.

Presently, there is no vlan configured on the AP because it on broadcasting ont ssid and wireless users gets IP from a windows DHCP server on the LAN. the configuration on the ce520 switch port for the AP and other switches say access vlan is the DATA vlan which automatically becomes the native vlan for all trunk port connecting the AP and other Stiches to the network.

Now with this new requirement, i have made my research and i have configured the AP to broadcast both the production and the guest Vlans. The two vlans are 20-DATA and 60-Guest. I made the DATA vlan on the AP the native vlan since the poe switch is using the DATA vlan as native on the trunk ports. I configured the firewall to serve as DHCP server for the guest ssid and i have added the ip helper-address on the guest vlan interface on all switches while the windows server remains the dhcp server for the production DATA Vlan. I have confirmed that the AP, switches can ping the default gateway of the guest dhcp server which is another interface on the firewall. I can now see and connect to all broadcasted ssids but the problem is I am not getting IP addresses from both the production dhcp server and guest dhcp server when i connected to the ssid one at a time.

Please tell me what am I doing wrong.

Do i need to redesign the whole network to have a native vlan other nthan the data vlan?

Does the access point need to be aware of the voice vlan?

Do the native Vlan on the AP need to be in Bridge-group 1 or can i leave it in bridge-group 20?

I will greatly appreciate your urgent response.

Thanks in advanced.

Surendra BG
Cisco Employee
Cisco Employee

Hi,

Please post the show run frm the AP.. if possible post a new thread on the questions section of the forum

I will have look in to the same and will get back to you!!

Regards

Surendra

Hi Surendra

I've been working with your example here and it's working great.  I have stalled on one part though and I'm really struggling to get round it.  The management interface of the WAP is on vlan 3.  If I am on the switch and put "switchport trunk native vlan 3", the BVI interface becomes pingable but SSID three stops working.  Take the native line off again and the BVI port becomes unavailable but SSID 3 works fine again.

Sorry if my questions shows up my inexperience!

Thanks in advance for any assistance you can offer me

Steve

Sorry to bother, I've figured it.  In case anyone else is stuck, the bridge group on FA0.3 and Dot 0.3 needed to be 1 rather than 3  (note, I don't use vlan 1 for anything) and also FA0.3 and Dot 0.3 needed encaps dot1Q 3 NATIVE put in.  Thanks!

Boian Soloviov
Level 1
Level 1

Steve, mind if you elaborate, because I still don' grasp it: on our whole environment we don't use VLAN1 as well - it is the native VLAN on all our catalyst switches but no IP port assigned anywhere, so sort of dummy. We use, say VLAN6 for admin - and that is where I would like to see the only IP address - I tried on gig0.6 as well as configuring bridge-group 6 on it and assigning the IP on interface BVI6, even configuring bridge 6 route ip. All to no avail I cannot ping this IP from the admin VLAN and vice versa.

What is wrong here?

I don't want any routing and actually bridging as well. I used Lancoms earlier and it was as simple as configuring 3 VLANs (for admin, corporate and guest lans, assigning the latter two to Dot Interfaces) and that was that - all the rest is taken care of DHCP/DNS/Gateway devices plugged to respective switchport mode access-Configured ports.

Thanks for any help in advance!

Hi Boian

You'll have to bare with me here because it's been a little while since I got my WAPs working and now I just copy-alter-paste the entire running config into a new WAP.  However, I've just jumped onto one of my WAPs and I believe below is the key elements of the code that you need.  I've hand typed it so watch out for any typos!  This is on a Cisco 1131AG in autonomous mode.

I have two VLANs, one for admin and one for guest.  VLAN 2 is for admin, VLAN 3 is for Guest.  (vlan 1 is shut down on the switch).  Whilst my switch is configured with a management IP address for VLAN 2, it's not necessary for this to work, providing that the subnet you are using is addressable from outside that subnet.

basically, there are two vlans which means the wap needs two virtual radio interfaces, two virtual ethernet interfaces and the virtual radio interfaces need to be bridged to each other.  In my case, I've got radio interfaces 0.2 and 0.3, and ethernet interfaces 0.2 and 0.3.  For reasons I'm struggling to remember, the admin vlan needed to use bridging group 1

This is how my WAP runs

int dot11radio0

encrypt vlan 2 mode ciphers aes-ccm

encrypt vlan 3 mode ciphers aes-ccm

broadcast-key change 86000

mbssid

ssid guest

ssid admin

int dot11radio0.2

encapsulation dot1Q 2 native

no ip route-cache

bridge-group 1

int dot11radio0.3

encapsulation dot1Q 3

no ip route-cache

bridge-group 3

int fa0.2

encapsulation dot1Q 2 native

no ip route-cache

bridge-group 1

int fa0.3

encapsulation dot1Q 3

no ip route-cache

bridge-group 3

dot11 ssid guest

vlan 3

authentication open

authentication key-management wpa version 2

mbssid guest-mode

wpa-psk ascii [key goes here]

dot11 ssid admin

vlan 2

authentication open

authentication key-management wpa version 2

mbssid guest-mode

wpa-psk ascii [differeny key goes here]

bridge irb

int bvi1

ip address [address] [mask]

ip default-gateway [address]

Then on the switch, the config looks like this:

int fa0/1

switchport trunk encapsulation dot1Q

switchport mode trunk

switchport trunk native vlan 2

I had a lot of issues being able to get to the management interface of the WAP from the admin vlan and the issue surrounded the use of the native vlan - or to be precise, I wasn't using the native vlan commands.

Does that help?

Steve

Boian Soloviov
Level 1
Level 1

Steve thanks for the prompt answer. Sorry for my delay.

Now actually it works, considering that I am using as you proposed bridge-group 1 for this purpose.

But as a responsible CCNA I can only say: this config is RIDICULOUS!

Not only should a router WORK as a router allowing interface #.# as VLAN interface AND switching it to directly attached port of another network component, but also a network administrator should be given the opportunity to choose whether to use bridge-groups at all ot not!

Even at your proposed configuration I had to restart the device for the management IP to get working. And further more now its virtual MAC is staying on the VLAN1 as well on the VLAN6 of the switch's MAC table  (management VLAN6 configured as native on both ends), meaning for me that bridge group 1 is somehow adding VLAN1 header.

And also the Aironet 1600 standalone modules delivery was MISERABLE! No user manual, no description, not even a power supply!

This is the last time I purchase anything from these monkeys, really!!!

Surendra BG
Cisco Employee
Cisco Employee

Hi

I really appreciate you guys discussion this here.. this is a docuemnt section.. for any technical questions. please post a question on Discussion forum and you will get better responses..

Regards

Surendra

Boian Soloviov
Level 1
Level 1

Surendra, you are right, sorry for that: this section is the wrong place for the otherwize right words.

PS: blame only me, Steve has nothing to do with it (because you mention "guys" above) ;-p

Boian Soloviov
Level 1
Level 1

One more technical feedback to Steve and other interested: actually you are not bound to bridge-group 1. my testing showed that actually mapping your admin VLAN - say 2 - to another bridge-group - say 2 as well - and then defining bvi2 ip address could work perfectly good, BUT only if you assign on the switch trunk port VLAN2 native. By the way you don't necessarily need to assign eth0.2 encapsulation dot1Q 2 native on the AP - without native it still runs. What really disturbs is that even in this scenario and shutdown bvi1 won't help to announce its MAC address on VLAN1 to the switch.

Commands that don't work on Aironet 1600 were: "no bridge-group 1" on any interface, "no int bvi1", "no bridge 1" and "no bridge irp". No need to try them at all

OK, What am I missing here. Step Three just does not work!

I'm trying to implement WPA2PSK on a Cisco 1142 AP running (C1140-K9W7-M), Version 15.2(4)JA1, but I just can't seem to get it to work:

ap(config)#Dot11 ssid three

ap(config-ssid)#

ap(config-ssid)#Vlan 3

ap(config-ssid)#

ap(config-ssid)#authentication key-management wpa version 2

Error: open or network-eap authentication is required for WPA

ap(config-ssid)#

ap(config-ssid)#wpa-psk ascii 7 cisco123cisco123

Error: Key-management WPA is requried for WPA-PSK

I've tried enabling ciphers under the Dot11Radio0 interface (encrypt vlan 3 mode ciphers aes-ccm), but still won't work and I still get the error message for the WPA Version 2.

Can someone please post a working configuration for WPA2PSK for a 1142N and explai?n what I'm missing

Thanks.

Carlos Leiton
Level 1
Level 1

Dominic,

I know it is too late to answer your question, but just for the records, your problem here was because you were missing the following line:

ap(config-ssid)#authentication open

And then you should be able to configure the key-management without any problems.

Thanks

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: