Multiple SSID With Multiple VLANs configuration example on Cisco Aironet APs

Introduction

Configuration example using multiple VLANs with multiple SSIDs

Components used

  • Any multilayer switch (MLS) that runs IOS
  • Aironet access points

Assumption

This example assumes that you have already configured the DHCP pool on the IOS switch, on the router, or on a dedicated DHCP server.

Design

Assume three VLANs (1, 2 and 3), with VLAN 1 as the native VLAN, each mapped to a different SSID (one, two and three) on an Aironet access point.

  • SSID ONE uses WEP encryption (a broken legacy cipher, shown only so that the syntax is complete)
  • SSID TWO uses WPA-PSK
  • SSID THREE uses WPA2-PSK
  • The AP Ethernet port is connected to port FastEthernet 2/1 of the switch.
  • All three SSIDs are broadcast.

Configuration on the AP - Step 1

Configure the SSIDs and map each one to its VLAN:

enable
configure terminal
dot11 ssid one
 vlan 1
 authentication open
 mbssid guest-mode
dot11 ssid two
 vlan 2
 authentication open
 authentication key-management wpa
 wpa-psk ascii 0 <WPA key>
 mbssid guest-mode
dot11 ssid three
 vlan 3
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 0 <WPA key>
 mbssid guest-mode
end

The key type 0 means the key is typed in clear text; the running configuration shows it as type 7 once service password-encryption is active. WPA and WPA2 SSIDs need authentication open in addition to the key-management line.

 

Step 2 - Assigning the encryption to the SSIDs through their VLANs

enable
configure terminal
interface dot11Radio 0
 mbssid
 ssid one
 ssid two
 ssid three
 encryption vlan 1 mode wep mandatory
 encryption vlan 1 key 1 size 40bit <10 hex digits> transmit-key
 encryption vlan 2 mode ciphers tkip
 encryption vlan 3 mode ciphers aes-ccm
end

A 40-bit WEP key is entered as 10 hexadecimal digits, and transmit-key marks it as the key used to encrypt outgoing frames.

Step 3 - Configuring the subinterfaces for Dot11Radio0 and FastEthernet0 and bridging them

AP# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
AP(config)# interface Dot11Radio0.1
AP(config-subif)# encapsulation dot1Q 1 native
AP(config-subif)# bridge-group 1
AP(config-subif)# interface FastEthernet0.1
AP(config-subif)# encapsulation dot1Q 1 native
AP(config-subif)# bridge-group 1
AP(config-subif)# interface Dot11Radio0.2
AP(config-subif)# encapsulation dot1Q 2
AP(config-subif)# bridge-group 2
AP(config-subif)# interface FastEthernet0.2
AP(config-subif)# encapsulation dot1Q 2
AP(config-subif)# bridge-group 2
AP(config-subif)# interface Dot11Radio0.3
AP(config-subif)# encapsulation dot1Q 3
AP(config-subif)# bridge-group 3
AP(config-subif)# interface FastEthernet0.3
AP(config-subif)# encapsulation dot1Q 3
AP(config-subif)# bridge-group 3
AP(config-subif)# exit
AP(config)# bridge irb
AP(config)# bridge 1 route ip
AP(config)# end
AP# write memory

Each VLAN gets one radio subinterface and one Ethernet subinterface in the same bridge group; that bridge group is what carries the wireless clients' frames onto the trunk. The native VLAN's subinterfaces go in bridge-group 1 because BVI1, which carries the AP's management IP address (see below), is the virtual interface of bridge group 1.

Configuration on the Switch

enable
configure terminal
interface FastEthernet 2/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,2,3
end

The encapsulation must be set before the port is put into trunk mode on switches that also support ISL. Switches that only support 802.1Q (the 2960 series, for example) reject the encapsulation command; omit it there.

Step 4 - Verification

1. On the AP, issue the command show dot11 associations; all three SSIDs should be listed:

ap#show dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [one] :
SSID [two] :
SSID [three] :

2. Ping the switch's VLAN interface from the AP; the ping should succeed.

MANAGING THE AP WITH A MANAGEMENT IP ADDRESS

This is done by assigning an IP address to the AP's BVI interface:

enable
configure terminal
interface BVI 1
 ip address <ip address> <mask>
 no shutdown
end

 

Verify

Issue the command show ip interface brief on the AP and check that all the interfaces are up.
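As an added verification aid (not part of the original article and not a Cisco tool), the Python checker below parses an IOS-style AP configuration and reports the mismatches that break the design in Steps 1 to 3 and the management section: an SSID VLAN without a radio and Ethernet subinterface pair in one bridge group, a VLAN missing from the switch trunk, and a native VLAN whose subinterfaces are not in the bridge group behind the BVI. SAMPLE is a constructed condensation of the article's three-SSID configuration, and the function names and the 192.0.2.10 address are assumptions.

```python
import re
SAMPLE = "\n".join([  # constructed: the article's three-SSID AP config, condensed to what the checker reads
    "dot11 ssid one", " vlan 1", "dot11 ssid two", " vlan 2", "dot11 ssid three", " vlan 3",
    "interface Dot11Radio0.1", " encapsulation dot1Q 1 native", " bridge-group 1",
    "interface FastEthernet0.1", " encapsulation dot1Q 1 native", " bridge-group 1",
    "interface Dot11Radio0.2", " encapsulation dot1Q 2", " bridge-group 2",
    "interface FastEthernet0.2", " encapsulation dot1Q 2", " bridge-group 2",
    "interface Dot11Radio0.3", " encapsulation dot1Q 3", " bridge-group 3",
    "interface FastEthernet0.3", " encapsulation dot1Q 3", " bridge-group 3",
    "interface BVI1", " ip address 192.0.2.10 255.255.255.0",   # assumed management address
])

def parse(text):
    """Collect SSID->VLAN, each subinterface's VLAN/native flag/bridge-group, and the BVI number."""
    ssid_vlan, subifs, bvi, ctx = {}, {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"dot11 ssid (\S+)", line):
            ctx = ("ssid", m[1])
        elif m := re.match(r"interface (\S+)", line):
            ctx = ("if", m[1])
            bvi = int(m[1][3:]) if m[1].upper().startswith("BVI") else bvi
        elif ctx and ctx[0] == "ssid" and (m := re.match(r"vlan (\d+)", line)):
            ssid_vlan[ctx[1]] = int(m[1])
        elif ctx and (m := re.match(r"encapsulation dot1q (\d+)( native)?", line, re.I)):
            subifs.setdefault(ctx[1], {}).update(vlan=int(m[1]), native=bool(m[2]))
        elif ctx and (m := re.match(r"bridge-group (\d+)$", line)):
            subifs.setdefault(ctx[1], {})["bg"] = int(m[1])
    return ssid_vlan, subifs, bvi

def check_design(text, trunk_allowed):
    """Return findings (empty list = consistent) for the SSID -> VLAN -> bridge-group plumbing."""
    ssid_vlan, subifs, bvi = parse(text)
    by_vlan, findings = {}, []  # vlan -> {subinterface: bridge-group}
    for name, d in subifs.items():
        by_vlan.setdefault(d.get("vlan"), {})[name] = d.get("bg")
    for ssid, vlan in sorted(ssid_vlan.items()):
        members = by_vlan.get(vlan, {})
        radios = [n for n in members if n.lower().startswith("dot11radio")]
        if not radios or len(radios) == len(members):  # one side of the bridge is missing
            findings.append(f"VLAN {vlan} (SSID {ssid}): needs a radio and an Ethernet subinterface")
        elif len(set(members.values())) != 1:  # wireless and wired sides would not be bridged
            findings.append(f"VLAN {vlan} (SSID {ssid}): subinterfaces are in different bridge groups")
        if vlan not in trunk_allowed:
            findings.append(f"VLAN {vlan} (SSID {ssid}): not allowed on the switch trunk")
    natives = {d["vlan"] for d in subifs.values() if d.get("native")}
    if len(natives) != 1:
        findings.append(f"expected exactly one native VLAN, found {sorted(natives)}")
    elif bvi and set(by_vlan[natives.pop()].values()) != {bvi}:  # BVI<n> lives in bridge group n
        findings.append(f"native VLAN must be in bridge-group {bvi} to reach the BVI{bvi} management IP")
    return findings
```

Feed it the output of show running-config from the AP together with the set from the switch's switchport trunk allowed vlan line; an empty result means the plumbing matches the design.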

This is it!!

PS: A video on the same topic is attached, along with multiple SSID.bmp.

 

I have attached a sample working config from the switch and the AP for two SSIDs.

 

Comments
Community Member

Hi,

I'm trying to find out how to configure a guest SSID on an air-sap1602i-a-k9 access point. I'd like the guest SSID separate from the current internal work SSID.

Can someone help me with this?

Sincerely,

Sam

Beginner

Sam,

Surendra's document matches your needs exactly.

You need two VLANs, which will be mapped to two different SSIDs, one for guests and one for your internal network.

I would suggest configuring your two SSIDs as in the example of SSID #3 given by Surendra, which is WPA2+PSK, unless you want to use a different authentication method.

Beginner

Surendra, thank you for your very helpful article. My question is do we have to use bridge-group 1 and BVI1? If I am using VLAN10, 20 & 30 could I instead start at bridge-group 10 and BVI10 and go on to bridge-group 20/BVI20 then bridge-group 30/BVI30? I have read on other forums that bridge-group 1 & BVI1 are required for this to work. Matt.

Beginner

Hello Carlos,

I am having the same issue as freemanslim: I am able to ping all the IPs broadcast from the SSID except the management IP, and I am also not able to telnet, SSH or HTTPS to it. As you suggested to essam, I tried to configure int dotradio.100 and put it in bridge-group 1, but it forbade me, saying "Configuration of subinterfaces and main interface within the same bridge group is not permitted". So do you have any other solution for me? It would be much appreciated.

Community Member

Hi,

Thanks for the tutorial...

...but I still didn't manage to make it work.

I have a Cisco Aironet 3600 AP and a Netgear M5300-28G.

In the Netgear I have some VLANs, in particular: VLAN 1 = default, VLAN 300 = Group, VLAN 301 = Client. I also have DHCP included, which provides an IP to each VLAN.

It's connected to the AP on gigabit port 20 (configured in trunk mode as you say).

I'd like to broadcast 2 SSIDs on the AP, one for each VLAN, so I created the 3 VLANs with their encryption (as you say) and 3 SSIDs (one native and 2 on multiple beacons); the Dot11Radio X subinterfaces are also in place.

In the end I can see the SSIDs and connect with a static IP, but DHCP doesn't work.

I know there are some commands for DHCP like "dhcp-server" or "dhcp-relay", but despite all my tests it still doesn't work.

I could use some help please.

gothh

P.S. I'm French, so please forgive my language mistakes.

Beginner

I am trying to apply the instructions using the following h/w:

Switch: C2960S Software (C2960S-UNIVERSALK9-M), Version 15.0(2)EX5

AP:  C1600 Software (AP1G2-K9W7-M), Version 15.3(3)JC

I can type in all the commands, except for this command on the switch port:

switchport trunk encapsulation dot1q

This command is apparently not supported by the switch.

Ultimately, the AP broadcasts both SSIDs, and I can authenticate a client to both of them (I can verify this because both SSIDs authenticate users using a RADIUS server), but in only one of them will the client get an IP from the DHCP server.

Interestingly, the SSID that works is the one assigned to the non-native trunk VLAN.

Thanks,

George

Beginner

Hi, I followed your instructions to create two SSIDs and multiple VLANs, but I cannot access the (web) management interface (IP address assigned to BVI1). I can ping between devices connected to the access point, but cannot ping the management IP address assigned to BVI1.

 

I would greatly appreciate any suggestions.  

My Aironet and Switch configs are:

 

AIR-CAP3702I-A-K9 CONFIGURATION

version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname aironet
!
!
logging rate-limit console 9
enable secret 5 $1$rDXP$B
!
no aaa new-model
clock timezone EST -5 0
clock summer-time EDT recurring
led display dim
no ip source-route
no ip cef
ip domain name ##########
!
!
!
!
dot11 pause-time 100
dot11 syslog
!
dot11 ssid private
vlan 20
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 ####################
!
dot11 ssid public
vlan 10
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 ####################
!
!
dot11 arp-cache optional
!
no ipv6 cef
!
crypto pki trustpoint TP-self-signed-712378768
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-712378768
revocation-check none
rsakeypair TP-self-signed-712378768
!
!
crypto pki certificate chain TP-self-signed-712378768
certificate self-signed 01 nvram:IOS-Self-Sig#2.cer
username ########## privilege 15 secret 5 ####################
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 10 mode ciphers aes-ccm tkip
!
encryption vlan 20 mode ciphers aes-ccm tkip
!
ssid private
!
ssid public
!
antenna gain 0
stbc
mbssid
station-role root
no dot11 extension aironet
!
interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
!
interface Dot11Radio0.99
encapsulation dot1Q 99 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 10 mode ciphers aes-ccm tkip
!
ssid public
!
antenna gain 0
peakdetect
dfs band 3 block
stbc
mbssid
channel width 80
channel dfs
station-role root
no dot11 extension aironet
!
interface Dot11Radio1.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio1.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
!
interface Dot11Radio1.99
encapsulation dot1Q 99 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 spanning-disabled
no bridge-group 10 source-learning
!
interface GigabitEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 spanning-disabled
no bridge-group 20 source-learning
!
interface GigabitEthernet0.99
encapsulation dot1Q 99 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface BVI1
ip address 192.168.10.10 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.10.254
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
exec-timeout 15 0
logging synchronous
login local
length 0
line vty 0 4
exec-timeout 15 0
logging synchronous
login local
length 0
transport input all
!
end

 

 

SWITCH PORT CONFIGURATION

interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport trunk allowed vlan 10,20,99
switchport mode trunk
