12-28-2010 08:14 PM - edited 11-18-2020 02:52 AM
Configuration example using multiple VLANs with multiple SSIDs
I assume that you have configured the DHCP pool on the IOS switch or the Router or on the dedicated DHCP server.
Assuming we have 3 VLANs (1,2 and 3) with native as 1 and mapping to 3 different SSIDs (one , two and three) on any Aironet Access Points.
>> Configure the SSID and Map it to respective VLANS.. Enable Conf t Dot11 ssid one Vlan 1 Authentication open Mbssid Guest-mode End Enable Conf t Dot11 ssid two Vlan 2 authentication open authentication key-management wpa wpa-psk ascii 7 <WPA key> Mbssid Guest-mode End Enable Conf t Dot11 ssid three Vlan 3 authentication key-management wpa version 2 wpa-psk ascii 7 <WPA key> Mbssid Guest-mode End
Enable Int dot11 0 Mbssid ssid one ssid two ssid three encryption vlan 1 mode wep mandatory encryption vlan 1 key 1 size 40bit <10bit key> encryption vlan 2 mode ciphers tkip encryption vlan 3 mode ciphers aes-ccm
AP# configure terminal Enter configuration commands, one per line. End with CNTL/Z. AP(config)# interface Dot11Radio0.1 AP(config-subif)# encapsulation dot1Q 1 native AP(config-subif)#bridge group 1 AP(config-subif)# interface FastEthernet0.1 AP(config-subif)#bridge group 1 AP(config-subif)# encapsulation dot1Q 1 native AP(config-subif)# end AP# write memory AP(config)# interface Dot11Radio0.2 AP(config-subif)# encapsulation dot1Q 2 AP(config-subif)#bridge group 2 AP(config-subif)# interface FastEthernet0.2 AP(config-subif)#bridge group 2 AP(config-subif)# encapsulation dot1Q 2 AP(config-subif)# end AP# write memory AP(config)# interface Dot11Radio0.3 AP(config-subif)# encapsulation dot1Q 3 AP(config-subif)#bridge group 3 AP(config-subif)# interface FastEthernet0.3 AP(config-subif)#bridge group 3 AP(config-subif)# encapsulation dot1Q 3 AP(config-subif)# end AP# write memory AP(config)#bridge irb Ap(config)# bridge 1 route ip Ap(config)# end Ap#wr
en conf t int fa 2/1 switchport mode trunk switchport trunk encapsulation dot1q switchport trunk native vlan 1 switchport trunk allowed vlan 1,2,3 end
On the AP issue the command “show dot11 associations” and you need to see all the 3 SSIDs
ap#show dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [one] :
SSID [two] :
SSID [three] :
2. Try pinging from the AP to the Switch VLAN interface, you should be able to ping.
This is done by assigning the IP address to the BVI interface of the AP, that is.
Enable
Conf t
Int bvi 1
Ip address <ip address> <mask>
No shut
End
Issue the command “show ip int br” on the AP and check if all the interfaces are up and running.
This is it!!
PS :
I have attached the Sample working Config from the Switch and the AP for 2 SSIDs.
Thanks for the great document.
I do have a question...
I am trying to do this sort of configuration with only two vlans. However I want the native vlan (1) to be without wireless and only wireless on guest vlan 600. My manager wants me to have vlan 1 for management but without wireless access.
How can I have an IP address for both vlans and still have vlan 1 without wireless?
THe ip address of the BVI is throwing me off.
Can anyone offer suggestions?
Thanks in advance.
Hi,
Yes you can do that.. Dont MAP the SSID to VLAN for VLAN 1, just make sure you have vlan 1 as native on the switch and configure the DOT11 0.1 and Ethernet 0.1 subinterface on the AP and let them be in BRIDGE GROUP 1 and then encapsulation dot1Q 1 native.
This will do it for you!!
Cool. So where do I put the management IP address for the native vlan 1? On ethernet0.1? or on the BVI?
Where would I put the IP address for vlan 600? does the bridge group need to match vlan 600? i think it only goes to 255. Know what I mean?
Thanks for your help. I need to complete this tomorrow.
Hi,
>> So where do I put the management IP address for the native vlan 1? On ethernet0.1? or on the BVI?
ANS - Its on the BVI interface.
>> Where would I put the IP address for vlan 600?
ANS - make sure you configure this on the switch.. and configure the trunk port between AP and the switch allowing vlan 600.
does the bridge group need to match vlan 600? i think it only goes to 255. Know what I mean?
ANS - yes you are right!! that goes till (bridge group) 255.. MAP the SSID with VLAN 600 and then create the dot11 0.600, then encapsulate this with vlan 600 (encap dot1Q 600) then bridge it with bridge group 254!! under both the radio and ethernet..
this will work
Thanks so much for your help.
I meant for question two...where can i give the AP an IP address on vlan 600?
Would this be possible?
Since we are bridging the VLAN 600 traffic.. there is no need to give the VLAN 600 ip on the AP.. the bridging will take care of it..
Sweet!
Thanks so much for your help!!!!
Its my pleasure !! and thank u posting on CSC!!
Surenda,
Is it possible with this config to keep the default on the vlan 600 side even though the BVI is addressed on vlan 1?
Reason I ask is that vlan 600 (172.16.11.0/24) is on a guest network with a guest DSL internet connection. We want all wireless users to use that egress. However we still want to be able to manage the AP on the vlan 1 side (192.168.3.0/24) with no wireless on vlan 1.
Is it possible?
Thanks again!!!
If you have VLAN 600 in the network and if we are able reach VLAN 600 from VLAN 1, then everything will work fine..
We don't want the vlans to be able to reach each other. Just layer 2 with no routing in between. Wireless users hit vlan 600 to DSL gateway 172.16.11.1 and vlan 1 just for management that we can access from the network. We don't want to reach the vlan 600 side and don't want users on vlan 600 to reach vlan 1 side.
Make sense? Thats where I am tied up.
What do you think?
Got it working buddy!
Thanks again!!!
Thanks Surendra for providing this useful informaiton.
Regards,
Vinay
Hi Surendra,
This is a fantastic doc, I am also facing issue is configuring the multilple ssid with multiple vlans. I will try out this on monday ie tomorrow. I will get back to you in case I am facing any issue.
Dinesh
thanku!! lemme know for any assistance!!
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: