12-28-2010 08:14 PM - edited 11-18-2020 02:52 AM
Configuration example using multiple VLANs with multiple SSIDs
I assume that you have configured the DHCP pool on the IOS switch, on the router, or on a dedicated DHCP server.
Assume we have 3 VLANs (1, 2 and 3), with 1 as the native VLAN, mapped to 3 different SSIDs (one, two and three) on any Aironet access point.
>> Configure the SSIDs and map them to their respective VLANs.
Enable
Conf t
Dot11 ssid one
Vlan 1
Authentication open
Mbssid Guest-mode
End

Enable
Conf t
Dot11 ssid two
Vlan 2
authentication open
authentication key-management wpa
wpa-psk ascii 7 <WPA key>
Mbssid Guest-mode
End

Enable
Conf t
Dot11 ssid three
Vlan 3
authentication key-management wpa version 2
wpa-psk ascii 7 <WPA key>
Mbssid Guest-mode
End
Enable
Conf t
Int dot11 0
Mbssid
ssid one
ssid two
ssid three
encryption vlan 1 mode wep mandatory
encryption vlan 1 key 1 size 40bit <10bit key>
encryption vlan 2 mode ciphers tkip
encryption vlan 3 mode ciphers aes-ccm
AP# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
AP(config)# interface Dot11Radio0.1
AP(config-subif)# encapsulation dot1Q 1 native
AP(config-subif)# bridge-group 1
AP(config-subif)# interface FastEthernet0.1
AP(config-subif)# bridge-group 1
AP(config-subif)# encapsulation dot1Q 1 native
AP(config-subif)# end
AP# write memory

AP(config)# interface Dot11Radio0.2
AP(config-subif)# encapsulation dot1Q 2
AP(config-subif)# bridge-group 2
AP(config-subif)# interface FastEthernet0.2
AP(config-subif)# bridge-group 2
AP(config-subif)# encapsulation dot1Q 2
AP(config-subif)# end
AP# write memory

AP(config)# interface Dot11Radio0.3
AP(config-subif)# encapsulation dot1Q 3
AP(config-subif)# bridge-group 3
AP(config-subif)# interface FastEthernet0.3
AP(config-subif)# bridge-group 3
AP(config-subif)# encapsulation dot1Q 3
AP(config-subif)# end
AP# write memory

AP(config)# bridge irb
AP(config)# bridge 1 route ip
AP(config)# end
AP# wr
en
conf t
int fa 2/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 1
switchport trunk allowed vlan 1,2,3
end
1. On the AP, issue the command “show dot11 associations”; you should see all 3 SSIDs.
ap#show dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [one] :
SSID [two] :
SSID [three] :
2. Try pinging from the AP to the switch VLAN interface; you should be able to ping.
This is done by assigning the IP address to the BVI interface of the AP, that is:
Enable
Conf t
Int bvi 1
Ip address <ip address> <mask>
No shut
End
Issue the command “show ip int br” on the AP and check if all the interfaces are up and running.
This is it!!
PS :
I have attached the Sample working Config from the Switch and the AP for 2 SSIDs.
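An added example, not part of the original post and not a Cisco tool: a small Python check that reads an autonomous-AP configuration of the kind shown above and reports SSIDs whose VLAN has no WPA key management, uses WEP or TKIP, or lacks a matching radio or wired dot1Q subinterface. The function name `audit`, the finding strings and the sample configuration are constructed for illustration, and the input is assumed to keep the indentation of `show running-config` output.

```python
import re
# Constructed sample in the style of the configuration above, not from a real device.
SAMPLE = """
dot11 ssid one
 vlan 1
 authentication open
dot11 ssid three
 vlan 3
 authentication open
 authentication key-management wpa version 2
interface Dot11Radio0
 encryption vlan 1 mode wep mandatory
 encryption vlan 3 mode ciphers aes-ccm
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
interface Dot11Radio0.3
 encapsulation dot1Q 3
interface FastEthernet0.1
 encapsulation dot1Q 1 native
"""

def audit(config):
    """Return sorted (ssid, finding) pairs; hypothetical helper, not a Cisco tool."""
    ssid_vlan, keymgmt, cipher, tagged, section = {}, set(), {}, set(), ""
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():
            section = line  # an unindented line opens a new config block
        if (m := re.match(r"vlan (\d+)$", line)) and section.startswith("dot11 ssid "):
            ssid_vlan[section.split()[-1]] = int(m[1])
        elif line.startswith("authentication key-management wpa"):
            keymgmt.add(section.split()[-1])
        elif m := re.match(r"encryption vlan (\d+) mode (.+)", line):
            cipher[int(m[1])] = m[2]  # if radios differ, the last one read wins
        elif m := re.match(r"encapsulation dot1Q (\d+)", line):
            kind = "radio" if section.startswith("interface Dot11Radio") else "wired"
            tagged.add((kind, int(m[1])))
    findings = []
    for ssid, vlan in ssid_vlan.items():
        mode = cipher.get(vlan, "")
        if ssid not in keymgmt:
            findings.append((ssid, "no WPA key management"))
        if not mode:
            findings.append((ssid, "no encryption for VLAN"))
        elif "wep" in mode or "tkip" in mode:
            findings.append((ssid, "weak cipher: " + mode))
        findings += [(ssid, f"no {k} subinterface for VLAN {vlan}")
                     for k in ("radio", "wired") if (k, vlan) not in tagged]
    return sorted(findings)
```

Calling `audit(SAMPLE)` flags SSID `one` for missing key management and WEP, and SSID `three` for the missing wired subinterface on VLAN 3.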
Hi,
I'm trying to find how to configure a guest SSID on an air-sap1602i-a-k9 access point. I'd like the guest SSID separate from the current internal work SSID.
Can someone help me with this?
Sincerely,
Sam
Sam,
Surendra's document matches your needs exactly.
You need two VLANs which will be mapped to two different SSIDs, one for guests and one for your internal network.
I would suggest configuring your two SSIDs as in the example of SSID #3 given by Surendra, which is WPA2+PSK, unless you want to use a different authentication method.
Surendra, thank you for your very helpful article. My question is do we have to use bridge-group 1 and BVI1? If I am using VLAN10, 20 & 30 could I instead start at bridge-group 10 and BVI10 and go on to bridge-group 20/BVI20 then bridge-group 30/BVI30? I have read on other forums that bridge-group 1 & BVI1 are required for this to work. Matt.
Hello Carlos,
I am having the same issue as freemanslim: I am able to ping all IPs broadcast from the SSID except the management IP, and I am also not able to telnet, SSH or HTTPS. As you suggested to essam, I tried to configure int dotradio.100 and put it in bridge-group 1, but it was forbidden with the message "Configuration of subinterfaces and main interface within the same bridge group is not permitted". Do you have any other solution for me? It would be much appreciated.
Hi,
thanks for the tutorial ...
...but I still didn't manage to make it work.
I have a Cisco Aironet 3600 AP and a Netgear M5300-28g.
On the Netgear I have some VLANs, in particular: vlan 1 = default, vlan 300 = Group, vlan 301 = Client. I also have a DHCP server included which provides IPs to each VLAN.
It's connected to the AP on gigabit port 20 (it's configured in trunk mode like you say).
I'd like to broadcast 2 SSIDs on the AP, one for each VLAN, so I created the 3 VLANs with their encryption (like you say) and 3 SSIDs (one native and 2 on multi beacon); the network interfaces Dot1radio X are also in place.
In the end I can see the SSIDs and connect with a static IP, but DHCP doesn't work.
I know there are some commands for DHCP like "dhcp-server" or "dhcp-relay", but despite all my tests it still doesn't work.
I could use some help please.
gothh
P.S. I'm a frenchie so please forgive my language mistakes
I am trying to apply the instructions using the following h/w:
Switch: C2960S Software (C2960S-UNIVERSALK9-M), Version 15.0(2)EX5
AP: C1600 Software (AP1G2-K9W7-M), Version 15.3(3)JC
I can type in all the commands, except for this command on the switch port:
switchport trunk encapsulation dot1q
This command is apparently not supported by the switch.
Ultimately, the AP broadcasts both SSIDs and I can authenticate a client to both of them (I can verify this because both SSIDs authenticate users using a RADIUS server), but in only one of them will the client get an IP from the DHCP server.
Interestingly, the ssid that works is assigned the non-native trunk vlan.
Thanks,
George
Hi, I followed your instructions to create two SSIDs and multiple VLANs, but cannot access the (web) management interface (IP address assigned to BVI1). I can ping between devices connected to the access point, but cannot ping the management IP address assigned to BVI1.
I would greatly appreciate any suggestions.
My Aironet and Switch configs are:
AIR-CAP3702I-A-K9 CONFIGURATION
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname aironet
!
!
logging rate-limit console 9
enable secret 5 $1$rDXP$B
!
no aaa new-model
clock timezone EST -5 0
clock summer-time EDT recurring
led display dim
no ip source-route
no ip cef
ip domain name ##########
!
!
!
!
dot11 pause-time 100
dot11 syslog
!
dot11 ssid private
vlan 20
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 ####################
!
dot11 ssid public
vlan 10
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 ####################
!
!
dot11 arp-cache optional
!
no ipv6 cef
!
crypto pki trustpoint TP-self-signed-712378768
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-712378768
revocation-check none
rsakeypair TP-self-signed-712378768
!
!
crypto pki certificate chain TP-self-signed-712378768
certificate self-signed 01 nvram:IOS-Self-Sig#2.cer
username ########## privilege 15 secret 5 ####################
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 10 mode ciphers aes-ccm tkip
!
encryption vlan 20 mode ciphers aes-ccm tkip
!
ssid private
!
ssid public
!
antenna gain 0
stbc
mbssid
station-role root
no dot11 extension aironet
!
interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
!
interface Dot11Radio0.99
encapsulation dot1Q 99 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 10 mode ciphers aes-ccm tkip
!
ssid public
!
antenna gain 0
peakdetect
dfs band 3 block
stbc
mbssid
channel width 80
channel dfs
station-role root
no dot11 extension aironet
!
interface Dot11Radio1.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio1.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
!
interface Dot11Radio1.99
encapsulation dot1Q 99 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 spanning-disabled
no bridge-group 10 source-learning
!
interface GigabitEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 spanning-disabled
no bridge-group 20 source-learning
!
interface GigabitEthernet0.99
encapsulation dot1Q 99 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface BVI1
ip address 192.168.10.10 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.10.254
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
bridge 1 route ip
!
!
!
line con 0
exec-timeout 15 0
logging synchronous
login local
length 0
line vty 0 4
exec-timeout 15 0
logging synchronous
login local
length 0
transport input all
!
end
SWITCH PORT CONFIGURATION
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport trunk allowed vlan 10,20,99
switchport mode trunk
Your post has helped me enormously to better understand the use of multiple SSIDs.
I have implemented it but I am facing a problem.
I have to activate internet distribution on my two SSIDs, but I can't.
Can you give me an idea of what to do?
My Aironet access point is a 2700 series.