siskum
Spotlight

Access VLANs and Internet through multiple wireless SSIDs, using Autonomous AP AIR-CAP3702

Challenge: 

Access the Internet through an autonomous access point (Air-Cap3702i-e-k9) populated with multiple SSIDs that are connected to the VLANs at the remote office.

Diagnosis:

There were difficulties establishing a link (connection) between the lightweight access point (Air-CAP3702-E-K9) and the wireless controller (WLC4402) to access the WLANs.

Solution: 

  1. Update and install IOS, and convert the lightweight AP (Air-CAP3702i-E-K9) to an autonomous AP. (There are a lot of resources available on the Internet on how to convert a lightweight AP to an autonomous AP.)
  2. Configure the L3SW-CW3560 Cisco switch, the L2SW-CW2960 Cisco switch, Router-1802 and the autonomous AP AIR-CAP3702i-E-K9 to serve multiple SSIDs.
  3. Access the VLANs and the Internet through multiple SSIDs at the micro-office.

Special Note:

The IP addresses and passwords mentioned here are imaginary. They are not used in a real network and appear here only for educational purposes.

The CLI commands shown here cover only a few VLANs and SSIDs, for example VLAN 10 and VLAN 20, for easy understanding. The attached files below contain the complete list of VLANs and SSIDs configured on each device; those CLI commands can be used for study and reference. The SSID names and VLAN names are the same for ease of use. A different friendly name can be used for each SSID, but remember to assign the correct VLAN number to each SSID.

Topology:

[Figure: topology diagram, LWAP_Multiple-SSID and VLAN internet access ISP.JPG]

 

Configurations

L2SW-CISCO 2960  Configuration

Create VLANs 50, 60, 70 and 100, then assign VLANs to switchports
L2SW-48P#conf t
L2SW-48P(config)#vlan 50
L2SW-48P(config-vlan)#name AP-VLAN50
L2SW-48P(config)#vlan 60
L2SW-48P(config-vlan)#name AP-VLAN60
L2SW-48P(config)#int range f0/1-6
L2SW-48P(config-if-range)#Switchport mode access
L2SW-48P(config-if-range)#switchport access vlan 50
L2SW-48P(config-if-range)#spanning-tree portfast
L2SW-48P(config-if-range)#no shutdown
L2SW-48P(config)#int range f0/7-12
L2SW-48P(config-if-range)#switchport mode access
L2SW-48P(config-if-range)#switchport access vlan 60
L2SW-48P(config-if-range)#
:
Configure interface G0/2 (GigabitEthernet 0/2) as a trunk port
L2SW-48P(config)#int g0/2
L2SW-48P(config-if)#description --> connection to L3SW-Cisco3560 <-- trunk link -->
L2SW-48P(config-if)#switchport mode trunk
L2SW-48P(config-if)#no shut
Interface G0/1 (GigabitEthernet 0/1) connection to ISP Router Local port
L2SW-48P(config)#int g0/1
L2SW-48P(config-if)#description --> connection to ISP-1 Router Local port <--

L3SW-CISCO 3560  Configuration

Create VLANs 10, 20, 50, 60, 70 and 100
L3SW-24P#conf t
L3SW-24P(config)#vlan 10
L3SW-24P(config-vlan)#name AP-VLAN10
L3SW-24P(config)#vlan 20
L3SW-24P(config-vlan)#name AP-VLAN20
Assign VLANs to switchports
L3SW-24P(config)#int range f0/1-4
L3SW-24P(config-if-range)#Switchport mode access
L3SW-24P(config-if-range)#switchport access vlan 10
L3SW-24P(config-if-range)#spanning-tree portfast
L3SW-24P(config-if-range)#no shutdown
L3SW-24P(config)#int range f0/5-8
L3SW-24P(config-if-range)#switchport mode access
L3SW-24P(config-if-range)#switchport access vlan 20
L3SW-24P(config-if-range)#
:
Configure interfaces G0/2, F0/23 and F0/24
Configure interface G0/2 (GigabitEthernet 0/2) as a routed port (no switchport)
L3SW-24P(config)#int G0/2
L3SW-24P(config-if)#description --> connection to Router-1802 <--
L3SW-24P(config-if)#no switchport
L3SW-24P(config-if)#ip address 172.168.100.2 255.255.255.0
L3SW-24P(config-if)#no shut
Configure FastEthernet 0/23 as Trunk
L3SW-24P(config)#int F0/23
L3SW-24P(config-if)#description --> connection to Air-CAP3702I AutonomousAP <--
L3SW-24P(config-if)#switchport trunk encapsulation dot1q
L3SW-24P(config-if)#switchport mode trunk
L3SW-24P(config-if)#spanning-tree portfast
L3SW-24P(config-if)#no shut
Configure FastEthernet 0/24 as Trunk
L3SW-24P(config)#int F0/24
L3SW-24P(config-if)#description --> connection to Air-CAP3702I AutonomousAP <--
L3SW-24P(config-if)#switchport trunk encapsulation dot1q
L3SW-24P(config-if)#switchport trunk allowed vlan 10-200 !(VLAN 1 not allowed)
L3SW-24P(config-if)#switchport mode trunk
L3SW-24P(config-if)#spanning-tree portfast
L3SW-24P(config-if)#no shut
Interface G0/1 (GigabitEthernet 0/1) connection to ISP Router Local port
L3SW-24P(config)#int G0/1
L3SW-24P(config-if)#description --> connection to ISP-2 Router Local port <--

Create an interface for each VLAN and assign its IP address
L3SW-24P(config)#int VLAN 1
L3SW-24P(config-if)#ip address 192.168.1.5 255.255.255.128
L3SW-24P(config)#int VLAN 10
L3SW-24P(config-if)#ip address 172.168.10.5 255.255.255.0
L3SW-24P(config)#int VLAN 20
L3SW-24P(config-if)#ip address 172.168.20.5 255.255.255.0
:
Routing
L3SW-24P(config)#ip routing
L3SW-24P(config)#ip route 0.0.0.0 0.0.0.0 172.168.100.1
L3SW-24P(config)#ip default-gateway 192.168.1.5
L3SW-24P(config)#router eigrp 10
L3SW-24P(config-router)#network 10.0.0.0 0.255.255.255
L3SW-24P(config-router)#network 172.168.10.0 0.255.255.255
L3SW-24P(config-router)#network 172.168.20.0 0.255.255.255
:
Creating DHCP pool
L3SW-24P(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.5
L3SW-24P(config)#ip dhcp excluded-address 172.168.10.1 172.168.10.5
L3SW-24P(config)#ip dhcp excluded-address 172.168.20.1 172.168.20.5
:
L3SW-24P(config)#ip dhcp pool Local-VLAN1
L3SW-24P(dhcp-config)#default-router 192.168.1.5
L3SW-24P(dhcp-config)#dns-server 83.255.255.3
L3SW-24P(config)#ip dhcp pool AP-VLAN10
L3SW-24P(dhcp-config)#network 172.168.10.0 255.255.255.0
L3SW-24P(dhcp-config)#default-router 172.168.10.1
L3SW-24P(dhcp-config)#dns-server 83.255.255.3
L3SW-24P(config)#ip dhcp pool AP-VLAN20
L3SW-24P(dhcp-config)#network 172.168.20.0 255.255.255.0
L3SW-24P(dhcp-config)#default-router 172.168.20.1
L3SW-24P(dhcp-config)#dns-server 83.255.255.3

Autonomous AP – AIR-CAP3702i Configuration

Create multiple SSIDs and assign VLANs
ap(config)#dot11 ssid AP-VLAN10
ap(config-ssid)#vlan 10
ap(config-ssid)#authentication open
ap(config-ssid)#authentication key-management wpa version 2
ap(config-ssid)#wpa-psk ascii Password987
ap(config-ssid)#mbssid guest-mode
ap(config)#dot11 ssid AP-VLAN20
ap(config-ssid)#vlan 20
ap(config-ssid)#authentication open
ap(config-ssid)#authentication key-management wpa version 2
ap(config-ssid)#wpa-psk ascii Password123
ap(config-ssid)#mbssid guest-mode
ap(config-ssid)#
:
Populate SSIDs on 2.4GHz Wireless LAN
ap(config)#int dot11radio 0
ap(config-if)#no ip address
ap(config-if)#encryption vlan 10 mode ciphers aes-ccm
ap(config-if)#encryption vlan 20 mode ciphers aes-ccm
ap(config-if)#
ap(config-if)#ssid AP-VLAN10
ap(config-if)#ssid AP-VLAN20
ap(config-if)#
ap(config-if)#mbssid
ap(config-if)#station-role root access-point
ap(config-if)#exit
Create sub-interfaces
ap(config)#int dot11radio 0.1
ap(config-subif)#encapsulation dot1q 1 native
ap(config-subif)#bridge-group 1
ap(config-subif)#exit
ap(config)#int dot11radio 0.10
ap(config-subif)#encapsulation dot1q 10
ap(config-subif)#bridge-group 10
ap(config)#int dot11radio 0.20
ap(config-subif)#encapsulation dot1q 20
ap(config-subif)#bridge-group 20
ap(config-subif)#exit
Populate SSIDs on 5.0GHz Wireless LAN (It is same as 2.4GHz)
ap(config)#int dot11radio 1.20
ap(config-subif)#encapsulation dot1q 20
ap(config-subif)#bridge-group 20
:
GigabitEthernet 0 of the AP Air-CAP3702 connects to FastEthernet 0/23 on L3SW-Cisco3560 using a UTP cable.
AP Interface GigabitEthernet 0 configuration
ap(config)#int g0
ap(config-if)#ip address dhcp !(gets one of the IP addresses from the local VLAN 1 DHCP pool)
ap(config-if)#no shut
ap(config)#int g0.1
ap(config-subif)#encapsulation dot1q 1 native
ap(config-subif)#bridge-group 1
ap(config)#int g0.10
ap(config-subif)#encapsulation dot1q 10
ap(config-subif)#bridge-group 10
ap(config)#int g0.20
ap(config-subif)#encapsulation dot1q 20
ap(config-subif)#bridge-group 20
ap(config-subif)#exit
Interface BVI 1 configuration
ap(config)#int bvi 1
ap(config-if)#ip add 192.168.1.37 255.255.255.128 !(a static IP address from the local VLAN 1 DHCP pool)
ap(config-if)#no shut
ap(config-if)#exit
Routing
ap(config)#ip routing
ap(config)#ip route 0.0.0.0 0.0.0.0 172.168.100.1
ap(config)#ip default-gateway 192.168.1.5 !(L3SW-Cisco3560 VLAN 1 interface IP address; otherwise it cannot get the correct IP address for each VLAN and Internet access is not possible)
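
One way to check that each SSID's VLAN is carried end to end on the AP (cipher on the radio, radio sub-interface, GigabitEthernet sub-interface, same bridge-group on both), as an added example that is not part of the original article. The configuration text is a constructed sample in running-config style, and the `audit` function and its messages are hypothetical names introduced here.

```python
import re

# Constructed sample in running-config style, using the article's VLAN 10/20 naming.
# Assumed defect, added for illustration: AP-VLAN20 has no cipher and no g0.20.
SAMPLE = """\
dot11 ssid AP-VLAN10
 vlan 10
dot11 ssid AP-VLAN20
 vlan 20
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
"""

def audit(cfg):
    """Return (ssid, problem) pairs where the SSID-to-VLAN chain is broken."""
    ssids, ciphers, bridge, section, vlan = {}, set(), {}, "", None
    for raw in cfg.splitlines():
        line = raw.strip()
        if raw[:1].strip():                      # unindented line: new section
            section, vlan = line, None
        elif section.startswith("dot11 ssid ") and re.fullmatch(r"vlan \d+", line):
            ssids[section.split()[2]] = int(line.split()[1])
        elif m := re.match(r"encryption vlan (\d+) mode ciphers", line):
            ciphers.add(int(m[1]))               # both radios share one set here
        elif m := re.match(r"encapsulation dot1q (\d+)", line, re.I):
            vlan = int(m[1])
        elif line.startswith("bridge-group ") and vlan is not None:
            kind = "radio" if "dot11radio" in section.lower() else "wired"
            bridge[kind, vlan] = int(line.split()[1])
    out = []
    for ssid, v in sorted(ssids.items()):
        r, w = bridge.get(("radio", v)), bridge.get(("wired", v))
        if v not in ciphers:
            out.append((ssid, f"vlan {v}: no cipher on radio"))
        if r is None or w is None:
            out.append((ssid, f"vlan {v}: radio or wired subinterface missing"))
        elif r != w:
            out.append((ssid, f"vlan {v}: bridge-group {r} (radio) != {w} (wired)"))
    return out
```

Running `audit(SAMPLE)` reports AP-VLAN20 twice and AP-VLAN10 not at all; a saved configuration from the AP can be passed in the same way.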

Router – Cisco 1812 configuration

Configure Interfaces FastEthernet 0 and FastEthernet 1

RT-1812W(config)#interface FastEthernet0
RT-1812W(config-if)#description --> Connection to L3SW-3560 Nat INSIDE <--
RT-1812W(config-if)#ip address 172.168.100.1 255.255.255.0
RT-1812W(config-if)#ip nat inside
RT-1812W(config-if)#exit
RT-1812W(config)#interface FastEthernet1
RT-1812W(config-if)#description --> Connection to ISP Router's port Nat OUTSIDE <--
RT-1812W(config-if)#ip address 192.168.0.144 255.255.255.0 !(set static IP address from Local Vlan pool)
RT-1812W(config-if)#ip nat outside
RT-1812W(config-if)#exit
Routing
RT-1812W(config)#ip routing
RT-1812W(config)#ip route 0.0.0.0 0.0.0.0 192.168.0.1 !(ISP local router LAN ip address)
RT-1812W(config)#ip route 10.0.0.0 255.0.0.0 172.168.100.2 !(L3SW-Cisco3560 interface G0/2)
RT-1812W(config)#ip route 172.168.10.0 255.255.255.0 172.168.100.2
RT-1812W(config)#ip route 172.168.20.0 255.255.255.0 172.168.100.2
RT-1812W(config)#router eigrp 10
RT-1812W(config-router)#network 10.0.0.0 0.255.255.255
RT-1812W(config-router)#network 172.168.10.0 0.0.0.255
RT-1812W(config-router)#network 172.168.20.0 0.0.0.255
RT-1812W(config-router)#exit
RT-1812W(config)#ip default-gateway 192.168.0.144 !(FastEthernet 1)
RT-1812W(config)#ip name-server 83.255.255.3 192.168.0.1 192.168.1.1 8.8.8.8
Access-list
RT-1812W(config)#ip access-list standard AP-VLAN-Group1
RT-1812W(config-std-nacl)#permit 10.0.0.0 0.255.255.255
RT-1812W(config-std-nacl)#permit 172.168.10.0 0.0.0.255
RT-1812W(config-std-nacl)#permit 172.168.20.0 0.0.0.255
RT-1812W(config-std-nacl)#exit
RT-1812W(config)#ip nat inside source list AP-VLAN-Group1 interface FastEthernet1 overload
RT-1812W(config)#

Comments
Jimena Saez
Community Manager

Dear @siskum 

Thank you very much for contributing to the wireless technology documents, I hope that this new document not only has a positive impact on the community, but also helps other members gain confidence and improve their knowledge. As always, thank you very much Sisira for your commitment and support!

Shared knowledge not only advances humanity, it also provides opportunities beyond all barriers.

With all my appreciation,
Jimena

siskum
Spotlight

Dear @Jimena Saez,

Thank you very much for your kind and encouraging words. This string of words shows your professionalism and how much you love to help the CISCO community here as a Community Manager. I wish you the best for a long-lasting career.

Thanks and best of best..!

Sisira/Siskum

Rich R
VIP

Nice write-up but just a caution to anybody planning to do this that most of the products used are already End of Support by Cisco so product software downloads will be withdrawn soon if not done already.

The 3702 AP - Last Date of Support 30 April 2024:
https://www.cisco.com/c/en/us/products/collateral/wireless/aironet-3700-series/eos-eol-notice-c51-740710.html
1812 router - Last Date of Support 30 April 2016:
https://www.cisco.com/c/en/us/products/collateral/routers/1800-series-integrated-services-routers-isr/eol_c51_597946.html
2960 switch - depends on exact model but most were Last Date of Support 31 October 2019:
https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-2960-series-switches/eos-eol-notice-c51-730121.html
3560 switch - depends on exact model but Last Date of Support 31 May 2021:
https://www.cisco.com/c/en/us/support/switches/catalyst-3560-series-switches/series.html#~tab-documents

siskum
Spotlight

Hello @Rich R VIP  and Community users,

Everybody should understand that, first of all, the important thing is CLI code functionality. These codes can be implemented on any latest version of CISCO equipment. Those codes are CISCO proprietary codes. Even though the old equipment has reached end of support by CISCO, the Cisco CLI codes are still valid. My first concern is not the equipment; the tested code is my first priority. These codes can be reused and modified by users for their own requirements. Sorry for the misunderstanding if I am not wrong.

Kindest regards,

Sisira/Siskum

 

Rich R
VIP

Hi @siskum - I should probably have elaborated that EOS for 3702 APs means end of support for all Cisco IOS autonomous mode APs.  This autonomous mode AP design is effectively no longer supported by Cisco and there is no direct replacement of newer AP model which runs autonomous IOS.
The 802.11ac Wave 2 APs (1800/2800/3800 series) support Mobility Express instead for autonomous type use case but ME is completely different to autonomous IOS.  ME is based on AireOS for the WLC component and AP-COS for the AP.  AireOS will be end of support soon:
https://www.cisco.com/c/en/us/products/collateral/wireless/8500-series-wireless-controllers/wireless-software-8-10-pb.html
For the next generation of WiFi 6 Catalyst 91xx APs Cisco replaced ME with Embedded Wireless Controller for AP (EWC AP) which is based on IOS-XE for the WLC component and AP-COS for the AP, and currently still supported.
On the latest generation of Catalyst CW916x APs EWC AP is not supported so there is no autonomous style solution for these APs.

The switch and router configs are largely similar even on newer IOS based models but over time more Cisco platforms are based on IOS-XE so there are small config changes over time.  The router configs also depend on whether the router uses routed ports or switch ports.  Some router models use a combination of both port types.  So just need to be aware of these differences.

siskum
Spotlight

Hi @Rich R 

Some parts of the world still use those devices, and the latest software update was released for Air-CAP3700i (ap3g2-rcvk9w8-tar.153-3.JPQ2.tar) on 2024-03-23 by CISCO. This might help the CISCO community to update their knowledge about new technology and so on, but still there is a saying: old is gold. Finally, I realized that you also agreed that CISCO IOS CLI code is still usable.

Can you give me your own solution and experience to overcome the following problem:

When the LWAP broadcasts and sends a join request to the WLC in the same subnet or a different subnet, the join reply is sent by the management interface, but AP-Management is not joining the LWAP through CAPWAP. The external DHCP server is configured correctly with DHCP option 43 and option 60, but even when the LWAP sends a join request, AP-Management does not join the LWAP. So the LWAP tries 3 attempts and reboots. It goes through 2 or 3 cycles in a similar way, and then it hooks up with the TFTP server and broadcasts a message such as "Translating .. CISCO-CAPWAP-CONTROLLER....domain server 255.255.255.255".

I prefer your solution without any reference link. Looking forward to hearing from you @Rich R

Kindest regards,

Sisira/siskum

siskum
Spotlight

Hi @Rich R

Can you give me your own solution and experience to overcome the following problem I have:

When the LWAP broadcasts and sends a join request to the WLC in the same subnet or a different subnet, the WLC sends a join reply by its management interface to the LWAP, but AP-Management is not joining (status = "not join") the LWAP through CAPWAP. The external DHCP server is configured correctly with DHCP option 43 and option 60, but even though the LWAP sends a join request, AP-Management does not join the LWAP (status = "not join"). So the LWAP tries 3 attempts and reboots. It goes through 2 or 3 cycles in a similar way, and then it hooks up with the TFTP server static IP and broadcasts a message such as "Translating .. CISCO-CAPWAP-CONTROLLER....domain server 255.255.255.255". The DHCP server is correctly initialized with the domain name server already as dns-server x.x.x.x. The WLC is already connected to the untagged VLAN in the L3SW, and in the same subnet the LWAP is connected to the same L3SW, but the WLC AP-Management does not want to connect to the LWAP.

I prefer your solution without any reference link. Looking forward to hearing from you @Rich R

Kindest regards,

Sisira/siskum

Rich R
VIP

@siskum questions like that should be asked in https://community.cisco.com/t5/wireless/bd-p/discussions-wireless not here on Knowledge Base.  Best to post there and include the full console log from the AP from power on, what model and version of software is on the AP, what model and version of software the WLC is running and what the WLC AP join stats show for that AP.

siskum
Spotlight

@Rich R

OK, I realize now that your reply makes visible your capacity on the devices mentioned above. The "Esc" key on the keyboard is very useful to easily solve problems of this kind on devices such as the WLC4400 series & Air-CAP3700 series. I hope to publish a solution for how to overcome that problem soon. I am doing it in a practical way, not link based.
