871W - Multiple SSID/VLAN trouble

us10610
Level 4

I have an 871W at a remote site that VPNs into the corporate office via DSL. Trusted wireless clients are configured for WPA-PSK/TKIP; desktops are hard wired. I am trying to configure a guest SSID that has access only to the internet while letting the trusted clients use the tunnel. I've been poking at this for a couple of days and I could really use some help.

I've discovered that removing the default dot0 bridge group and creating a new ssid, dot0.x, int vlanx, int bvix and add bridge x route IP, that I can attach to the new group but then I am unable to attach to the WPA group. It seems that the most recent BVI interface assumes the AP identity.

I know this is very vague and I would be glad to post my config. I am really curious if I am trying something that can't be done on the 871W.

Thanks in advance!!

Greg


mel.woodley
Level 1

I have been fighting the same problem for over 6 months with no help from Cisco TAC. No one in their TAC has any clue about this router. I just don't think it works. I was told you can't do 802.1x with a bridge interface, so I'm curious how yours is working. I'll be happy to share my config with you. Please respond or call me 434 951-3265.

I think I finally have it figured out.

Create 3 DHCP pools

**********************************************************

! Reserve the gateway addresses; the two wireless pools hand out only .10-.24
ip dhcp excluded-address 192.168.12.1
ip dhcp excluded-address 192.168.36.1 192.168.36.9
ip dhcp excluded-address 192.168.36.25 192.168.36.254
ip dhcp excluded-address 10.10.100.1 10.10.100.9
ip dhcp excluded-address 10.10.100.25 10.10.100.254
!
! Wired LAN clients (gateway is BVI1); lease is 0 days 2 hours
ip dhcp pool Wired
 import all
 network 192.168.12.0 255.255.255.0
 default-router 192.168.12.1
 lease 0 2
!
! Employee wireless clients (gateway is Dot11Radio0.2)
ip dhcp pool EmployeeW
 import all
 network 192.168.36.0 255.255.255.0
 default-router 192.168.36.1
 lease 0 2
!
! Guest wireless clients (gateway is Dot11Radio0.100)
ip dhcp pool guest
 import all
 network 10.10.100.0 255.255.255.0
 default-router 10.10.100.1
 lease 0 2
!

*****************************************************

Create 2 SSIDs and add them to different VLANs (both are open authentication for test)

***********************************************************

bridge irb
!
interface Dot11Radio0
 no ip address
 !
 ssid employee
  vlan 2
  authentication open
 !
 ssid guest
  vlan 100
  authentication open
  guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding

*****************************************************

Create 2 sub interfaces, set the encapsulation, and assign them addresses within the DHCP ranges

*****************************************************

!
! Employee VLAN 2: routed sub-interface, gateway for the EmployeeW pool
interface Dot11Radio0.2
 encapsulation dot1Q 2
 ip address 192.168.36.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 no cdp enable
!
! Guest VLAN 100: routed sub-interface, gateway for the guest pool
interface Dot11Radio0.100
 encapsulation dot1Q 100
 ip address 10.10.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 no cdp enable
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface BVI1
 description Wired LAN
 ip address 192.168.12.1 255.255.255.0
 ip access-group Inside_access_out in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
! Global bridge settings: route IP through BVI1 for bridge group 1
bridge 1 protocol ieee
bridge 1 route ip

*****************************************************

Then use access-lists to control access to and from resources. I have a DSL connected to FA4 and a dialer group that I use to connect to the internet. I have a default route that points to Dialer0 and use an access list to control what traffic gets tunnelled back to the main office. I have had a couple of times where I couldn't ping the internet from the employee SSID but I think it's an ACL problem. (or this is just flaky!!)

Give it a try and let me know if it works for you....I'm going to keep on working on it this afternoon to make sure that it's stable.

*****************************************************
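
The reply above leaves the guest-side access list unwritten. One way to write it for the addressing used in this thread, as an added example that is not part of the original posts: the ACL name `GUEST-IN` is hypothetical, and the sketch assumes the corporate networks behind the tunnel use RFC 1918 address space and that the DNS servers handed out by `import all` are public addresses.

```cisco
! Added example, not from the thread. GUEST-IN is a hypothetical name.
ip access-list extended GUEST-IN
 remark Let guest clients obtain and renew leases from the router's DHCP server
 permit udp any eq bootpc any eq bootps
 remark Block guest traffic to every private range. This covers the wired LAN
 remark 192.168.12.0/24, the employee WLAN 192.168.36.0/24, the router's own
 remark guest-side address 10.10.100.1, and (assumption) the corporate networks
 remark reached through the VPN tunnel. Matches are logged for visibility.
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 remark Anything else sourced from the guest subnet may go out to the internet
 permit ip 10.10.100.0 0.0.0.255 any
 remark Spoofed or unexpected source addresses fall through to this deny
 deny   ip any any log
!
! Filter at the point where guest traffic enters the router
interface Dot11Radio0.100
 ip access-group GUEST-IN in
```

The access list that selects traffic for the tunnel should also leave 10.10.100.0/24 out, so that guest traffic is never matched for encryption toward the main office.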
