
Aironet 1040 series - Multiple SSID Question

jkurzhals1
Level 1

Hi All,

This is a beginner question so my apologies if this has been discussed in the past. I recently acquired a Cisco 1041 Autonomous Access Point that I am using in my home. I have updated the firmware to the latest and have successfully created a single SSID. This all works as expected.

My desire is to have a second guest WiFi network for visitors. My initial research seems to show that I will need to create VLANs for each SSID.

 

1) Can I create a second functional and visible SSID that does not require a fully functional VLAN through my switch and firewall?  I realize this may allow the guest SSID to have access to my LAN.

 

2) When I am ready to restrict LAN access of the guest network I will need to create a VLAN. Correct?

 

Thank you.

 

 


1) Can I create a second functional and visible SSID that does not require a fully functional VLAN through my switch and firewall?  I realize this may allow the guest SSID to have access to my LAN.

No, you cannot create a second SSID in a different subnet without creating VLANs. In that case the switchport your AP is connected to has to be configured as a trunk port and allow the required VLAN. AP management always has to be on the native VLAN on that trunk.

HTH

Rasika

**** Pls rate all useful responses ****

 

It does help. Thank you.

Follow-up question: I know this is not recommended, but what if I create both SSIDs and put them in the same subnet on the native VLAN? Would both networks be visible and functional?

I do not think you can do that. What type of switch do you connect this AP to? Is it a managed switch?

If I get a chance I'll try to see what you can do on this (at least one SSID visible & one without visible).

HTH

Rasika

**** Pls rate all useful responses ****

Thank you for the guidance. I do have a managed switch. I'll see if I can get the second SSID set up on a VLAN and separate subnet.

If you have a managed switch, then this is the way to do it. I assumed VLAN 1 would be the native VLAN on the trunk port, with the 192.168.100.0/24 subnet, and used it for AP management. You need to define those L2 VLANs and the required DHCP pools on the switch (config not shown here).

You could configure your AP like this. Replace <SSID-1> & <SSID-2> with required SSID names & corresponding passwords.

dot11 ssid <SSID-1>
   vlan 10
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii <SSID_1_PASSWORD>
!
dot11 ssid <SSID-2>
   vlan 20
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii <SSID_2_PASSWORD>
!
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 encryption vlan 20 mode ciphers aes-ccm
 mbssid
 ssid <SSID-1>
 ssid <SSID-2>
 no shut
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
!
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface BVI1
 ip address 192.168.100.101 255.255.255.0
ip default-gateway 192.168.100.1
!

Then the switchport should be configured as a trunk port and allow VLANs 1, 10 and 20:

int gx/x
 description AP-01
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20

 

If you want to put some access restriction between VLAN 10 and 20, you can do that on your switch (e.g. with an ACL).

Let me know if you have any queries.

 

 

HTH

Rasika

**** Pls rate all useful responses ****
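
A consistency check for the configuration in the post above, as an added example that is not part of the original thread or any Cisco tooling: it parses an autonomous-AP config and reports any SSID whose VLAN lacks a cipher line, matching radio and wired bridge-groups, or a place in the switch trunk's allowed list. The SSID names HOME and GUEST, the function name `audit` and the trimmed sample config are assumptions constructed for illustration.

```python
# Constructed sample: the AP config from the post, trimmed, with placeholder SSID names.
SAMPLE = """\
dot11 ssid HOME
   vlan 10
dot11 ssid GUEST
   vlan 20
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 encryption vlan 20 mode ciphers aes-ccm
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
"""

def audit(ap_config, trunk_allowed):
    """Return findings; an empty list means each SSID VLAN reaches the trunk intact."""
    ssid_vlan, encrypted, bridge = {}, set(), {}
    section, vlan = "", None
    for line in ap_config.splitlines():
        words = line.split()
        if not words or not line[0].isspace():  # blank, "!" or a new section header
            section, vlan = line.strip(), None
        elif section.startswith("dot11 ssid ") and words[0] == "vlan":
            ssid_vlan[section.split()[2]] = int(words[1])
        elif words[:2] == ["encryption", "vlan"]:
            encrypted.add(int(words[2]))
        elif words[:2] == ["encapsulation", "dot1Q"]:
            vlan = int(words[2])  # VLAN tag of the current subinterface
        elif words[0] == "bridge-group" and vlan is not None:
            side = "radio" if "Dot11Radio" in section else "wired"
            bridge[(side, vlan)] = int(words[1])
    findings = []
    for ssid, v in sorted(ssid_vlan.items()):
        groups = {bridge.get(("radio", v)), bridge.get(("wired", v))}
        if v not in encrypted:
            findings.append(f"{ssid}: no 'encryption vlan {v}' on the radio")
        if None in groups or len(groups) != 1:
            findings.append(f"{ssid}: VLAN {v} not bridged radio-to-wired")
        if v not in trunk_allowed:
            findings.append(f"{ssid}: VLAN {v} not in switch trunk allowed list")
    return findings
```

Pass the VLAN IDs from the switchport's `switchport trunk allowed vlan` line as a set, for example `audit(SAMPLE, {1, 10, 20})`.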

 

 
