Best practice configuring 2602i aironet 50-70 users.

butchoi_seso
Level 1

Hi, I'm new to Cisco wireless APs.

I need your advice on the best way to configure wireless APs. We have 50-70 users in 2 buildings, 3 storeys, 2 VLANs.

I have 2 Cisco Aironet 2602i and 1 Aironet 1142. Is it okay if the AP-1142 is the access point and the 2 2602i are the bridge? Can anyone give me configurations?

 

Thanks

Accepted Solutions

If you are OK with that, here is what you have to do.

vlan 25 - 172.22.25.0/24

1. Define this L2 vlan on your switch

2. Define SVI for vlan 25 (int vlan 25) & assign 172.22.25.2 /24 (assuming it is the correct gateway IP you want to have)

3. Define a DHCP pool for vlan 25 (assume the first 20 addresses are reserved for APs & SVI). Follow the same configuration options you have given for vlan 10,20. So wireless users will get an IP in the range of 172.22.25.21 - 172.22.25.254

4. Configure the below configuration on AP-01 & do the same on AP-02 & AP-03 with modified BVI IP & hostname. (I used the WLAN password, hostname and SSID given in your config; modify those if you need to.)

AP-01 : 172.22.25.11/24

AP-02 : 172.22.25.12/24

AP-03 : 172.22.25.13/24

conf t
hostname LEDO_AP01
!
dot11 ssid LEDO_WIFI
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 7 03035704040E2D5C411E1C17
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid LEDO_WIFI
 no shutdown
!
interface Dot11Radio1
 channel width 40-above
 encryption mode ciphers aes-ccm
 ssid LEDO_WIFI
 no shutdown
!
interface BVI1
 ip address 172.22.25.11 255.255.255.0
!
ip default-gateway 172.22.25.2
end
write memory
!

5. Configure 3 switchports for access vlan 25 & plug in those 3 APs. Here is a sample config for a switchport.

interface gx/x
description Access Point
switchport mode access
switchport access vlan 25
spanning-tree portfast

6. Test your wireless connectivity

Give us a try & let us know if you have any further queries.

HTH

Rasika

**** Pls rate all useful responses ****

 


Hi

You simply need to erase the startup-config & reload without saving.

AP#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue? [confirm]
[OK]
Erase of nvram: complete

AP#reload
System configuration has been modified. Save? [yes/no]: no
Proceed with reload? [confirm]

 

Once reloaded, you can apply the new configurations

 

HTH

Rasika


Scott Fella
Hall of Fame

Here is my opinion. It is best to have an access point on each floor, and more than one if a single access point doesn't provide the coverage you want. Now that being said, you can use a separate AP as a bridge if you are trying to connect two buildings together via wireless. The bridge would have antennas on the outside and you would use the proper antenna to provide a stable wireless link between the two. This is how I would implement a solution like what you have to ensure you can provide enough wireless coverage for the end devices and a link between the buildings.

Scott

-Scott
*** Please rate helpful posts ***

Hi Scott and Leo, thanks for the reply. Great advice!

 

If I put an access point on each floor, can I assign one SSID 1 for every floor? Is it possible that vlan 1 and 2 can connect with the same SSID 1 and 3 access points? What should be the configurations for all the APs?

 

Thanks,

 

Are these Autonomous APs? If not, you require either a WLC or to convert those to Autonomous.

If you access the CLI via the AP console & issue "show version" you can verify this. (Cisco/Cisco will be the credential if these are new APs.)

Also, what type of switch do you have to connect these 3 APs & power them? (Hope it is a Gigabit switch & PoE.)

Let us know, we can help accordingly

 

HTH

Rasika

**** Pls rate all useful responses ****

Hi Manannalage,

 

Are these Autonomous APs? YES. We don't have a WLC for now. I have a Layer 3 switch, 3560 G series; yes, this is a Gigabit switch & PoE. This switch is configured with 2 vlans only.

 

Thanks,

 

 

 

Hi 

Thanks for the confirmation.

Since you are new to Cisco wireless I would go with a very basic configuration.

If you configure all your APs with this basic configuration & plug them into 3 switchports configured for a DHCP vlan (where you want wireless users to take an IP from), your wireless should work.

Replace <AP_HOSTNAME>, <SSID_NAME> & <SSID_PASSWORD> as required. Also, you can change the default username/password (Cisco/Cisco) for better security.

conf t
hostname <AP_HOSTNAME>
!
dot11 ssid <SSID_NAME>
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii <SSID_PASSWORD>
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid <SSID_NAME>
 no shutdown
!
interface Dot11Radio1
 channel width 40-above
 encryption mode ciphers aes-ccm
 ssid <SSID_NAME>
 no shutdown
!
interface BVI1
 ip address dhcp
!
end
write memory
!

In this case the AP will take an IP from the same subnet. If you want to create multiple SSIDs & also put the AP onto a separate mgmt vlan, then we may need to create sub-interfaces & the configuration would be a little bit complex (but can be done :) ).

Let us know

**** Pls do not forget to rate our responses if that is useful to you ****

 

HTH

Rasika

Hi Manannalage,

Our L3 switch port 1, port 2 and port 3 are in different vlans and subnets:

vlan 1 172.22.7.x, vlan 2 172.22.10.x. I want these 2 subnets to be visible on all 3 APs.

Any advice?

 

Thanks,

 

Which vlan should AP management be in? Do you have any switch management vlan on your network? What IP should I give to AP1, 2 & 3 in this case?

SSID-1 : vlan 1

SSID-2 : vlan 2

AP-mgt : vlan x ???

 

Do you have a pre-defined DHCP pool for vlan 1 & 2?

Let us know, to help out with the required config.

 

HTH

Rasika

**** Pls rate all useful responses ****

Hi Rasika,

Which vlan should AP management be in?

Do you have any switch management vlan on your network? Yes

What IP should I give to AP1, 2 & 3 in this case?

for AP 1- 172.22.10.X
      AP 2- 172.22.7.X
      AP 3- 172.21.10.X - this is vlan 3, 3rd floor; sorry, I forgot to mention.

SSID-1 : vlan 1

SSID-2 : vlan 2

AP-mgt : vlan 3 ??? - sorry, I don't have any idea about this.

Do you have a pre-defined DHCP pool for vlan 1 & 2? YES, we have a DHCP server, subnet pool=172.22.10.x, 172.22.7.x, 172.21.10.x

 

Thanks for the reply.

Ok, Here we go.

I assumed a switch management vlan 999 & subnet 192.168.99.0/24. In my case the switch is configured with vlan 999 - 192.168.99.1 & that would be the default gateway configuration for the AP.

I would assign those 3 AP IPs as below

AP-01 : 192.168.99.101

AP-01 : 192.168.99.102

AP-01 : 192.168.99.102

In your case modify this vlan/subnet information accordingly.

 

Here is the AP-01 configuration. The AP-02 & AP-03 configuration would be the same except for the BVI 1 IP address & hostname.

conf t
!
hostname AP-01
!
dot11 ssid SSID-1
   vlan 1
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii <SSID_1_PASSWORD>
!
dot11 ssid SSID-2
   vlan 2
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii <SSID_2_PASSWORD>
!
dot11 ssid SSID-3
   vlan 3
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii <SSID_3_PASSWORD>
!
interface Dot11Radio0
 encryption vlan 1 mode ciphers aes-ccm
 encryption vlan 2 mode ciphers aes-ccm
 encryption vlan 3 mode ciphers aes-ccm
 mbssid
 ssid SSID-1
 ssid SSID-2
 ssid SSID-3
 no shut
!
interface Dot11Radio1
 channel width 40-above
 encryption vlan 1 mode ciphers aes-ccm
 encryption vlan 2 mode ciphers aes-ccm
 encryption vlan 3 mode ciphers aes-ccm
 mbssid
 ssid SSID-1
 ssid SSID-2
 ssid SSID-3
 no shut
!
interface Dot11Radio0.1
 encapsulation dot1Q 1
 bridge-group 10
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 20
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 bridge-group 30
!
interface Dot11Radio0.999
 encapsulation dot1Q 999 native
 bridge-group 1
!
interface Dot11Radio1.1
 encapsulation dot1Q 1
 bridge-group 10
!
interface Dot11Radio1.2
 encapsulation dot1Q 2
 bridge-group 20
!
interface Dot11Radio1.3
 encapsulation dot1Q 3
 bridge-group 30
!
interface Dot11Radio1.999
 encapsulation dot1Q 999 native
 bridge-group 1
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1
 bridge-group 10
!
interface GigabitEthernet0.2
 encapsulation dot1Q 2
 bridge-group 20
!
interface GigabitEthernet0.3
 encapsulation dot1Q 3
 bridge-group 30
!
interface GigabitEthernet0.999
 encapsulation dot1Q 999 native
 bridge-group 1
!
interface BVI1
 ip address 192.168.99.101 255.255.255.0
ip default-gateway 192.168.99.1
!
end
write memory

Here is the configuration for the switch ports those APs connect to. In your case, make sure your AP management vlan replaces the 999 value.

 description AP-01
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1-3,999
 switchport mode trunk

 

Once you do this, all 3 of your APs advertise these 3 SSIDs. When users connect to SSID-1 they will be on vlan 1, SSID-2 users will be on vlan 2 & SSID-3 users will be on vlan 3.

Hope this is what you're looking for :)

****** Please do not forget to rate our responses if that is useful to you ******

HTH

Rasika

 

 

Thanks again! I have 3 quick questions before I go to the configurations.

1. Can I use the same password for all the SSIDs?

2. Can I use the same SSID for all the APs?

3. Is it necessary to trunk all the ports in L3?

description AP-01
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1-3,999
 switchport mode trunk

Hi,

1. Can I use the same password for all the SSIDs?

Yes.

2. Can I use the same SSID for all the APs?

Yes, if you want all those SSIDs advertised by all 3 APs. This way, users moving from one level to another will roam to the other AP without dropping their connection (assuming you have proper wireless coverage).

3. Is it necessary to trunk all the ports in L3?

Yes. If you want to pass multiple vlans to the AP, you have to configure the switchport connected to the AP as a trunk port. Trunk port config is L2.

 

**** Pls rate all useful responses ******

HTH

Rasika

Hi Rasika,

Here are my configurations for the 2 APs; I did not include AP3. For your comments.

Building configuration...

Current configuration : 3652 bytes
!
! Last configuration change at 22:32:37 UTC Mon Feb 24 2014
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname LEDO_AP
!
!
logging rate-limit console 9
enable secret 5 $1$SBYI$730mrJamTyAoJhM1BrXD10
!
no aaa new-model
no ip source-route
no ip cef
!
!
!
!
dot11 syslog
!         
dot11 ssid TODO_AP1
   vlan 20
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 03035704040E2D5C411E1C17
!         
!         
!         
!         
!         
username CISCO password 7 032752180500
!         
!         
bridge irb
!         
!         
!         
interface Dot11Radio0
 no ip address
 !        
 encryption vlan 10 mode ciphers aes-ccm
 !        
 encryption vlan 20 mode ciphers aes-ccm
 !        
 ssid TODO_AP1
 !        
 antenna gain 0
 mbssid   
 station-role root
!         
interface Dot11Radio0.1
 encapsulation dot1Q 1
!         
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!         
interface Dot11Radio0.3
 encapsulation dot1Q 3
 bridge-group 30
 bridge-group 30 subscriber-loop-control
 bridge-group 30 spanning-disabled
 bridge-group 30 block-unknown-source
 no bridge-group 30 source-learning
 no bridge-group 30 unicast-flooding
!         
interface Dot11Radio0.999
 encapsulation dot1Q 999 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!         
interface Dot11Radio1
 no ip address
 !        
 encryption vlan 10 mode ciphers aes-ccm
 !        
 encryption vlan 20 mode ciphers aes-ccm
 !        
 ssid TODO_AP1
 !        
 antenna gain 0
 peakdetect
 dfs band 3 block
 mbssid   
 channel width 40-above
 channel dfs
 station-role root
!         
interface Dot11Radio1.1
 encapsulation dot1Q 1
!         
interface Dot11Radio1.2
 encapsulation dot1Q 2
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!         
interface Dot11Radio1.3
 encapsulation dot1Q 3
 bridge-group 30
 bridge-group 30 subscriber-loop-control
 bridge-group 30 spanning-disabled
 bridge-group 30 block-unknown-source
 no bridge-group 30 source-learning
 no bridge-group 30 unicast-flooding
!         
interface Dot11Radio1.999
 encapsulation dot1Q 999 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!         
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
!         
interface GigabitEthernet0.1
 encapsulation dot1Q 1
!         
interface GigabitEthernet0.2
 encapsulation dot1Q 2
 bridge-group 20
 bridge-group 20 spanning-disabled
 no bridge-group 20 source-learning
!         
interface GigabitEthernet0.3
 encapsulation dot1Q 3
 bridge-group 30
 bridge-group 30 spanning-disabled
 no bridge-group 30 source-learning
!         
interface GigabitEthernet0.999
 encapsulation dot1Q 999 native
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!         
interface BVI1
 mac-address 7426.ac1a.c49d
 ip address 172.22.7.x 255.255.255.0
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
!         
ip default-gateway 172.22.7.x
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!         
!         
bridge 1 route ip
!         
!         
!         
line con 0
line vty 0 4
 login local
 transport input all
!         
end

 

Tomorrow I will schedule the testing; I'm still requesting to trunk the L3.

 

 

You have used vlan 10 & 20 instead of 1 & 2 as you originally posted.

 

You can simply copy the config I have given & change the SSID name and password.

Depending on the IP range you have to give for AP management, you can change the BVI IP & default gateway. Remember that this vlan has to be native (or untagged). vlan 999 is used as an example in my case.

 

HTH

Rasika

**** Pls rate all useful responses ****
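
The mismatch pointed out in the reply above can be checked mechanically. The following is an added example, not part of the original thread: it parses an autonomous AP running-config and reports every SSID whose VLAN lacks a matching `encryption vlan` line on a radio or a bridged dot1Q sub-interface on a radio or the Ethernet port, which is the pattern the multi-SSID configuration earlier in the thread follows. The function names and the trimmed sample are assumptions made for the example.

```python
# Constructed sample, cut down to the shape of the running-config posted above.
SAMPLE = """\
dot11 ssid TODO_AP1
   vlan 20
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 encryption vlan 20 mode ciphers aes-ccm
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 20
interface GigabitEthernet0.2
 encapsulation dot1Q 2
 bridge-group 20
"""

def parse(config):
    """Return VLAN per SSID, ciphered VLANs per radio, bridged dot1Q VLANs per port."""
    ssid_vlans, encrypted, tagged = {}, {}, {}
    section, port, vlan = [], None, None
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            continue
        if not line[0].isspace():  # a top-level command opens a new section
            section, vlan = words, None
            port = words[1].split(".")[0] if words[0] == "interface" else None
        elif section[:2] == ["dot11", "ssid"] and words[0] == "vlan":
            ssid_vlans[section[2]] = int(words[1])
        elif port and words[:2] == ["encryption", "vlan"]:
            encrypted.setdefault(port, set()).add(int(words[2]))
        elif port and words[:2] == ["encapsulation", "dot1Q"]:
            vlan = int(words[2])
        elif port and words[0] == "bridge-group" and vlan is not None:
            tagged.setdefault(port, set()).add(vlan)  # sub-interface is bridged
    return ssid_vlans, encrypted, tagged

def audit(config):
    ssid_vlans, encrypted, tagged = parse(config)
    radios = sorted(p for p in encrypted.keys() | tagged.keys() if p.startswith("Dot11Radio"))
    ports = radios + sorted(p for p in tagged if not p.startswith("Dot11Radio"))
    findings = []
    for ssid, vlan in sorted(ssid_vlans.items()):
        findings += [f"{ssid}: no 'encryption vlan {vlan}' on {r}"
                     for r in radios if vlan not in encrypted.get(r, ())]
        findings += [f"{ssid}: VLAN {vlan} has no bridged sub-interface on {p}"
                     for p in ports if vlan not in tagged.get(p, ())]
    for r in radios:
        findings += [f"{r}: 'encryption vlan {v}' matches no SSID"
                     for v in sorted(encrypted.get(r, set()) - set(ssid_vlans.values()))]
    return findings
```

Pass the text of `show running-config` to `audit()`; an empty list means every SSID VLAN is ciphered on each radio and bridged on each radio and on the Ethernet port.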

Hi Rasika,

 

Yes, I changed it because that's the vlan configuration in our L3 switch: vlan 10 - admin1, vlan 20 - admin2.

For BVI IP address 172.22.7.34 255.255.255.0

ip default-gateway 172.22.7.2

 

Please advise!

 

Thanks

 

 

 

 
