12-08-2008 02:27 AM - edited 07-03-2021 04:51 PM
Hi all,
I got a couple of AIR-AP1231G (autonomous, without WLC). There are several SSIDs mapped to several VLANs. Everything is fine.
Now, I have to configure a second SSID (with different authentication) on an already "SSID-associated" VLAN.
Unfortunately, the AP shows me the following error:
"Warning: Vlan xxx already mapped to SSID xxx. SSIDs with same vlan association cannot be attached to the same interface.
Dot11Radio0: VLAN xxx is already mapped to SSID xxxx, SSID to VLAN mapping should be unique on interface".
I know, with WLC440x it can be done. Without VLAN-SSID association on an autonomous it works as well.
What about this setup? Do I have to build up a new VLAN?
Thanks,
Norbert
12-08-2008 05:42 AM
Hi Norbert,
Hope all is well my friend!
Autonomous 1100 and 1200 Series;
You can configure up to 16 SSIDs on your access point and assign different configuration settings to each SSID. These are the settings you can assign to each SSID:
*** Note: SSIDs, VLANs, and encryption schemes are mapped together on a one-to-one-to-one basis; one SSID can be mapped to one VLAN, and one VLAN can be mapped to one encryption scheme.
• VLAN
• Client authentication method
• Maximum number of client associations using the SSID
• RADIUS accounting for traffic using the SSID
• Guest mode
• Repeater mode, including authentication username and password
• Redirection of packets received from client devices
If you want the access point to allow associations from client devices that do not specify an SSID in their configurations, you can set up a guest SSID. The access point includes the guest SSID in its beacon.
If your access point will be a repeater or will be a root access point that acts as a parent for a repeater, you can set up an SSID for use in repeater mode. You can assign an authentication username and password to the repeater-mode SSID to allow the repeater to authenticate to your network like a client device.
If your network uses VLANs, you can assign one SSID to a VLAN, and client devices using the SSID are grouped in that VLAN.
From this doc;
Hope this helps!
Rob
12-08-2008 08:13 AM
Hi Rob,
Thank you, I'm very well.
Great link and it explains that it can't be done:
- vlan vlan-id
(Optional) Assign the SSID to a VLAN on
your network.
Client devices that associate using the
SSID are grouped into this VLAN.
You can assign only one SSID to a VLAN.
Greets,
Norbert
12-08-2008 02:29 PM
There is a way to do it in that you put all SSIDs into the same bridge group and the bridge group is a single VLAN. I was looking at doing this for a client on a WLSE but it was just getting far too complex, also difficult to manage. It's definitely not best practice and doesn't enhance security. I'd say it can't be done, though technically it can, but it's not pretty.
I had this issue and investigated it and set it up in a small lab, then decided there was no real way that it would be manageable.
12-24-2008 05:15 AM
Hi Wynneit,
I am looking for how to configure multiple SSIDs on the same VLAN. Would you mind explaining more about it to me, or could you please provide me an example configuration?
Thank you very much,
Nitass
12-24-2008 06:32 AM
Hi Nitass,
Here is an example with multiple SSIDs on the default VLAN (works only on the default one!!!)
.....
dot11 ssid test1
authentication open
authentication key-management wpa
wpa-psk ascii 7 75A6D
!
dot11 ssid test2
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 64940
....
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers tkip
!
ssid test1
!
ssid test2
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2412
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.254.21 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.254.1
no ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
control-plane
!
bridge 1 route ip
12-24-2008 06:43 AM
Hi alig.norbert,
Thank you so much. :-) I'll try and let you know if I get any problems.
Thanks again,
Nitass
12-24-2008 06:30 PM
Hi alig.norbert,
I'm Nitass's friend. I tried your example config but cannot see 2 SSIDs on the client.
I use an AP1121G.
Thanks.
Jakkrit
12-25-2008 05:31 PM
Why would you want 2 SSIDs on the client? The client will be able to see both SSIDs if you use the mbssid command, and connect to either. I will post a config in the next few days for a non-default VLAN, if you still need it, when I get some lab time.
12-25-2008 06:15 PM
Hi Both,
This is Nitass. Thank you both very much for the help. The reason to have 2 SSIDs on the same VLAN is to separate security policy (i.e. authentication, encryption) on each SSID. Anyway, I have heard from my colleague (Mr. Jakkrit) that he had to create subinterfaces for each SSID to let alig.norbert's configuration work. I do not understand why we need to configure it like that because actually, you know, we need only 1 VLAN. The test configuration is listed below. Could you please advise?
dot11 ssid test1
vlan 1
authentication …(snip)…
information-element ssidl advertisement
!
dot11 ssid test2
vlan 2
authentication …(snip)…
information-element ssidl advertisement
!
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
ssid test1
!
ssid test2
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2412
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.10.1 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.10.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
control-plane
!
bridge 1 route ip
Thanks,
Nitass
12-26-2008 12:10 PM
Hi Nitass
My sample only works with the default (native) VLAN. So, no VLAN configuration, and no encapsulation config (FastEthernet) either.
The Dot11Radio and the FastEthernet interfaces must be in the same bridge-group. The connection from the access point to the switch shouldn't be a trunk.
BTW, you can only broadcast one single SSID as guest-mode; the second one is hidden.
Your config should look somehow like this:
dot11 ssid test1
!!!!!vlan 1
authentication …(snip)…
information-element ssidl advertisement
!
dot11 ssid test2
!!!vlan 2
authentication …(snip)…
information-element ssidl advertisement
!
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
ssid test1
!
ssid test2
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2412
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.10.1 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.10.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
control-plane
!
bridge 1 route ip
Greets,
Norbert
12-27-2008 02:44 AM
Hi Norbert,
I see. Please let me try again and I will let you know if I get any problems.
Thank you very much,
Nitass
12-27-2008 06:13 AM
You can broadcast both SSIDs with mbssid.
12-27-2008 07:40 AM
Noted with thanks.
Nitass
01-05-2009 07:12 AM
Hi,
Thank you very much. I got it right now. Anyway, I could broadcast only 1 SSID. I have tried "mbssid" but it did not work. I understand VLAN is needed for mbssid. Please let me know if you have any suggestions. The following is my configuration.
ap#sh run
Building configuration...
Current configuration : 1471 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
no logging console
enable secret 5 xxxxxxxxxx
!
ip subnet-zero
!
!
no aaa new-model
!
dot11 ssid test1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 010703174F5A575D7218
!
dot11 ssid test2
authentication open
authentication key-management wpa
wpa-psk ascii 7 120D000406595D56797F
!
!
!
username xxxxx password 7 xxxxxxxxxx
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers tkip
!
ssid test1
!
ssid test2
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 80 in
!
interface BVI1
ip address 192.168.2.171 255.255.255.0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
login local
!
end
Thanks again,
Nitass
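An added example, not part of any post in this thread: a small Python audit of an autonomous-AP running-config that reports the condition behind the "SSID to VLAN mapping should be unique on interface" warning, plus two settings visible in the configs posted above (TKIP as the radio cipher, and a management UI left on plain HTTP). The function name `audit`, the SSID names and VLAN 10 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the configs posted in this thread.
SAMPLE = """\
dot11 ssid corp
 vlan 10
 authentication open
dot11 ssid guest
 vlan 10
 authentication open
interface Dot11Radio0
 encryption mode ciphers tkip
 ssid corp
 ssid guest
ip http server
no ip http secure-server
"""

def audit(config):
    """Return a list of findings for an autonomous-AP running-config."""
    ssid_vlan, radio_ssids, section, findings = {}, defaultdict(list), None, []
    lines = [l.strip() for l in config.splitlines()]
    for line in lines:
        if m := re.match(r"dot11 ssid (\S+)", line):
            section = ("ssid", m.group(1))
        elif m := re.match(r"interface (Dot11Radio\d+)$", line):
            section = ("radio", m.group(1))
        elif line.startswith("interface "):
            section = None  # subinterfaces, FastEthernet, BVI
        elif section and section[0] == "ssid" and (m := re.match(r"vlan (\d+)", line)):
            ssid_vlan[section[1]] = m.group(1)
        elif section and section[0] == "radio" and (m := re.match(r"ssid (\S+)", line)):
            radio_ssids[section[1]].append(m.group(1))
        elif section and section[0] == "radio" and re.match(r"encryption .*\btkip\b", line):
            findings.append(f"{section[1]}: TKIP cipher in use")
    for radio, ssids in radio_ssids.items():
        by_vlan = defaultdict(list)
        for s in ssids:
            if ssid_vlan.get(s):  # SSIDs without a vlan line are skipped
                by_vlan[ssid_vlan[s]].append(s)
        for vlan, names in by_vlan.items():
            if len(names) > 1:
                findings.append(f"{radio}: VLAN {vlan} mapped to SSIDs {', '.join(names)}")
    # HTTP enabled while HTTPS is disabled: management traffic is in clear text.
    if "ip http server" in lines and "no ip http secure-server" in lines:
        findings.append("management UI served over HTTP only")
    return findings
```

SSIDs with no `vlan` line, as in the default-VLAN layout shown in the thread, produce no VLAN finding because there is no mapping to collide.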