cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2523
Views
0
Helpful
2
Replies

Multiple SSID With Multiple VLANs configuration on Cisco Aironet APs: Assotiated clients cannot obtain IP addresses

Tibell
Level 1
Level 1

Hi Surendra,

I was just given this task to see how i can configure a second ssid for guest access in our environment.

this is our network setup prior to this request: Internet----Firewall (not ASA)---ce520---C1131AG and CME router is also connecting to the ce520 switch. we only have two vlans: one for voice and two for data.

Presently, there is no vlan configured on the AP because it on broadcasting ont ssid and wireless users gets IP from a windows DHCP server on the LAN. the configuration on the ce520 switch port for the AP and other switches say access vlan is the DATA vlan which automatically becomes the native vlan for all trunk port connecting the AP and other Stiches to the network.

Now with this new requirement, i have made my research and i have configured the AP to broadcast both the production and the guest Vlans. The two vlans are 20-DATA and 60-Guest. I made the DATA vlan on the AP the native vlan since the poe switch is using the DATA vlan as native on the trunk ports. I configured the firewall to serve as DHCP server for the guest ssid and i have added the ip helper-address on the guest vlan interface on all switches while the windows server remains the dhcp server for the production DATA Vlan. I have confirmed that the AP, switches can ping the default gateway of the guest dhcp server which is another interface on the firewall. I can now see and connect to all broadcasted ssids but the problem is I am not getting IP addresses from both the production dhcp server and guest dhcp server when i connected to the ssid one at a time.

My AP config is attached below.

Please tell me what am I doing wrong.

Do i need to redesign the whole network to have a native vlan other nthan the data vlan?

Does the access point need to be aware of the voice vlan?

Do the native Vlan on the AP need to be in Bridge-group 1 or can i leave it in bridge-group 20?

I will greatly appreciate your urgent response.

Thanks in advanced.

2 Replies 2

kcnajaf
Level 7
Level 7

Hi,

As far as i know we dont set the ip helper address on the radio interface. It should be on the L3 interface of corresposding VLANs i.e.

int vlan 20

ip helper-address 192.168.33.xxx

int vlan 60

ip helper-address 130.20.1.xxx

I'm assuming that your using SVI's (int Vlan 20 and int Vlan 60) rahter than physical interfaces. Also hope you have configured switch port as trunk where this AP is connected.

Modify the AP config as below since you are using data vlan as the native vlan

interface Dot11Radio0.20

encapsulation dot1Q 20 native

interface FastEthernet0.20

encapsulation dot1Q 20 native

Ideally your AP fastethernet configuration should looks like below and not sure how you missed this as this comes by default when you have multiple vlans for multiple ssids.

interface FastEthernet0.20

encapsulation dot1Q 20 native

no ip route-cache

bridge-group 20

no bridge-group 20 source-learning

bridge-group 20 spanning-disabled

!

interface FastEthernet0.60

encapsulation dot1Q 60

no ip route-cache

bridge-group 60

no bridge-group 60 source-learning

bridge-group 60 spanning-disabled

Hope this helps.

Regards

Najaf

kennith981
Level 1
Level 1

Tested and Working on Cisco Aironet 2602

Network topology

vlan 10 - this is where the access point sits and gets its IP from

vlan 20 - Network1

vlan 30 - Network2

 

1. First On the Switch

interface <interface name> 
switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk

2. Setup SSID for Network One (repeat for any other network)

dot11 ssid <ssid name>
authentication open
authentication key-management wpa ver 2
vlan <vlan number>
wpa-psk ascii <password>
mbssid guest-mode
exit

3. Setup Sub interface on the radio

int dot11radio <0 for 2,4ghz or 1 for 5ghz>.<vlan number>
encapsulation dot1q <vlan number>
bridge-group <vlan number>
exit

4. Creating Sub interface on AP ethernet

int g0.<vlan number>
encapsulation dot1q <vlan number>
bridge-group <vlan number>
exit

5. Add this SSID to Main Radio

int dot11radio <0 for 2.4ghz or 1 for 5ghz>
mbssid
encryption vlan <vlan number> mode ciphers aes
ssid <ssid>
channel <least-congestion for 2.4ghz or dfs for 5ghz>
no shut

6. Repeat 3 to 5 for other SSID and VLANS needs

 

Note: I use vlan number a indentifier and makes it easier to follow when reviewing config.

Example: setting up SSID cisco-20 for vlan 20 access and 2.4 and 5ghz wifi access

dot11 ssid cisco-20
authentication open
authentication key-management wpa ver 2
vlan 20
wpa-psk ascii ciscovlan20
mbssid guest-mode
exit

int dot11radio 0.20
encapsulation dot1q 20
bridge-group 20
exit

int dot11radio 1.20
encapsulation dot1q 20
bridge-group 20
exit

int g0.20
encapsulation dot1q 20
bridge-group 20
exit

int dot11radio 0
mbssid
encryption vlan 20 mode ciphers aes
ssid cisco-20
channel least-congestion
no shut

int dot11radio 1
mbssid
encryption vlan 20 mode ciphers aes
ssid cisco-20
channel dfs
no shut

 

 

Review Cisco Networking for a $25 gift card