01-17-2021 02:35 AM - edited 07-05-2021 01:01 PM
Here is what im looking for,
1.
Dot11Radio0 to be used for Ring door bell, dehumidifier etc on 2.4ghz - bifrost-utilities ssid
Dot11Radio1 to be used for mobile phones on 5ghz - bifrost-dave_and_emma ssid
I'm unable to have bifrost-utilities and bifrost-dave_and_emma on the same VLAN 1, so what are my options?
2.
Also i have another issue, i cannot obtain dhcp ip on anything apart from bifrost-dave_and_emma, this is not so important.
3. How do i configure Dot11Radio2, i know i have one, but unsure.
Can someone assist? You have probably seen this before, so I apologise;
I'm just after some assistance as I'm not too Cisco-savvy when it comes to wireless and VLANs.
thanks
dave
Config dump as follows
bifrost-cisco3702i#show running-config
Building configuration...
Current configuration : 13113 bytes
!
! Last configuration change at 09:44:40 GMT Sun Jan 17 2021 by sivesrutherfordd
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname bifrost-cisco3702i
!
!
logging rate-limit console 9
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
clock timezone GMT 0 0
no ip source-route
ip routing
ip cef
ip domain name bifrost.co.uk
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 192.168.0.42
ip name-server 1.1.1.1
ip name-server 1.0.0.1
ip dhcp excluded-address 192.168.0.30 192.168.0.39
ip dhcp excluded-address 192.168.1.50 192.168.1.254
ip dhcp excluded-address 192.168.2.50 192.168.2.254
ip dhcp excluded-address 192.168.3.50 192.168.3.254
!
ip dhcp pool bifrost-dave_and_emma
import all
network 192.168.0.0 255.255.255.0
dns-server 192.168.0.42 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1
domain-name the-bifrost.co.uk
default-router 192.168.0.100
lease 0 10
!
ip dhcp pool bifrost-lab
import all
network 192.168.2.0 255.255.255.0
domain-name the-bifrost.co.uk
dns-server 192.168.0.42
default-router 192.168.2.100
lease 0 10
!
ip dhcp pool visitor
import all
network 192.168.3.0 255.255.255.0
domain-name the-bifrost.co.uk
dns-server 192.168.0.42 8.8.8.8 8.8.4.4
default-router 192.168.3.100
lease 0 10
!
ip dhcp pool Sony-Z5-Premium
host 192.168.0.50 255.255.255.0
client-identifier 0158.4822.79ae.1d
client-name Sony-Z5-Premium
!
ip dhcp pool Sony-xz-Premium
host 192.168.0.51 255.255.255.0
client-identifier xxxxxxxxxxxxx
client-name Sony-xz-Premium
!
ip dhcp pool Microsoft-SurfacePro
host 192.168.0.60 255.255.255.0
client-identifier xxxxxxxxxxxxx
client-name Microsoft-SurfacePro
!
ip dhcp pool Yamaha-RX-777
host 192.168.0.80 255.255.255.0
client-identifier xxxxxxxxxxxxx
client-name Yamaha-RX-777
!
ip dhcp pool Microsoft-XBOX-One-S
host 192.168.0.81 255.255.255.0
client-identifier xxxxxxxxxxxxx
client-name Microsoft-XBOX-One-S
!
ip dhcp pool Amazon-Fire-TV
host 192.168.0.82 255.255.255.0
hardware-address 00bb.3ae6.5b0b
client-name Amazon-Fire-TV
!
ip dhcp pool Lightwave-RF-Hub
host 192.168.0.90 255.255.255.0
hardware-address xxxxxxxxxxxxx
client-name Lightwave-RF-Hub
!
ip dhcp pool AppleMac-Pro-11
host 192.168.0.2 255.255.255.0
client-identifier xxxxxxxxxxxxx
client-name AppleMac-Pro-11
!
ip dhcp pool Samsung-UE55JS8500-Wired
host 192.168.0.83 255.255.255.0
client-identifier xxxxxxxxxxxxx
client-name Samsung-UE55JS8500-Wired
!
ip dhcp pool SamsungUE55JS8500-Wireless
host 192.168.0.84 255.255.255.0
client-identifier xxxxxxxxxxxxx
!
ip dhcp pool UCAM247-NC308W-Living
host 192.168.0.91 255.255.255.0
client-identifier xxxxxxxxxxxxx
client-name UCAM247-NC308W-Living
!
ip dhcp pool HP-DeskJet-2632
host 192.168.0.70 255.255.255.0
client-identifier xxxxxxxxxxxxx
client-name HP-DeskJet-2632
!
ip dhcp pool bifrost-gaming
import all
network 192.168.1.0 255.255.255.0
domain-name the-bifrost.co.uk
dns-server 8.8.8.8 8.8.4.4 193.36.79.101 193.36.79.100
default-router 192.168.1.100
lease 0 10
!
ip dhcp pool HP-LaserJet-4050TN
host 192.168.0.71 255.255.255.0
hardware-address xxxxxxxxxxxxx
client-name HP-LaserJet-4050TN
!
ip dhcp pool HP-OfficeJet-4500
host 192.168.0.72 255.255.255.0
client-name HP-OfficeJet-4500
!
ip dhcp pool OS-Windows98-Frigg
host 192.168.0.4 255.255.255.0
client-identifier xxxxxxxxxxxxx
client-name OS-Windows98-Frigg
!
ip dhcp pool OS-Windows10-Midgard
host 192.168.0.1 255.255.255.0
client-identifier xxxxxxxxxxxxx
client-name OS-Windows10-Midgard
!
ip dhcp pool OS-MacOSElCapitan-Hod
host 192.168.0.6 255.255.255.0
client-identifier xxxxxxxxxxxxx
client-name OS-MacOSElCapitan-Hod
!
ip dhcp pool OS-Android-Vale
host 192.168.0.52 255.255.255.0
client-identifier xxxxxxxxxxxxx
client-name OS-Android-Vale
!
ip dhcp pool OS-Android-Vidar
host 192.168.0.53 255.255.255.0
client-identifier xxxxxxxxxxxxx
client-name OS-Android-Vidar
!
ip dhcp pool RING-Doorbell-Backyard
host 192.168.0.93 255.255.255.0
hardware-address xxxxxxxxxxxxx
client-name RING-Doorbell-Backyard
!
ip dhcp pool Amazon-FireTVCube-LivingRoom
host 192.168.0.85 255.255.255.0
client-identifier xxxxxxxxxxxxx
client-name Amazon-FireTVCube-LivingRoom
!
ip dhcp pool LG-43UM7450PLA-Wireless
host 192.168.0.86 255.255.255.0
client-identifier xxxxxxxxxxxxx
!
ip dhcp pool Raspberry-PI-Wired
host 192.168.0.20 255.255.255.0
client-identifier xxxxxxxxxxxxx
!
ip dhcp pool OS-AppleMac-Hod4
host 192.168.0.9 255.255.255.0
client-identifier xxxxxxxxxxxxx
client-name OS-AppleMac-Hod4
!
ip dhcp pool OS-AppleMac-Hod2
host 192.168.0.7 255.255.255.0
client-identifier xxxxxxxxxxxxx
client-name OS-AppleMac-Hod2
!
ip dhcp pool OS-AppleMac-Hod3
host 192.168.0.8 255.255.255.0
client-identifier xxxxxxxxxxxxx
client-name OS-AppleMac-Hod3
!
ip dhcp pool Google-Chromecast-Wireless
host 192.168.0.87 255.255.255.0
hardware-address xxxxxxxxxxxxx
!
ip dhcp pool Amazon-Echo-Wireless
host 192.168.0.94 255.255.255.0
hardware-address xxxxxxxxxxxxx
!
ip dhcp pool Redmi-Note9Pro-Wireless
host 192.168.0.59 255.255.255.0
client-identifier xxxxxxxxxxxxx
!
ip dhcp pool Candy-Washing-Machine
host 192.168.0.95 255.255.255.0
hardware-address xxxxxxxxxxxxx
!
ip dhcp pool Snapmaker-A350
host 192.168.0.73 255.255.255.0
client-identifier 0154.6503.6d33.41
!
ip dhcp pool RING-Camera-DiningRoom
host 192.168.0.96 255.255.255.0
hardware-address xxxxxxxxxxxxx
client-name RING-Camera-DiningRoom
!
ip dhcp pool RING-Camera-ITRoom
host 192.168.0.92 255.255.255.0
hardware-address xxxxxxxxxxxxx
client-name RING-Camera-ITRoom
!
ip dhcp pool RING-Doorbell-FrontDoor
host 192.168.0.97 255.255.255.0
hardware-address xxxxxxxxxxxxx
client-name RING-Doorbell-FrontDoor
!
!
!
!
dot11 mbssid
dot11 pause-time 100
dot11 syslog
!
! SSID intended (per the post) for the 2.4 GHz IoT devices: doorbell, dehumidifier, etc.
dot11 ssid bifrost-utilities
! Wireless VLAN 2. NOTE(review): in this dump no radio carries an "encryption vlan 2"
! statement and no subinterface uses "encapsulation dot1Q 2", so this SSID has no matching
! cipher or VLAN subinterface - likely related to the reported problem; verify.
vlan 2
! Caps the SSID at three associated clients. NOTE(review): the DHCP reservations list more
! than three Ring/IoT devices - confirm the limit is intentional.
max-associations 3
! Open 802.11 authentication followed by WPA2 key management with a pre-shared key.
authentication open
authentication key-management wpa version 2
! Advertise this SSID in beacons when multiple BSSIDs are enabled.
mbssid guest-mode
! The PSK is stored in type 7 form, which is reversible obfuscation, not a hash; masking
! it before posting (as done here) is necessary.
wpa-psk ascii 7 xxxxxxxxxxxxxxx
!
dot11 ssid bifrost-dave_and_emma
vlan 1
max-associations 3
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxxxx
!
dot11 ssid bifrost-gaming
vlan 10
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxx
!
dot11 ssid bifrost-lab
vlan 20
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxxxx
!
dot11 ssid bifrost-visitor
vlan 30
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
no ipv6 cef
!
!
! NOTE(review): "password 7" is Cisco type 7, a reversible obfuscation rather than a hash;
! "secret 5" (next line) stores a salted MD5 hash instead. "Cisco" is also the factory
! default account name on autonomous APs - TODO confirm it is still needed; if not, remove
! it, otherwise convert it to a "secret".
username Cisco password 7 xxxxxxxxxxxxxxxx
! Privilege-15 local administrator. The vty lines in this dump use "login local", so the
! local accounts are what guard SSH access to the AP.
username xxxxxxxxxxxxxd privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxx
!
!
bridge irb
!
!
!
! 2.4 GHz service radio: per-VLAN cipher settings plus the list of SSIDs it serves.
interface Dot11Radio0
no ip address
!
! NOTE(review): "aes-ccm tkip" enables both AES-CCMP and the deprecated TKIP cipher on each
! VLAN. Every SSID in this dump asks for "wpa version 2", so "aes-ccm" alone should be
! enough unless a legacy client needs TKIP (the example config later in this thread uses
! aes-ccm only).
encryption vlan 10 mode ciphers aes-ccm tkip
!
encryption vlan 20 mode ciphers aes-ccm tkip
!
encryption vlan 30 mode ciphers aes-ccm tkip
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
! NOTE(review): bifrost-utilities is mapped to VLAN 2 in its "dot11 ssid" stanza, but there
! is no "encryption vlan 2" line above, so its WPA2 key management has no cipher configured
! on this radio - verify against the association failures being seen.
ssid bifrost-utilities
!
ssid bifrost-dave_and_emma
!
ssid bifrost-gaming
!
ssid bifrost-lab
!
ssid bifrost-visitor
!
antenna gain 0
stbc
! Fixed at 2412 MHz (2.4 GHz channel 1).
channel 2412
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
! Subinterface apparently meant for the bifrost-utilities SSID (wireless VLAN 2).
interface Dot11Radio0.2
! NOTE(review): this tags the subinterface as dot1Q 1 native, the same as Dot11Radio0.1,
! so nothing on this radio actually carries dot1Q 2. The reply in this thread suggests
! keeping a distinct wireless VLAN here and only sharing the bridge-group.
encapsulation dot1Q 1 native
! Bridge-group 1 is the group routed through BVI1 (192.168.0.102, the AP's management
! address). Clients bridged here share a layer-2 segment with the phones and the AP's
! management interface, so IoT devices placed here are not isolated from either.
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
!
interface Dot11Radio0.30
encapsulation dot1Q 30
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 spanning-disabled
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
!
interface Dot11Radio1
no ip address
!
encryption vlan 10 mode ciphers aes-ccm tkip
!
encryption vlan 20 mode ciphers aes-ccm tkip
!
encryption vlan 30 mode ciphers aes-ccm tkip
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
ssid bifrost-dave_and_emma
!
ssid bifrost-lab
!
ssid bifrost-visitor
!
antenna gain 0
peakdetect
no dfs band block
stbc
channel dfs
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio1.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
!
interface Dot11Radio1.30
encapsulation dot1Q 30
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 spanning-disabled
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
!
! Third radio. A reply in this thread identifies it as the Hyperlocation module's listening
! radio (location/IDS), not a radio for serving clients.
interface Dot11Radio2
no ip address
!
! Same mixed AES-CCMP/TKIP cipher set as the service radios.
encryption vlan 10 mode ciphers aes-ccm tkip
!
encryption vlan 20 mode ciphers aes-ccm tkip
!
encryption vlan 30 mode ciphers aes-ccm tkip
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
! NOTE(review): SSIDs are attached here although the radio is reportedly not usable for
! client service - the effect of this is unknown; consider removing them.
ssid bifrost-dave_and_emma
!
ssid bifrost-lab
!
ssid bifrost-visitor
!
antenna gain 0
stbc
no mbssid
power local 18
station-role root
! NOTE(review): sends monitored frames to a collector endpoint; 0.0.0.1 port 10 looks like
! a placeholder rather than a real collector - confirm nothing is expected to receive this.
monitor frames endpoint ip address 0.0.0.1 port 10 truncate 0
!
interface Dot11Radio2.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio2.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio2.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
!
interface Dot11Radio2.30
encapsulation dot1Q 30
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 spanning-disabled
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
!
interface GigabitEthernet0
no ip address
duplex full
speed 1000
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 spanning-disabled
no bridge-group 10 source-learning
!
interface GigabitEthernet0.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 spanning-disabled
no bridge-group 20 source-learning
!
interface GigabitEthernet0.30
encapsulation dot1Q 30
bridge-group 30
bridge-group 30 spanning-disabled
no bridge-group 30 source-learning
!
interface BVI1
mac-address 5c83.8f03.7dc4
mtu 9014
ip address 192.168.0.102 255.255.255.0
ip virtual-reassembly in
!
interface BVI10
mac-address 5c83.8f03.7dc5
mtu 9014
ip address 192.168.1.102 255.255.255.0
ip virtual-reassembly in
!
interface BVI20
mac-address 5c83.8f03.7dc6
mtu 9014
ip address 192.168.2.102 255.255.255.0
ip virtual-reassembly in
!
interface BVI30
mac-address 5c83.8f03.7dc7
mtu 9014
ip address 192.168.3.102 255.255.255.0
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 0.0.0.0 0.0.0.0 192.168.0.100
ip route 192.168.1.0 255.255.255.0 192.168.1.100
ip route 192.168.2.0 255.255.255.0 192.168.2.100
ip route 192.168.3.0 255.255.255.0 192.168.3.100
ip ssh version 2
!
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 10 protocol ieee
bridge 10 route ip
bridge 20 protocol ieee
bridge 20 route ip
bridge 30 protocol ieee
bridge 30 route ip
!
!
banner motd ^CCCCC
******************************************
* Unauthorized access prohibited
*
* You are connected to CISCO 3702i Access Point
* at ip 192.168.0.102
*
******************************************
^C
!
! Console line: no settings are shown for it in this dump.
line con 0
! Remote management lines (vty 0 through 4).
line vty 0 4
! NOTE(review): "exec-timeout 0 0" disables the idle timeout, so an abandoned SSH session
! stays logged in indefinitely; a finite value such as "exec-timeout 10 0" is the usual
! hardening.
exec-timeout 0 0
! NOTE(review): sessions on these lines start at privilege 15. Presumably this also applies
! to local users defined without their own privilege level (the "Cisco" account in this
! dump) - verify, and consider relying on per-user privilege instead.
privilege level 15
! Authenticate logins against the local "username" entries.
login local
! No output paging.
length 0
! SSH only; telnet is not accepted on these lines.
transport input ssh
!
sntp server 194.35.252.7
end
bifrost-cisco3702i#
01-18-2021 02:55 AM
Config too long to look at in detail - I'd recommend doing the DHCP on a router/switch/server - not the AP!
Anyway to your questions:
1. Im unable to have bifrost-utilities and bifrost-dave_and_emma on the same vlan1, so whats my options
While each WLAN (BSSID) must be on a different wireless VLAN, they can be bridged to the same physical VLAN (same bridge group).
2. Also i have another issue, i cannot obtain dhcp ip on anything apart from bifrost-dave_and_emma, this is not so important.
See answer to 1 - if it works for one it will work for the other when they're in the same bridge group.
Also be aware that native vlan behaviour changed between older and newer IOS versions so switchport config must change accordingly. Refer to the release notes where you'll see:
Autonomous AP Will Treat The Sub-interface Tied To Bridge-group1 As The Native Vlan
====================================================================
When using a configuration on an autonomous AP where there is no native VLAN defined, each
interface is being dot1q tagged, communication will fail after upgrading to release 15.2(4)JB3a or later.
It appears that the configuration is still correct after the upgrade, but the AP sends the untagged frames
for bridge-group 1, even though the encapsulation is not defined as native. The autonomous AP will treat
the sub-interface tied to bridge-group 1 as the native VLAN, even if it is not defined with the native
keyword: "encapsulation dot1Q <vlan> native". The VLAN associated with bridge-group 1 must be set to
native on the connecting switchport configuration.
The workaround for this is to configure VLAN 100 (for example) as the native VLAN on the connected
switchport trunk, even though the encapsulation is not specified as native on the AP.
3. How do i configure Dot11Radio2, i know i have one, but unsure.
Looks like you asked this a year ago and got the answer then, more or less. https://community.cisco.com/t5/wireless/wireless-config-needs-reviewing/m-p/4003213
Dot11Radio2 is only present if you have the Hyperlocation module installed (so presumably you do). That radio is for listening (location, IDS etc) not for use as a service radio. Since you aren't using it (you'd need the corresponding Cisco management systems to implement hyperlocation and/or IDS/IPS) you'd be better off removing it as it increases the AP power requirement and they've been known to cause random crashes sometimes.
01-18-2021 02:20 PM
I tried bridging VLAN 1 and 2 - am I close to a solution? Also, I cannot see the 5 GHz SSID being broadcast yet.
I have removed the DHCP info for the moment.
regards dave
bifrost-cisco3702i#show running-config
Building configuration...
bifrost-cisco3702i#
bifrost-cisco3702i#show running-config
Building configuration...
Current configuration : 13449 bytes
!
! Last configuration change at 22:16:30 GMT Mon Jan 18 2021 by sivesrutherfordd
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname bifrost-cisco3702i
!
!
logging rate-limit console 9
enable secret 5 XXXXXXXXXXXXXXXXXXXX
!
no aaa new-model
clock timezone GMT 0 0
no ip source-route
ip routing
ip cef
ip domain name bifrost.co.uk
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 192.168.0.42
ip dhcp excluded-address 192.168.0.30 192.168.0.39
ip dhcp excluded-address 192.168.1.50 192.168.1.254
ip dhcp excluded-address 192.168.2.50 192.168.2.254
ip dhcp excluded-address 192.168.3.50 192.168.3.254
!
ip dhcp pool bifrost-dave_and_emma
import all
network 192.168.0.0 255.255.255.0
dns-server 192.168.0.42 8.8.8.8 8.8.4.4
domain-name the-bifrost.co.uk
default-router 192.168.0.100
lease 0 10
!
ip dhcp pool bifrost-lab
import all
network 192.168.2.0 255.255.255.0
domain-name the-bifrost.co.uk
dns-server 192.168.0.42
default-router 192.168.2.100
lease 0 10
!
ip dhcp pool visitor
import all
network 192.168.3.0 255.255.255.0
domain-name the-bifrost.co.uk
dns-server 192.168.0.42 8.8.8.8 8.8.4.4
default-router 192.168.3.100
lease 0 10
!
ip dhcp pools < REMOVED >
!
dot11 mbssid
dot11 pause-time 100
dot11 syslog
!
dot11 ssid bifrost-dave_and_emma
vlan 1
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 XXXXXXXXXXXXXXXXXXXX
!
dot11 ssid bifrost-dave_and_emma-5Ghz
vlan 2
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 XXXXXXXXXXXXXXXXXXXX
!
dot11 ssid bifrost-gaming
vlan 10
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 XXXXXXXXXXXXXXXXXXXX
!
dot11 ssid bifrost-lab
vlan 20
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 XXXXXXXXXXXXXXXXXXXX
!
! IoT SSID. NOTE(review): it is defined here but no "interface Dot11Radio" stanza in this
! dump lists "ssid bifrost-utilities", so it is not served by any radio.
dot11 ssid bifrost-utilities
! NOTE(review): VLAN 1 is also the VLAN of bifrost-dave_and_emma in this dump; the reply
! in this thread says each SSID needs its own wireless VLAN, with the sharing done at the
! bridge-group instead.
vlan 1
! Caps the SSID at three associated clients.
max-associations 3
! Open 802.11 authentication followed by WPA2 key management with a pre-shared key.
authentication open
authentication key-management wpa version 2
! Advertise this SSID in beacons when multiple BSSIDs are enabled.
mbssid guest-mode
! Type 7 storage is reversible obfuscation, so the PSK must stay masked when posting.
wpa-psk ascii 7 XXXXXXXXXXXXXXXXXXXX
!
dot11 ssid bifrost-visitor
vlan 30
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 XXXXXXXXXXXXXXXXXXXX
!
!
!
no ipv6 cef
!
!
! NOTE(review): type 7 ("password 7") is reversible obfuscation, not a hash; prefer a
! "secret" for this account, or remove it if the factory-default "Cisco" user is unused.
username Cisco password 7 XXXXXXXXXXXXXXXXXXXX
! Privilege-15 local administrator with a type 5 (salted MD5) secret. NOTE(review): when
! sharing a config, mask the account name as well as the hash.
username sivesrutherfordd privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXX
!
!
bridge irb
!
!
!
interface Dot11Radio0
no ip address
!
encryption vlan 10 mode ciphers aes-ccm tkip
!
encryption vlan 20 mode ciphers aes-ccm tkip
!
encryption vlan 30 mode ciphers aes-ccm tkip
!
encryption vlan 1 mode ciphers aes-ccm tkip
!
ssid bifrost-dave_and_emma
!
ssid bifrost-gaming
!
ssid bifrost-lab
!
ssid bifrost-visitor
!
antenna gain 0
stbc
channel 2412
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
no bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
!
interface Dot11Radio0.30
encapsulation dot1Q 30
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 spanning-disabled
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
!
interface Dot11Radio1
no ip address
!
encryption vlan 10 mode ciphers aes-ccm tkip
!
encryption vlan 20 mode ciphers aes-ccm tkip
!
encryption vlan 30 mode ciphers aes-ccm tkip
!
encryption vlan 2 mode ciphers aes-ccm tkip
!
ssid bifrost-dave_and_emma-5Ghz
!
ssid bifrost-lab
!
ssid bifrost-visitor
!
antenna gain 0
peakdetect
no dfs band block
stbc
channel dfs
station-role root
!
! 5 GHz subinterface for bifrost-dave_and_emma-5Ghz, which its SSID stanza maps to VLAN 2.
interface Dot11Radio1.2
! NOTE(review): the SSID is on wireless VLAN 2 but this subinterface is tagged dot1Q 1
! native, so the SSID's VLAN and the subinterface encapsulation do not match - a likely
! reason the 5 GHz SSID is not coming up; verify. The example later in this thread keeps
! the dot1Q tag equal to the SSID's VLAN and shares only the bridge-group number.
encapsulation dot1Q 1 native
! Bridge-group 1 is routed through BVI1, the AP's management address, so these clients
! share a layer-2 segment with it.
bridge-group 1
bridge-group 1 subscriber-loop-control
! Unlike the other subinterfaces in this dump, spanning tree is left enabled on this port.
no bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio1.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
!
interface Dot11Radio1.30
encapsulation dot1Q 30
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 spanning-disabled
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
!
interface Dot11Radio2
no ip address
!
encryption vlan 10 mode ciphers aes-ccm tkip
!
encryption vlan 20 mode ciphers aes-ccm tkip
!
encryption vlan 30 mode ciphers aes-ccm tkip
!
encryption vlan 2 mode ciphers aes-ccm tkip
!
ssid bifrost-dave_and_emma-5Ghz
!
ssid bifrost-lab
!
ssid bifrost-visitor
!
antenna gain 0
stbc
no mbssid
power local 18
station-role root
monitor frames endpoint ip address 0.0.0.1 port 10 truncate 0
!
interface Dot11Radio2.2
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
no bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio2.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio2.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
!
interface Dot11Radio2.30
encapsulation dot1Q 30
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 spanning-disabled
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
!
interface GigabitEthernet0
no ip address
duplex full
speed 1000
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 spanning-disabled
no bridge-group 10 source-learning
!
interface GigabitEthernet0.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 spanning-disabled
no bridge-group 20 source-learning
!
interface GigabitEthernet0.30
encapsulation dot1Q 30
bridge-group 30
bridge-group 30 spanning-disabled
no bridge-group 30 source-learning
!
interface BVI1
mac-address 5c83.8f03.7dc4
mtu 9014
ip address 192.168.0.102 255.255.255.0
ip virtual-reassembly in
!
interface BVI10
mac-address 5c83.8f03.7dc5
mtu 9014
ip address 192.168.1.102 255.255.255.0
ip virtual-reassembly in
!
interface BVI20
mac-address 5c83.8f03.7dc6
mtu 9014
ip address 192.168.2.102 255.255.255.0
ip virtual-reassembly in
!
interface BVI30
mac-address 5c83.8f03.7dc7
mtu 9014
ip address 192.168.3.102 255.255.255.0
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 0.0.0.0 0.0.0.0 192.168.0.100
ip route 192.168.1.0 255.255.255.0 192.168.1.100
ip route 192.168.2.0 255.255.255.0 192.168.2.100
ip route 192.168.3.0 255.255.255.0 192.168.3.100
ip ssh version 2
!
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 10 protocol ieee
bridge 10 route ip
bridge 20 protocol ieee
bridge 20 route ip
bridge 30 protocol ieee
bridge 30 route ip
!
!
banner motd ^CCCCC
******************************************
* Unauthorized access prohibited
*
* You are connected to CISCO 3702i Access Point
* at ip 192.168.0.102
*
******************************************
^C
!
line con 0
line vty 0 4
exec-timeout 0 0
privilege level 15
login local
length 0
transport input ssh
!
sntp server 194.35.252.7
end
bifrost-cisco3702i#
01-19-2021 03:58 AM
No, you still seem to have each SSID on a different bridge-group!
And I don't even see bifrost-utilities in that config at all!
And remember you cannot use Radio2 - don't know what effect that config will have.
Here's an example config - rest of config removed to only show what we want. In this example SSID1 (wlan vlan 10) and SSID3 (wlan vlan 110) are both on bridge-group 1 which is on vlan 10 (on the LAN) so they get exactly the same behaviour.
dot11 mbssid
dot11 syslog
!
! Example SSID on wireless VLAN 10.
dot11 ssid SSID1
vlan 10
! NOTE(review): open authentication with no "authentication key-management" and no
! "encryption vlan 10" on the radios, i.e. an unencrypted network. In this example it is
! bridged into bridge-group 1 alongside BVI1. Copy the VLAN/bridge-group layout from this
! example, not the SSID security settings - keep WPA2-PSK on your own SSIDs.
authentication open
! Advertise this SSID in beacons when multiple BSSIDs are enabled.
mbssid guest-mode
!
dot11 ssid 802.1x
vlan 220
authentication open eap eap-login
authentication key-management wpa
mbssid guest-mode
!
dot11 ssid SSID3
vlan 110
authentication open
mbssid guest-mode
!
! Example PSK-protected SSID on wireless VLAN 112 (paired with "encryption vlan 112 mode
! ciphers aes-ccm" on the radios in this example).
dot11 ssid SSID4
vlan 112
authentication open
! NOTE(review): no "version 2" keyword here, unlike the SSIDs in the original poster's
! config - presumably this permits WPA as well as WPA2 clients; add "version 2" to require
! WPA2. TODO confirm against the IOS release in use.
authentication key-management wpa
! Type 7 storage is reversible obfuscation, so the PSK must stay masked when posting.
! There is no "mbssid guest-mode" line, so this SSID appears not to be advertised in beacons.
wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
dot11 aaa csid ietf
dot11 guest
!
bridge irb
!
interface Dot11Radio0
description 802.11 2.4GHz bgn
no ip address
no ip route-cache
!
encryption vlan 220 mode ciphers aes-ccm
!
encryption vlan 112 mode ciphers aes-ccm
!
ssid SSID1
!
ssid 802.1x
!
ssid SSID3
!
ssid SSID4
!
antenna gain 0
stbc
beamform ofdm
speed basic-12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
channel least-congested 2412 2437 2462
station-role root fallback shutdown
rts threshold 2312
no cdp enable
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 port-protected
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.10
description VLAN for SSID1 Open SSID
encapsulation dot1Q 10
no ip route-cache
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
! Subinterface for SSID3. It shows the pattern the reply recommends: its own wireless VLAN
! tag (110), but the same bridge-group (1) as Dot11Radio0.10, so both SSIDs land on the
! same LAN segment.
interface Dot11Radio0.110
description VLAN for Open SSID SSID3
! The dot1Q tag matches the SSID's "vlan 110".
encapsulation dot1Q 110
no ip route-cache
no cdp enable
! Shared with Dot11Radio0.10 and GigabitEthernet0.10 in this example.
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
! Client isolation: the poster notes this keeps wireless users from reaching each other,
! which a home network with printers, casting devices and the like probably does not want.
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.112
description VLAN for SSID4
encapsulation dot1Q 112
no ip route-cache
no cdp enable
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 spanning-disabled
bridge-group 3 port-protected
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
!
interface Dot11Radio0.220
description VLAN for 802.1x SSID
encapsulation dot1Q 220
no ip route-cache
bridge-group 33
bridge-group 33 subscriber-loop-control
bridge-group 33 spanning-disabled
bridge-group 33 port-protected
bridge-group 33 block-unknown-source
no bridge-group 33 source-learning
no bridge-group 33 unicast-flooding
!
interface Dot11Radio1
description 802.11 5GHz a n
no ip address
no ip route-cache
!
encryption vlan 220 mode ciphers aes-ccm
!
encryption vlan 112 mode ciphers aes-ccm
!
ssid SSID1
!
ssid 802.1x
!
ssid SSID3
!
ssid SSID4
!
antenna gain 0
peakdetect
no dfs band block
stbc
beamform ofdm
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
channel dfs
station-role root
no cdp enable
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 port-protected
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio1.10
description VLAN for SSID1 SSID
encapsulation dot1Q 10
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.110
description VLAN for Open SSID SSID3
encapsulation dot1Q 110
no ip route-cache
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.112
description VLAN for SSID4
encapsulation dot1Q 112
no ip route-cache
no cdp enable
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 spanning-disabled
bridge-group 3 port-protected
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
!
interface Dot11Radio1.220
description VLAN for 802.1x SSID
encapsulation dot1Q 220
no ip route-cache
bridge-group 33
bridge-group 33 subscriber-loop-control
bridge-group 33 spanning-disabled
bridge-group 33 port-protected
bridge-group 33 block-unknown-source
no bridge-group 33 source-learning
no bridge-group 33 unicast-flooding
!
interface GigabitEthernet0
description Link to Switchport
no ip address
duplex auto
speed auto
bridge-group 4
bridge-group 4 spanning-disabled
no bridge-group 4 source-learning
!
interface GigabitEthernet0.10
description VLAN for All SSIDs except SSID4 and 802.1x
encapsulation dot1Q 10 native
bridge-group 1
!
interface GigabitEthernet0.33
description VLAN for 802.1x SSID
encapsulation dot1Q 33
no cdp enable
bridge-group 33
bridge-group 33 spanning-disabled
no bridge-group 33 source-learning
!
interface GigabitEthernet0.112
description VLAN for SSID4
encapsulation dot1Q 112
bridge-group 3
!
! Management interface of the AP for bridge-group 1 (address and mask are placeholders).
interface BVI1
ip address a.b.c.d x.x.x.x
! Hardening the original poster's BVI interfaces lack: do not send ICMP redirects or
! unreachables, and do not answer ARP on behalf of other hosts.
no ip redirects
no ip unreachables
no ip proxy-arp
!
ip default-gateway a.b.c.z
!
bridge 1 route ip
!
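This config has port-protected applied for user isolation, which you probably don't want on a home network, so take that out before you copy/paste the config. Note also that SSID1 and SSID3 in the example are open (unencrypted), so keep your own WPA2-PSK settings on your SSIDs rather than copying those. Also be aware that IOS doesn't allow some changes to bridge-group config to be made on the running-config - you have to edit the config, copy it to startup-config and reload the AP.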