Encrypting Aironet 1410 bridge link using multiple VLANs


I've looked at the documentation available for Aironet 1400 series, and still would like to see a single document showing an example of the best encryption/authentication available for bridge links using multiple VLANs.

As I understand it, 1400 series can support WPA-PSK using AES, which would work for me.  I just can't picture how to integrate chapters 9 and 10 for the 'WEP and WEP Features' + 'Configuring Authentication Types' instructions.

I'm looking either for an example config, or a step-by-step that did all steps consecutively.


Scott Fella Tue, 06/01/2010 - 08:41

What doc are you referring to?  If you want to encrypt the link from root bridge to non-root bridge, then WPA/TKIP-PSK is what you should use.  Here is a link to how to set up your link SSID to WPA: http://www.cisco.com/en/US/docs/wireless/bridge/1400/12.2_15_JA/configuration/guide/p15auth.html#wp1044935

Don't worry about the example they show on the WEP, just use the configuration from the above link for your encryption.

Configuring a VLAN

Configuring your bridge to support VLANs is a five-step process:

1. Create subinterfaces on the radio and Ethernet interfaces.

2. Enable 802.1q encapsulation on the subinterfaces and assign one subinterface as the native VLAN.

3. Assign a bridge group to each VLAN.

4. (Optional) Enable WEP on the native VLAN. <-- Use WPA-PSK

5. Assign the bridge's SSID to the native VLAN.


Here is an example where VLAN 1 (native) will be your management and your wireless link.  VLANs 10 and 20 will pass through the link.

BR# configure terminal
BR(config)# interface dot11radio0.1
BR(config-subif)# encapsulation dot1q 1 native
BR(config-subif)# bridge-group 1
BR(config-subif)# exit
BR(config)# interface fastEthernet0.1
BR(config-subif)# encapsulation dot1q 1 native
BR(config-subif)# bridge-group 1
BR(config)# interface fastEthernet0.10
BR(config-subif)# encapsulation dot1q 10
BR(config-subif)# bridge-group 10
BR(config)# interface fastEthernet0.20
BR(config-subif)# encapsulation dot1q 20
BR(config-subif)# bridge-group 20
BR(config-subif)# exit
BR(config)# interface dot11radio0
BR(config-if)# ssid batman
BR(config-ssid)# vlan 1
BR(config-ssid)# infrastructure-ssid
BR(config-ssid)# end

Thanks for the help.  I had no problem getting the VLANs set up.  My question was solely with security (encryption and authentication).  If I follow this:

bridge# configure terminal
bridge(config)# interface dot11radio 0
bridge(config-if)# ssid batman
bridge(config-ssid)# wpa-psk ascii batmobile65
bridge(config-ssid)# end
and repeat for each WLAN SSID, will that give me the best security possible?
How would I set the encryption to AES or 3DES, or is that handled automatically in the WPA-PSK?
or, restated:
is the WPA-PSK setting for authentication only, encryption only, or both?
Thanks in advance.

Scott Fella Tue, 06/01/2010 - 09:45

You only need to use encryption on the wireless link from one bridge to another.  This link will pass all the other vlans from one side to the other.
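
An added example, not part of the original thread: a small audit that reads a saved bridge configuration and reports which pieces of a WPA-PSK protected link are missing for the link SSID. It assumes the Aironet IOS commands `authentication key-management wpa` (under the SSID) and `encryption [vlan N] mode ciphers <cipher>` (on the radio interface) from the authentication guide linked above; the two sample configs are constructed, and the function names are hypothetical.

```python
import re
# Constructed running-config fragments (not from the thread); key is a placeholder.
# Assumed IOS syntax: 'authentication key-management wpa', 'encryption [vlan N] mode ciphers <c>'.
PSK_ONLY = """\
interface Dot11Radio0
 ssid batman
    vlan 1
    infrastructure-ssid
    wpa-psk ascii PLACEHOLDER-KEY
!
"""
COMPLETE = """\
interface Dot11Radio0
 encryption vlan 1 mode ciphers tkip
 ssid batman
    vlan 1
    authentication open
    authentication key-management wpa
    infrastructure-ssid
    wpa-psk ascii PLACEHOLDER-KEY
!
"""

def ssid_block(config, ssid):
    """Return the stripped lines nested (by indentation) under 'ssid <name>'."""
    block, depth = [], None
    for raw in config.splitlines():
        indent = len(raw) - len(raw.lstrip())
        if depth is None:
            if raw.strip() == f"ssid {ssid}":
                depth = indent
        elif raw.strip() and indent > depth:
            block.append(raw.strip())
        else:
            break
    return block

def audit_link_security(config, ssid):
    """List what is missing for a WPA-PSK protected bridge link on this SSID."""
    block, findings = ssid_block(config, ssid), []
    if not any(l.startswith("wpa-psk ") for l in block):
        findings.append("no pre-shared key (wpa-psk)")
    if not any(l.startswith("authentication key-management wpa") for l in block):
        findings.append("WPA key management not enabled")
    vlan = next((l.split()[1] for l in block if l.startswith("vlan ")), None)
    scope = f"vlan {vlan} " if vlan else ""
    if not re.search(rf"^\s*encryption {scope}mode ciphers \S+", config, re.M):
        findings.append(f"no cipher set for {scope.strip() or 'the radio'}")
    return findings
```

Run it against the output of `show running-config` saved from both the root and non-root bridge; an empty list means the key, the key management and a cipher are all present for the link SSID.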