How to program Aironet 1200 for 3 VLANs

Answered Question
May 16th, 2012

Hello. I'll admit to being a Cisco IOS newbie up-front.

I work in a small private high school. We had two dozen Aironet 1200 access points and a controller donated to us from a local hospital that no longer needed them. My boss would like me to set one up with 3 VLANs:

- encrypted VLAN for staff

- encrypted VLAN for students

- unencrypted VLAN for guests

Ultimately, we'd like the staff VLAN to have access to all internal network resources, the student VLAN to have access to several pre-defined printers, and the guest VLAN is web-only access. Whether the controller we were given will accommodate that, we won't know until we get one Aironet 1200 programmed and connected to the controller. For the time being, I just want to get this access point programmed with the 3 VLANs.

I'm easily able to get it running a single SSID (non-VLAN) network and confirm that I can use that network fine. However, I need to set up these 3 VLANs and am hoping someone can walk me through programming it. I can connect to it via telnet if that'll let me program it faster.

Any suggestions? Help?

Scott Fella Wed, 05/16/2012 - 08:14

David,

What model/part # is your AP and wlc? We need this information first to see if the ap and wlc are compatible.

Sent from Cisco Technical Support iPhone App

david.allie.2357 Thu, 05/17/2012 - 07:22

Scott,

The Aironet 1200 is model AIR-AP1231G-A-K9. The controller is the Cisco 1130 Wireless LAN Solution Engine.

-- David

david.allie.2357 Thu, 05/17/2012 - 09:03

Wow, I had a feeling that this project was going to be problematic. I'm going to look at the info/link you shared and will try to program the Aironet 1200 on my desk. I'll let you know tomorrow how it goes.

Thanks.

Correct Answer
maldehne Thu, 05/17/2012 - 09:44

Hello David

I would be more than glad to contribute to this.

Let's assume the following scenario, you have three SSIDs:

    ssid 1: staff    --> vlan 1, wpa-psk
    ssid 2: students --> vlan 2, wep
    ssid 3: guests   --> vlan 3, open authentication

Assuming:

    vlan 1: 192.168.1.0/24
    vlan 2: 192.168.2.0/24
    vlan 3: 192.168.3.0/24

    L3 Switch ----- AP

    AP(config)# dot11 ssid staff
              # vlan 1
              # authentication open
              # authentication key-management wpa
              # exit

    AP(config)# dot11 ssid students
              # vlan 2
              # authentication open
              # exit

    AP(config)# dot11 ssid guests
              # vlan 3
              # authentication open
              # guest-mode
              # exit

    AP(config)# interface dot11radio 0
              # encryption vlan 1 mode ciphers tkip
              # encryption vlan 2 mode wep mandatory
              # encryption vlan 2 key 1 size 128bit .......
              # ssid staff
              # ssid students
              # ssid guests
              # no shut
              # exit

* Assuming vlan 1 is the trunk native vlan *

    AP(config)# interface d0.1
              # encapsulation dot1q 1 native
              # bridge-group 1
              # exit

    AP(config)# interface d0.2
              # encapsulation dot1q 2
              # bridge-group 2
              # exit

    AP(config)# interface d0.3
              # encapsulation dot1q 3
              # bridge-group 3
              # exit

    AP(config)# interface fa0.1
              # encapsulation dot1q 1 native
              # bridge-group 1
              # exit

    AP(config)# interface fa0.2
              # encapsulation dot1q 2
              # bridge-group 2
              # exit

    AP(config)# interface fa0.3
              # encapsulation dot1q 3
              # bridge-group 3
              # exit

    AP(config)# interface bvi1
              # ip add 192.168.1.2 255.255.255.0
              # no shut

On the Switch:

    SW(config)# vlan 1
              # vlan 2
              # vlan 3

    SW(config)# interface vlan 1
              # ip add 192.168.1.1 255.255.255.0
              # no shut
              # exit

    SW(config)# interface vlan 2
              # ip add 192.168.2.1 255.255.255.0
              # no shut
              # exit

    SW(config)# interface vlan 3
              # ip add 192.168.3.1 255.255.255.0
              # no shut
              # exit

* Now configure the switch port connecting the AP as dot1q trunk with native vlan being 1 *

    SW(config-if)# switchport trunk encapsulation dot1q
                 # switchport trunk native vlan 1
                 # switchport mode trunk
                 # exit

Make sure that you define DHCP pools for clients in the various VLANs, which I assume you already have.

I hope this has been informative to you.

Regards

----------------------------------------------------------------------

Please make sure to rate correct answers

david.allie.2357 Fri, 05/18/2012 - 07:16

Thanks maldehne, these are the commands I finally used for testing purposes, based on your suggestion:

    enable
    configure terminal

    ! Staff SSID on VLAN 1 (native VLAN), 128-bit WEP
    interface dot11radio0
    ssid chs-staff
    vlan 1
    authentication open
    encryption vlan 1 mode wep mandatory
    encryption vlan 1 key 1 size 128 11111111111111111111111111 transmit-key
    exit

    ! Radio and Ethernet subinterfaces for VLAN 1, joined by bridge-group 1
    interface dot11radio0.1
    encapsulation dot1q 1 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    exit

    interface fastEthernet0.1
    encapsulation dot1q 1 native
    no ip route-cache
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    exit

    ! Student SSID on VLAN 2, 128-bit WEP
    interface dot11radio0
    ssid chs-students
    vlan 2
    authentication open
    encryption vlan 2 mode wep mandatory
    encryption vlan 2 key 1 size 128 22222222222222222222222222 transmit-key
    exit

    ! Radio and Ethernet subinterfaces for VLAN 2, joined by bridge-group 2
    interface dot11radio0.2
    encapsulation dot1q 2
    no ip route-cache
    bridge-group 2
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    bridge-group 2 spanning-disabled
    exit

    interface fastEthernet0.2
    encapsulation dot1q 2
    no ip route-cache
    bridge-group 2
    no bridge-group 2 source-learning
    bridge-group 2 spanning-disabled
    exit

    ! Guest SSID on VLAN 3, open with no encryption, broadcast in beacons (guest-mode)
    interface dot11radio0
    ssid chs-guests
    vlan 3
    authentication open
    guest-mode
    exit

    ! Radio and Ethernet subinterfaces for VLAN 3, joined by bridge-group 3
    interface dot11radio0.3
    encapsulation dot1q 3
    no ip route-cache
    bridge-group 3
    no bridge-group 3 source-learning
    no bridge-group 3 unicast-flooding
    bridge-group 3 spanning-disabled
    exit

    interface fastEthernet0.3
    encapsulation dot1q 3
    no ip route-cache
    bridge-group 3
    no bridge-group 3 source-learning
    bridge-group 3 spanning-disabled
    exit

    ! Radio-wide settings, then bring the radio up and save
    interface dot11radio0
    station role root
    preamble-short
    dot11 extension aironet
    no shutdown
    end

    copy running-config startup-config

I'm able to connect on all three networks. Now, we'll set up the DHCP pools, configure the switch for the 3 VLANs, and add rules to the firewall to specify what resources can/cannot be accessed depending on role.

Thanks everyone!
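
An added example, not part of the original thread: a small Python check that reads an autonomous-AP configuration in the style posted above and reports, for each SSID VLAN, the cipher mode and whether both a radio and an Ethernet subinterface carry that VLAN in the same bridge-group. The sample configuration is constructed, and the parser assumes full interface names (as in `show running-config`), not abbreviations such as `d0.1`.

```python
import re
# Constructed sample in the style of the configuration posted above (no real keys).
SAMPLE = """\
interface dot11radio0
 encryption vlan 1 mode wep mandatory
 ssid chs-staff
  vlan 1
 ssid chs-guests
  vlan 3
interface dot11radio0.1
 encapsulation dot1q 1 native
 bridge-group 1
interface fastEthernet0.1
 encapsulation dot1q 1 native
 bridge-group 1
interface dot11radio0.3
 encapsulation dot1q 3
 bridge-group 3
"""

def audit(config):
    """Per SSID VLAN: cipher mode plus any encryption or bridging problems found."""
    ssids, modes, subifs = {}, {}, {}
    ssid = iface = vlan = None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+?) ?\d+(\.\d+)?$", line, re.I):
            iface, ssid, vlan = m.group(1).lower(), None, None
        elif m := re.match(r"(dot11 )?ssid (\S+)$", line):
            ssid = m.group(2)
        elif (m := re.match(r"vlan (\d+)$", line)) and ssid:
            ssids[int(m.group(1))] = ssid          # SSID-to-VLAN mapping
        elif m := re.match(r"encryption vlan (\d+) mode (.+)$", line):
            modes[int(m.group(1))] = m.group(2)    # e.g. "wep mandatory", "ciphers tkip"
        elif m := re.match(r"encapsulation dot1q (\d+)", line):
            vlan = int(m.group(1))                 # VLAN tag of this subinterface
            subifs.setdefault(vlan, {})[iface] = None
        elif (m := re.match(r"bridge-group (\d+)$", line)) and vlan is not None:
            subifs[vlan][iface] = int(m.group(1))
    report = {}
    for v, name in sorted(ssids.items()):
        mode, groups, issues = modes.get(v, "none"), subifs.get(v, {}), []
        if mode == "none" or mode.startswith("wep"):
            issues.append(f"weak over-the-air protection: {mode}")
        issues += [f"no {side} subinterface tagged for VLAN {v}"
                   for side in ("dot11radio", "fastethernet") if side not in groups]
        if len(set(groups.values())) > 1:
            issues.append("radio and Ethernet sides use different bridge-groups")
        report[v] = {"ssid": name, "mode": mode, "issues": issues}
    return report
```

Calling `audit(SAMPLE)` flags the WEP-only staff VLAN and, for the guest VLAN, both the missing encryption and the missing Ethernet subinterface.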

This Discussion

Posted May 16, 2012 at 6:54 AM