How to program Aironet 1200 for 3 VLANs

Answered Question
May 16th, 2012

Hello. I'll admit to being a Cisco IOS newbie up-front.

I work in a small private high school. We had two dozen Aironet 1200 access points and a controller donated to us from a local hospital that no longer needed them. My boss would like me to set one up with 3 VLANs:

- encrypted VLAN for staff

- encrypted VLAN for students

- unencrypted VLAN for guests

Ultimately, we'd like the staff VLAN to have access to all internal network resources, the student VLAN to have access to several pre-defined printers, and the guest VLAN is web-only access. Whether the controller we were given will accommodate that, we won't know until we get one Aironet 1200 programmed and connected to the controller. For the time being, I just want to get this access point programmed with the 3 VLANs.

I'm easily able to get it running a single SSID (non-VLAN) network and confirm that I can use that network fine. However, I need to set up these 3 VLANs and am hoping someone can walk me through programming it. I can connect to it via telnet if that'll let me program it faster.

Any suggestions? Help?

Scott Fella Wed, 05/16/2012 - 08:14

David,

What model/part # is your AP and WLC? We need this information first to see if the AP and WLC are compatible.

david.allie.2357 Thu, 05/17/2012 - 07:22

Scott,

The Aironet 1200 is model AIR-AP1231G-A-K9. The controller is the Cisco 1130 Wireless LAN Solution Engine.

-- David

Scott Fella Thu, 05/17/2012 - 07:49

Well, the 1130 is an old platform (WLSE) and you probably will not ever use that. You will have to manually configure each access point to do what you want it to do. Here is a guide on configuring multiple SSIDs:

http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37ssid.html

david.allie.2357 Thu, 05/17/2012 - 09:03

Wow, I had a feeling that this project was going to be problematic. I'm going to look at the info/link you shared and will try to program the Aironet 1200 on my desk. I'll let you know tomorrow how it goes.

Thanks.

Correct Answer
maldehne Thu, 05/17/2012 - 09:44

Hello David

I would be more than glad to contribute to this.

Let's assume the following scenario, you have three SSIDs:

ssid 1: staff --> vlan 1, wpa-psk
ssid 2: students --> vlan 2, wep
ssid 3: guests --> vlan 3, open authentication

Assuming:

vlan 1: 192.168.1.0/24
vlan 2: 192.168.2.0/24
vlan 3: 192.168.3.0/24

L3 Switch ----- AP

AP(config)# dot11 ssid staff
 vlan 1
 authentication open
 authentication key-management wpa
 exit

AP(config)# dot11 ssid students
 vlan 2
 authentication open
 exit

AP(config)# dot11 ssid guests
 vlan 3
 authentication open
 guest-mode
 exit

AP(config)# interface dot11radio 0
 encryption vlan 1 mode ciphers tkip
 encryption vlan 2 mode wep mandatory
 encryption vlan 2 key 1 size 128bit .......
 ssid staff
 ssid students
 ssid guests
 no shut
 exit

* Assuming vlan 1 is the trunk native vlan *

AP(config)# interface d0.1
 encapsulation dot1q 1 native
 bridge-group 1
 exit

AP(config)# interface d0.2
 encapsulation dot1q 2
 bridge-group 2
 exit

AP(config)# interface d0.3
 encapsulation dot1q 3
 bridge-group 3
 exit

AP(config)# interface fa0.1
 encapsulation dot1q 1 native
 bridge-group 1
 exit

AP(config)# interface fa0.2
 encapsulation dot1q 2
 bridge-group 2
 exit

AP(config)# interface fa0.3
 encapsulation dot1q 3
 bridge-group 3
 exit

AP(config)# interface bvi1
 ip add 192.168.1.2 255.255.255.0
 no shut

On the Switch:

SW(config)# vlan 1
 vlan 2
 vlan 3

SW(config)# interface vlan 1
 ip add 192.168.1.1 255.255.255.0
 no shut
 exit

SW(config)# interface vlan 2
 ip add 192.168.2.1 255.255.255.0
 no shut
 exit

SW(config)# interface vlan 3
 ip add 192.168.3.1 255.255.255.0
 no shut
 exit

* Now configure the switch port connecting the AP as dot1q trunk with native vlan being 1 *

SW(config-if)# switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport mode trunk
 exit

Make sure that you define DHCP pools for clients in the various VLANs, which I assume you already have.

I hope this has been informative to you.

Regards

----------------------------------------------------------------------

Please make sure to rate correct answers

david.allie.2357 Fri, 05/18/2012 - 07:16

Thanks maldehne, these are the commands I finally used for testing purposes, based on your suggestion:

enable
configure terminal

interface dot11radio0
 ssid chs-staff
 vlan 1
 authentication open
 encryption vlan 1 mode wep mandatory
 encryption vlan 1 key 1 size 128 11111111111111111111111111 transmit-key
 exit

interface dot11radio0.1
 encapsulation dot1q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 exit

interface fastEthernet0.1
 encapsulation dot1q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 exit

interface dot11radio0
 ssid chs-students
 vlan 2
 authentication open
 encryption vlan 2 mode wep mandatory
 encryption vlan 2 key 1 size 128 22222222222222222222222222 transmit-key
 exit

interface dot11radio0.2
 encapsulation dot1q 2
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
 exit

interface fastEthernet0.2
 encapsulation dot1q 2
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
 exit

interface dot11radio0
 ssid chs-guests
 vlan 3
 authentication open
 guest-mode
 exit

interface dot11radio0.3
 encapsulation dot1q 3
 no ip route-cache
 bridge-group 3
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled
 exit

interface fastEthernet0.3
 encapsulation dot1q 3
 no ip route-cache
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3 spanning-disabled
 exit

interface dot11radio0
 station role root
 preamble-short
 dot11 extension aironet
 no shutdown
 end

copy running-config startup-config

I'm able to connect on all three networks. Now, we'll set up the DHCP pools, configure the switch for the 3 VLANs, and add rules to the firewall to specify what resources can/cannot be accessed depending on role.

Thanks everyone!
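
An added example, not part of the thread and not Cisco tooling: a small Python check that reads an Aironet IOS configuration and reports which protection each SSID actually ends up with, since `encryption vlan N` is keyed by VLAN number rather than by SSID, and whether each SSID's VLAN is tagged on both a radio and an Ethernet subinterface. The names `audit` and `SAMPLE` and the sample configuration are constructed for illustration; the parser assumes full interface names such as `dot11radio0.1`, and an intentionally open guest SSID is reported with protection `none`.

```python
import re

# Constructed sample (thread style): cipher keyed to VLAN 20, no fastEthernet0.3.
SAMPLE = """\
interface dot11radio0
 ssid chs-staff
 vlan 1
 encryption vlan 1 mode ciphers tkip
 ssid chs-students
 vlan 2
 encryption vlan 20 mode wep mandatory
 ssid chs-guests
 vlan 3
interface dot11radio0.1
 encapsulation dot1q 1 native
interface fastEthernet0.1
 encapsulation dot1q 1 native
interface dot11radio0.2
 encapsulation dot1q 2
interface fastEthernet0.2
 encapsulation dot1q 2
interface dot11radio0.3
 encapsulation dot1q 3
"""

def audit(config):
    """Return ({ssid: (vlan, protection)}, findings) for an Aironet IOS config."""
    ssid_vlan, enc, tagged, ssid, kind = {}, {}, {}, None, None
    for line in map(str.strip, config.splitlines()):
        if line.lower().startswith("interface "):
            m = re.match(r"interface (dot11radio|fastethernet)0\.\d+$", line, re.I)
            ssid, kind = None, m.group(1).lower() if m else None
        elif m := re.match(r"(?:dot11 )?ssid (\S+)$", line):
            ssid = m.group(1)
        elif (m := re.match(r"vlan (\d+)$", line)) and ssid:
            ssid_vlan[ssid] = int(m.group(1))  # VLAN the SSID maps to
        elif m := re.match(r"encryption vlan (\d+) mode (wep|ciphers) ?(.*)", line):
            enc[int(m.group(1))] = "wep" if m.group(2) == "wep" else m.group(3)
        elif (m := re.match(r"encapsulation dot1q (\d+)", line)) and kind:
            tagged.setdefault(int(m.group(1)), set()).add(kind)
    # Encryption is keyed by VLAN number, so a mistyped VLAN protects nothing.
    findings = [f"encryption set for VLAN {v}, which no SSID uses"
                for v in sorted(set(enc) - set(ssid_vlan.values()))]
    report = {n: (v, enc.get(v, "none")) for n, v in ssid_vlan.items()}
    for name, (vlan, mode) in report.items():
        if mode in ("none", "wep"):
            findings.append(f"{name}: VLAN {vlan} protection is {mode}")
        for k in sorted({"dot11radio", "fastethernet"} - tagged.get(vlan, set())):
            findings.append(f"{name}: VLAN {vlan} has no {k} subinterface")
    return report, findings
```

Calling `audit(SAMPLE)` returns the SSID-to-protection map and a list of findings; run it against saved `show running-config` output from each access point before relying on the firewall rules per VLAN.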

maldehne Sun, 05/20/2012 - 02:43

Great

Posted May 16, 2012 at 6:54 AM