Multiple SSID With Multiple VLANs configuration example on Cisco Aironet APs


Dec 28, 2010 8:14 PM
Dec 28th, 2010


Configuration example using multiple VLANs with multiple SSIDs

Components used

  • Any MLS switch which runs IOS
  • Aironet Access Points


I assume that you have configured the DHCP pool on the IOS switch or the Router or on the dedicated DHCP server.


Assuming we have 3 VLANs (1,2 and 3) with native as 1 and mapping to 3 different SSIDs (one , two and three) on any Aironet Access Points.

  • SSID ONE uses WEP encryption
  • Assuming the AP Ethernet port is connected to fa 2/1 port of the switch.
  • Broadcasting all the 3 SSIDs.
  • Configuration on the AP

    1. Step 1

    >> Configure the SSID and Map it to respective VLANS..


    Conf t

    Dot11 ssid one

    Vlan 1

    Authentication open

    Mbssid Guest-mode



    Conf t

    Dot11 ssid two

    Vlan 2

      authentication open

      authentication key-management wpa

      wpa-psk ascii 7 <WPA key>

    Mbssid Guest-mode



    Conf t

    Dot11 ssid three

    Vlan 3

    authentication key-management wpa version 2

    wpa-psk ascii 7 <WPA key>

    Mbssid Guest-mode


    2. Step 2

    >> Assigning the Encryption to different SSIDs with respective VLANs.


    Int dot11 0


    ssid one

    ssid two

    ssid three

    encryption vlan 1 mode wep mandatory

    encryption vlan 1 key 1 size 40bit <10bit key>

    encryption vlan 2 mode ciphers tkip

    encryption vlan 3 mode ciphers aes-ccm

    3. Step 3

    >> Configuring the sub interface for Dot11 radio 0 and Ethernet.

    AP# configure terminal

    Enter configuration commands, one per line.  End with CNTL/Z.

    AP(config)# interface Dot11Radio0.1

    AP(config-subif)# encapsulation dot1Q 1 native

    AP(config-subif)#bridge group 1

    AP(config-subif)# interface FastEthernet0.1

    AP(config-subif)#bridge group 1

    AP(config-subif)# encapsulation dot1Q 1 native

    AP(config-subif)# end

    AP# write memory

    AP(config)# interface Dot11Radio0.2

    AP(config-subif)# encapsulation dot1Q 2

    AP(config-subif)#bridge group 2

    AP(config-subif)# interface FastEthernet0.2

    AP(config-subif)#bridge group 2

    AP(config-subif)# encapsulation dot1Q 2

    AP(config-subif)# end

    AP# write memory

    AP(config)# interface Dot11Radio0.3

    AP(config-subif)# encapsulation dot1Q 3

    AP(config-subif)#bridge group 3

    AP(config-subif)# interface FastEthernet0.3

    AP(config-subif)#bridge group 3

    AP(config-subif)# encapsulation dot1Q 3

    AP(config-subif)# end

    AP# write memory

    AP(config)#bridge irb

    Ap(config)# bridge 1 route ip

    Ap(config)# end


    4. Configuration on the Switch


    conf t

    int fa 2/1

    switchport mode trunk

    switchport trunk encapsulation dot1q

    switchport trunk native vlan 1

    switchport trunk allowed vlan 1,2,3


    5. Step 4

    >> Verification

    On the AP issue the command “show dot11 associations” and you need to see all the 3 SSIDs

    ap#show dot11 associations

    802.11 Client Stations on Dot11Radio0:

    SSID [one] :

    SSID [two] :

    SSID [three] :

    2.  Try pinging from the AP to the Switch VLAN interface, you should be able to ping.


    This is done by assigning the IP address to the BVI interface of the AP, that is.


    Conf t

    Int bvi 1

    Ip address <ip address> <mask>

    No shut



    Issue the command “show ip int br” on the AP and check if all the interfaces are up and running.

    This is it!!

    PS :

    Video as well on the same

    multiple SSID.bmp

    I have attached the Sample working Config from the Switch and the AP for 2 SSIDs.

    Average Rating: 5 (4 ratings)


    gdiazjr03 Wed, 12/29/2010 - 18:37

    Thanks for the great document.

    I do have a question...

    I am trying to do this sort of configuration with only two vlans. However I want the native vlan (1) to be without wireless and only wireless on guest vlan 600. My manager wants me to have vlan 1 for management but without wireless access.

    How can I have an IP address for both vlans and still have vlan 1 without wireless?

    THe ip address of the BVI is throwing me off.

    Can anyone offer suggestions?

    Thanks in advance.

    surbg Wed, 12/29/2010 - 18:45 (reply to gdiazjr03)


    Yes you can do that.. Dont MAP  the SSID to VLAN for VLAN 1, just make sure you have vlan 1 as native on the switch  and configure the DOT11 0.1 and Ethernet 0.1 subinterface on  the AP and let them be in BRIDGE GROUP 1 and then encapsulation dot1Q 1 native.

    This will do it for you!!

    gdiazjr03 Wed, 12/29/2010 - 18:54 (reply to surbg)

    Cool. So where do I put the management IP address for the native vlan 1? On ethernet0.1? or on the BVI?

    Where would I put the IP address for vlan 600? does the bridge group need to match vlan 600? i think it only goes to 255. Know what I mean?

    Thanks for your help. I need to complete this tomorrow.

    surbg Wed, 12/29/2010 - 19:06 (reply to gdiazjr03)


    >> So where do I put the management IP address for the native vlan 1? On ethernet0.1? or on the BVI?

    ANS - Its on the BVI interface.

    >> Where would I put the IP address for vlan  600?

    ANS - make sure you configure this on the switch.. and configure the trunk port between AP and the switch allowing vlan 600.

    does the bridge group need to match vlan 600? i think it only goes  to 255. Know what I mean?

    ANS - yes you are right!! that goes till (bridge group) 255.. MAP the SSID with VLAN 600 and then create the dot11 0.600, then encapsulate this with vlan 600 (encap dot1Q 600) then bridge it with bridge group 254!! under both the radio and ethernet..

    this will work

    gdiazjr03 Wed, 12/29/2010 - 19:34 (reply to surbg)

    Thanks so much for your help.

    I meant for question two...where can i give the AP an IP address on vlan 600?

    Would this be possible?

    surbg Wed, 12/29/2010 - 19:36 (reply to gdiazjr03)

    Since we are bridging the VLAN 600 traffic.. there is no need to give the VLAN 600 ip on the AP.. the bridging will take care of it..

    gdiazjr03 Thu, 12/30/2010 - 05:10 (reply to surbg)


    Is it possible with this config to keep the default on the vlan 600 side even though the BVI is addressed on vlan 1?

    Reason I ask is that vlan 600 ( is on a guest network with a guest DSL internet connection. We want all wireless users to use that egress. However we still want to be able to manage the AP on the vlan 1 side ( with no wireless on vlan 1.

    Is it possible?

    Thanks again!!!

    surbg Thu, 12/30/2010 - 06:08 (reply to gdiazjr03)

    If you have VLAN 600 in the network and if we are able reach VLAN 600 from VLAN 1, then everything will work fine..

    gdiazjr03 Thu, 12/30/2010 - 06:19 (reply to surbg)

    We don't want the vlans to be able to reach each other. Just layer 2 with no routing in between. Wireless users hit vlan 600 to DSL gateway and vlan 1 just for management that we can access from the network. We don't want to reach the vlan 600 side and don't want users on vlan 600 to reach vlan 1 side.

    Make sense? Thats where I am tied up.  

    What do you think?

    GauravGambhir Sat, 02/25/2012 - 19:41

    Hi Surendra,

    This is a fantastic doc, I am also facing issue is configuring the multilple ssid with multiple vlans. I will try out this on monday ie tomorrow. I will get back to you in case I am facing any issue.


    wannabe22 Thu, 07/12/2012 - 09:35


    i've the same problem, but i need 3 vlan and 2 MBSSID, the vlan 25 for administration, the vlan 20 Production and the vlan 90 Visitors, but only need 2 MBSSID (AP_Production to vlan 20 and AP_Visitor to vlan 90), the two SSID need encryption WEP 40bits, at the same time the vlan 20 "Production need use a ip helper address (, and the vlan 90 "Visitors"only internet access assign DHCP in this range / 27

    well my problem is i'm so newbie in cisco commands.

    i read for all internet and forums and dont find nothing


    gcurto Wed, 09/05/2012 - 04:24

    Hi Surendra, this document I´m makin same solution in our office, thank you again and the video is so great!

    I will try out this today. Best regards

    CompassIntl Tue, 09/25/2012 - 07:25


    Thanks for laying this out!...  But I've another related question:  Can you have a 'single' SSID accept multiple types of encryption?...

    Using your example, is it possible to modify the commands above to:

    authentication key-management wpa

    authentication key-management wpa version 2


    encryption vlan 2 mode ciphers tkip

    encryption vlan 2 mode ciphers aes-ccm

    could I allow vlan 2 above to accept both WPA & WPA2 ( tkip & aes-ccm )?

    Or if not possible in the way I did it above, is it possible (from the "users" perspective) to have 1 (one) ssid from which their computer / device will automatically select WPA2 or WPA?



    TitiBello Sun, 10/21/2012 - 10:15

    Hi Surendra,

    I was just given this task to see how i can configure a second ssid for guest access in our environment.

    this is our network setup prior to this request: Internet----Firewall (not ASA)---ce520---C1131AG and CME router is also connecting to the ce520 switch. we only have two vlans: one for voice and two for data.

    Presently, there is no vlan configured on the AP because it on broadcasting ont ssid and wireless users gets IP from a windows DHCP server on the LAN. the configuration on the ce520 switch port for the AP and other switches say access vlan is the DATA vlan which automatically becomes the native vlan for all trunk port connecting the AP and other Stiches to the network.

    Now with this new requirement, i have made my research and i have configured the AP to broadcast both the production and the guest Vlans. The two vlans are 20-DATA and 60-Guest. I made the DATA vlan on the AP the native vlan since the poe switch is using the DATA vlan as native on the trunk ports. I configured the firewall to serve as DHCP server for the guest ssid and i have added the ip helper-address on the guest vlan interface on all switches while the windows server remains the dhcp server for the production DATA Vlan. I have confirmed that the AP, switches can ping the default gateway of the guest dhcp server which is another interface on the firewall. I can now see and connect to all broadcasted ssids but the problem is I am not getting IP addresses from both the production dhcp server and guest dhcp server when i connected to the ssid one at a time.

    Please tell me what am I doing wrong.

    Do i need to redesign the whole network to have a native vlan other nthan the data vlan?

    Does the access point need to be aware of the voice vlan?

    Do the native Vlan on the AP need to be in Bridge-group 1 or can i leave it in bridge-group 20?

    I will greatly appreciate your urgent response.

    Thanks in advanced.

    surbg Sun, 10/21/2012 - 21:31 (reply to TitiBello)


    Please post the show run frm the AP.. if possible post a new thread on the questions section of the forum

    I will have look in to the same and will get back to you!!



    steve.morris@nw... Sun, 03/10/2013 - 10:32

    Hi Surendra

    I've been working with your example here and it's working great.  I have stalled on one part though and I'm really struggling to get round it.  The management interface of the WAP is on vlan 3.  If I am on the switch and put "switchport trunk native vlan 3", the BVI interface becomes pingable but SSID three stops working.  Take the native line off again and the BVI port becomes unavailable but SSID 3 works fine again.

    Sorry if my questions shows up my inexperience!

    Thanks in advance for any assistance you can offer me


    steve.morris@nw... Sun, 03/10/2013 - 12:45 (reply to steve.morris@nw...)

    Sorry to bother, I've figured it.  In case anyone else is stuck, the bridge group on FA0.3 and Dot 0.3 needed to be 1 rather than 3  (note, I don't use vlan 1 for anything) and also FA0.3 and Dot 0.3 needed encaps dot1Q 3 NATIVE put in.  Thanks!

    boian.soloviov Tue, 07/23/2013 - 09:19 (reply to steve.morris@nw...)

    Steve, mind if you elaborate, because I still don' grasp it: on our whole environment we don't use VLAN1 as well - it is the native VLAN on all our catalyst switches but no IP port assigned anywhere, so sort of dummy. We use, say VLAN6 for admin - and that is where I would like to see the only IP address - I tried on gig0.6 as well as configuring bridge-group 6 on it and assigning the IP on interface BVI6, even configuring bridge 6 route ip. All to no avail I cannot ping this IP from the admin VLAN and vice versa.

    What is wrong here?

    I don't want any routing and actually bridging as well. I used Lancoms earlier and it was as simple as configuring 3 VLANs (for admin, corporate and guest lans, assigning the latter two to Dot Interfaces) and that was that - all the rest is taken care of DHCP/DNS/Gateway devices plugged to respective switchport mode access-Configured ports.

    Thanks for any help in advance!

    steve.morris@nw... Wed, 07/24/2013 - 01:52

    Hi Boian

    You'll have to bare with me here because it's been a little while since I got my WAPs working and now I just copy-alter-paste the entire running config into a new WAP.  However, I've just jumped onto one of my WAPs and I believe below is the key elements of the code that you need.  I've hand typed it so watch out for any typos!  This is on a Cisco 1131AG in autonomous mode.

    I have two VLANs, one for admin and one for guest.  VLAN 2 is for admin, VLAN 3 is for Guest.  (vlan 1 is shut down on the switch).  Whilst my switch is configured with a management IP address for VLAN 2, it's not necessary for this to work, providing that the subnet you are using is addressable from outside that subnet.

    basically, there are two vlans which means the wap needs two virtual radio interfaces, two virtual ethernet interfaces and the virtual radio interfaces need to be bridged to each other.  In my case, I've got radio interfaces 0.2 and 0.3, and ethernet interfaces 0.2 and 0.3.  For reasons I'm struggling to remember, the admin vlan needed to use bridging group 1

    This is how my WAP runs

    int dot11radio0

    encrypt vlan 2 mode ciphers aes-ccm

    encrypt vlan 3 mode ciphers aes-ccm

    broadcast-key change 86000


    ssid guest

    ssid admin

    int dot11radio0.2

    encapsulation dot1Q 2 native

    no ip route-cache

    bridge-group 1

    int dot11radio0.3

    encapsulation dot1Q 3

    no ip route-cache

    bridge-group 3

    int fa0.2

    encapsulation dot1Q 2 native

    no ip route-cache

    bridge-group 1

    int fa0.3

    encapsulation dot1Q 3

    no ip route-cache

    bridge-group 3

    dot11 ssid guest

    vlan 3

    authentication open

    authentication key-management wpa version 2

    mbssid guest-mode

    wpa-psk ascii [key goes here]

    dot11 ssid admin

    vlan 2

    authentication open

    authentication key-management wpa version 2

    mbssid guest-mode

    wpa-psk ascii [differeny key goes here]

    bridge irb

    int bvi1

    ip address [address] [mask]

    ip default-gateway [address]

    Then on the switch, the config looks like this:

    int fa0/1

    switchport trunk encapsulation dot1Q

    switchport mode trunk

    switchport trunk native vlan 2

    I had a lot of issues being able to get to the management interface of the WAP from the admin vlan and the issue surrounded the use of the native vlan - or to be precise, I wasn't using the native vlan commands.

    Does that help?


    boian.soloviov Sat, 07/27/2013 - 10:03 (reply to steve.morris@nw...)

    Steve thanks for the prompt answer. Sorry for my delay.

    Now actually it works, considering that I am using as you proposed bridge-group 1 for this purpose.

    But as a responsible CCNA I can only say: this config is RIDICULOUS!

    Not only should a router WORK as a router allowing interface #.# as VLAN interface AND switching it to directly attached port of another network component, but also a network administrator should be given the opportunity to choose whether to use bridge-groups at all ot not!

    Even at your proposed configuration I had to restart the device for the management IP to get working. And further more now its virtual MAC is staying on the VLAN1 as well on the VLAN6 of the switch's MAC table  (management VLAN6 configured as native on both ends), meaning for me that bridge group 1 is somehow adding VLAN1 header.

    And also the Aironet 1600 standalone modules delivery was MISERABLE! No user manual, no description, not even a power supply!

    This is the last time I purchase anything from these monkeys, really!!!

    surbg Sat, 07/27/2013 - 10:09 (reply to boian.soloviov)


    I really appreciate you guys discussion this here.. this is a docuemnt section.. for any technical questions. please post a question on Discussion forum and you will get better responses..



    boian.soloviov Fri, 08/02/2013 - 04:44 (reply to surbg)

    Surendra, you are right, sorry for that: this section is the wrong place for the otherwize right words.

    PS: blame only me, Steve has nothing to do with it (because you mention "guys" above) ;-p

    boian.soloviov Fri, 08/02/2013 - 04:55 (reply to steve.morris@nw...)

    One more technical feedback to Steve and other interested: actually you are not bound to bridge-group 1. my testing showed that actually mapping your admin VLAN - say 2 - to another bridge-group - say 2 as well - and then defining bvi2 ip address could work perfectly good, BUT only if you assign on the switch trunk port VLAN2 native. By the way you don't necessarily need to assign eth0.2 encapsulation dot1Q 2 native on the AP - without native it still runs. What really disturbs is that even in this scenario and shutdown bvi1 won't help to announce its MAC address on VLAN1 to the switch.

    Commands that don't work on Aironet 1600 were: "no bridge-group 1" on any interface, "no int bvi1", "no bridge 1" and "no bridge irp". No need to try them at all

    Domwilko1_2 Fri, 09/20/2013 - 11:03

    OK, What am I missing here. Step Three just does not work!

    I'm trying to implement WPA2PSK on a Cisco 1142 AP running (C1140-K9W7-M), Version 15.2(4)JA1, but I just can't seem to get it to work:

    ap(config)#Dot11 ssid three


    ap(config-ssid)#Vlan 3


    ap(config-ssid)#authentication key-management wpa version 2

    Error: open or network-eap authentication is required for WPA


    ap(config-ssid)#wpa-psk ascii 7 cisco123cisco123

    Error: Key-management WPA is requried for WPA-PSK

    I've tried enabling ciphers under the Dot11Radio0 interface (encrypt vlan 3 mode ciphers aes-ccm), but still won't work and I still get the error message for the WPA Version 2.

    Can someone please post a working configuration for WPA2PSK for a 1142N and explai?n what I'm missing


    caleiton Mon, 12/16/2013 - 14:22 (reply to Domwilko1_2)


    I know it is too late to answer your question, but just for the records, your problem here was because you were missing the following line:

    ap(config-ssid)#authentication open

    And then you should be able to configure the key-management without any problems.



    Login or Register to take actions

    Related Content

    Documents Leaderboard