Cisco Support Community

New Member

Bridging multiple SSIDs and VLANs?

I am trying to set up a point-to-point bridge link. I need both ends to support wireless clients, so I know that one end will be set up as "root bridge wireless clients" and the other end as "non-root bridge wireless clients".

I have three SSIDs on each end connected to three VLANs. I am using a 1230g access point for this.

I am unable to get the two units to connect to each other. I am using LEAP on the primary SSID, which is set up as the infrastructure-ssid with a username and password.

On the root bridge I am never seeing the remote bridge even try to authenticate.

I know that when bridging multiple VLANs you only need to encrypt the first VLAN, but all three SSIDs are using encryption for the users.

Is what I am trying to do even possible?

Seth

4 REPLIES
Cisco Employee

Re: Bridging multiple SSIDs and VLANs?

Hi,

Maybe you can post your two configurations so we can see more clearly?

In summary, the infrastructure SSID must be on the native VLAN. And you can select the encryption with "encryption vlan xxxx" for each VLAN.

But I'm trying to understand what you want to achieve: do you have three SSIDs on each side serving clients, and you also want to bridge those three VLANs?

You can have one SSID bridging several VLANs, but I'm highly skeptical of a "3 SSIDs serving clients + being bridged as well" scenario, although I never tried it.

Nicolas

===

Don't forget to rate answers that you find useful

New Member

Re: Bridging multiple SSIDs and VLANs?

Here is the config for the ROOT bridge. I used the same config on the NON-ROOT except that I changed the station role.

service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1230a
!
enable secret 5 $1$5Ev5$9LS3BF8wbNO1xTCdrvOKr.
!
ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius rad_eap
server 192.168.1.25 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
cache expiry 1
cache authorization profile admin_cache
cache authentication profile admin_cache
!
aaa group server tacacs+ tac_admin
server 192.168.1.25
cache expiry 1
cache authorization profile admin_cache
cache authentication profile admin_cache
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
server 192.168.1.25 auth-port 1812 acct-port 1813
!
aaa group server radius rad_eap2
server 192.168.1.25 auth-port 1812 acct-port 1813
!
aaa group server radius infrastructure
server 192.168.1.25 auth-port 1812 acct-port 1813
!
aaa group server radius client
server 192.168.1.25 auth-port 1812 acct-port 1813
!
aaa authentication login default cache tac_admin group tac_admin local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authentication login eap_methods2 group rad_eap2
aaa authentication login method_infrastructure group infrastructure
aaa authentication login method_client group client
aaa authorization exec default cache tac_admin group tac_admin local
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
all
!
aaa session-id common
dot11 syslog
!
dot11 ssid Office
   vlan 192
   authentication network-eap eap_methods1
   authentication key-management wpa cckm
   guest-mode
   infrastructure-ssid
!
dot11 ssid Directors
   vlan 22
   authentication network-eap eap_methods2
   authentication key-management wpa cckm
!
dot11 ssid Guest
   vlan 112
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 13061E010803452922372B3C
!
!
!
username Cisco password 7 112A1016141D
username seth privilege 15 password 7 02050D480809
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 192 mode ciphers tkip
!
encryption vlan 22 mode ciphers aes-ccm
!
encryption vlan 112 mode ciphers tkip
!
ssid Office
!
ssid Directors
!
ssid Guest
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root bridge wireless-clients
!
interface Dot11Radio0.22
encapsulation dot1Q 22
no ip route-cache
bridge-group 22
bridge-group 22 subscriber-loop-control
bridge-group 22 spanning-disabled
!
interface Dot11Radio0.112
encapsulation dot1Q 112
no ip route-cache
bridge-group 112
bridge-group 112 subscriber-loop-control
bridge-group 112 spanning-disabled
!
interface Dot11Radio0.192
encapsulation dot1Q 192 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.22
encapsulation dot1Q 22
no ip route-cache
bridge-group 22
bridge-group 22 spanning-disabled
!
interface FastEthernet0.112
encapsulation dot1Q 112
no ip route-cache
bridge-group 112
bridge-group 112 spanning-disabled
!
interface FastEthernet0.192
encapsulation dot1Q 192 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.1.35 255.255.255.0
no ip route-cache
!
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
tacacs-server host 192.168.1.25 key 7 121A0C041104
tacacs-server directed-request
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.25 auth-port 1812 acct-port 1813 key 7 094F471A1A0A
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end

Cisco Employee

Re: Bridging multiple SSIDs and VLANs?

Hi,

So it's as I understood it. I don't see a technical way it could even work (i.e. I would be surprised if it works).

Let's say one AP receives a frame on an SSID. Normally it forwards it on the wired side. And frames received on the wired side in a VLAN are forwarded to the wireless side.

Here, when the AP receives a frame from a wireless client, it would need to maybe send it to the wired side, but also maybe bridge it through the bridge SSID... That can loop packets quite a lot.

Nicolas

===

Don't forget to rate answers that you find useful

New Member

Re: Bridging multiple SSIDs and VLANs?

OK, it works now. I took the advice of someone who once told me that if your config does not work, then you should clear it all out and start over. So that is what I did. And now it works. Of course, the downside to having multiple SSIDs on a bridge link is that you cannot use the MBSSID feature. So if you want to broadcast your SSID to allow users to see it, then it will have to be the SSID tied to the native VLAN, which will also be your infrastructure SSID.

Here is the config.

service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1230a
!
!
ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius rad_eap
server 192.168.1.25 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
cache expiry 1
cache authorization profile admin_cache
cache authentication profile admin_cache
!
aaa group server tacacs+ tac_admin
server 192.168.1.25
cache expiry 1
cache authorization profile admin_cache
cache authentication profile admin_cache
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
server 192.168.1.25 auth-port 1812 acct-port 1813
!
aaa group server radius rad_eap2
server 192.168.1.25 auth-port 1812 acct-port 1813
!
aaa authentication login default cache tac_admin group tac_admin local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authentication login eap_methods2 group rad_eap2
aaa authorization exec default cache tac_admin group tac_admin local
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
all
!
aaa session-id common
dot11 syslog
!
dot11 ssid Office
   vlan 192
   authentication open eap eap_methods1
   authentication network-eap eap_methods1
   authentication key-management wpa
   guest-mode
   infrastructure-ssid
!
dot11 ssid Directors
   vlan 22
   authentication network-eap eap_methods2
   authentication key-management wpa
!
dot11 ssid Guest
   vlan 112
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 121A0C0411044D0723382727
!
!
!
username Cisco password 7 01300F175804
username seth privilege 15 password 7 094F471A1A0A
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 192 mode ciphers tkip
!
encryption vlan 22 mode ciphers aes-ccm
!
encryption vlan 112 mode ciphers tkip
!
ssid Office
!
ssid Directors
!
ssid Guest
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
power local cck 1
power local ofdm 1
channel 2412
station-role root bridge wireless-clients
!
interface Dot11Radio0.22
encapsulation dot1Q 22
no ip route-cache
bridge-group 22
bridge-group 22 subscriber-loop-control
bridge-group 22 spanning-disabled
!
interface Dot11Radio0.112
encapsulation dot1Q 112
no ip route-cache
bridge-group 112
bridge-group 112 subscriber-loop-control
bridge-group 112 spanning-disabled
!
interface Dot11Radio0.192
encapsulation dot1Q 192 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.22
encapsulation dot1Q 22
no ip route-cache
bridge-group 22
bridge-group 22 spanning-disabled
!
interface FastEthernet0.112
encapsulation dot1Q 112
no ip route-cache
bridge-group 112
bridge-group 112 spanning-disabled
!
interface FastEthernet0.192
encapsulation dot1Q 192 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.1.35 255.255.255.0
no ip route-cache
!
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
tacacs-server host 192.168.1.25 key 7 13061E010803
tacacs-server directed-request
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.25 auth-port 1812 acct-port 1813 key 7 02050D480809
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
!
end
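An added configuration check, not code from the thread or from Cisco, that reads the `dot11 ssid` and radio sections of a config in the shape posted above and flags the constraints the replies turn on: the infrastructure SSID must sit on the native VLAN, and every client VLAN should carry a cipher (TKIP-only VLANs are reported as weak). `SAMPLE_CONFIG` is a constructed fragment, not the poster's config; the script assumes Python 3.8+.

```python
import re

# Constructed sample in the shape of the thread's 1230 config (values are illustrative).
SAMPLE_CONFIG = """\
dot11 ssid Office
   vlan 192
   infrastructure-ssid
dot11 ssid Guest
   vlan 112
interface Dot11Radio0
 encryption vlan 192 mode ciphers tkip
 station-role root bridge wireless-clients
interface Dot11Radio0.192
 encapsulation dot1Q 192 native
"""

def parse_ap_config(text):
    """Collect SSID -> VLAN/infrastructure flag, per-VLAN cipher, and the native VLAN."""
    ssids, ciphers, native, cur = {}, {}, None, None
    for raw in text.splitlines():
        s = raw.strip()
        if (m := re.match(r"dot11 ssid (\S+)", s)):
            ssids[(cur := m.group(1))] = {"vlan": None, "infra": False}
        elif s == "!" or s.startswith("interface "):
            cur = None  # left the dot11 ssid block
        elif cur and (m := re.match(r"vlan (\d+)$", s)):
            ssids[cur]["vlan"] = int(m.group(1))
        elif cur and s == "infrastructure-ssid":
            ssids[cur]["infra"] = True
        elif (m := re.match(r"encryption vlan (\d+) mode ciphers (\S+)", s)):
            ciphers[int(m.group(1))] = m.group(2)
        elif (m := re.match(r"encapsulation dot1Q (\d+) native", s)):
            native = int(m.group(1))
    return ssids, ciphers, native

def audit_bridge_ssids(text):
    """Return findings as 'kind: detail' strings; an empty list means the checks pass."""
    findings, (ssids, ciphers, native) = [], parse_ap_config(text)
    infra = [n for n, d in ssids.items() if d["infra"]]
    if len(infra) != 1:
        findings.append("infra: exactly one infrastructure-ssid is required on a bridge link")
    elif (v := ssids[infra[0]]["vlan"]) != native:
        findings.append(f"native: infrastructure SSID {infra[0]} is on VLAN {v}, native is {native}")
    for name, d in ssids.items():  # every client VLAN needs its own cipher line
        cipher = ciphers.get(d["vlan"])
        if cipher is None:
            findings.append(f"cleartext: SSID {name} (VLAN {d['vlan']}) has no encryption cipher")
        elif cipher == "tkip":
            findings.append(f"weak: VLAN {d['vlan']} ({name}) is TKIP-only; prefer aes-ccm")
    return findings
```

Run it against `show running-config` output saved to a file; the sample above yields a weak finding for VLAN 192 and a cleartext finding for the Guest SSID.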
