I should probably know this, but can't figure out a search term to answer in my setup. I have created a VLAN specifically for guests on my existing infrastructure. I have a 4402 and a 5508 WLC and a WCS. I want to add a second SSID (guest_wireless) to each AP and have it go only to VLAN 8, along with my existing production SSID (prod_wireless, VLAN 7). I don't want to necessarily set up the Lobby Ambassador and all of that, but would prefer to give a WEP key to vendors as they may be on legacy devices (manufacturing environment).
In a nutshell, at least one of the controllers must have a dynamic interface on vlan8 with a vlan8 IP address. Call it Guest? Create a WLAN with SSID guest and map it to the Guest interface. Set up your security on that WLAN. Push that WLAN to APs or groups of APs joined to that controller.
If some APs are joined to the other controller (that doesn't have a vlan8 dynamic interface), use the "guest anchoring" function to ship guest traffic to the (anchor) controller that does have a vlan8 interface. If the two controllers aren't in the same mobility group there are some additional contortions to go through but it is still very doable.
So the LWAPs can be in multiple AP Groups and therefore have multiple SSIDs? When creating a new interface on the controller, I am assuming it must be in a different subnet? I tried adding it in the same subnet as the management interface and was not allowed.
>So the LWAPs can be in multiple AP Groups and therefore have multiple SSIDs?
The other way around. A single AP group can have multiple WLANs, with their corresponding SSIDs assigned to the AP group. I've never tried putting an AP into multiple groups but I don't think it's allowed.
AP group "Warehouse" has WLANs CAD & Scanners (different SSIDs) assigned. APs in this group have two SSIDs.
AP group "FrontOffice" has WLANs Prod & CAD & Guest (different SSIDs) assigned. APs in this group have three SSIDs.
Each WLAN/SSID is mapped to a different dynamic controller interface.
>When creating a new interface on the controller, I am assuming it must be in a different subnet?
Yes. In your case, vlan8 for guest.
>I tried adding it in the same subnet as the management interface and was not allowed.
Sounds about right. The management interface is not a dynamic interface. Each WLAN needs a DYNAMIC interface (read vlan interface) where traffic to/from a particular WLAN/SSID is switched onto its wired vlan. An exception to this is the guest anchoring function. Here a WLAN is mapped to the management interface. Traffic for that WLAN is then shipped to an anchor controller that does have a dynamic interface on the desired vlan.