New Member

Pros and cons for one bridge with two ssid vs two bridge with one ssid per bridge

Hello,

I am currently running three AIR-AP1232AG-A-K9, and have two SSIDs running.  The current config is below; right now it has two bridges, one for each SSID.  It was recommended to me that I would only need one bridge, however no real pros and cons were given.

What are the pros and cons of one bridge with two SSIDs vs two bridges with one SSID per bridge?

------------------ current running config ------------------

Building configuration...

Current configuration : 8332 bytes
!
! Last configuration change at 00:40:47 AZT Sun May 27 2012
!
version 12.3
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service linenumber
service pt-vty-logging
service sequence-numbers
!
hostname ap2
!
logging count
logging rate-limit 512 except critical
logging console critical
enable secret 5 <removed>
!
clock timezone AZT -7
clock save interval 8
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip options drop
ip tcp synwait-time 10
no ip domain lookup
ip domain name jeremycrews.home
ip host rtwan.jeremycrews.home 192.168.16.1 192.168.16.33
ip host ap1.jeremycrews.home 192.168.16.2 192.168.16.34
ip host ap2.jeremycrews.home 192.168.16.3 192.168.16.35
ip host ap3.jeremycrews.home 192.168.16.4 192.168.16.36
ip host ooma.jeremycrews.home 192.168.16.5
ip host xbox.jeremycrews.home 192.168.16.6
ip host wii.jeremycrews.home 192.168.16.7
ip host ps3.jeremycrews.home 192.168.16.8
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip dhcp bootp ignore
!
!
ip ssh time-out 20
ip ssh authentication-retries 2
ip ssh version 2
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting update periodic 60
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 syslog
!
dot11 ssid guestonpg
   vlan 2
   authentication open
   authentication key-management wpa optional
   guest-mode
   wpa-psk ascii 7 101F5F415730070E1F10
   information-element ssidl advertisement
!
dot11 ssid playground
   vlan 1
   authentication open
   authentication key-management wpa optional
   wpa-psk ascii 7 0652577119195E41574441
   information-element ssidl advertisement
!
dot11 holdoff-time 60
dot11 ids eap attempts 3 period 60
dot11 network-map
!
!
dot1x timeout reauth-period server
username <removed> privilege 15 secret 5 <removed>
username <removed> privilege 15 secret 5 <removed>
archive
 log config
  logging enable
  logging size 255
  notify syslog
  hidekeys
 path tftp://192.168.16.12/ap2-config
 write-memory
 time-period 10080
!
bridge irb
!
!
interface Null0
 no ip unreachables
!
interface Loopback0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
!
interface Dot11Radio0
 description Radio b/g
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 !
 encryption vlan 1 mode ciphers aes-ccm tkip wep128
 !
 encryption vlan 2 mode ciphers aes-ccm tkip wep128
 !
 broadcast-key vlan 1 change 3600 membership-termination capability-change
 !
 broadcast-key vlan 2 change 3600 membership-termination capability-change
 !
 !
 ssid guestonpg
 !
 ssid playground
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 rts threshold 2312
 mobile station period 20 threshold 70
 beacon privacy guest-mode
 l2-filter bridge-group-acl
!
interface Dot11Radio0.1
 description Home WLAN b/g
 encapsulation dot1Q 1 native
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 port-protected
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 ip access-group guestAccess in
 ip access-group guestAccess out
 no ip proxy-arp
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 port-protected
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface Dot11Radio1
 description Radio a
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 !
 encryption vlan 1 mode ciphers aes-ccm tkip wep128
 !
 encryption vlan 2 mode ciphers aes-ccm tkip wep128
 !
 broadcast-key vlan 1 change 3600 membership-termination capability-change
 !
 broadcast-key vlan 2 change 3600 membership-termination capability-change
 !
 !
 ssid guestonpg
 !
 ssid playground
 !
 dfs band 3 block
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 channel dfs
 station-role root
 rts threshold 2312
 mobile station period 20 threshold 70
 beacon privacy guest-mode
 l2-filter bridge-group-acl
 infrastructure-client
!
interface Dot11Radio1.1
 description Home WLAN a
 encapsulation dot1Q 1 native
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 port-protected
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1.2
 description Guest WLAN a
 encapsulation dot1Q 2
 ip access-group guestAccess in
 ip access-group guestAccess out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 port-protected
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
!
interface FastEthernet0
 description RTWAN 192.168.16.1 192.168.16.33
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 description Home LAN Fa
 encapsulation dot1Q 1 native
 ip helper-address 192.168.16.1
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.2
 description Guest LAN Fa
 encapsulation dot1Q 2
 ip helper-address 192.168.16.33
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled
!
interface BVI1
 description Home Bridge LAN to WLAN
 ip address 192.168.16.3 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
!
interface BVI2
 description Guest Bridge LAN to WLAN
 ip address 192.168.16.35 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
!
ip default-gateway 192.168.16.1
no ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
ip access-list extended guestAccess
 permit tcp any any established
 permit tcp any any eq www
 permit udp any any eq bootps
 permit udp any any eq bootpc
 deny   ip any any
access-list 22 permit 192.168.16.0 0.0.0.63
snmp-server community <removed> RW 22
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps entity
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps cpu threshold
snmp-server enable traps aaa_server
snmp-server host 192.168.16.10 <removed>
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.16.1 auth-port 1645 acct-port 1646 key 7 <removed>
radius-server vsa send accounting
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
!
!
!
line con 0
 password 7 <removed>
 logging synchronous
 transport output ssh
line vty 0 4
 password 7 <removed>
 logging synchronous
 transport preferred ssh
 transport output ssh
line vty 5 15
 password 7 <removed>
 logging synchronous
 transport preferred ssh
 transport output ssh
!
scheduler allocate 4000 1000
scheduler interval 500
process cpu threshold type total rising 80 interval 10 falling 40 interval 10
sntp server 192.168.16.1
sntp broadcast client
end


3 REPLIES
Bronze

Pros and cons for one bridge with two ssid vs two bridge with one ssid per bridge

Hi ,

I reviewed the configuration and both show configured as access points and not bridges.

When we work with 1 SSID it is because you have one flat network and the network devices and wireless clients are on the same subnet or VLAN.

When we work with more than 1 SSID it is because you have segmented your network into VLANs, for example management VLAN, guest VLAN, user VLAN, etc. So for each VLAN you create an SSID and link it to the correct VLAN and then with the specific security method per WLAN.

New Member

Pros and cons for one bridge with two ssid vs two bridge with one ssid per bridge

Hello,

Interesting, what I mean by bridge is not bridge mode but having two BVI interfaces.  So here is a better idea: are there any pros and cons to running two SSIDs through the same bridge group?

Bronze (Accepted Solution)

Pros and cons for one bridge with two ssid vs two bridge with one ssid per bridge

Hi Jeremy,

The access point only supports having one BVI1 interface configured with an IP address since it is a basic layer 2 device.

Since it is IOS based you can try to configure an IP address on more than one BVI, but this will not work since the AP only supports an IP address configured on the BVI1 interface for management of the unit.

Now the access point allows us to configure VLANs, and for VLANs to work we need to link each VLAN to a specific bridge group, always leaving bridge group one, which is linked to the BVI1, for the VLAN the access point has an IP address on, set as the native VLAN.

Here is the link that explains how VLANs work on the access points.

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml

If you work with VLANs you can have different subnets or VLANs linked to each SSID and each SSID with a specific security method.
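The reply above states the layout rule for these access points: the IP address lives on BVI1 only, each VLAN is tied to one bridge group, and the native VLAN is the one on bridge group 1. The script below is an added example written for this thread; it is not a Cisco tool and not code from anyone in the thread. It parses a cut-down, constructed running-config in the same shape as the one posted above (the 192.0.2.x addresses, the `public` community and the type-7 strings are fake stand-ins), builds the VLAN-to-bridge-group map, and reports where the rule is violated, along with three hygiene points a reviewer would raise when such a config is posted in public: a WEP cipher left in the suite, a WPA PSK stored as a type-7 string (which `service password-encryption` only obfuscates), and a read-write SNMP community. It also runs the check against a variant with BVI2 removed and against one where VLAN 2 is tied to two different bridge groups.

```python
"""Audit a Cisco Aironet (IOS) running-config for its bridge-group / VLAN / BVI layout.

Added example for this thread, not a Cisco tool. The sample configs are constructed
stand-ins in the shape of the one posted above; addresses, keys and names are fake.
"""
import re
from collections import defaultdict

# Constructed sample: the OP's layout cut down to its essentials (one BVI per bridge group).
TWO_BVI_CONFIG = """\
dot11 ssid guestonpg
   vlan 2
   authentication open
   authentication key-management wpa optional
   wpa-psk ascii 7 0011223344556677
!
dot11 ssid playground
   vlan 1
   authentication open
   authentication key-management wpa optional
   wpa-psk ascii 7 7766554433221100
!
interface Dot11Radio0
 encryption vlan 1 mode ciphers aes-ccm tkip wep128
 encryption vlan 2 mode ciphers aes-ccm tkip wep128
 !
 ssid guestonpg
 ssid playground
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 bridge-group 2
!
interface BVI1
 ip address 192.0.2.3 255.255.255.224
!
interface BVI2
 ip address 192.0.2.35 255.255.255.240
!
snmp-server community public RW 22
"""
# Same layout with the second BVI removed (the shape the reply recommends).
ONE_BVI_CONFIG = TWO_BVI_CONFIG.replace(
    "interface BVI2\n ip address 192.0.2.35 255.255.255.240\n!\n", "")
# Broken variant: VLAN 2 tied to bridge-group 1 on the radio but bridge-group 2 on Ethernet.
MISMATCH_CONFIG = TWO_BVI_CONFIG.replace(
    "encapsulation dot1Q 2\n bridge-group 2", "encapsulation dot1Q 2\n bridge-group 1", 1)


def parse_sections(config):
    """Return (interfaces, ssids, globals). IOS indents sub-commands with spaces, so an
    indented line belongs to the current section; a non-indented line or bare '!' ends it
    (an indented ' !' is only a separator). Note the paste above lost its indentation."""
    interfaces, ssids, top = {}, {}, []
    current = None
    for raw in config.splitlines():
        if raw.startswith(" "):
            if current is not None and raw.strip() != "!":
                current.append(raw.strip())
            continue
        current = None
        if raw.startswith("interface "):
            current = interfaces.setdefault(raw.split()[1], [])
        elif raw.startswith("dot11 ssid "):
            current = ssids.setdefault(raw.split()[2], [])
        elif raw and raw != "!":
            top.append(raw)
    return interfaces, ssids, top


def audit(config):
    """Return a list of findings; an empty list means layout rule and hygiene checks pass."""
    interfaces, ssids, top = parse_sections(config)
    findings = []
    vlan_to_bg, native = defaultdict(set), set()
    for name, lines in interfaces.items():
        # Rule from the reply: the AP's management address belongs on BVI1 only.
        if name.startswith("BVI") and name != "BVI1" and any(l.startswith("ip address ") for l in lines):
            findings.append(f"{name}: IP address on a second BVI; the AP uses BVI1 alone for its address")
        vlan = bg = None
        for l in lines:
            m = re.match(r"encapsulation dot1Q (\d+)( native)?$", l)
            if m:
                vlan = int(m.group(1))
                if m.group(2):
                    native.add(vlan)
            m = re.match(r"bridge-group (\d+)$", l)
            if m:
                bg = int(m.group(1))
            if l.startswith("encryption ") and "wep" in l:
                findings.append(f"{name}: cipher suite still offers WEP ({l})")
        if vlan is not None and bg is not None:
            vlan_to_bg[vlan].add(bg)
    # Each VLAN maps to exactly one bridge group; the native VLAN is the bridge-group 1 / BVI1 side.
    for vlan, bgs in sorted(vlan_to_bg.items()):
        if len(bgs) > 1:
            findings.append(f"VLAN {vlan} is tied to several bridge groups: {sorted(bgs)}")
    for vlan in sorted(native):
        if vlan_to_bg.get(vlan) != {1}:
            findings.append(f"native VLAN {vlan} should be the one on bridge-group 1")
    for ssid, lines in ssids.items():
        vlans = [int(l.split()[1]) for l in lines if l.startswith("vlan ")]
        if not vlans or vlans[0] not in vlan_to_bg:
            findings.append(f"ssid {ssid}: not tied to a VLAN that has a bridge group")
        if any(l.startswith("wpa-psk ascii 7 ") for l in lines):
            # 'service password-encryption' only obfuscates (type 7); a posted config leaks the PSK.
            findings.append(f"ssid {ssid}: WPA PSK stored as a reversible type-7 string")
    if any(re.match(r"snmp-server community \S+ RW\b", l) for l in top):
        findings.append("read-write SNMP community configured")
    return findings


if __name__ == "__main__":
    for label, cfg in [("two BVIs", TWO_BVI_CONFIG), ("one BVI", ONE_BVI_CONFIG), ("mismatch", MISMATCH_CONFIG)]:
        print(f"== {label} ==")
        for finding in audit(cfg):
            print(" -", finding)
```

Run it on a real `show running-config` capture (which keeps IOS's leading-space indentation) by passing the file contents to `audit()`; the two-BVI sample reports six findings, the one-BVI sample five, and the mismatch sample adds a seventh for VLAN 2 being tied to both bridge groups.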
