Multiple SSID With Multiple VLANs configuration example on Cisco Aironet APs


Introduction

This document is a configuration example for mapping multiple SSIDs to multiple VLANs on an autonomous (IOS) Aironet access point, with the matching switch trunk.

Components used

  • Any multilayer (MLS) switch running IOS
  • Aironet Access Points

Assumption

This example assumes that a DHCP pool for each VLAN has already been configured on the IOS switch, on the router, or on a dedicated DHCP server.

Design

Assume three VLANs (1, 2 and 3), with VLAN 1 as the native VLAN, mapped to three different SSIDs (one, two and three) on an Aironet access point.

  • SSID one uses WEP encryption
  • SSID two uses WPA-PSK
  • SSID three uses WPA2-PSK
  • The AP's Ethernet port is connected to port fa 2/1 of the switch.
  • All three SSIDs are broadcast (MBSSID guest mode).

Configuration on the AP - Step 1

>> Configure each SSID and map it to its VLAN.

Note that "authentication open" must be configured before "authentication key-management wpa", otherwise IOS rejects the key-management line. The "0" in "wpa-psk ascii 0" marks the key as plaintext; "7" is only for a key that is already in IOS-encrypted form.

enable
configure terminal
dot11 ssid one
 vlan 1
 authentication open
 mbssid guest-mode
!
dot11 ssid two
 vlan 2
 authentication open
 authentication key-management wpa
 wpa-psk ascii 0 <WPA key>
 mbssid guest-mode
!
dot11 ssid three
 vlan 3
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 0 <WPA key>
 mbssid guest-mode
end


Step 2 - Assigning the encryption to the different SSIDs (per VLAN) on the radio

The cipher for each VLAN is configured on the radio before the SSIDs are bound to it. A 40-bit WEP key is 10 hexadecimal digits.

enable
configure terminal
interface dot11Radio 0
 encryption vlan 1 mode wep mandatory
 encryption vlan 1 key 1 size 40bit <10 hex digits> transmit-key
 encryption vlan 2 mode ciphers tkip
 encryption vlan 3 mode ciphers aes-ccm
 mbssid
 ssid one
 ssid two
 ssid three
end

Step 3 - Configuring the subinterfaces for Dot11Radio0 and FastEthernet0.

Each VLAN gets one radio subinterface and one Ethernet subinterface, both with the same dot1Q tag and the same bridge-group. The native VLAN's subinterfaces go into bridge-group 1, which is the group the management interface BVI1 belongs to.

AP# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
AP(config)# interface Dot11Radio0.1
AP(config-subif)# encapsulation dot1Q 1 native
AP(config-subif)# bridge-group 1
AP(config-subif)# interface FastEthernet0.1
AP(config-subif)# encapsulation dot1Q 1 native
AP(config-subif)# bridge-group 1
AP(config-subif)# interface Dot11Radio0.2
AP(config-subif)# encapsulation dot1Q 2
AP(config-subif)# bridge-group 2
AP(config-subif)# interface FastEthernet0.2
AP(config-subif)# encapsulation dot1Q 2
AP(config-subif)# bridge-group 2
AP(config-subif)# interface Dot11Radio0.3
AP(config-subif)# encapsulation dot1Q 3
AP(config-subif)# bridge-group 3
AP(config-subif)# interface FastEthernet0.3
AP(config-subif)# encapsulation dot1Q 3
AP(config-subif)# bridge-group 3
AP(config-subif)# exit
AP(config)# bridge irb
AP(config)# bridge 1 route ip
AP(config)# end
AP# write memory

Configuration on the Switch

en
conf t
int fa 2/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk native vlan 1
switchport trunk allowed vlan 1,2,3
end

The encapsulation is set before "switchport mode trunk": on switches whose trunk encapsulation defaults to auto, the mode command is rejected if it comes first.

Step 4 - Verification

1.  On the AP, issue the command "show dot11 associations"; all three SSIDs should be listed:

ap#show dot11 associations
802.11 Client Stations on Dot11Radio0:
SSID [one] :
SSID [two] :
SSID [three] :

2.  Ping the switch's VLAN interface from the AP; the ping should succeed.

MANAGING THE AP WITH MANAGEMENT IP ADDRESS

This is done by assigning an IP address to the BVI interface of the AP:

enable
configure terminal
interface bvi 1
 ip address <ip address> <mask>
 no shutdown
end
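The steps above follow one pattern per VLAN (SSID definition, a cipher on the radio, a pair of subinterfaces in the same bridge-group, and the native VLAN in bridge-group 1 for BVI1). The following script renders that pattern for any SSID table, together with the switch trunk. It is an added example written for this page, not a Cisco tool; the SSID names, keys, management address and port are constructed placeholders, and the 255 limit on bridge-group numbers and the override mechanism for VLAN ids above it are taken from the discussion in the comments.

```python
"""Render the document's autonomous Aironet (IOS) multi-SSID / multi-VLAN
configuration, plus the switch trunk, from a small SSID table.
Added example, not Cisco's tooling; assumptions are marked in comments."""
from dataclasses import dataclass
from typing import Dict, List

MAX_BRIDGE_GROUP = 255  # upper bound for bridge-group numbers noted in the comments


@dataclass(frozen=True)
class Ssid:
    name: str
    vlan: int
    security: str  # "wep", "wpa-psk" or "wpa2-psk" (the three cases in the document)
    key: str       # WEP: 10 hex digits (40-bit); WPA/WPA2: 8-63 character passphrase


def bridge_groups(ssids, native_vlan, overrides=None) -> Dict[int, int]:
    """VLAN -> bridge-group. The native VLAN is always bridge-group 1 (BVI1, which
    carries the management address); other VLANs default to their own number and
    need an explicit override when the VLAN id is above MAX_BRIDGE_GROUP."""
    overrides = overrides or {}
    groups = {native_vlan: 1}
    for s in ssids:
        if s.vlan in groups:  # native VLAN, or a second SSID on the same VLAN
            continue
        bg = overrides.get(s.vlan, s.vlan)
        if not 2 <= bg <= MAX_BRIDGE_GROUP:
            raise ValueError(f"VLAN {s.vlan}: bridge-group {bg} not in 2..{MAX_BRIDGE_GROUP}, give an override")
        if bg in groups.values():
            raise ValueError(f"VLAN {s.vlan}: bridge-group {bg} already in use")
        groups[s.vlan] = bg
    return groups


def ssid_block(s: Ssid) -> List[str]:
    """Step 1. 'authentication open' precedes WPA key-management, otherwise IOS
    rejects the key-management line (the error reported in the comments)."""
    lines = [f"dot11 ssid {s.name}", f" vlan {s.vlan}", " authentication open"]
    if s.security == "wpa-psk":
        lines += [" authentication key-management wpa", f" wpa-psk ascii 0 {s.key}"]
    elif s.security == "wpa2-psk":
        lines += [" authentication key-management wpa version 2", f" wpa-psk ascii 0 {s.key}"]
    elif s.security != "wep":
        raise ValueError(f"{s.name}: unsupported security {s.security!r}")
    return lines + [" mbssid guest-mode", "!"]


def radio_block(ssids: List[Ssid]) -> List[str]:
    """Step 2: one cipher per VLAN on the radio, then bind the SSIDs."""
    lines = ["interface Dot11Radio0", " mbssid"]
    for s in ssids:
        if s.security == "wep":
            lines += [f" encryption vlan {s.vlan} mode wep mandatory",
                      f" encryption vlan {s.vlan} key 1 size 40bit {s.key} transmit-key"]
        elif s.security == "wpa-psk":
            lines.append(f" encryption vlan {s.vlan} mode ciphers tkip")
        else:
            lines.append(f" encryption vlan {s.vlan} mode ciphers aes-ccm")
    return lines + [f" ssid {s.name}" for s in ssids] + ["!"]


def subif_blocks(groups: Dict[int, int], native_vlan: int) -> List[str]:
    """Step 3: matching radio and Ethernet subinterfaces, same bridge-group per VLAN."""
    lines: List[str] = []
    for vlan, bg in sorted(groups.items()):
        native = " native" if vlan == native_vlan else ""
        for parent in ("Dot11Radio0", "FastEthernet0"):
            lines += [f"interface {parent}.{vlan}", f" encapsulation dot1Q {vlan}{native}",
                      " no ip route-cache", f" bridge-group {bg}", "!"]
    return lines


def ap_config(ssids, native_vlan, mgmt_ip, mgmt_mask, overrides=None) -> List[str]:
    """Full AP configuration: SSIDs, radio, subinterfaces, IRB and the BVI1 address."""
    lines: List[str] = []
    for s in ssids:
        lines += ssid_block(s)
    lines += radio_block(ssids)
    lines += subif_blocks(bridge_groups(ssids, native_vlan, overrides), native_vlan)
    return lines + ["bridge irb", "bridge 1 route ip", "interface BVI1",
                    f" ip address {mgmt_ip} {mgmt_mask}", " no shutdown", "!"]


def switch_trunk(port: str, native_vlan: int, vlans) -> List[str]:
    """Switch side. Encapsulation is set before 'switchport mode trunk', because a
    switch whose encapsulation defaults to auto rejects the mode command otherwise."""
    allowed = ",".join(str(v) for v in sorted(set(vlans) | {native_vlan}))
    return [f"interface {port}", " switchport trunk encapsulation dot1q",
            " switchport mode trunk", f" switchport trunk native vlan {native_vlan}",
            f" switchport trunk allowed vlan {allowed}", "!"]


# Constructed sample matching the document: VLANs 1, 2, 3 with VLAN 1 native.
# Keys, the management address and the switch port are placeholders.
DOC_SSIDS = [Ssid("one", 1, "wep", "1234567890"),
             Ssid("two", 2, "wpa-psk", "example-wpa-passphrase"),
             Ssid("three", 3, "wpa2-psk", "example-wpa2-passphrase")]

if __name__ == "__main__":
    print("\n".join(ap_config(DOC_SSIDS, 1, "192.0.2.10", "255.255.255.0")))
    print("\n".join(switch_trunk("FastEthernet2/1", 1, [s.vlan for s in DOC_SSIDS])))
```

Running it prints the AP configuration for the three SSIDs of the document followed by the trunk for fa 2/1. A guest VLAN such as 600 from the comments is handled by passing `overrides={600: 254}`, which is the mapping suggested there; without an override the script refuses the VLAN instead of silently producing a bridge-group number the AP will not accept.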


Verify

Issue the command "show ip int br" on the AP and check that all the interfaces are up.

This is it!!

PS:

A video on the same topic is also available.

[Attached image: multiple SSID.bmp]

I have attached the sample working config from the switch and the AP for 2 SSIDs.

Comments
New Member

Thanks for the great document.

I do have a question...

I am trying to do this sort of configuration with only two vlans. However I want the native vlan (1) to be without wireless and only wireless on guest vlan 600. My manager wants me to have vlan 1 for management but without wireless access.

How can I have an IP address for both vlans and still have vlan 1 without wireless?

The IP address of the BVI is throwing me off.

Can anyone offer suggestions?

Thanks in advance.

Cisco Employee

Hi,

Yes, you can do that.. Don't map an SSID to VLAN 1; just make sure you have VLAN 1 as native on the switch, configure the Dot11 0.1 and Ethernet 0.1 subinterfaces on the AP, let them be in bridge-group 1 and then encapsulation dot1Q 1 native.

This will do it for you!!

New Member

Cool. So where do I put the management IP address for the native VLAN 1? On ethernet0.1? Or on the BVI?

Where would I put the IP address for VLAN 600? Does the bridge group need to match VLAN 600? I think it only goes to 255. Know what I mean?

Thanks for your help. I need to complete this tomorrow.

Cisco Employee

Hi,

>> So where do I put the management IP address for the native vlan 1? On ethernet0.1? or on the BVI?

ANS - It's on the BVI interface.

>> Where would I put the IP address for vlan  600?

ANS - make sure you configure this on the switch.. and configure the trunk port between AP and the switch allowing vlan 600.

>> Does the bridge group need to match VLAN 600? I think it only goes to 255. Know what I mean?

ANS - Yes, you are right!! That goes till (bridge group) 255.. Map the SSID to VLAN 600, then create dot11 0.600, encapsulate it with VLAN 600 (encap dot1Q 600) and bridge it with bridge group 254!! Under both the radio and the Ethernet..

This will work.

New Member

Thanks so much for your help.

I meant for question two...where can i give the AP an IP address on vlan 600?

Would this be possible?

Cisco Employee

Since we are bridging the VLAN 600 traffic.. there is no need to give the AP an IP address on VLAN 600.. the bridging will take care of it..

New Member

Sweet!

Thanks so much for your help!!!!

Cisco Employee

It's my pleasure!! And thank you for posting on CSC!!

New Member

Surenda,

Is it possible with this config to keep the default on the vlan 600 side even though the BVI is addressed on vlan 1?

Reason I ask is that vlan 600 (172.16.11.0/24) is on a guest network with a guest DSL internet connection. We want all wireless users to use that egress. However we still want to be able to manage the AP on the vlan 1 side (192.168.3.0/24) with no wireless on vlan 1.

Is it possible?

Thanks again!!!

Cisco Employee

If you have VLAN 600 in the network and we are able to reach VLAN 600 from VLAN 1, then everything will work fine..

New Member

We don't want the vlans to be able to reach each other. Just layer 2 with no routing in between. Wireless users hit vlan 600 to DSL gateway 172.16.11.1 and vlan 1 just for management that we can access from the network. We don't want to reach the vlan 600 side and don't want users on vlan 600 to reach vlan 1 side.

Make sense? That's where I am tied up.

What do you think?

New Member

Got it working buddy!

Thanks again!!!

Thanks Surendra for providing this useful information.

Regards,

Vinay

New Member

Hi Surendra,

This is a fantastic doc. I am also facing issues configuring multiple SSIDs with multiple VLANs. I will try this out on Monday, i.e. tomorrow. I will get back to you in case I face any issue.

Dinesh

Cisco Employee

Thank you!! Let me know if you need any assistance!!

New Member

Hello.

I have the same problem, but I need 3 VLANs and 2 MBSSIDs: VLAN 25 for administration, VLAN 20 Production and VLAN 90 Visitors, but only 2 MBSSIDs (AP_Production on VLAN 20 and AP_Visitor on VLAN 90). The two SSIDs need 40-bit WEP encryption. At the same time VLAN 20 "Production" needs to use an ip helper-address (10.106.10.65), and VLAN 90 "Visitors" only Internet access, with DHCP assigned in the range 192.168.10.160/27.

Well, my problem is that I'm such a newbie in Cisco commands.

I read all over the Internet and forums and didn't find anything.

thanks

New Member

Hi Surendra, with this document I'm building the same solution in our office. Thank you again, and the video is so great!

I will try out this today. Best regards

New Member

Surendra,

Thanks for laying this out!...  But I've another related question:  Can you have a 'single' SSID accept multiple types of encryption?...

Using your example, is it possible to modify the commands above to:

authentication key-management wpa

authentication key-management wpa version 2

&&

encryption vlan 2 mode ciphers tkip

encryption vlan 2 mode ciphers aes-ccm

could I allow vlan 2 above to accept both WPA & WPA2 ( tkip & aes-ccm )?

Or if not possible in the way I did it above, is it possible (from the "users" perspective) to have 1 (one) ssid from which their computer / device will automatically select WPA2 or WPA?

Thanks,

George

New Member

Hi Surendra,

I was just given this task to see how i can configure a second ssid for guest access in our environment.

This is our network setup prior to this request: Internet----Firewall (not ASA)---ce520---C1131AG, and the CME router is also connected to the ce520 switch. We only have two VLANs: one for voice and two for data.

Presently, there is no VLAN configured on the AP because it is only broadcasting one SSID, and wireless users get IPs from a Windows DHCP server on the LAN. The configuration on the ce520 switch port for the AP and other switches says access vlan is the DATA VLAN, which automatically becomes the native VLAN for all trunk ports connecting the AP and other switches to the network.

Now with this new requirement, I have done my research and I have configured the AP to broadcast both the production and the guest VLANs. The two VLANs are 20-DATA and 60-Guest. I made the DATA VLAN on the AP the native VLAN since the PoE switch is using the DATA VLAN as native on the trunk ports. I configured the firewall to serve as DHCP server for the guest SSID and I have added the ip helper-address on the guest VLAN interface on all switches, while the Windows server remains the DHCP server for the production DATA VLAN. I have confirmed that the AP and switches can ping the default gateway of the guest DHCP server, which is another interface on the firewall. I can now see and connect to all broadcast SSIDs, but the problem is I am not getting IP addresses from either the production DHCP server or the guest DHCP server when I connect to the SSIDs one at a time.

Please tell me what I am doing wrong.

Do I need to redesign the whole network to have a native VLAN other than the data VLAN?

Does the access point need to be aware of the voice VLAN?

Does the native VLAN on the AP need to be in bridge-group 1, or can I leave it in bridge-group 20?

I will greatly appreciate your urgent response.

Thanks in advance.

Cisco Employee

Hi,

Please post the show run from the AP.. if possible, post a new thread in the questions section of the forum.

I will have a look into the same and will get back to you!!

Regards

Surendra

Hi Surendra

I've been working with your example here and it's working great.  I have stalled on one part though and I'm really struggling to get round it.  The management interface of the WAP is on vlan 3.  If I am on the switch and put "switchport trunk native vlan 3", the BVI interface becomes pingable but SSID three stops working.  Take the native line off again and the BVI port becomes unavailable but SSID 3 works fine again.

Sorry if my question shows up my inexperience!

Thanks in advance for any assistance you can offer me

Steve

Sorry to bother, I've figured it.  In case anyone else is stuck, the bridge group on FA0.3 and Dot 0.3 needed to be 1 rather than 3  (note, I don't use vlan 1 for anything) and also FA0.3 and Dot 0.3 needed encaps dot1Q 3 NATIVE put in.  Thanks!

New Member

Steve, would you mind elaborating, because I still don't grasp it: in our whole environment we don't use VLAN 1 either. It is the native VLAN on all our Catalyst switches but no IP port is assigned anywhere, so it is sort of a dummy. We use, say, VLAN 6 for admin, and that is where I would like to see the only IP address. I tried on gig0.6 as well as configuring bridge-group 6 on it and assigning the IP on interface BVI6, even configuring bridge 6 route ip. All to no avail: I cannot ping this IP from the admin VLAN and vice versa.

What is wrong here?

I don't want any routing and actually bridging as well. I used Lancoms earlier and it was as simple as configuring 3 VLANs (for admin, corporate and guest lans, assigning the latter two to Dot Interfaces) and that was that - all the rest is taken care of DHCP/DNS/Gateway devices plugged to respective switchport mode access-Configured ports.

Thanks for any help in advance!

Hi Boian

You'll have to bear with me here because it's been a little while since I got my WAPs working, and now I just copy-alter-paste the entire running config into a new WAP. However, I've just jumped onto one of my WAPs and I believe below are the key elements of the config that you need. I've hand typed it, so watch out for any typos! This is on a Cisco 1131AG in autonomous mode.

I have two VLANs, one for admin and one for guest. VLAN 2 is for admin, VLAN 3 is for guest (VLAN 1 is shut down on the switch). Whilst my switch is configured with a management IP address for VLAN 2, it's not necessary for this to work, providing that the subnet you are using is addressable from outside that subnet.

Basically, there are two VLANs, which means the WAP needs two virtual radio interfaces and two virtual Ethernet interfaces, and the virtual radio interfaces need to be bridged to each other. In my case, I've got radio interfaces 0.2 and 0.3, and Ethernet interfaces 0.2 and 0.3. For reasons I'm struggling to remember, the admin VLAN needed to use bridge-group 1.

This is how my WAP runs:

int dot11radio0
 encrypt vlan 2 mode ciphers aes-ccm
 encrypt vlan 3 mode ciphers aes-ccm
 broadcast-key change 86000
 mbssid
 ssid guest
 ssid admin
int dot11radio0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
int dot11radio0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
int fa0.2
 encapsulation dot1Q 2 native
 no ip route-cache
 bridge-group 1
int fa0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
dot11 ssid guest
 vlan 3
 authentication open
 authentication key-management wpa version 2
 mbssid guest-mode
 wpa-psk ascii [key goes here]
dot11 ssid admin
 vlan 2
 authentication open
 authentication key-management wpa version 2
 mbssid guest-mode
 wpa-psk ascii [different key goes here]
bridge irb
int bvi1
 ip address [address] [mask]
ip default-gateway [address]

Then on the switch, the config looks like this:

int fa0/1
 switchport trunk encapsulation dot1Q
 switchport mode trunk
 switchport trunk native vlan 2

I had a lot of issues being able to get to the management interface of the WAP from the admin vlan and the issue surrounded the use of the native vlan - or to be precise, I wasn't using the native vlan commands.

Does that help?

Steve

New Member

Steve thanks for the prompt answer. Sorry for my delay.

Now it actually works, considering that I am using, as you proposed, bridge-group 1 for this purpose.

But as a responsible CCNA I can only say: this config is RIDICULOUS!

Not only should a router WORK as a router, allowing interface #.# as a VLAN interface AND switching it to the directly attached port of another network component, but also a network administrator should be given the opportunity to choose whether to use bridge-groups at all or not!

Even with your proposed configuration I had to restart the device for the management IP to get working. And furthermore, its virtual MAC is now staying on VLAN 1 as well as on VLAN 6 of the switch's MAC table (management VLAN 6 configured as native on both ends), meaning to me that bridge group 1 is somehow adding a VLAN 1 header.

And also the Aironet 1600 standalone modules delivery was MISERABLE! No user manual, no description, not even a power supply!

This is the last time I purchase anything from these monkeys, really!!!

Cisco Employee

Hi

I really appreciate you guys discussing this here.. but this is a document section.. for any technical questions, please post a question on the discussion forum and you will get better responses..

Regards

Surendra

New Member

Surendra, you are right, sorry for that: this section is the wrong place for the otherwise right words.

PS: blame only me, Steve has nothing to do with it (because you mention "guys" above) ;-p

New Member

One more piece of technical feedback to Steve and others interested: actually you are not bound to bridge-group 1. My testing showed that mapping your admin VLAN (say 2) to another bridge-group (say 2 as well) and then defining the bvi2 IP address can work perfectly well, BUT only if you assign VLAN 2 as native on the switch trunk port. By the way, you don't necessarily need to assign eth0.2 encapsulation dot1Q 2 native on the AP; without native it still runs. What really disturbs me is that even in this scenario, a shutdown of bvi1 won't stop it announcing its MAC address on VLAN 1 to the switch.

Commands that don't work on Aironet 1600 were: "no bridge-group 1" on any interface, "no int bvi1", "no bridge 1" and "no bridge irp". No need to try them at all

New Member

OK, What am I missing here. Step Three just does not work!

I'm trying to implement WPA2PSK on a Cisco 1142 AP running (C1140-K9W7-M), Version 15.2(4)JA1, but I just can't seem to get it to work:

ap(config)#Dot11 ssid three
ap(config-ssid)#Vlan 3
ap(config-ssid)#authentication key-management wpa version 2
Error: open or network-eap authentication is required for WPA
ap(config-ssid)#wpa-psk ascii 7 cisco123cisco123
Error: Key-management WPA is requried for WPA-PSK

I've tried enabling ciphers under the Dot11Radio0 interface (encrypt vlan 3 mode ciphers aes-ccm), but still won't work and I still get the error message for the WPA Version 2.

Can someone please post a working configuration for WPA2-PSK for a 1142N and explain what I'm missing?

Thanks.

New Member

Dominic,

I know it is too late to answer your question, but just for the record, your problem here was that you were missing the following line:

ap(config-ssid)#authentication open

And then you should be able to configure the key-management without any problems.

Thanks

New Member

I tried to configure two Cisco 1410s as point-to-point, one as root and the other as non-root, with multiple SSIDs/VLANs. However, as soon as I configure a subinterface, my dot11radio interface goes down.

Any thoughts would be greatly appreciated. here's my config:

ip domain name VAUG-RAP-01
!
dot11 ssid RAP01-BAP01-1
   vlan 1
!
dot11 ssid RAP01-BAP01-2
   vlan 2
!
dot11 ssid RAP05-BAP05-800
   vlan 800
   authentication open
!
dot11 ssid RAP01-BAP01-801
   vlan 801
!
dot11 ssid RAP01-BAP01-802
   vlan 802
!
dot11 ssid RAP01-BAP02-2
   vlan 2
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 800 mode ciphers tkip
 !
 ssid RAP01-BAP01-1
 !
 ssid RAP01-BAP01-2
 !
 ssid RAP01-BAP01-800
 !
 ssid RAP01-BAP01-801
 !
 ssid RAP01-BAP01-802
 !
 channel 5745
 station-role root bridge
 rts threshold 4000
 concatenation
 infrastructure-client
!
interface Dot11Radio0.1
 encapsulation dot1Q 800 native
 no ip route-cache
 bridge-group 1
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
!
interface Dot11Radio0.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
!
interface Dot11Radio0.101
 encapsulation dot1Q 801
 no ip route-cache
 bridge-group 101
!
interface Dot11Radio0.102
 encapsulation dot1Q 802
 no ip route-cache
 bridge-group 102
!
interface FastEthernet0
 no ip address
 no ip route-cache
!
interface FastEthernet0.1
 encapsulation dot1Q 800 native
 no ip route-cache
 bridge-group 1
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
!
interface FastEthernet0.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
!
interface FastEthernet0.101
 encapsulation dot1Q 801
 no ip route-cache
 bridge-group 101
!
interface FastEthernet0.102
 encapsulation dot1Q 802
 no ip route-cache
 bridge-group 102
!
interface BVI1
 ip address 10.74.20.61 255.255.255.192
 no ip route-cache
!
ip default-gateway 10.74.20.1

New Member

Hello freemanslim

Well, you have too many SSIDs configured.

For a P2P bridge link, only one SSID is needed. I suggest you remove all except the one for VLAN 800.

According to your configuration, the IP on your BVI is 10.74.20.61, and this should belong to VLAN 800. So the SSID that you need to create should belong to VLAN 800.

You need at least to configure the SSID with "authentication open", and my recommendation is to add some encryption to it.
Right now you do have encryption on the radio for VLAN 800, but you do not have WPA configured on the SSID; this is why the radio is not starting (plus the fact of all the unneeded SSIDs).

However, you do need the subinterfaces on the radio interface and on the FastEthernet interface. The SSID will act as a trunk and will carry all the VLANs between the two bridges using only one SSID.

Let me know if this helps.

New Member

Great article! 

I am configuring an aironet device for 1st time (1602i here).

I managed to configure everything (and everything works) except that I can't access the device; I am managing it through line con 0.

I have configured VLAN 10 as the management VLAN in my network, so I configured the BVI interface in that IP range.

So, my question is, what should I create for VLAN 10 (int ge0.10, dot11 ssid, dot11radio 0.10)???

Should VLAN 10 be the native VLAN??

And if I create all those under bridge-group 10, should I configure bridge 10 route ip???

thanks,

New Member

Hi Pepi Stojanovski,

You could be talking about two different issues. According to your notes you can't access the AP through line con 0 (console session). The configuration of the subinterfaces or VLANs should not affect the accessibility of the device through the console; the only thing that could prevent you from accessing the console is if you lost the password. Try different terminal software (like PuTTY or SecureCRT).

For the VLANs, if you add VLAN support, you do need to create ge0.10 and dot11radio 0.10, and these need to be in bridge-group 1 with native VLAN 10.

No bridge 10 route ip is needed; in fact on an access point, even with multiple VLANs and bridge-groups, the only one really needed is bridge 1 route ip.

Hope this helps

New Member

Hi Carlos, 

thanks for the help : )

In fact, I am able to access the device only through line con 0.

I'll try the VLAN config and let you know!

New Member

Carlos,

I just forgot to config the trunk port on the switch with VLAN 10 as native : )

all good now,


thanks!

New Member

I have a Cisco Aironet 1100 AP and I have 5 VLANs in my network, as follows:

vlan101 with name (APmangm101)
vlan4 with name (Voice4)
vlan6 with name (User6)
vlan8 with name (inter8)

and vlan100 is the native VLAN.

Step 1
I configured the SSIDs and mapped them to their respective VLANs (vlan4, vlan6, vlan8) as follows:

Dot11 ssid Voice4
vlan 4
authentication open
authentication key-management wpa
wpa-psk ascii admin4444
mbssid guest-mode
exit

Dot11 ssid User6
vlan 6
authentication open
authentication key-management wpa
wpa-psk ascii admin666
mbssid guest-mode
exit

Dot11 ssid inter8
vlan 8
authentication open
authentication key-management wpa
wpa-psk ascii admin888
mbssid guest-mode
exit

Step 2
Assigning the encryption to the different SSIDs with their respective VLANs.


int dot11Radio 0
mbssid
encryption vlan 4 mode ciphers aes-ccm
encryption vlan 6 mode ciphers aes-ccm
encryption vlan 8 mode ciphers aes-ccm
ssid Voice4
ssid User6
ssid inter8

Step 3
Configuring the sub interface for Dot11 radio 0 and Ethernet

interface Dot11Radio0.100
encapsulation dot1Q 100 native
bridge-group 100
exit

interface fastethernet0.100
bridge-group 100
encapsulation dot1Q 100 native
exit


interface Dot11Radio0.101
encapsulation dot1Q 101
bridge-group 101
exit


interface fastethernet0.101
bridge-group 101
encapsulation dot1Q 101
exit


interface Dot11Radio0.4
encapsulation dot1Q 4
bridge-group 4
exit


interface fastethernet0.4
bridge-group 4
encapsulation dot1Q 4
exit


interface Dot11Radio0.6
encapsulation dot1Q 6
bridge-group 6
exit


interface fastethernet0.6
bridge-group 6
encapsulation dot1Q 6
exit

interface Dot11Radio0.8
encapsulation dot1Q 8
bridge-group 8
exit


interface fastethernet0.8
bridge-group 8
encapsulation dot1Q 8
exit

bridge irb
bridge 1 route ip
exit


Step 4
Configuration on the switch

int g1/0/3
switchport mode trunk
switchport trunk native vlan 100
switchport trunk allowed vlan 100,101,4,6,8
exit

=======================================================
My question:
1- The AP works with multiple SSIDs, and I can connect to any SSID and ping any network, but when I try to ping the AP's management IP (172.16.101.20) I can't, and I can't access the AP's web page either.
2- When I type this command (at the bottom), the AP disconnects and I can't ping it, even after reloading it manually:

 interface fastethernet0.100
 bridge-group 100

Why does it disconnect?

Note:
interface BVI1
 ip address 172.16.101.20 255.255.255.0

ip default-gateway 172.16.101.254

 

New Member

Hello Essam,

I know what the problem is. Usually when you configure an access point, the main interface of the AP is interface BVI1, and the IP address 172.16.101.20, according to your description, belongs to VLAN 100.

This means that BVI1 is going to be mapped to VLAN 100.

BVI1 literally means Bridge Virtual Interface 1; in other words, it means bridge-group 1.

interface Dot11Radio0.100
encapsulation dot1Q 100 native
bridge-group 100

So when you state above on the subinterface that the native VLAN 100 belongs to bridge-group 100, you are basically locking up the AP, because it is not being mapped to BVI1, it is being mapped to BVI100.
I know that BVI100 does not exist and does not need to be configured, but it is the same as saying bridge-group 100.
The only interface that needs an IP address on an autonomous AP is BVI1, therefore the native VLAN should always be mapped to this interface. BVI1 = bridge-group 1.

In other words, the configuration should look like this:

interface Dot11Radio0.100
encapsulation dot1Q 100 native
bridge-group 1


This needs to be modified in both the radio and fastethernet interface.

Try this and let me know if this works.
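The recurring mistakes in this thread are all mechanical: the native VLAN landing in a bridge-group other than 1 (Essam's lock-out, Steve's earlier fix), a WPA SSID missing "authentication open" (Dominic's errors), an SSID whose VLAN has no cipher on the radio (the P2P bridge case), and mismatched bridge-groups on the two sides of a VLAN. The linter below checks a saved running-config for exactly those conditions and can apply the bridge-group 1 fix Carlos describes. It is an added example written for this page, not a Cisco tool; the sample configuration is constructed to reproduce the reported mistakes, and the 255 upper bound on bridge-group numbers is taken from the comments above.

```python
"""Lint an autonomous Aironet running-config for the VLAN/bridge-group
mapping mistakes discussed in this thread (added example, not a Cisco tool)."""
import re
from typing import Dict, List, Tuple

MAX_BRIDGE_GROUP = 255  # highest bridge-group number, as noted in the comments


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split IOS config text into (header, indented child lines) blocks."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def lint_aironet(config: str) -> List[str]:
    """Return human-readable findings; an empty list means no known pitfall found."""
    findings: List[str] = []
    ssids: Dict[str, List[str]] = {}
    subifs: Dict[str, List[str]] = {}
    ciphers = set()  # VLANs with 'encryption vlan N mode ...' on the radio
    for header, body in parse_blocks(config):
        if header.startswith("dot11 ssid "):
            ssids[header.split(None, 2)[2]] = body
        elif header == "interface Dot11Radio0":
            for l in body:
                m = re.match(r"encryption vlan (\d+) mode", l)
                if m:
                    ciphers.add(int(m.group(1)))
        elif re.match(r"interface \S+\.\d+$", header):
            subifs[header.split()[1]] = body
    for name, body in ssids.items():
        wpa = any(l.startswith("authentication key-management wpa") for l in body)
        opened = any(l.startswith(("authentication open", "authentication network-eap")) for l in body)
        if wpa and not opened:  # IOS: "open or network-eap authentication is required for WPA"
            findings.append(f"ssid {name}: key-management wpa without 'authentication open'")
        vlan = next((int(l.split()[1]) for l in body if l.startswith("vlan ")), None)
        if vlan is not None and vlan not in ciphers:
            findings.append(f"ssid {name}: no 'encryption vlan {vlan} mode ...' on Dot11Radio0")
    per_vlan: Dict[int, Dict[str, int]] = {}  # vlan -> {parent interface: bridge-group}
    for name, body in subifs.items():
        enc = next((l for l in body if l.startswith("encapsulation dot1Q ")), None)
        bg = next((int(l.split()[1]) for l in body if l.startswith("bridge-group ")), None)
        if enc is None or bg is None:
            findings.append(f"{name}: missing encapsulation dot1Q or bridge-group")
            continue
        vlan, native = int(enc.split()[2]), enc.endswith(" native")
        if bg > MAX_BRIDGE_GROUP:
            findings.append(f"{name}: bridge-group {bg} exceeds {MAX_BRIDGE_GROUP}")
        if native and bg != 1:  # native VLAN must be BVI1, i.e. bridge-group 1
            findings.append(f"{name}: native VLAN {vlan} in bridge-group {bg}, management BVI1 needs bridge-group 1")
        per_vlan.setdefault(vlan, {})[name.split(".")[0]] = bg
    for vlan, parents in per_vlan.items():
        if len(parents) < 2:
            findings.append(f"VLAN {vlan}: subinterface on only one side ({', '.join(parents)})")
        elif len(set(parents.values())) > 1:
            findings.append(f"VLAN {vlan}: radio and Ethernet subinterfaces in different bridge-groups {parents}")
    return findings


def fix_native_bridge_group(config: str) -> str:
    """Apply the fix from the thread: every 'native' subinterface goes to bridge-group 1."""
    out, in_native = [], False
    for line in config.splitlines():
        text = line.strip()
        if not line.startswith(" "):
            in_native = False
        elif text.startswith("encapsulation dot1Q ") and text.endswith(" native"):
            in_native = True
        elif in_native and text.startswith("bridge-group "):
            line = " bridge-group 1"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample reproducing the mistakes reported above: native VLAN 100 in
# bridge-group 100, a WPA2 SSID without 'authentication open' and without a cipher
# on the radio, and VLAN 3 bridged into different groups on the two sides.
SAMPLE_CONFIG = """\
dot11 ssid three
 vlan 3
 authentication key-management wpa version 2
 wpa-psk ascii 0 example-passphrase
 mbssid guest-mode
!
interface Dot11Radio0
 mbssid
 encryption vlan 4 mode ciphers aes-ccm
 ssid three
!
interface Dot11Radio0.100
 encapsulation dot1Q 100 native
 bridge-group 100
!
interface FastEthernet0.100
 encapsulation dot1Q 100 native
 bridge-group 100
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 bridge-group 3
!
interface FastEthernet0.3
 encapsulation dot1Q 3
 bridge-group 1
!
"""

if __name__ == "__main__":
    for finding in lint_aironet(SAMPLE_CONFIG):
        print(finding)
```

On the sample it reports five findings; after fix_native_bridge_group only the SSID and VLAN 3 findings remain, which have to be corrected by hand (add "authentication open", add a cipher for VLAN 3 on the radio, and put both VLAN 3 subinterfaces in the same bridge-group). The lint is deliberately strict about the native VLAN because, as the thread shows, that mistake takes the management address off the air rather than producing an error at the CLI.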


New Member

Thank you so much Carlos Leiton, everything is OK now.

But according to the configuration, if I need to use the AP's IP on [vlan101 with name (APmangm101)] and not on the same VLAN 100 (native VLAN), what is the suitable configuration to do it? Because with my configuration (as I told you) I can connect to any SSID and ping any network, but when I try to ping the AP's management IP (172.16.101.20) I can't, and I can't access the AP's web page.

In other words, if I need to keep VLAN 100 as the native VLAN but the management IP of the AP in VLAN 101, how can I configure it?

New Member

If we talk about the old school, the native VLAN should always be mapped to the BVI1 interface.
Therefore, if you want VLAN 100 to be the native, then you should map it to bridge-group 1.
But if you allow me to make a recommendation, the easiest answer and the best way to configure this, if you want to use the AP's IP address on VLAN 101, is to map VLAN 101 to bridge-group 1 and make this the native VLAN on the AP and on the switch port.

New Member

Hi Carlos Leiton, my name is Ricardo and I'm having the same scenario as Essam H above, but I have a question: do I need to configure QoS on the AP for the voice VLAN, or will the QoS on the switch do this job??

I think I need to put some QoS on the AP, but I don't know what commands will achieve this.

I'm a little bit confused about this..

Thanks you!

Best regards.

Hi Surendra,


I just wanted to thank you especially for a great post, and also other peoples discussions. Has cleared up loads of little queries I had with configuring cisco AP's.


Many thanks and keep up the good work.


Kind Regards

Ezeddean

New Member

I am having a problem getting CDP working over some Aironet wireless bridges. I have created a thread here, but no one has replied. I was hoping that maybe someone has an idea?


https://supportforums.cisco.com/discussion/12502911/cdp-shows-co-bridge-cpe-bridge-not-cpe-bridge-co-bridge


New Member

Creating two SSID on a Cisco Aironet AP1242G-A-K9 both using WPA2

Hello everyone,

I am entry level, trying to create two SSIDs using WPA2 on a Cisco AP 1242G connected to a Cisco Catalyst 3550 switch. Basically, I need one SSID called "HHD-Only" and the other "Corp-Users". "HHD-Only" is for handheld devices (not smartphones, iPads or tablets) and Corp-Users for our employees' wireless devices. What is the easier or smarter way to perform this task?

Thanks

New Member

Hi Freddy,

the easier and smart way to do this is to commission someone with knowledge to do that for you :)

No, jokes aside, doesn't Surendra's script above help you to infer the correct configuration for your case?

Best

New Member

Hi,

I'm trying to find out how to configure a guest SSID on an air-sap1602i-a-k9 access point. I'd like the guest SSID separate from the current internal work SSID.

Can someone help me with this?

Sincerely,

Sam

New Member

Sam,

Surendra's document matches your needs exactly.

You need two VLANs, which will be mapped to two different SSIDs: one for guests and one for your internal network.

I would suggest you configure your two SSIDs as in the example of SSID #3 given by Surendra, which is WPA2+PSK, unless you want to use a different authentication method.

New Member

Surendra, thank you for your very helpful article. My question is do we have to use bridge-group 1 and BVI1? If I am using VLAN10, 20 & 30 could I instead start at bridge-group 10 and BVI10 and go on to bridge-group 20/BVI20 then bridge-group 30/BVI30? I have read on other forums that bridge-group 1 & BVI1 are required for this to work. Matt.

New Member

Hello Carlos,

I am having the same issue as freemanslim: I am able to ping all IPs broadcast from the SSIDs except the management IP, and I am also not able to telnet, SSH or HTTPS to it. As you suggested to Essam, I tried to configure int dot11radio0.100 and put it in bridge-group 1, but it was refused with "Configuration of subinterfaces and main interface within the same bridge group is not permitted". So do you have any other solution for me? It would be much appreciated.

New Member

Hi,

Thanks for the tutorial...

...but I still didn't manage to make it work.

I have a Cisco Aironet 3600 AP and a Netgear M5300-28g.

In the Netgear I have some VLANs, in particular: VLAN 1 = default, VLAN 300 = Group, VLAN 301 = Client. I also have a DHCP server which provides IPs to each VLAN.

It's connected to the AP on gigabit port 20 (configured in trunk mode as you say).

I'd like to broadcast 2 SSIDs, one for each VLAN, on the AP, so I created the 3 VLANs with their encryption (as you say) and 3 SSIDs (one native and 2 on multiple beacons); the Dot11Radio X subinterfaces are also in place.

In the end I can see the SSIDs and connect with a static IP, but DHCP doesn't work.

I know there are some commands for DHCP like "dhcp-server" or "dhcp-relay", but despite all my tests it still doesn't work.

I could use some help, please.

gothh

P.S. I'm French, so please forgive my language mistakes.