Cisco Aironet: multiple SSID’s
I have been playing with some Cisco Aironet’s today. Configuration is quite simple and straightforward, but maybe not for everyone:
- Broadcast two SSID’s, unsecure and secure
- Authentication via WPA version 2 pre-shared key
- Management IP adres in management VLAN
You are maybe thinking: “stand-alone access points, why no WLAN controller?” I agree, but be honest. Would you use a WLAN controller for less then 5 access points?
The snippet below shows the most important configuration for such a scenario.
dot11 mbssid
dot11 vlan-name secure vlan 11
dot11 vlan-name default vlan 1
dot11 vlan-name unsecure vlan 13
dot11 vlan-name management vlan 10
!
dot11 ssid unsecure
vlan 13
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii <wpa pre-shared key>
!
dot11 ssid secure
vlan 11
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii <wpa pre-shared key>
!
bridge irb
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 13 mode ciphers aes-ccm tkip
!
encryption mode ciphers aes-ccm tkip
!
encryption vlan 11 mode ciphers aes-ccm tkip
!
ssid unsecure
!
ssid secure
!
speed basic-1.0 basic-11.0 basic-54.0
channel 2412
station-role root
!
interface Dot11Radio0.11
encapsulation dot1Q 11
no ip unreachables
no ip proxy-arp
no ip route-cache
no cdp enable
bridge-group 11
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
bridge-group 11 spanning-disabled
!
interface Dot11Radio0.13
encapsulation dot1Q 13
ip access-group internet-only in
no ip unreachables
no ip proxy-arp
no ip route-cache
no cdp enable
bridge-group 13
bridge-group 13 subscriber-loop-control
bridge-group 13 block-unknown-source
no bridge-group 13 source-learning
no bridge-group 13 unicast-flooding
bridge-group 13 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.10
encapsulation dot1Q 10 native
no ip unreachables
no ip route-cache
no cdp enable
bridge-group 10
no bridge-group 10 source-learning
bridge-group 10 spanning-disabled
!
interface FastEthernet0.11
encapsulation dot1Q 11
no ip unreachables
no ip route-cache
no cdp enable
bridge-group 11
no bridge-group 11 source-learning
bridge-group 11 spanning-disabled
!
interface FastEthernet0.13
encapsulation dot1Q 13
no ip unreachables
no ip route-cache
no cdp enable
bridge-group 13
no bridge-group 13 source-learning
bridge-group 13 spanning-disabled
!
interface BVI10
ip address 10.1.1.200 255.255.255.0
no ip route-cache
!
ip default-gateway 10.1.1.1
!
bridge 1 route ip
I hope this helps when you are configuring a Cisco Aironet with multiple SSID support.
Related Articles
4 Responses to “Cisco Aironet: multiple SSID’s”
Leave a Reply
Share this Blog
January 20th, 2010 at 9:20 am
Hey,
I thought TKIP (encryption vlan 13 mode ciphers tkip) is WPA1 and aes-ccmp is WPA2 (authentication key-management wpa version 2).
Did you check out if clients are connected with WPA2?
January 20th, 2010 at 3:23 pm
That’s true, it’s better to enable both.. The Apple IPhone for example will not be able to connect if you don’t enable AES-CCMP.
January 21st, 2010 at 6:21 pm
Wordo and Nico, you are both absolutely right. I was a bit to quick.
March 22nd, 2010 at 8:26 pm
Hi there,
Just to thank you very much, this is perfectly working on Cisco 1130AG :)
Cheers,
Julien from paris