
Cisco Aironet: multiple SSIDs

René Jorissen on November 25, 2009 12 Comments • Tags: #aironet #bridge #cisco #dot11 #dot11radio #guest #guestmode #irb #mbssid #mode #multiple #ssid #wpa

I have been playing with some Cisco Aironets today. The configuration is quite simple and straightforward, but maybe not for everyone:

  • Broadcast two SSIDs, one unsecure and one secure
  • Authentication via WPA version 2 with a pre-shared key
  • Management IP address in the management VLAN

You may be thinking: “stand-alone access points, why no WLAN controller?” I agree, but be honest. Would you use a WLAN controller for fewer than 5 access points?

The snippet below shows the most important configuration for such a scenario.

dot11 mbssid
dot11 vlan-name secure vlan 11
dot11 vlan-name default vlan 1
dot11 vlan-name unsecure vlan 13
dot11 vlan-name management vlan 10
!
dot11 ssid unsecure
 vlan 13
 authentication open
 authentication key-management wpa version 2
 mbssid guest-mode
 wpa-psk ascii <wpa pre-shared key>
!
dot11 ssid secure
 vlan 11
 authentication open
 authentication key-management wpa version 2
 mbssid guest-mode
 wpa-psk ascii <wpa pre-shared key>
!
bridge irb
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 13 mode ciphers aes-ccm tkip
 !
 encryption mode ciphers aes-ccm tkip
 !
 encryption vlan 11 mode ciphers aes-ccm tkip
 !
 ssid unsecure
 !
 ssid secure
 !
 speed basic-1.0 basic-11.0 basic-54.0
 channel 2412
 station-role root
!
interface Dot11Radio0.11
 encapsulation dot1Q 11
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 no cdp enable
 bridge-group 11
 bridge-group 11 block-unknown-source
 no bridge-group 11 source-learning
 no bridge-group 11 unicast-flooding
 bridge-group 11 spanning-disabled
!
interface Dot11Radio0.13
 encapsulation dot1Q 13
 ip access-group internet-only in
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 no cdp enable
 bridge-group 13
 bridge-group 13 subscriber-loop-control
 bridge-group 13 block-unknown-source
 no bridge-group 13 source-learning
 no bridge-group 13 unicast-flooding
 bridge-group 13 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.10
 encapsulation dot1Q 10 native
 no ip unreachables
 no ip route-cache
 no cdp enable
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface FastEthernet0.11
 encapsulation dot1Q 11
 no ip unreachables
 no ip route-cache
 no cdp enable
 bridge-group 11
 no bridge-group 11 source-learning
 bridge-group 11 spanning-disabled
!
interface FastEthernet0.13
 encapsulation dot1Q 13
 no ip unreachables
 no ip route-cache
 no cdp enable
 bridge-group 13
 no bridge-group 13 source-learning
 bridge-group 13 spanning-disabled
!
interface BVI10
 ip address 10.1.1.200 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.1.1.1
!
bridge 1 route ip

I hope this helps when you are configuring a Cisco Aironet with multiple SSID support.
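As an added check that is not part of the original post, the small Python lint below parses an Aironet running-config in the format shown above and reports two wiring mistakes that are easy to make with per-VLAN SSIDs: a WPA2 SSID whose VLAN cipher suite lacks AES-CCMP (TKIP only, so WPA2 clients cannot associate), and an SSID VLAN that has no dot1Q subinterface on either the radio or the Ethernet side, so traffic is never bridged. SAMPLE is a constructed, trimmed copy of the configuration with those two faults introduced on the secure SSID.

```python
import re
# Constructed sample: trimmed from this page's config; 'secure' is TKIP-only and missing from FastEthernet0.
SAMPLE = """
dot11 ssid unsecure
 vlan 13
 authentication key-management wpa version 2
dot11 ssid secure
 vlan 11
 authentication key-management wpa version 2
interface Dot11Radio0
 encryption vlan 13 mode ciphers aes-ccm tkip
 encryption vlan 11 mode ciphers tkip
interface Dot11Radio0.11
 encapsulation dot1Q 11
interface Dot11Radio0.13
 encapsulation dot1Q 13
interface FastEthernet0.13
 encapsulation dot1Q 13
"""

def parse(cfg):
    """Collect SSID stanzas, per-VLAN radio ciphers and dot1Q subinterfaces."""
    ssids, ciphers, subifs, ssid, iface = {}, {}, set(), None, None
    for raw in cfg.splitlines():
        s = raw.strip()
        if m := re.match(r"dot11 ssid (\S+)$", s):
            ssid = ssids[m[1]] = {"vlan": None, "wpa": None}
        elif m := re.match(r"interface (\S+)$", s):
            ssid, iface = None, m[1].split(".")[0]  # an interface line ends the SSID stanza
        elif ssid is not None and (m := re.match(r"vlan (\d+)$", s)):
            ssid["vlan"] = int(m[1])
        elif ssid is not None and (m := re.match(r"authentication key-management wpa( version (\d))?", s)):
            ssid["wpa"] = int(m[2]) if m[2] else 1
        elif m := re.match(r"encryption vlan (\d+) mode ciphers (.+)$", s):
            ciphers[int(m[1])] = set(m[2].split())
        elif iface and (m := re.match(r"encapsulation dot1Q (\d+)", s)):
            subifs.add((iface, int(m[1])))
    return ssids, ciphers, subifs

def audit(cfg):
    """Findings: WPA2 SSIDs whose VLAN cipher lacks AES-CCMP; SSID VLANs not bridged on both sides."""
    ssids, ciphers, subifs = parse(cfg)
    out = []
    for name, s in ssids.items():
        v, c = s["vlan"], ciphers.get(s["vlan"], set())
        if s["wpa"] == 2 and "aes-ccm" not in c:
            out.append(f"{name}: WPA2 on VLAN {v} but radio ciphers {sorted(c)} lack aes-ccm")
        if {i.startswith("Dot11") for i, vl in subifs if vl == v} != {True, False}:
            out.append(f"{name}: VLAN {v} needs a dot1Q subinterface on both radio and Ethernet")
    return out
```

Run `audit()` over the output of `show running-config` from each access point; a clean config returns an empty list.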


René Jorissen

Co-owner and Solution Specialist at 4IP Solutions
René Jorissen works as Solution Specialist for 4IP in the Netherlands. Network infrastructures are the primary focus. René works with equipment of multiple vendors, like Cisco, Aruba Networks, FortiNet, HP Networking, Juniper Networks, RSA SecurID, AeroHive, Microsoft and many more. René is Aruba Certified Edge Expert (ACEX #26), Aruba Certified Mobility Expert (ACMX #438), Aruba Certified ClearPass Expert (ACCX #725), Aruba Certified Design Expert (ACDX #760), CCNP R&S, FCNSP and Certified Ethical Hacker (CEH) certified. You can follow René on Twitter and LinkedIn.


  1. wordo says:

    Hey,

    I thought TKIP (encryption vlan 13 mode ciphers tkip) is WPA1 and aes-ccmp is WPA2 (authentication key-management wpa version 2).

    Did you check out if clients are connected with WPA2?

  2. nico says:

    That’s true, it’s better to enable both. The Apple iPhone, for example, will not be able to connect if you don’t enable AES-CCMP.

  3. Wordo and Nico, you are both absolutely right. I was a bit too quick.

  4. Jux says:

    Hi there,

    Just to thank you very much, this is perfectly working on Cisco 1130AG :)

    Cheers,

    Julien from paris

  5. Nick says:

    Hi there, I am attempting to setup something similar and I have found your article extremely helpful, thank you.

    Just a quick question if I may however. I assume the switchport the ethernet interface connects to must be a trunk configured to pass the vlan info for your SSID vlans?

    Also, must the native VLAN IDs of the access point and the switch match? I assume so?

  6. @Nick,

    Both assumptions are correct. You need to configure the switch port as a trunk port with the corresponding VLANs. It isn’t always necessary to have the native VLAN matching on both ends, but I recommend having them match.

    In the example above you will see that VLAN ID 10 is configured as the native VLAN. In this example you need to configure the native VLAN ID on the switch as 10 too.

  7. phoeneous says:

    Is it possible to configure two standalone 1142s as one without a controller? Share the same SSIDs?

  8. Yes, you can configure both the same way with the same SSIDs and encryption methods. You have to pay attention while configuring the radio management. Both access points should use different, unique channels to avoid interference.

  9. phoeneous says:

    So the channel is the only thing that would be different with the two configs? And the management IP too I assume.

  10. Of course the management IP address needs to be changed to prevent an IP conflict on the network.

  11. Dan Bino says:

    Hi, Great example.
    Why do you need the default VLAN 1, if you use VLAN 10 for management?
    Thanks.

  12. @Dan: you are right. VLAN 1 isn’t needed in this configuration example.
