Introduction
UPDATED 2010-11-23: There were a couple of typos in the code & a few lines in the wrong order. Thanks to Vic for letting me know about them.
Hopefully after reading Part 1 you have a general idea of what is going on. In this part we will do the configuration needed on CS1 and start to configure wlan1. I strongly recommend connecting via the console for this, but it should be possible to do it over ssh/telnet if you are careful about the order in which you enter the commands. During this period wlan1 will be unavailable to the users, but wlan2 will be running fine so they shouldn't notice any downtime.
Configure the switch
This should result in downtime (on wlan1 only) of about as long as it takes you to enter the commands.
In NINet wlan1 is connected to port 1/0/4 on cs1.
```
exit
sh run int gig 1/0/4
```
displays
```
Building configuration...
Current configuration : 64 bytes
!
interface GigabitEthernet1/0/4
 switchport access vlan 2
end
```
Let's change it so that it will support multiple VLANs traversing it.
```
int gig 1/0/4
no switchport access vlan
desc wlan1
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
exit
```
Now if we run that sh run int command above we get:
```
Building configuration...
Current configuration : 160 bytes
!
interface GigabitEthernet1/0/4
 description wlan1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport mode trunk
end
```
This means that all untagged traffic on the port will be placed in VLAN 2 instead of VLAN 1 (the default), which lets those of us who didn't use the console keep talking to the router via telnet/ssh.
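As an added example (not from the original post), a small Python audit of an AP-facing trunk port: it parses the sh run int output above, checks for dot1q trunk mode and a non-default native VLAN, and reports which VLANs the trunk carries versus the set the AP actually needs. The sample output and the "wanted" set {2, 300} are constructed from this page.

```python
import re

# Constructed sample: the 'sh run int gig 1/0/4' output shown above, after the trunk change.
TRUNK_CFG = """\
interface GigabitEthernet1/0/4
 description wlan1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport mode trunk
end
"""

def expand_vlans(spec):
    """Expand an IOS vlan list such as '2,300' or '1-3,10' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit_trunk(text, wanted):
    """Return findings for an AP-facing trunk; `wanted` is the set of VLANs the AP should see."""
    lines = [l.strip() for l in text.splitlines()]
    findings = []
    for must in ("switchport mode trunk", "switchport trunk encapsulation dot1q"):
        if must not in lines:
            findings.append(f"missing '{must}'")
    native = next((int(l.split()[-1]) for l in lines
                   if l.startswith("switchport trunk native vlan ")), 1)
    if native == 1:
        findings.append("native vlan is the default (1): untagged frames land in vlan 1")
    # Only the plain list form is parsed; with no 'allowed vlan' line IOS trunks all of 1-4094.
    m = next((m for l in lines
              if (m := re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", l))), None)
    allowed = expand_vlans(m.group(1)) if m else set(range(1, 4095))
    if wanted - allowed:
        findings.append(f"vlans {sorted(wanted - allowed)} are not allowed on the trunk")
    extra = allowed - wanted
    if extra:
        findings.append(f"trunk also carries {len(extra)} vlan(s) the AP does not need")
    return findings
```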
Configure the Router
Back up and erase the config. Only do this if you are connected via the console; if you are connected via telnet/ssh you will need to read the whole article, enter the commands required and remove the old configuration yourself.
```
exit
copy system:running-config tftp://192.168.1.2/wlan1-orig.cfg
write erase
reload
```
Now let's reconfigure the router: connect, and do not use the express wizard.
```
hostname wlan1
username admin privilege 15 password
```
So now we have given the router back its name and added a user called "admin" to secure the router.
```
aaa new-model
aaa group server radius rad_eap
 server 192.168.1.1 auth-port 1645 acct-port 1646
 exit
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key
radius-server vsa send accounting
aaa cache profile admin_cache
 all
aaa group server radius rad_admin
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_pmip
aaa group server radius dummy
aaa group server tacacs+ tac_admin
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
```
aaa new-model – Enables the AAA access control model.
aaa group server – Groups server hosts into lists and methods
radius-server host – Specifies and defines the IP address of the RADIUS server host.
aaa accounting – Enables AAA accounting of requested services for billing or security purposes when RADIUS or TACACS+ is used
aaa authorization – Sets parameters that restrict network access to a user.
```
dot11 mbssid
dot11 vlan-name MAIN vlan 2
dot11 vlan-name INET vlan 300
bridge irb
```
mbssid – Tells the router to allow all interfaces that support it to have multiple SSIDs.
vlan-name – Assigns a name to the VLAN id, which helps with readability, though I must confess I am not exactly clear on why this is useful as there are several areas later that require the VLAN number and will not accept the name.
bridge irb – allows bridging and routing between all interfaces
Set up the SSIDs
Internal
```
dot11 ssid NINet-INT
 vlan MAIN
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
 mbssid guest-mode
```
External
```
dot11 ssid NINet-EXT
 vlan INET
 authentication open
 authentication key-management wpa
 wpa-psk ascii
 mbssid guest-mode
```
Here we have defined two SSIDs: NINet-INT, the internal one, and NINet-EXT, the external/visitors one. We have also told the router that each one should be on a different VLAN. The "guest-mode" keyword tells the router that the SSID should be broadcast.
Configuring the radio interfaces
```
interface Dot11Radio 1
 shutdown
interface Dot11Radio 0
 shutdown
 no ip address
 no ip route-cache
 encryption mode ciphers aes-ccm tkip
 encryption vlan INET mode ciphers aes-ccm tkip
 encryption vlan MAIN mode ciphers aes-ccm tkip
 ssid NINet-INT
 ssid NINet-EXT
 channel
 station-role root
```
This has configured the main parts of both radio interfaces. We have used the "shutdown" command so that they do not come up and allow users to try to connect to them before the configuration is finished.
The following table gives the channel number and the corresponding frequency (in MHz) to use with the "channel" command:
Channel Number | Channel Frequency (MHz) |
---|---|
1 | 2412 |
2 | 2417 |
3 | 2422 |
4 | 2427 |
5 | 2432 |
6 | 2437 |
7 | 2442 |
8 | 2447 |
9 | 2452 |
10 | 2457 |
11 | 2462 |
12 | 2467 |
13 | 2472 |
It is recommended that each router is on a separate channel to reduce interference.
```
interface Dot11Radio 0.2
 encapsulation dot1Q 2 native
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
interface Dot11Radio 0.300
 encapsulation dot1Q 300
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 bridge-group 2 spanning-disabled
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
```
Here we create the sub-interfaces that handle the VLAN traffic; one is created per VLAN.
The one carrying the native VLAN doesn't actually require the bridge group to be defined, as it is implicitly added to that group in order to preserve connectivity; however, I explicitly add it for good measure.
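As an added example (not the post's own config or code), a Python check covering the SSID section and the sub-interface section above: it parses an Aironet-style config, resolves dot11 vlan-names to numbers, and confirms that each SSID uses WPA key management and maps to a Dot11Radio sub-interface carrying the bridge-group hardening lines from this part. The sample config is constructed and deliberately leaves one hardening line out of the vlan 2 sub-interface.

```python
import re

# Constructed sample (not the blog's full config); the vlan 2 sub-interface lacks one hardening line.
AP_CFG = """dot11 vlan-name MAIN vlan 2
dot11 ssid NINet-INT
 vlan MAIN
 authentication key-management wpa
dot11 ssid NINet-EXT
 vlan 300
 authentication key-management wpa
interface Dot11Radio0.300
 bridge-group 2
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
interface Dot11Radio0.2
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
"""

def parse_blocks(text):  # {top-level config line: [its indented lines]}
    blocks, cur = {}, None
    for line in text.splitlines():
        if line[:1].isspace():
            blocks[cur].append(line.strip())
        elif line.strip():
            cur = line.strip()
            blocks.setdefault(cur, [])
    return blocks

def audit_ap(text):  # every SSID needs WPA and a hardened sub-interface for its VLAN
    blocks = parse_blocks(text)
    names = dict(re.findall(r"^dot11 vlan-name (\S+) vlan (\d+)$", text, re.M))
    subifs = {m[1]: b for h, b in blocks.items() if (m := re.match(r"interface Dot11Radio ?\d\.(\d+)$", h))}
    findings = []
    for h, body in blocks.items():
        if not h.startswith("dot11 ssid "):
            continue
        ssid, vlan = h.split()[2], next((l.split()[1] for l in body if l.startswith("vlan ")), "?")
        vid = names.get(vlan, vlan)  # SSIDs may reference the vlan-name (MAIN); resolve it to the id
        if "authentication key-management wpa" not in body:
            findings.append(f"{ssid}: no WPA key management")
        if vid not in subifs:
            findings.append(f"{ssid}: no Dot11Radio sub-interface for vlan {vid}")
            continue
        grp = next((l.split()[1] for l in subifs[vid] if re.fullmatch(r"bridge-group \d+", l)), "?")
        for req in (f"bridge-group {grp} block-unknown-source", f"no bridge-group {grp} source-learning",
                    f"no bridge-group {grp} unicast-flooding"):
            if req not in subifs[vid]:
                findings.append(f"{ssid}: vlan {vid} sub-interface missing '{req}'")
    return findings
```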
See part three for the next part of the configuration.
Hi Nick,
To be honest it doesn’t matter. On the WAP I only define 2 VLANs and each SSID maps to 1, so all traffic connected via the WAP will be tagged before it hits the port; the “native vlan 2” is only really for my traffic from the main network to manage the WAP via SSH iirc. VTP isn’t supported on the Aironet, so again there will be no advertisement from there. That change also means if you want to add a VLAN to the WAP later you will need to remember to add it to the switch port, thus making more changes to your network.
The only upsides I really see is from a documentation perspective so you know what traffic to expect from a port e.g. “sh trunk”.
In saying all of that if you can think of a compelling reason to lock down both ends then I am interested to hear it, personally I just didn’t see any point as per the reasons above.
Regards,
Ryan
Wouldn’t it be a good idea to only allow the required vlans on the trunk that feeds the WAP in case you add vlans to the network in future that you don’t want on the wireless side?
```
interface GigabitEthernet1/0/4
 description wlan1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2,300
 switchport mode trunk
end
```