Cisco Wireless AP – VLANs and Multiple SSIDs Part 2

Introduction

UPDATED 2010-11-23: There were a couple of typos in the code & a few lines in the wrong order. Thanks to Vic for letting me know about them.

Hopefully after reading Part 1 you have a general idea of what is going on. In this part we will do the configuration needed on CS1 and start to configure wlan1. I strongly recommend connecting via the console for this, but it should be possible to do it over ssh/telnet if you are careful about the order in which you enter the commands. During this period wlan1 will be unavailable to the users, but wlan2 will be running fine so they shouldn’t notice any downtime.

Configure the switch

This should result in downtime (on wlan1 only) about as long as it takes you to enter the commands.

In NINet wlan1 is connected to port 1/0/4 on cs1.


exit
sh run int gig 1/0/4

displays


Building configuration...
Current configuration : 64 bytes
!
interface GigabitEthernet1/0/4
switchport access vlan 2
end

Let’s change it so that it will support multiple VLANs traversing it.


int gig 1/0/4
no switchport access vlan
desc wlan1
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
exit

Now if we run that sh run int command above we get:


Building configuration...
Current configuration : 160 bytes
!
interface GigabitEthernet1/0/4
description wlan1
switchport trunk encapsulation dot1q
switchport trunk native vlan 2
switchport mode trunk
end

This means that all untagged traffic on this port will be placed on vlan 2 instead of vlan 1 (which is the default), which lets those of us who didn’t use the console keep talking to the router via telnet/ssh.

Configure the Router

Back up and erase the config. Only do this if you are connected via the console; if you are connected via telnet/ssh you’ll need to read the whole article, enter the commands required and then remove the old configuration.


exit
copy system:running-config tftp://192.168.1.2/wlan1-orig.cfg
write erase
reload

Now let’s reconfigure the router: connect to it and do not use the express wizard.


hostname wlan1
username admin privilege 15 password <PLAIN TEXT PASSWORD>

So now we have given the router back its name and added a user called “admin” to secure the router.


aaa new-model
aaa group server radius rad_eap
server 192.168.1.1 auth-port 1645 acct-port 1646
exit
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key <RADIUS SECRET>
radius-server vsa send accounting
aaa cache profile admin_cache
all
aaa group server radius rad_admin
cache expiry 1
cache authorization profile admin_cache
cache authentication profile admin_cache
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_pmip
aaa group server radius dummy
aaa group server tacacs+ tac_admin
cache expiry 1
cache authorization profile admin_cache
cache authentication profile admin_cache
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common

aaa new-model – Enables the AAA access control model.

aaa group server – Groups server hosts into lists and methods.

radius-server host – Specifies and defines the IP address of the RADIUS server host.

aaa accounting – Enables AAA accounting of requested services for billing or security purposes when RADIUS or TACACS+ is used.

aaa authorization – Sets parameters that restrict network access to a user.


dot11 mbssid
dot11 vlan-name MAIN vlan 2
dot11 vlan-name INET vlan 300
bridge irb

mbssid – Tells the router to allow all interfaces that support it to have multiple SSIDs.
vlan-name – Assigns a name to the VLAN id. This helps with readability, though I must confess I am not exactly clear on why it is useful, as there are several areas later that require the VLAN number and will not accept the name.
bridge irb – Allows bridging and routing between all interfaces.

Set up the SSIDs

Internal


dot11 ssid NINet-INT
vlan MAIN
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
mbssid guest-mode

External


dot11 ssid NINet-EXT
vlan INET
authentication open
authentication key-management wpa
wpa-psk ascii <PASSPHRASE>
mbssid guest-mode

Here we have defined two SSIDs: NINet-INT, the internal one, and NINet-EXT, the external/visitors one. We have also told the router that each one should be on a different VLAN. The “guest-mode” keyword tells the router that the SSID should be broadcast.

Configuring the radio interfaces


interface Dot11Radio 1
shutdown
interface Dot11radio 0
shutdown
no ip address
no ip route-cache
encryption mode ciphers aes-ccm tkip
encryption vlan INET mode ciphers aes-ccm tkip
encryption vlan MAIN mode ciphers aes-ccm tkip
ssid NINet-INT
ssid NINet-EXT
channel <CHANNEL FREQ>
station-role root

This has configured the main parts of both radio interfaces. We have used the “shutdown” command so that they do not come up and allow users to try to connect to them.

The following table gives you the channel number and the frequency to use for the “channel” command.

Channel Number    Channel Frequency (MHz)
1                 2412
2                 2417
3                 2422
4                 2427
5                 2432
6                 2437
7                 2442
8                 2447
9                 2452
10                2457
11                2462
12                2467
13                2472

It is recommended that each of the routers is on a separate channel to reduce interference.


interface Dot11Radio 0.2
encapsulation dot1Q 2 native
no ip unreachables
no ip proxy-arp
no ip route-cache
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio 0.300
encapsulation dot1Q 300
no ip unreachables
no ip proxy-arp
no ip route-cache
no cdp enable
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
bridge-group 2 spanning-disabled
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding

Here we create the sub-interfaces that handle the VLAN traffic, one per VLAN.
The one carrying the native VLAN doesn’t actually require the bridge group to be defined, as it is implicitly added to that group in order to preserve connectivity; however, I explicitly add it for good measure.
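The pieces above have to line up: every vlan-name must resolve to an id, every SSID’s VLAN needs ciphers on the radio and a matching dot1Q sub-interface, and every SSID should carry WPA key management. The following Python check is an added example and not part of the original post; it assumes the abridged config text embedded in the script, which is constructed from the commands in this part (the AP’s real “show running-config” output would be pasted in its place).

```python
import re
# Constructed (abridged) from this post's commands; not a real device dump.
AP_CONFIG = """\
dot11 vlan-name MAIN vlan 2
dot11 vlan-name INET vlan 300
dot11 ssid NINet-INT
 vlan MAIN
 authentication open eap eap_methods
 authentication key-management wpa
dot11 ssid NINet-EXT
 vlan INET
 authentication key-management wpa
interface Dot11Radio0
 encryption vlan INET mode ciphers aes-ccm tkip
 encryption vlan MAIN mode ciphers aes-ccm tkip
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
interface Dot11Radio0.300
 encapsulation dot1Q 300
"""

def parse_blocks(cfg):
    """Group an IOS config into (header, [indented child lines]) pairs."""
    blocks = []
    for line in filter(str.strip, cfg.splitlines()):
        if line[0].isspace():
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit_ap(cfg):
    """Return one finding per SSID whose VLAN plumbing or WPA setting is missing."""
    names = dict(re.findall(r"^dot11 vlan-name (\S+) vlan (\d+)", cfg, re.M))
    vid = lambda tok: names.get(tok, tok)  # accept a vlan-name or a numeric id
    encrypted = {vid(v) for v in re.findall(r"^\s*encryption vlan (\S+) mode", cfg, re.M)}
    subifs = set(re.findall(r"^\s*encapsulation dot1Q (\d+)", cfg, re.M))
    findings = []
    for hdr, kids in [b for b in parse_blocks(cfg) if b[0].startswith("dot11 ssid ")]:
        ssid = hdr.split()[2]
        vlan = next((vid(k.split()[1]) for k in kids if k.startswith("vlan ")), None)
        checks = [
            (vlan is None, "no vlan assigned"),
            (vlan and vlan not in encrypted, f"no encryption ciphers for vlan {vlan}"),
            (vlan and vlan not in subifs, f"no dot1Q subinterface for vlan {vlan}"),
            ("authentication key-management wpa" not in kids, "no WPA key management"),
        ]
        findings += [f"{ssid}: {msg}" for bad, msg in checks if bad]
    return findings
```

An empty list from audit_ap means every SSID is wired through to its VLAN with encryption; each finding names the SSID and the missing piece.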

See part three for the next part of the configuration.


2 thoughts to “Cisco Wireless AP – VLANs and Multiple SSIDs Part 2”

  1. Hi Nick,

    To be honest it doesn’t matter. On the WAP I only define 2 VLANs and each SSID maps to 1, so all traffic connected via the WAP will be tagged before it hits the port; the “native vlan 2” is only really for my traffic from the main network to manage the WAP via SSH iirc. VTP isn’t supported on the Aironet so again there will be no advertisement from there. That change also means if you want to add a VLAN to the WAP later you will need to remember to add it to the switch port thus making more changes to your network.

    The only upsides I really see is from a documentation perspective so you know what traffic to expect from a port e.g. “sh trunk”.

    In saying all of that if you can think of a compelling reason to lock down both ends then I am interested to hear it, personally I just didn’t see any point as per the reasons above.

    Regards,

    Ryan

  2. Wouldn’t it be a good idea to only allow the required vlans on the trunk that feeds the WAP in case you add vlans to the network in future that you don’t want on the wireless side?

    interface GigabitEthernet1/0/4
    description wlan1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 2
    switchport trunk allowed vlan 2,300
    switchport mode trunk
    end
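To make the difference between the two switch-port configurations concrete, here is an added Python example (not part of the post or the comments) that works out which VLANs the trunk feeding the WAP will carry, with and without the allowed-vlan line from the comment above, and whether the native VLAN used to manage the WAP is itself still carried. It assumes the constructed config text embedded below and only parses the plain “switchport trunk allowed vlan <list>” form.

```python
import re

# Constructed sample: the trunk config from this post, and the variant with
# the allowed-vlan line proposed in the comment. Not a real switch dump.
TRUNK_AS_POSTED = """\
interface GigabitEthernet1/0/4
 description wlan1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport mode trunk
"""
TRUNK_PRUNED = TRUNK_AS_POSTED.replace(
    " switchport mode trunk", " switchport trunk allowed vlan 2,300\n switchport mode trunk")

AP_VLANS = {2, 300}  # the VLANs behind the two SSIDs on wlan1 (MAIN and INET)

def allowed_vlans(intf_cfg):
    """VLAN ids a dot1q trunk carries: the explicit allowed list, else all of 1-4094.
    Only the plain 'switchport trunk allowed vlan <list>' form is parsed (assumption);
    the add/remove/except variants are not handled."""
    m = re.search(r"switchport trunk allowed vlan ([\d,\-]+)", intf_cfg)
    if not m:
        return set(range(1, 4095))
    vlans = set()
    for part in m.group(1).split(","):
        lo, _, hi = part.partition("-")          # "300-302" -> 300..302
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def trunk_report(intf_cfg, needed=AP_VLANS):
    """Compare what the trunk carries with what the AP needs.
    Returns (needed VLANs the trunk blocks, VLANs carried beyond them,
    whether the native VLAN used for managing the AP is itself blocked)."""
    carried = allowed_vlans(intf_cfg)
    m = re.search(r"switchport trunk native vlan (\d+)", intf_cfg)
    native = int(m.group(1)) if m else 1  # IOS default native VLAN is 1
    return needed - carried, carried - needed, native not in carried
```

For the config as posted the trunk carries all 4094 VLANs, so 4092 of them reach the WAP without being used; with the allowed list it carries exactly the two the SSIDs need. The third value catches the mistake of pruning the native VLAN away, which would cut the untagged management path.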
