Cisco Wireless AP – VLANs and Multiple SSIDs Part 2


UPDATED 2010-11-23: There were a couple of typos in the code & a few lines in the wrong order. Thanks to Vic for letting me know about them.

Hopefully after reading Part 1 you have a general idea of what is going on. In this part we will do the configuation needed on CS1 and start to configure wlan1. I strongly recommend connecting via the console for this but it should be possible (if you are careful in which order you enter the commands that you could do this over ssh/telnet). During this period wlan1 will be unavailable to the users but wlan2 will be running fine so they shouldn’t notice any down time.

Configure the switch

This should result in downtime (on wlan1 only) about as long as it takes you to enter the commands.

In NINet wlan1 is connected to the port 1/0/4 on cs1

sh run int gig 1/0/4


Building configuration...
Current configuration : 64 bytes
interface GigabitEthernet1/0/4
 switchport access vlan 2

Lets change it so that it will support multiple vlans traversing it.

int gig 1/0/4
 no switchport access vlan
 desc wlan1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport mode trunk

Now if we run that sh run int command above we get:

Building configuration...
Current configuration : 160 bytes
interface GigabitEthernet1/0/4
 description wlan1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport mode trunk

This means that all untagged traffic will talk on vlan 2 instead of vlan 1 (which is the default) this allows us to continue talking to the router via telnet/ssh for those of us who didn’t use the console.

Configure the Router

Backup and erase the config, only do this if you are connected via console, if you are connected via telnet/ssh you’ll need to read the whole article and enter the commands required and remove the old configuration.

copy system:running-config tftp://
wipe erase

Now lets reconfigure the router, connect and do not use the express wizard.

hostname wlan1
username admin privilege 15 password 

So now we have give the router back it’s name and added a user called “admin” to secure the router

aaa new-model
aaa group server radius rad_eap
server auth-port 1645 acct-port 1646
radius-server attribute 32 include-in-access-req format %h
radius-server host auth-port 1645 acct-port 1646 key 
radius-server vsa send accounting
aaa cache profile admin_cache
aaa group server radius rad_admin
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_pmip
aaa group server radius dummy
aaa group server tacacs+ tac_admin
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common

aaa new-model – Enables the AAA access control model.

aaa group server – Groups server hosts into lists and methods

radius-server host – Specifies and defines the IP address of the RADIUS server host.

aaa accounting – Enables AAA accounting of requested services for billing or security purposes when RADIUS or TACACS+ is used

aaa authorization – Sets parameters that restrict network access to a user.

dot11 mbssid
dot11 vlan-name MAIN vlan 2
dot11 vlan-name INET vlan 300
bridge irb

mbssid – Tells the router to allow all interfaces that support it to have multiple ssids
vlan-name – assigns a name to the vlan id, helps with readability though I must confess I am not exactly clear on why this is useful as there are several areas later that require the vlan number and will not accept the name..
bridge irb – allows bridging and routing between all interfaces

Setup the SSIDS


dot11 ssid NINet-INT
 vlan MAIN
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
 mbssid guest-mode


dot11 ssid NINet-EXT
 vlan INET
 authentication open
 authentication key-management wpa
 wpa-psk ascii 
 mbssid guest-mode

Here we have defined two SSIDs NINet-INT, the internal one, and NINet-EXT, the external/visitors one. We have also told the router that each one should be on a different VLAN. The “guest-mode” tells the router that the SSID should be broadcast.

Configuring the radio interfaces

interface Dot11Radio 1
interface Dot11radio 0
 no ip address
 no ip route-cache
 encryption mode ciphers aes-ccm tkip
 encryption vlan INET mode ciphers aes-ccm tkip
 encryption vlan MAIN mode ciphers aes-ccm tkip
 ssid NINet-INT
 ssid NINet-EXT
 station-role root

This has configured the main parts of both radio interfaces, we have used the “shutdown” command so that they do not come up and allow users to try to connect to them.

The following table gives you the channel number and the frequency to use for the “channel” command

Channel Number Channel Frequency
1 2412
2 2417
3 2422
4 2427
5 2432
6 2437
7 2442
8 2447
9 2452
10 2457
11 2462
12 2467
13 2472

It is recommended that each of the routers are are in seperate channels to reduce interference.

interface Dot11Radio 0.2
 encapsulation dot1Q 2 native
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
interface Dot11Radio 0.300
 encapsulation dot1Q 300
 no ip unreachables
 no ip proxy-arp
 no ip route-cache
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 bridge-group 2 spanning-disabled
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding

Here we create the sub interfaces that handle the vlan traffic, one per vlan is created.
The one containing the native vlan doesn’t actaully require the bridge group to be defined as it is implicitly added to that group in order to preserve connectivity, however I explicitly add it for good measure.

See part three for the next part of the configuration.

Links to other parts

2 thoughts to “Cisco Wireless AP – VLANs and Multiple SSIDs Part 2”

  1. Hi Nick,

    To be honest it doesn’t matter. On the WAP I only define 2 VLANs and each SSID maps to 1, so all traffic connected via the WAP will be tagged before it hits the port the “native vlan 2” is only really for my traffic from the main network to manage the WAP via SSH iirc. VTP isn’t supported on the Aironet so again there will be no advertisement from there. That change also means if you want to add a VLAN to the WAP later you will need to remember to add it to the switch port thus making more changes to your network.

    The only upsides I really see is from a documentation perspective so you know what traffic to expect from a port e.g. “sh trunk”.

    In saying all of that if you can think of a compelling reason to lock down both ends then I am interested to hear it, personally I just didn’t see any point as per the reasons above.



  2. Wouldn’t it be a good idea to only allow the required vlans on the trunk that feeds the WAP in case you add vlans to the network in future that you don’t want on the wireless side?

    interface GigabitEthernet1/0/4
    description wlan1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 2
    switchport trunk allowed vlan 2,300
    switchport mode trunk

Leave a Reply

Your email address will not be published. Required fields are marked *


This blog is kept spam free by WP-SpamFree.