Multiple SSIDs with Cisco Access Points

In this example I will show you how to configure multiple SSIDs on a dual-band autonomous Cisco access point. The interface “Dot11Radio0” is for 2.4 GHz and “Dot11Radio1” for 5 GHz. We will configure three SSIDs for different VLANs.

Create your VLANs for your wireless network:

dot11 vlan-name Intern vlan 1
dot11 vlan-name Scanner vlan 10
dot11 vlan-name Guest vlan 20

Create your SSIDs (each bound to its VLAN):

dot11 ssid TestIntern
vlan 1
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii [Your PreSharedKey]
!
dot11 ssid TestScanner
vlan 10
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii [Your PreSharedKey]
!
dot11 ssid TestGuest
vlan 20
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii [Your PreSharedKey]

Configuration of the 2.4 GHz interface:

interface Dot11Radio0
no ip address
!
encryption mode ciphers aes-ccm
! aes-ccm is for WPA2:
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 10 mode ciphers aes-ccm
!
encryption vlan 20 mode ciphers aes-ccm
!
ssid TestGuest
!
ssid TestIntern
!
ssid TestScanner
!
antenna gain 0
stbc
beamform ofdm
mbssid
station-role root

Sub-interfaces for VLAN-tagging:

interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding

The same configuration for the 5 GHz interface:

interface Dot11Radio1
no ip address
!
encryption mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 10 mode ciphers aes-ccm
!
encryption vlan 20 mode ciphers aes-ccm
!
ssid TestGuest
!
ssid TestIntern
!
ssid TestScanner
!
antenna gain 0
no dfs band block
stbc
beamform ofdm
mbssid
channel dfs
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio1.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding

Now we need to bridge the wireless traffic to our wired network:

interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 spanning-disabled
no bridge-group 10 source-learning
!
interface GigabitEthernet0.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 spanning-disabled
no bridge-group 20 source-learning

The IP address used to configure the access point is assigned to the bridge interface:

interface BVI1
ip address 192.168.1.50 255.255.255.0

Keep in mind that the “native” encapsulation in this example is “untagged VLAN 1”, so if you configure a VLAN trunk to the access point, VLAN 1 needs to be untagged on that trunk.
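Each SSID above only works, and only stays in its own VLAN, if that VLAN also has an `encryption vlan` line on the radio, a radio sub-interface and a wired sub-interface. The following check is an added example, not part of the original post: it parses a saved configuration and reports SSIDs where one of those pieces is missing. The function name `audit` and the sample text are constructed for illustration, and the parser assumes numeric VLAN IDs as used on this page.

```python
from collections import defaultdict

# Constructed sample in the page's style; Dot11Radio1 deliberately lacks the
# "encryption vlan 20" line and the Dot11Radio1.20 sub-interface.
SAMPLE = """
dot11 ssid TestIntern
vlan 1
dot11 ssid TestGuest
vlan 20
interface Dot11Radio1
encryption vlan 1 mode ciphers aes-ccm
ssid TestGuest
ssid TestIntern
interface Dot11Radio1.1
encapsulation dot1Q 1 native
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
interface GigabitEthernet0.20
encapsulation dot1Q 20
"""

def audit(config):
    """Return one finding per SSID/VLAN piece that is missing on a radio."""
    ssid_vlan, ssids, enc, dot1q = {}, defaultdict(set), defaultdict(set), defaultdict(set)
    kind = name = None
    for w in (line.split() for line in config.splitlines()):
        if w[:2] == ["dot11", "ssid"]:
            kind, name = "ssid", w[2]                 # global SSID definition
        elif w[:1] == ["interface"]:
            kind, name = "if", w[1].split(".")[0]     # sub-interfaces fold into parent
        elif kind == "ssid" and w[:1] == ["vlan"]:
            ssid_vlan[name] = int(w[1])
        elif kind == "if" and w[:1] == ["ssid"]:
            ssids[name].add(w[1])                     # SSID attached to this radio
        elif kind == "if" and w[:2] == ["encryption", "vlan"]:
            enc[name].add(int(w[2]))
        elif kind == "if" and w[:2] == ["encapsulation", "dot1Q"]:
            dot1q[name].add(int(w[2]))
    # VLANs that have a sub-interface on any non-radio (wired) interface
    wired = set().union(*(v for k, v in dot1q.items() if not k.startswith("Dot11Radio")))
    findings = []
    for radio in sorted(ssids):
        for ssid in sorted(ssids[radio]):
            vlan = ssid_vlan.get(ssid)
            for ok, msg in ((vlan in enc[radio], "no 'encryption vlan' line"),
                            (vlan in dot1q[radio], "no radio sub-interface"),
                            (vlan in wired, "no wired sub-interface")):
                if not ok:
                    findings.append(f"{radio} ssid {ssid} vlan {vlan}: {msg}")
    return findings
```

Run `audit()` on the text of `show running-config`; an empty list means every SSID attached to a radio has all three pieces for its VLAN.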

 

Have a nice weekend! 🙂

 

2 thoughts on “Multiple SSIDs with Cisco Access Points”

  1. Hi Michel, I’ve been hoping that you would post something for Cisco Autonomous APs. I’ve been running two 3600 series APs in my house in autonomous mode now for about a year and love them with a configuration very similar to yours. The only problem that I am continuing to have with them is Chromecast Multicasting. Googling it, most forums say to disable “IP IGMP Snooping”; tried that and it doesn’t work. Hoping you can help.

    I have a Cisco c3560X as my core switch that I do all the routing through. I have “IP Multicast-Routing Distributed” enabled on the switch and “IP Pim Sparse-Dense-Mode” on the 3 VLANs: VLAN 101 Wired Devices, VLAN 102 Wireless Devices, VLAN 103 Streaming Devices (Chromecast, Roku, Smart TVs). The reason for the multicasting is so that I can connect to the Chromecast from both my Wired and Wireless VLANs.

    Any thoughts are greatly appreciated! And as always thank you for another great post.
