Multiple SSIDs with Cisco Access Points

In this example I will show you how to configure multiple SSIDs on a dual-band autonomous Cisco access point. The interface “Dot11Radio0” is for 2.4 GHz and “Dot11Radio1” for 5 GHz. We will configure three SSIDs for different VLANs.

Create your VLANs for your wireless network:

dot11 vlan-name Intern vlan 1
dot11 vlan-name Scanner vlan 10
dot11 vlan-name Guest vlan 20

Create your SSIDs (bound to the VLANs):

dot11 ssid TestIntern
vlan 1
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii [Your PreSharedKey]
!
dot11 ssid TestScanner
vlan 10
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii [Your PreSharedKey]
!
dot11 ssid TestGuest
vlan 20
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii [Your PreSharedKey]

Configuration of the 2.4 GHz interface:

interface Dot11Radio0
no ip address
!
encryption mode ciphers aes-ccm
! aes-ccm is for WPA2:
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 10 mode ciphers aes-ccm
!
encryption vlan 20 mode ciphers aes-ccm
!
ssid TestGuest
!
ssid TestIntern
!
ssid TestScanner
!
antenna gain 0
stbc
beamform ofdm
mbssid
station-role root

Sub-interfaces for VLAN-tagging:

interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding

The same configuration for the 5 GHz interface:

interface Dot11Radio1
no ip address
!
encryption mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 10 mode ciphers aes-ccm
!
encryption vlan 20 mode ciphers aes-ccm
!
ssid TestGuest
!
ssid TestIntern
!
ssid TestScanner
!
antenna gain 0
no dfs band block
stbc
beamform ofdm
mbssid
channel dfs
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio1.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding

Now we need to bridge the wireless data to our wired network:

interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 spanning-disabled
no bridge-group 10 source-learning
!
interface GigabitEthernet0.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 spanning-disabled
no bridge-group 20 source-learning

The IP address used to configure the access point is set on the bridge interface:

interface BVI1
ip address 192.168.1.50 255.255.255.0

Keep in mind that the “native” encapsulation in this example is “untagged VLAN 1”, so if you configure a VLAN trunk to the access point, VLAN 1 needs to be untagged.
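An added example, not part of the original post: a small Python check that every SSID attached to a radio has the three pieces this walkthrough configures for its VLAN (the per-VLAN cipher line on the radio, the radio sub-interface, and the wired sub-interface). The function names and the sample configuration are constructed for illustration.

```python
# Constructed sample (not from the page); VLAN 20 is deliberately incomplete.
SAMPLE = """\
dot11 ssid TestIntern
 vlan 1
dot11 ssid TestGuest
 vlan 20
interface Dot11Radio0
 encryption vlan 1 mode ciphers aes-ccm
 ssid TestIntern
 ssid TestGuest
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
"""

def stanzas(cfg):  # map each 'dot11 ssid' / 'interface' header to the commands under it
    out, cur = {}, None
    for line in map(str.strip, cfg.splitlines()):
        if line.startswith(("dot11 ssid ", "interface ")):
            cur = out.setdefault(line, [])
        elif cur is not None and line and not line.startswith("!"):
            cur.append(line)
    return out

def audit(cfg):  # one finding per piece missing between an SSID and the wired trunk
    st, found = stanzas(cfg), []
    vlan_of = {h.split()[2]: c.split()[1] for h, b in st.items()
               if h.startswith("dot11 ssid ") for c in b if c.startswith("vlan ")}
    def tagged(ifname, vlan):  # <ifname>.<vlan> has 'encapsulation dot1Q <vlan>' and its bridge-group
        body = st.get(f"interface {ifname}.{vlan}", [])
        return f"bridge-group {vlan}" in body and any(
            c.split()[:3] == ["encapsulation", "dot1Q", vlan] for c in body)
    wired = {h.split()[1].split(".")[0] for h in st if "Ethernet" in h}
    for hdr in [h for h in st if h.startswith("interface Dot11Radio") and "." not in h]:
        body, radio = st[hdr], hdr.split()[1]
        for ssid in (c.split()[1] for c in body if c.startswith("ssid ")):
            vlan = vlan_of.get(ssid, "?")
            missing = [what for what, ok in (
                ("cipher", any(c.startswith(f"encryption vlan {vlan} mode ciphers ") for c in body)),
                ("radio sub-interface", tagged(radio, vlan)),
                ("wired sub-interface", any(tagged(w, vlan) for w in wired))) if not ok]
            found += [f"{radio} ssid {ssid} vlan {vlan}: missing {m}" for m in missing]
    return found
```

Feed `audit()` the text of `show running-config`; an empty list means each broadcast SSID's VLAN is encrypted on the radio and bridged through to a tagged wired sub-interface.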

 

Have a nice weekend! 🙂

 

4 thoughts on “Multiple SSIDs with Cisco Access Points”

  1. Hi Michel, I’ve been hoping that you would post something for Cisco Autonomous APs. I’ve been running two 3600 series APs in my house in autonomous mode now for about a year and love them, with a configuration very similar to yours. The only problem that I am continuing to have with them is Chromecast multicasting. Googling it, most forums say to disable “IP IGMP Snooping”; I tried that and it doesn’t work. Hoping you can help.

    I have a Cisco c3560X as my core switch that I do all the routing through. I have “IP Multicast-Routing Distributed” enabled on the switch and “IP Pim Sparse-Dense-Mode” on the 3 VLANs: Vlan 101 Wired Devices, Vlan 102 Wireless Devices, Vlan 103 Streaming Devices (Chromecast, Roku, Smart TVs). The reason for the multicasting is so that I can connect to the Chromecast from both my Wired and Wireless VLANs.

    Any thoughts are greatly appreciated! And as always thank you for another great post.

  2. My complete config. This feeds into a Cisco ASA 5505 which hands out DHCP leases which in turn goes to an 887VAM for internet access. The 887 also has a zone-based firewall. All usernames/passwords are for lab use only.

    AP1242#sh run
    Building configuration…

    Current configuration : 4553 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service internal
    !
    hostname AP1242
    !
    logging userinfo
    logging rate-limit console 9
    enable secret 5 $1$QFea$iZaNRA9izJc3ZHIjgLfaS/
    enable password ***************
    !
    aaa new-model
    !
    !
    !
    aaa session-id common
    clock timezone Sydney 10
    clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 2:00
    no ip domain lookup
    ip domain name bde.local
    ip name-server 192.231.203.3
    ip name-server 192.231.203.132
    !
    !
    dot11 syslog
    !
    dot11 ssid 1142.20.bde
    vlan 20
    authentication open
    authentication key-management wpa version 2
    mbssid guest-mode
    wpa-psk ascii 0 puf4CKqt7s
    !
    dot11 ssid 1142.30.bde
    vlan 30
    authentication open
    authentication key-management wpa version 2
    mbssid guest-mode
    wpa-psk ascii 0 Arda9twTsV
    !
    !
    !
    username _router_admin_ password 0 ****************
    !
    !
    ip ssh source-interface BVI1
    ip ssh version 2
    bridge irb
    !
    !
    interface Dot11Radio0
    no ip address
    no ip route-cache
    !
    encryption vlan 20 mode ciphers aes-ccm
    !
    encryption vlan 30 mode ciphers aes-ccm
    !
    ssid 1142.20.bde
    !
    ssid 1142.30.bde
    !
    mbssid
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    !
    interface Dot11Radio0.20
    encapsulation dot1Q 20
    ip helper-address 20.1.1.2
    no ip route-cache
    bridge-group 20
    bridge-group 20 subscriber-loop-control
    bridge-group 20 block-unknown-source
    no bridge-group 20 source-learning
    no bridge-group 20 unicast-flooding
    bridge-group 20 spanning-disabled
    !
    interface Dot11Radio0.30
    encapsulation dot1Q 30
    ip helper-address 30.1.1.2
    no ip route-cache
    bridge-group 30
    bridge-group 30 subscriber-loop-control
    bridge-group 30 block-unknown-source
    no bridge-group 30 source-learning
    no bridge-group 30 unicast-flooding
    bridge-group 30 spanning-disabled
    !
    interface Dot11Radio1
    no ip address
    no ip route-cache
    !
    encryption vlan 20 mode ciphers aes-ccm
    !
    encryption vlan 30 mode ciphers aes-ccm
    !
    ssid 1142.20.bde
    !
    ssid 1142.30.bde
    !
    no dfs band block
    mbssid
    channel dfs
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    !
    interface Dot11Radio1.20
    encapsulation dot1Q 20
    ip helper-address 20.1.1.2
    no ip route-cache
    bridge-group 20
    bridge-group 20 subscriber-loop-control
    bridge-group 20 block-unknown-source
    no bridge-group 20 source-learning
    no bridge-group 20 unicast-flooding
    bridge-group 20 spanning-disabled
    !
    interface Dot11Radio1.30
    encapsulation dot1Q 30
    ip helper-address 30.1.1.2
    no ip route-cache
    bridge-group 30
    bridge-group 30 subscriber-loop-control
    bridge-group 30 block-unknown-source
    no bridge-group 30 source-learning
    no bridge-group 30 unicast-flooding
    bridge-group 30 spanning-disabled
    !
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    !
    interface FastEthernet0.20
    encapsulation dot1Q 20
    ip address 20.1.1.133 255.255.255.0
    no ip route-cache
    bridge-group 20
    no bridge-group 20 source-learning
    bridge-group 20 spanning-disabled
    !
    interface FastEthernet0.30
    encapsulation dot1Q 30
    ip address 30.1.1.133 255.255.255.0
    no ip route-cache
    bridge-group 30
    no bridge-group 30 source-learning
    bridge-group 30 spanning-disabled
    !
    interface BVI1
    mac-address 003a.9889.6140
    ip address 10.1.1.133 255.255.255.0
    no ip route-cache
    !
    ip default-gateway 10.1.1.2
    no ip http server
    no ip http secure-server
    ip http help-path http://www.google.com.au/
    logging origin-id hostname
    logging source-interface BVI1
    logging 10.1.1.50
    bridge 1 protocol ieee
    bridge 1 route ip
    !
    !
    !
    line con 0
    exec-timeout 0 0
    logging synchronous
    length 512
    width 100
    history size 100
    escape-character 3
    stopbits 1
    line vty 0 4
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    terminal-type exit
    length 0
    width 250
    history size 100
    transport preferred ssh
    transport input ssh
    escape-character 3
    line vty 5 15
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    terminal-type exit
    length 0
    width 250
    history size 100
    transport preferred ssh
    transport input ssh
    escape-character 3
    !
    sntp server 150.203.1.10 version 3
    sntp server 150.203.22.28 version 3
    sntp server 192.231.203.2 version 3
    sntp source-interface BVI1
    end

    AP1242#

  3. My 5505 config:

    5505-2# sh run
    : Saved
    :
    : Serial Number: JMX1207Z0U4
    : Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
    :
    ASA Version 9.2(4)33
    !
    hostname 5505-2
    domain-name bde.local
    enable password DYJXeMrCRONWOJ9M encrypted
    passwd DYJXeMrCRONWOJ9M encrypted
    names
    !
    interface Ethernet0/0
    switchport access vlan 10
    speed 100
    duplex full
    !
    interface Ethernet0/1
    switchport access vlan 10
    speed 100
    duplex full
    !
    interface Ethernet0/2
    switchport access vlan 20
    speed 100
    duplex full
    !
    interface Ethernet0/3
    switchport access vlan 20
    speed 100
    duplex full
    !
    interface Ethernet0/4
    switchport access vlan 30
    speed 100
    duplex full
    !
    interface Ethernet0/5
    ! To Router
    switchport access vlan 50
    speed 100
    duplex full
    !
    interface Ethernet0/6
    switchport trunk allowed vlan 10,20
    switchport mode trunk
    !
    interface Ethernet0/7
    ! To Access Point
    switchport trunk allowed vlan 10,20,30
    switchport trunk native vlan 10
    switchport mode trunk
    !
    interface Vlan1
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Vlan10
    nameif inside
    security-level 100
    ip address 10.1.1.2 255.255.255.0
    ipv6 address fe80::5505:2 link-local
    ipv6 address 2001:aaaa:aaaa:3b10::5505:2/64
    ipv6 enable
    !
    interface Vlan20
    nameif wlan1
    security-level 100
    ip address 20.1.1.2 255.255.255.0
    ipv6 address fe80::5505:2 link-local
    ipv6 address 2001:aaaa:aaaa:3b20::5505:2/64
    ipv6 enable
    !
    interface Vlan30
    nameif wlan2
    security-level 100
    ip address 30.1.1.2 255.255.255.0
    ipv6 address fe80::5505:2 link-local
    ipv6 address 2001:aaaa:aaaa:3b30::5505:2/64
    ipv6 enable
    !
    interface Vlan40
    nameif spare
    security-level 50
    ip address 40.1.1.2 255.255.255.0
    ipv6 address fe80::5505:2 link-local
    ipv6 address 2001:aaaa:aaaa:3b40::5505:2/64
    !
    interface Vlan50
    nameif outside
    security-level 0
    ip address 50.1.1.2 255.255.255.0
    ipv6 address fe80::5505:2 link-local
    ipv6 address 2001:aaaa:aaaa:3b50::5505:2/64
    !
    ftp mode passive
    clock timezone EST 10
    clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 192.231.203.132
    name-server 192.231.203.3
    domain-name bde.local
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network dynnat.obj
    range 50.1.1.10 50.1.1.254
    object-group network inside_subnets.net.obj
    network-object 10.1.1.0 255.255.255.0
    network-object 20.1.1.0 255.255.255.0
    network-object 30.1.1.0 255.255.255.0
    no pager
    logging enable
    logging timestamp
    logging trap notifications
    logging device-id hostname
    logging host inside 10.1.1.50
    logging host inside 10.1.1.165
    mtu inside 1500
    mtu wlan1 1500
    mtu wlan2 1500
    mtu outside 1500
    mtu spare 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (any,outside) source dynamic inside_subnets.net.obj dynnat.obj
    ipv6 route outside ::/0 2001:aaaa:aaaa:3b50::8873
    route outside 0.0.0.0 0.0.0.0 50.1.1.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 1440
    ssh stricthostkeycheck
    ssh 10.1.1.0 255.255.255.0 inside
    ssh timeout 60
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0

    dhcpd address 10.1.1.100-10.1.1.179 inside
    dhcpd dns 192.231.203.132 192.231.203.3 interface inside
    dhcpd lease 28800 interface inside
    dhcpd domain bde.local interface inside
    dhcpd option 42 ip 150.203.1.10 150.203.22.28 interface inside
    dhcpd option 3 ip 10.1.1.2 interface inside
    dhcpd enable inside
    !
    dhcpd address 20.1.1.100-20.1.1.179 wlan1
    dhcpd dns 192.231.203.132 192.231.203.3 interface wlan1
    dhcpd lease 28800 interface wlan1
    dhcpd domain bde.local interface wlan1
    dhcpd option 42 ip 150.203.1.10 150.203.22.28 interface wlan1
    dhcpd option 3 ip 20.1.1.2 interface wlan1
    dhcpd enable wlan1
    !
    dhcpd address 30.1.1.100-30.1.1.179 wlan2
    dhcpd dns 192.231.203.132 192.231.203.3 interface wlan2
    dhcpd lease 28800 interface wlan2
    dhcpd domain bde.local interface wlan2
    dhcpd option 42 ip 150.203.1.10 150.203.22.28 interface wlan2
    dhcpd option 3 ip 30.1.1.2 interface wlan2
    dhcpd enable wlan2
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 192.231.203.2 source outside
    ntp server 150.203.22.28 source outside
    ntp server 150.203.1.10 source outside prefer
    tftp-server inside 10.1.1.87 /
    ssl encryption aes256-sha1
    username _router_admin_ password wvNHwLlMi6o8FiqS encrypted privilege 15
    !
    !
    prompt hostname context
    Cryptochecksum:607f6d38bbcbc8c470ea23fada4b71a0
    : end
    5505-2#
