In this example I will show you how to configure multiple SSIDs on a dual-band autonomous Cisco access point. The interface “Dot11Radio0” is the 2.4 GHz radio and “Dot11Radio1” the 5 GHz radio. We will configure three SSIDs, each mapped to its own VLAN.
Create your VLANs for your wireless network:
dot11 vlan-name Intern vlan 1
dot11 vlan-name Scanner vlan 10
dot11 vlan-name Guest vlan 20
Create your SSIDs (each bound to its VLAN):
dot11 ssid TestIntern
vlan 1
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii [Your PreSharedKey]
!
dot11 ssid TestScanner
vlan 10
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii [Your PreSharedKey]
!
dot11 ssid TestGuest
vlan 20
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii [Your PreSharedKey]
Configuration of the 2.4 GHz interface:
interface Dot11Radio0
no ip address
!
encryption mode ciphers aes-ccm
! aes-ccm is for WPA2:
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 10 mode ciphers aes-ccm
!
encryption vlan 20 mode ciphers aes-ccm
!
ssid TestGuest
!
ssid TestIntern
!
ssid TestScanner
!
antenna gain 0
stbc
beamform ofdm
mbssid
station-role root
Sub-interfaces for VLAN-tagging:
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
The same configuration for the 5 GHz interface:
interface Dot11Radio1
no ip address
!
encryption mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 10 mode ciphers aes-ccm
!
encryption vlan 20 mode ciphers aes-ccm
!
ssid TestGuest
!
ssid TestIntern
!
ssid TestScanner
!
antenna gain 0
no dfs band block
stbc
beamform ofdm
mbssid
channel dfs
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio1.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
Now we need to bridge the wireless traffic to our wired network:
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 spanning-disabled
no bridge-group 10 source-learning
!
interface GigabitEthernet0.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 spanning-disabled
no bridge-group 20 source-learning
The management IP address of the access point is configured on the bridge (BVI) interface:
interface BVI1
ip address 192.168.1.50 255.255.255.0
Keep in mind that the “native” encapsulation in this example means “untagged VLAN 1”, so if you configure a VLAN trunk towards the access point, VLAN 1 needs to be the untagged (native) VLAN on that trunk.
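As an added check (example code written for this post, not part of the original configuration or of any Cisco tool), here is a small Python auditor that parses a running-config in the layout above and reports, per SSID, whether WPA2 key management is set, whether each radio carries an aes-ccm cipher for the SSID's VLAN, and whether the radio sub-interface and the uplink sub-interface for that VLAN share the same bridge-group (a mismatch silently bridges that SSID's clients into another VLAN). It assumes IOS's one-space indentation of subcommands and the interface names used above; the sample config is constructed.

```python
import re

def parse_blocks(config):
    """Group IOS-style config text into {block header: [indented subcommands]}."""
    blocks, cur = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and cur is not None:
            blocks[cur].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):   # skip blanks and '!' separators
            cur = raw.strip()
            blocks.setdefault(cur, [])
    return blocks

def bridge_group_for_vlan(blocks, iface, vlan):
    """bridge-group number of the `iface` sub-interface whose dot1Q tag is `vlan`, else None."""
    for header, subs in blocks.items():
        tagged = any(re.fullmatch(rf"encapsulation dot1Q {vlan}( native)?", s) for s in subs)
        if header.startswith(f"interface {iface}.") and tagged:
            return next((s.split()[1] for s in subs if re.fullmatch(r"bridge-group \d+", s)), None)
    return None

def audit(config, radios=("Dot11Radio0", "Dot11Radio1"), uplink="GigabitEthernet0"):
    """Return findings per SSID; an empty list means the VLAN plumbing is consistent."""
    blocks, findings = parse_blocks(config), []
    for ssid, subs in ((h[len("dot11 ssid "):], s) for h, s in blocks.items() if h.startswith("dot11 ssid ")):
        vlan = next((s.split()[1] for s in subs if s.startswith("vlan ")), None)
        if vlan is None:
            findings.append(f"{ssid}: no vlan bound, clients land in the native VLAN")
            continue
        if "authentication key-management wpa version 2" not in subs:
            findings.append(f"{ssid}: WPA2 key management not configured")
        wired_bg = bridge_group_for_vlan(blocks, uplink, vlan)
        for radio in radios:
            if f"encryption vlan {vlan} mode ciphers aes-ccm" not in blocks.get(f"interface {radio}", []):
                findings.append(f"{ssid}: no aes-ccm cipher for VLAN {vlan} on {radio}")
            radio_bg = bridge_group_for_vlan(blocks, radio, vlan)
            if radio_bg is None or radio_bg != wired_bg:
                findings.append(f"{ssid}: bridge-group {radio_bg} on {radio} != {wired_bg} on {uplink}")
    return findings

# Constructed sample: the guest SSID lacks WPA2 key management and its radio sub-interface
# bridges into group 1 (the internal VLAN) instead of group 20.
SAMPLE = "\n".join([
    "dot11 ssid TestIntern", " vlan 1", " authentication key-management wpa version 2",
    "dot11 ssid TestGuest", " vlan 20", " authentication open",
    "interface Dot11Radio0", " encryption vlan 1 mode ciphers aes-ccm", " encryption vlan 20 mode ciphers aes-ccm",
    "interface Dot11Radio0.1", " encapsulation dot1Q 1 native", " bridge-group 1",
    "interface Dot11Radio0.20", " encapsulation dot1Q 20", " bridge-group 1",
    "interface GigabitEthernet0.1", " encapsulation dot1Q 1 native", " bridge-group 1",
    "interface GigabitEthernet0.20", " encapsulation dot1Q 20", " bridge-group 20",
])
```

Run it over the output of `show running-config` saved to a file; passing only the radios the access point actually has avoids spurious findings on a single-band model.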
Have a nice weekend! :)
4 Responses
Hi Michel, I’ve been hoping that you would post something for Cisco autonomous APs. I’ve been running two 3600 series APs in my house in autonomous mode now for about a year and love them, with a configuration very similar to yours. The only problem that I am continuing to have with them is Chromecast multicasting. Googling it, most forums say to disable “IP IGMP Snooping”; I tried that and it doesn’t work. Hoping you can help.
I have a Cisco C3560X as my core switch that I do all the routing through. I have “IP Multicast-Routing Distributed” enabled on the switch and “IP Pim Sparse-Dense-Mode” on the 3 VLANs: VLAN 101 wired devices, VLAN 102 wireless devices, VLAN 103 streaming devices (Chromecast, Roku, smart TVs). The reason for the multicasting is so that I can connect to the Chromecast from both my wired and wireless VLANs.
Any thoughts are greatly appreciated! And as always thank you for another great post.
Hi Jason,
Check out this link from Cisco: http://www.cisco.com/c/en/us/td/docs/ios/12_2/ip/configuration/guide/fipr_c/1cfmulti.html
Did you deactivate IP IGMP snooping on every interface?
My complete config. This feeds into a Cisco ASA 5505, which hands out DHCP leases and in turn goes to an 887VAM for internet access. The 887 also has a zone-based firewall. All usernames/passwords are for lab use only.
AP1242#sh run
Building configuration…
Current configuration : 4553 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname AP1242
!
logging userinfo
logging rate-limit console 9
enable secret 5 $1$QFea$iZaNRA9izJc3ZHIjgLfaS/
enable password ***************
!
aaa new-model
!
!
!
aaa session-id common
clock timezone Sydney 10
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 2:00
no ip domain lookup
ip domain name bde.local
ip name-server 192.231.203.3
ip name-server 192.231.203.132
!
!
dot11 syslog
!
dot11 ssid 1142.20.bde
vlan 20
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 0 puf4CKqt7s
!
dot11 ssid 1142.30.bde
vlan 30
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 0 Arda9twTsV
!
!
!
username _router_admin_ password 0 ****************
!
!
ip ssh source-interface BVI1
ip ssh version 2
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 20 mode ciphers aes-ccm
!
encryption vlan 30 mode ciphers aes-ccm
!
ssid 1142.20.bde
!
ssid 1142.30.bde
!
mbssid
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
encapsulation dot1Q 20
ip helper-address 20.1.1.2
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
!
interface Dot11Radio0.30
encapsulation dot1Q 30
ip helper-address 30.1.1.2
no ip route-cache
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
bridge-group 30 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 20 mode ciphers aes-ccm
!
encryption vlan 30 mode ciphers aes-ccm
!
ssid 1142.20.bde
!
ssid 1142.30.bde
!
no dfs band block
mbssid
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.20
encapsulation dot1Q 20
ip helper-address 20.1.1.2
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
!
interface Dot11Radio1.30
encapsulation dot1Q 30
ip helper-address 30.1.1.2
no ip route-cache
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
bridge-group 30 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.20
encapsulation dot1Q 20
ip address 20.1.1.133 255.255.255.0
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
bridge-group 20 spanning-disabled
!
interface FastEthernet0.30
encapsulation dot1Q 30
ip address 30.1.1.133 255.255.255.0
no ip route-cache
bridge-group 30
no bridge-group 30 source-learning
bridge-group 30 spanning-disabled
!
interface BVI1
mac-address 003a.9889.6140
ip address 10.1.1.133 255.255.255.0
no ip route-cache
!
ip default-gateway 10.1.1.2
no ip http server
no ip http secure-server
ip http help-path http://www.google.com.au/
logging origin-id hostname
logging source-interface BVI1
logging 10.1.1.50
bridge 1 protocol ieee
bridge 1 route ip
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
length 512
width 100
history size 100
escape-character 3
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
terminal-type exit
length 0
width 250
history size 100
transport preferred ssh
transport input ssh
escape-character 3
line vty 5 15
exec-timeout 0 0
privilege level 15
logging synchronous
terminal-type exit
length 0
width 250
history size 100
transport preferred ssh
transport input ssh
escape-character 3
!
sntp server 150.203.1.10 version 3
sntp server 150.203.22.28 version 3
sntp server 192.231.203.2 version 3
sntp source-interface BVI1
end
AP1242#
My 5505 config:
5505-2# sh run
: Saved
:
: Serial Number: JMX1207Z0U4
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(4)33
!
hostname 5505-2
domain-name bde.local
enable password DYJXeMrCRONWOJ9M encrypted
passwd DYJXeMrCRONWOJ9M encrypted
names
!
interface Ethernet0/0
switchport access vlan 10
speed 100
duplex full
!
interface Ethernet0/1
switchport access vlan 10
speed 100
duplex full
!
interface Ethernet0/2
switchport access vlan 20
speed 100
duplex full
!
interface Ethernet0/3
switchport access vlan 20
speed 100
duplex full
!
interface Ethernet0/4
switchport access vlan 30
speed 100
duplex full
!
interface Ethernet0/5
! To Router
switchport access vlan 50
speed 100
duplex full
!
interface Ethernet0/6
switchport trunk allowed vlan 10,20
switchport mode trunk
!
interface Ethernet0/7
! To Access Point
switchport trunk allowed vlan 10,20,30
switchport trunk native vlan 10
switchport mode trunk
!
interface Vlan1
shutdown
no nameif
no security-level
no ip address
!
interface Vlan10
nameif inside
security-level 100
ip address 10.1.1.2 255.255.255.0
ipv6 address fe80::5505:2 link-local
ipv6 address 2001:aaaa:aaaa:3b10::5505:2/64
ipv6 enable
!
interface Vlan20
nameif wlan1
security-level 100
ip address 20.1.1.2 255.255.255.0
ipv6 address fe80::5505:2 link-local
ipv6 address 2001:aaaa:aaaa:3b20::5505:2/64
ipv6 enable
!
interface Vlan30
nameif wlan2
security-level 100
ip address 30.1.1.2 255.255.255.0
ipv6 address fe80::5505:2 link-local
ipv6 address 2001:aaaa:aaaa:3b30::5505:2/64
ipv6 enable
!
interface Vlan40
nameif spare
security-level 50
ip address 40.1.1.2 255.255.255.0
ipv6 address fe80::5505:2 link-local
ipv6 address 2001:aaaa:aaaa:3b40::5505:2/64
!
interface Vlan50
nameif outside
security-level 0
ip address 50.1.1.2 255.255.255.0
ipv6 address fe80::5505:2 link-local
ipv6 address 2001:aaaa:aaaa:3b50::5505:2/64
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.231.203.132
name-server 192.231.203.3
domain-name bde.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network dynnat.obj
range 50.1.1.10 50.1.1.254
object-group network inside_subnets.net.obj
network-object 10.1.1.0 255.255.255.0
network-object 20.1.1.0 255.255.255.0
network-object 30.1.1.0 255.255.255.0
no pager
logging enable
logging timestamp
logging trap notifications
logging device-id hostname
logging host inside 10.1.1.50
logging host inside 10.1.1.165
mtu inside 1500
mtu wlan1 1500
mtu wlan2 1500
mtu outside 1500
mtu spare 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) source dynamic inside_subnets.net.obj dynnat.obj
ipv6 route outside ::/0 2001:aaaa:aaaa:3b50::8873
route outside 0.0.0.0 0.0.0.0 50.1.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 1440
ssh stricthostkeycheck
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 10.1.1.100-10.1.1.179 inside
dhcpd dns 192.231.203.132 192.231.203.3 interface inside
dhcpd lease 28800 interface inside
dhcpd domain bde.local interface inside
dhcpd option 42 ip 150.203.1.10 150.203.22.28 interface inside
dhcpd option 3 ip 10.1.1.2 interface inside
dhcpd enable inside
!
dhcpd address 20.1.1.100-20.1.1.179 wlan1
dhcpd dns 192.231.203.132 192.231.203.3 interface wlan1
dhcpd lease 28800 interface wlan1
dhcpd domain bde.local interface wlan1
dhcpd option 42 ip 150.203.1.10 150.203.22.28 interface wlan1
dhcpd option 3 ip 20.1.1.2 interface wlan1
dhcpd enable wlan1
!
dhcpd address 30.1.1.100-30.1.1.179 wlan2
dhcpd dns 192.231.203.132 192.231.203.3 interface wlan2
dhcpd lease 28800 interface wlan2
dhcpd domain bde.local interface wlan2
dhcpd option 42 ip 150.203.1.10 150.203.22.28 interface wlan2
dhcpd option 3 ip 30.1.1.2 interface wlan2
dhcpd enable wlan2
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.231.203.2 source outside
ntp server 150.203.22.28 source outside
ntp server 150.203.1.10 source outside prefer
tftp-server inside 10.1.1.87 /
ssl encryption aes256-sha1
username _router_admin_ password wvNHwLlMi6o8FiqS encrypted privilege 15
!
!
prompt hostname context
Cryptochecksum:607f6d38bbcbc8c470ea23fada4b71a0
: end
5505-2#