Dual SSIDs

[MulLa]

Hi All,

I'm trying to configure 2 seperate SSIDs on my Aironet 1200 as some clients are unable to support RAIDUS authentication. I'm planning to create 2x SSIDs with 2 seperate VLANs and have the non-RAIDUS VLAN only having access to the internet (since that's all they need).

Not too sure what port I should set on the switch port that the access point is going into? When I sent it as an access port in the native VLAN it seemed to work alright. By that I mean the native VLAN worked fine (haven't tested the second VLAN as yet). When I turn it into a trunk so I can carry both VLANs everything stopped working.

Any idea on how I should setup the switch port?


Thanks in advance!

 

[spidey07]

set it up as a dot1q trunk port.

You also need to create the vlans on the AP - this is done with sub interfaces on the dot11radio interface and on the fast ethernet interface. Then you use the vlan command under the ssid defintion to assign the ssid to a wireless vlan. It's pretty straight forward actually.

 

[jlazzaro]

your going to need to dot1q the port connected to the ap, define the native vlan (ie untagged) and tagged vlans on both the ap and the switch.

interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 306
switchport trunk allowed vlan 1,305,306,1002-1005
switchport mode trunk
end

post your config...

 

[MulLa]

Thanks for the quick response!

Looks like it seemed to be working. Seemed that I've forgotten to set the native vlan on the switch port that's connected to the AP. Since the switch itself have a different native vlan I'm guess that's why it didn't work?

Below is my config that I think is relevant to confirm that I've done it correctly. Now it's time to configure that VLAN router!!!

Catalyst 2950 (only supports dot1q)
interface FastEthernet0/22
switchport trunk native vlan 120
switchport mode trunk
spanning-tree portfast
spanning-tree bpduguard enable

Aironet 1200
interface Dot11Radio0.120
encapsulation dot1Q 120 native
no ip route-cache
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.130
encapsulation dot1Q 130
no ip route-cache
bridge-group 130
bridge-group 130 subscriber-loop-control
bridge-group 130 block-unknown-source
no bridge-group 130 source-learning
no bridge-group 130 unicast-flooding
bridge-group 130 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
hold-queue 160 in
!
interface FastEthernet0.120
encapsulation dot1Q 120 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.130
encapsulation dot1Q 130
no ip route-cache
bridge-group 130
no bridge-group 130 source-learning
bridge-group 130 spanning-disabled


thanks once again!!

 

[Cooky]

The config looks good, although I'm not sure why you and jlazzaro want to use native VLAN.
As long as the vlan's are configured on both AP and trunk port, they should be fine.

 

[nweaver]

Originally posted by: Cooky
The config looks good, although I'm not sure why you and jlazzaro want to use native VLAN.
As long as the vlan's are configured on both AP and trunk port, they should be fine.

actually, they arn't....those ap's have funky dot1q trunk support, you have to meke sure the native vlan is vlan1, or they freak out (or did, a few months ago)

 

[MulLa]

Hm... My wireless PCs which are on VLAN120 seemed to loose connection if I don't assign as the native on the AP. I've gone through various Cisco docs which suggest that native VLAN isn't necessary in this situation. Maybe I'll look into this once I get the "less secured" clients up and running first.

Thanks everyone for your help. I'll be back if I'm stuck again

 

[Cooky]

Thanks for pointing that out...we never use native VLAN so I had no idea...for large rollouts we use 4400 controllers so we don't have to worry about it anyway.

 

[spidey07]

Your BVI interface should be in the native VLAN. That causes people confusion sometimes.

 

[MulLa]

Originally posted by: spidey07
Your BVI interface should be in the native VLAN. That causes people confusion sometimes.

Hm... That might explain why I must set VLAN120 as the native in the AP as the BVI interface is in VLAN120.

Since I'm still a n00b I have another question. Does the native VLAN for the AP have to match the native VLAN on the switch? If they do what if I don't want my wired native VLAN propergated to the wireless network?

Thanks.

 

[spidey07]

You lost me.

The BVI has to be in the native VLAN - this is for the control plane traffic. From there your wireless VLANs are just tagged.

I thought something funny was off on your config...your .120 subinterface is in bridge group 1. the native VLAN is for management only - not wireless vlans. This comes into play when you are doing multicasting and other intricate VLAN features.

If you want to see what is going on "show bridge" will help. Remember, the AP is nothing more than a bridge - treat it as such.