Armed with a Cisco 877W or an AironetAP it would be good to have multiple SSID’s assigned to their own VLAN’s with their own WPA passwords.
The only restriction is that only one SSID can broadcast it’s name (guest-mode). In my application I have a “public” SSID with limited access and then addition ones which connect to other devices.
Define your SSID’s along with their vlans etc.
dot11 ssid PUBLIC vlan 1 authentication open authentication key-management wpa guest-mode wpa-psk ascii PUBLICPASSWORD dot11 ssid PRIVATE1 vlan 2 authentication open authentication key-management wpa wpa-psk ascii PRIVATEPASSWORD1 dot11 ssid PRIVATE2 vlan 3 authentication open authentication key-management wpa wpa-psk ascii PRIVATEPASSWORD2
Next setup your radio interface
interface Dot11Radio0 no ip address no ip route-cache encryption vlan 1 mode ciphers tkip encryption vlan 2 mode ciphers tkip encryption vlan 3 mode cipthers tkip ssid PUBLIC ssid PRIVATE1 ssid PRIVATE2 speed default (you may wish to leave this at defaults) channel least-congested (you may wish to hard code this) station-role root rts threshold 2312
Now configure “integrated routing and bridging” which allows the L3 interfaces to be integrated with multiple bridged interfaces.
bridge irb bridge 1 protocol ieee bridge 1 route ip bridge 2 protocol ieee bridge 2 route ip bridge 3 protocol ieee bridge 3 route ip
Now join the create layer 2 radio interfaces in each bridge group.
interface Dot11Radio0.1 no ip address encapsulation dot1q 1 native bridge-group 1 bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding bridge-group 1 spanning-disabled interface Dot11Radio0.2 no ip address encapsulation dot1q 2 native bridge-group 2 bridge-group 2 bridge-group 2 subscriber-loop-control bridge-group 2 block-unknown-source no bridge-group 2 source-learning no bridge-group 2 unicast-flooding bridge-group 2 spanning-disabled interface Dot11Radio0.3 no ip address encapsulation dot1q 3 native bridge-group 3 bridge-group 3 bridge-group 3 subscriber-loop-control bridge-group 3 block-unknown-source no bridge-group 3 source-learning no bridge-group 3 unicast-flooding bridge-group 3 spanning-disabled
Now if you have an 877W and the vlans exist then you just need to put the VLAN interfaces intot the bridge groups.
interface Vlan1 no ip address bridge-group 1 interface Vlan2 no ip address bridge-group 2 interface Vlan3 no ip address bridge-group 3
(or if you have you have physical interfaces)
interface FastEthernet0/0.1 encapsulation dot1q 1 native no ip address bridge-group 1 interface FastEthernet0/0.2 encapsulation dot1q 2 no ip address bridge-group 2 interface FastEthernet0/0.3 encapsulation dot1q 3 no ip address bridge-group 1
Now create the Layer3 interface associated with the bridge groups.
interface BVI1 ip address 10.10.1.1 255.255.255.0 interface BVI2 ip address 10.10.2.1 255.255.255.0 interface BVI3 ip address 10.10.3.1 255.255.255.0
The is other non multi-SSID specific config on this device which is outside the scope of the note. Including for example creating the VLAN’s in the first place an also configuring connected devices.