Armed with a Cisco 877W or an Aironet AP, it would be good to have multiple SSIDs, each assigned to its own VLAN with its own WPA password.
The only restriction is that only one SSID can broadcast its name (guest-mode). In my application I have a “public” SSID with limited access and then additional ones which connect to other devices.
Define your SSIDs along with their VLANs etc.
dot11 ssid PUBLIC
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii PUBLICPASSWORD

dot11 ssid PRIVATE1
vlan 2
authentication open
authentication key-management wpa
wpa-psk ascii PRIVATEPASSWORD1

dot11 ssid PRIVATE2
vlan 3
authentication open
authentication key-management wpa
wpa-psk ascii PRIVATEPASSWORD2
Next, set up your radio interface.
interface Dot11Radio0
no ip address
no ip route-cache

encryption vlan 1 mode ciphers tkip
encryption vlan 2 mode ciphers tkip
encryption vlan 3 mode ciphers tkip

ssid PUBLIC
ssid PRIVATE1
ssid PRIVATE2

! you may wish to leave this at defaults
speed default
! you may wish to hard code this
channel least-congested
station-role root
rts threshold 2312
Now configure “integrated routing and bridging” which allows the L3 interfaces to be integrated with multiple bridged interfaces.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
bridge 3 protocol ieee
bridge 3 route ip
Now create the layer 2 radio sub-interfaces and join each one to its bridge group.
interface Dot11Radio0.1
no ip address
encapsulation dot1q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled

interface Dot11Radio0.2
no ip address
! tagged: only VLAN 1 is the native VLAN
encapsulation dot1q 2
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled

interface Dot11Radio0.3
no ip address
! tagged: only VLAN 1 is the native VLAN
encapsulation dot1q 3
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
bridge-group 3 spanning-disabled
Now, if you have an 877W and the VLANs exist, you just need to put the VLAN interfaces into the bridge groups.
interface Vlan1
no ip address
bridge-group 1

interface Vlan2
no ip address
bridge-group 2

interface Vlan3
no ip address
bridge-group 3
(or, if you have physical interfaces)
interface FastEthernet0/0.1
encapsulation dot1q 1 native
no ip address
bridge-group 1

interface FastEthernet0/0.2
encapsulation dot1q 2
no ip address
bridge-group 2

interface FastEthernet0/0.3
encapsulation dot1q 3
no ip address
! VLAN 3 belongs in bridge group 3
bridge-group 3
Now create the Layer 3 interfaces associated with the bridge groups.
interface BVI1
ip address 10.10.1.1 255.255.255.0

interface BVI2
ip address 10.10.2.1 255.255.255.0

interface BVI3
ip address 10.10.3.1 255.255.255.0
There is other, non-multi-SSID-specific config on this device which is outside the scope of this note, including for example creating the VLANs in the first place and also configuring connected devices.
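A consistency check for a configuration like the one above, as an added example that is not part of the original note: it flags more than one guest-mode SSID, an SSID VLAN with no encryption line on the radio, more than one native VLAN on one parent interface, and a sub-interface whose VLAN ID differs from its bridge-group number. The function names and the sample config are constructed for illustration, and the rule that VLAN ID equals bridge-group number is this note's numbering convention, not an IOS requirement.

```python
import re
from collections import defaultdict

# Constructed sample with deliberate mistakes (not the config from the note).
SAMPLE = "\n".join([
    "dot11 ssid PUBLIC", "vlan 1", "guest-mode",
    "dot11 ssid PRIVATE1", "vlan 2", "guest-mode",
    "interface Dot11Radio0", "encryption vlan 1 mode ciphers tkip",
    "interface Dot11Radio0.1", "encapsulation dot1q 1 native", "bridge-group 1",
    "interface Dot11Radio0.2", "encapsulation dot1q 2 native", "bridge-group 1",
])

def stanzas(text):
    # Group a flat (unindented) config into (header, [sub-commands]) pairs.
    out = []
    for line in map(str.strip, text.splitlines()):
        if re.match(r"(dot11 ssid|interface|bridge) ", line):
            out.append((line, []))
        elif line and not line.startswith("!") and out:
            out[-1][1].append(line)
    return out

def lint(text):
    guest, ssid_vlans, enc_vlans, problems = [], set(), set(), []
    natives = defaultdict(list)
    for head, body in stanzas(text):
        joined = "\n".join(body)
        if head.startswith("dot11 ssid "):
            ssid_vlans.update(re.findall(r"^vlan (\d+)$", joined, re.M))
            if "guest-mode" in body:
                guest.append(head.split()[-1])
        elif head.startswith("interface "):
            name = head.split()[1]
            enc_vlans.update(re.findall(r"^encryption vlan (\d+) ", joined, re.M))
            tag = re.search(r"^encapsulation dot1q (\d+)( native)?$", joined, re.M | re.I)
            grp = set(re.findall(r"^bridge-group (\d+)$", joined, re.M))
            if tag and tag.group(2):
                natives[name.split(".")[0]].append(name)
            if tag and grp and grp != {tag.group(1)}:
                problems.append(f"{name}: VLAN {tag.group(1)} bridged into group {min(grp)}")
    if len(guest) > 1:
        problems.append("guest-mode on more than one SSID: " + ", ".join(guest))
    problems += [f"SSID VLAN {v} has no encryption line" for v in sorted(ssid_vlans - enc_vlans)]
    problems += [f"{p}: more than one native VLAN" for p, n in natives.items() if len(n) > 1]
    return problems

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```
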
Good luck
Mick