Cisco Multiple SSID assigned to VLAN

Armed with a Cisco 877W or an Aironet AP, it would be good to have multiple SSIDs, each assigned to its own VLAN with its own WPA password.

The only restriction is that only one SSID can broadcast its name (guest-mode). In my application I have a “public” SSID with limited access and then additional ones which connect to other devices.

Define your SSIDs along with their VLANs and WPA pre-shared keys.

dot11 ssid PUBLIC
  vlan 1
  authentication open
  authentication key-management wpa
  wpa-psk ascii PUBLICPASSWORD

dot11 ssid PRIVATE1
  vlan 2
  authentication open
  authentication key-management wpa
  wpa-psk ascii PRIVATEPASSWORD1

dot11 ssid PRIVATE2
  vlan 3
  authentication open
  authentication key-management wpa
  wpa-psk ascii PRIVATEPASSWORD2

Next, set up the radio interface.

interface Dot11Radio0
  no ip address
  no ip route-cache

  encryption vlan 1 mode ciphers tkip
  encryption vlan 2 mode ciphers tkip
  encryption vlan 3 mode ciphers tkip

  ssid PUBLIC
  ssid PRIVATE1
  ssid PRIVATE2

  speed default               ! you may wish to leave this at the default
  channel least-congested     ! you may wish to hard code this
  station-role root
  rts threshold 2312

Now enable “integrated routing and bridging” (IRB), which lets a Layer 3 BVI interface be associated with a bridge group made up of multiple bridged Layer 2 interfaces.

bridge irb

bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
bridge 3 protocol ieee
bridge 3 route ip

Now create the Layer 2 radio subinterfaces, one per VLAN, and join each to its bridge group.

interface Dot11Radio0.1
  no ip address
  encapsulation dot1q 1 native
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled

interface Dot11Radio0.2
  no ip address
  encapsulation dot1q 2 native
  bridge-group 2
  bridge-group 2 subscriber-loop-control
  bridge-group 2 block-unknown-source
  no bridge-group 2 source-learning
  no bridge-group 2 unicast-flooding
  bridge-group 2 spanning-disabled

interface Dot11Radio0.3
  no ip address
  encapsulation dot1q 3 native
  bridge-group 3
  bridge-group 3 subscriber-loop-control
  bridge-group 3 block-unknown-source
  no bridge-group 3 source-learning
  no bridge-group 3 unicast-flooding
  bridge-group 3 spanning-disabled

Now, if you have an 877W and the VLANs already exist, you just need to put the VLAN interfaces into the bridge groups.

interface Vlan1
  no ip address
  bridge-group 1

interface Vlan2
  no ip address
  bridge-group 2

interface Vlan3
  no ip address
  bridge-group 3

(or, if you have physical interfaces instead)

interface FastEthernet0/0.1
  encapsulation dot1q 1 native
  no ip address
  bridge-group 1

interface FastEthernet0/0.2
  encapsulation dot1q 2
  no ip address
  bridge-group 2

interface FastEthernet0/0.3
  encapsulation dot1q 3
  no ip address
  bridge-group 3

Now create the Layer 3 BVI interface associated with each bridge group.

interface BVI1
  ip address

interface BVI2
  ip address

interface BVI3
  ip address

There is other configuration on this device that is not specific to multi-SSID and is outside the scope of this note, for example creating the VLANs in the first place and configuring the connected devices.

Good luck


Cisco V3PN & QoS on ADSL UK for VoIP

SoHo workers now share their lines with other PCs in the house. The following is a config snippet from my router to provide some protection for my VoIP and business traffic.

! policy and classes to mark local incoming traffic
! whilst QoS pre-classify should be used I have found it
! unreliable on certain IOS releases.  Also this allows us
! to be more specific about how we want to handle our traffic.
class-map match-all BIZAPPS1_VLAN1
 match access-group name BIZAPPS1    ! an acl to match biz apps
class-map match-all BIZAPPS2_VLAN1
 match access-group name BIZAPPS2    ! an acl to match biz apps
class-map match-all SCAVENGER_VLAN1
 match access-group name SCAVENGER   ! low priority stuff
policy-map VLAN1
 class BIZAPPS1_VLAN1
  set dscp af21                      ! low drop probability
 class BIZAPPS2_VLAN1
  set dscp af22                      ! med drop probability
 class SCAVENGER_VLAN1
  set dscp cs1
! Policy and classes for the outbound connection
class-map match-all BIZAPPS
 match  dscp cs2  af21  af22  af23   ! all business apps
class-map match-any VOICE_SIG
 match  dscp cs3                     ! new dscp value for signalling
 match  dscp af31                    ! old dscp value for signalling
class-map match-all SCAVENGER
 match  dscp cs1                     ! unwanted traffic
class-map match-any IPCONTROL
 match  dscp cs6                     ! routing protocols etc
class-map match-all VOICE_RTP
 match  dscp ef                      ! voice packets
! Based on using no more than 30% for voice traffic this policy
! is enough for two voice calls (52k). DSL has a fixed uplink speed
! so I have used percentages to make carving up easier. Where a pipe
! is likely to have speed changes it might be easier to use
! absolute 'bandwidth' statements to simplify calculations.
! NB: You cannot mix absolute and percentages in the same
! policy-map so decide up front what you are going to use.
policy-map V3PNWAN
 class VOICE_RTP
  priority 52 5348            ! 52k for 2 voice calls
 class VOICE_SIG
  bandwidth percent 5         ! 5% for call control traffic
 class IPCONTROL
  bandwidth percent 5         ! 5% for routing protocols etc
 class BIZAPPS
  bandwidth percent 30        ! 30% for business apps
 class SCAVENGER
  bandwidth percent 1         ! limit scavenger to 1%
 class class-default
! The device snippets are just enough info to show how the
! policies are applied and any other relevant settings.
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
interface ATM0.1 point-to-point
 bandwidth 384                   ! your upstream speed
 pvc 0/38
  vbr-nrt 384 384                ! your upstream speed
  tx-ring-limit 3                ! tx-ring set to 3
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 service-policy out V3PNWAN      ! associate to phys interface
interface Dialer0
 ip tcp adjust-mss 542           ! make tcp packets much smaller
interface Tunnel0
 qos pre-classify                ! allow acls based on pre-encrypted data
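To see what the marking and queueing above actually commit, here is an added Python example (not the post's code) that parses class-maps and policy-maps from a constructed config modelled on the one above, maps each DSCP value the ingress policy sets to the WAN class that will queue it, and totals the reservations in kbps. It assumes the link speed is the 384 kbps `bandwidth` figure above and the IOS default of 75% reservable bandwidth. The constructed VIDEO_VLAN1 class marks cs4, which no WAN class matches, so the check shows it dropping into class-default.

```python
"""Budget and classification check for a Cisco IOS MQC policy such as the V3PN
one above. Added example, not the post's own code. It parses class-maps and
policy-maps from a constructed config, reports which DSCP value set on ingress
reaches which named WAN class (anything unmatched lands in class-default), and
totals the reservations in kbps against the default 75% reservable share."""
import re

LINK_KBPS = 384         # assumption: the 'bandwidth 384' upstream figure above
MAX_RESERVABLE = 0.75   # IOS default max-reserved-bandwidth

# Constructed sample. The ACL-based ingress class-maps are omitted because only
# DSCP matches matter here; VIDEO_VLAN1 marks cs4, which no WAN class matches.
SAMPLE_CONFIG = """\
policy-map VLAN1
 class BIZAPPS1_VLAN1
  set dscp af21
 class VIDEO_VLAN1
  set dscp cs4
 class SCAVENGER_VLAN1
  set dscp cs1
class-map match-all BIZAPPS
 match dscp cs2 af21 af22 af23
class-map match-any VOICE_SIG
 match dscp cs3
 match dscp af31
class-map match-all SCAVENGER
 match dscp cs1
class-map match-all VOICE_RTP
 match dscp ef
policy-map V3PNWAN
 class VOICE_RTP
  priority 52 5348
 class VOICE_SIG
  bandwidth percent 5
 class BIZAPPS
  bandwidth percent 30
 class SCAVENGER
  bandwidth percent 1
 class class-default
"""


def parse_config(text):
    """Return ({class-map: set(dscp)}, {policy-map: {class: [actions]}}), relying
    on the one-space / two-space nesting that 'show run' emits."""
    class_maps, policy_maps = {}, {}
    cur_cm = cur_pm = cur_class = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:
            cur_cm = cur_pm = cur_class = None
            cm = re.fullmatch(r"class-map (?:match-all|match-any) (\S+)", line)
            pm = re.fullmatch(r"policy-map (\S+)", line)
            if cm:
                cur_cm = class_maps.setdefault(cm.group(1), set())
            elif pm:
                cur_pm = policy_maps.setdefault(pm.group(1), {})
        elif indent == 1 and cur_cm is not None:
            d = re.fullmatch(r"match (?:ip )?dscp (.+)", line)
            if d:
                cur_cm.update(d.group(1).split())
        elif indent == 1 and cur_pm is not None:
            c = re.fullmatch(r"class (\S+)", line)
            cur_class = cur_pm.setdefault(c.group(1), []) if c else None
        elif cur_class is not None:
            cur_class.append(line)
    return class_maps, policy_maps


def ingress_to_egress(class_maps, policy_maps, ingress, egress):
    """Map each DSCP set by the ingress policy to the egress class it hits.
    Classes are tried in policy-map order, as IOS does; first match wins."""
    result = {}
    for actions in policy_maps[ingress].values():
        for act in actions:
            s = re.fullmatch(r"set dscp (\S+)", act)
            if s:
                dscp = s.group(1)
                hits = [c for c in policy_maps[egress] if dscp in class_maps.get(c, ())]
                result[dscp] = hits[0] if hits else "class-default"
    return result


def budget(policy_maps, policy, link_kbps=LINK_KBPS, max_share=MAX_RESERVABLE):
    """Return (kbps per class, total kbps, whether within the reservable share)."""
    per_class = {}
    for cls, actions in policy_maps[policy].items():
        for act in actions:
            p = re.fullmatch(r"priority (\d+)(?: \d+)?", act)      # kbps [burst]
            a = re.fullmatch(r"bandwidth (\d+)", act)               # absolute kbps
            b = re.fullmatch(r"bandwidth percent (\d+)", act)       # share of link
            if p or a:
                per_class[cls] = int((p or a).group(1))
            elif b:
                per_class[cls] = link_kbps * int(b.group(1)) / 100
    total = sum(per_class.values())
    return per_class, total, total <= link_kbps * max_share
```

Anything that lands in class-default has no guarantee, so every DSCP the ingress policy sets should have a WAN class to fall into. The total from `budget()` (about half of the 384 kbps link for the sample) is the figure to compare against what the priority and bandwidth lines are meant to protect; run it again with a smaller `link_kbps` to see the same policy blow through the 75% limit.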

Good luck


CCIE R&S Lab Passed #20394

Just a quick note to say I passed my CCIE R&S lab on 31st March 2008. I am now #20394.

After spending time with a number of other suppliers I eventually started using the study materials from Internetwork Expert. The ethos with this company is that you need to first know your subject. Then you need to practise till you could almost write the configs in your sleep. I completed their three workbooks and then redid workbook two over and over again. Whilst I know that once you’ve already done a workbook lab you know the answers, the answers given are deliberately vague, which means you have the option to solve the problems in different ways each time. Which means that you get to learn more each time you complete the tasks. Furthermore, you get faster at it.

When I first started out doing my CCIE R&S I rented rack space from remote vendors. Well, if the budget is there I would strongly recommend building your own. Two reasons for this. Firstly, the experience of building up the lab from scratch, which helps you understand more as you build the backbones. And secondly, you can leave a task unfinished, get the badly needed sleep and get back on the horse. When using remote kit, quite often, unless you were to save your configs when you finished (which might not necessarily be that easy to do due to time constraints), you have to start from the beginning each time.

Another tip is to get into the habit of writing config in a text editor; notepad for example. This also gets you out of the habit of using the question mark key.

I have attached photos of my lab kit.