N.B. The Cisco AP1141 access point will be end of life very soon
I had a scenario recently where I had to set up one of these access points to service three different SSIDs with one VLAN per SSID, with two SSIDs using WPA Personal and the third unencrypted.
Each SSID/VLAN was on a subnet with a DHCP server, so I did not need to use DHCP pools or DHCP relay on the access point.
Here's the config I came up with (I'm skipping the non-relevant configuration). Note that the single gigabit interface on this access point was plugged into a trunk port on a Dell PowerConnect 3448P PoE switch, with VLAN 501 set as the native VLAN (switchport trunk native vlan 501).
SSID1 = myssid1 running on VLAN 501 (bridge group 1)
SSID2 = myssid2 running on VLAN 601 (bridge group 60)
SSID3 = myssid3 running on VLAN 701 (bridge group 70)
! Build the first SSID on VLAN 501 (WPA Personal)
dot11 ssid myssid1
 vlan 501
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 ! 'ascii 0' means the pre-shared key is typed in clear text
 wpa-psk ascii 0 myReallyComplexKeyHere
!
! SSID 2 on VLAN 601 - this SSID has no encryption
dot11 ssid myssid2
 vlan 601
 authentication open
 mbssid guest-mode
!
! SSID 3 on VLAN 701 (WPA Personal)
dot11 ssid myssid3
 vlan 701
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 0 myReallyReallyComplexKey
!
! The radio: one cipher suite per encrypted VLAN (the open VLAN 601 gets none),
! then bind all three SSIDs to it
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 501 mode ciphers aes-ccm
 !
 encryption vlan 701 mode ciphers aes-ccm
 !
 ssid myssid1
 !
 ssid myssid2
 !
 ssid myssid3
 !
 antenna gain 0
 ! We need to broadcast multiple SSIDs
 mbssid
 station-role root
!
! now the radio subinterfaces - remember that VLAN 501 is the native VLAN on the
! trunk port on the switch
interface Dot11Radio0.501
 encapsulation dot1Q 501 native
 no ip route-cache
 bridge-group 1
!
interface Dot11Radio0.601
 encapsulation dot1Q 601
 no ip route-cache
 bridge-group 60
!
interface Dot11Radio0.701
 encapsulation dot1Q 701
 no ip route-cache
 bridge-group 70
!
! remember, no IP for the actual ethernet interface. Save the IP for the BVI interface
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive
!
! here's our native VLAN 501, untagged - myssid1
interface GigabitEthernet0.501
 encapsulation dot1Q 501 native
 no ip route-cache
 bridge-group 1
!
! and here is myssid2
interface GigabitEthernet0.601
 encapsulation dot1Q 601
 no ip route-cache
 bridge-group 60
!
! and now, myssid3
interface GigabitEthernet0.701
 encapsulation dot1Q 701
 no ip route-cache
 bridge-group 70
!
! Now, we set the management address (BVI1 sits on bridge group 1, i.e. VLAN 501,
! so the AP is managed from the native VLAN):
interface BVI1
 ip address 10.1.1.240 255.255.255.0
 no shut
That's basically it. I highly recommend testing by isolating this on a stand-alone switch. Plug a DHCP server into another port in access mode, switch that port between the VLANs, and see if your wireless devices get a DHCP address. Of course, you may want to enable more complex authentication methods.
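The wiring above is easy to get subtly wrong on a longer config: a WPA SSID whose VLAN has no "encryption vlan" line on the radio will not come up, a VLAN with a radio subinterface but no matching Gigabit subinterface goes nowhere, and two subinterfaces dropped into the same bridge group quietly bridge the open SSID's VLAN into a protected one. As an added example (my own script, not part of the original post and not a Cisco tool), here is a small Python checker that parses a config in the shape shown above and reports exactly those three mistakes. The two embedded configs are constructed: an abbreviated copy of the post's config, and a broken variant that drops the VLAN 701 cipher line and puts GigabitEthernet0.701 into bridge group 60.

```python
import re
from collections import defaultdict

# Constructed, abbreviated copy of the post's config: just the lines the check needs.
GOOD_CONFIG = """\
dot11 ssid myssid1
 vlan 501
 authentication key-management wpa
dot11 ssid myssid2
 vlan 601
 authentication open
dot11 ssid myssid3
 vlan 701
 authentication key-management wpa
interface Dot11Radio0
 encryption vlan 501 mode ciphers aes-ccm
 encryption vlan 701 mode ciphers aes-ccm
interface Dot11Radio0.501
 bridge-group 1
interface Dot11Radio0.601
 bridge-group 60
interface Dot11Radio0.701
 bridge-group 70
interface GigabitEthernet0.501
 bridge-group 1
interface GigabitEthernet0.601
 bridge-group 60
interface GigabitEthernet0.701
 bridge-group 70
"""
# Constructed faulty variant: VLAN 701 loses its cipher line, and its wired
# subinterface lands in bridge group 60, the open SSID's group.
BAD_CONFIG = GOOD_CONFIG.replace(" encryption vlan 701 mode ciphers aes-ccm\n", "").replace(
    "GigabitEthernet0.701\n bridge-group 70", "GigabitEthernet0.701\n bridge-group 60")

SUBIF = re.compile(r"interface (\S+)\.(\d+)$")  # e.g. interface Dot11Radio0.501


def parse(config):
    # Returns ssids, the VLANs with a cipher on the radio, and {(interface, vlan): bridge group}.
    ssids, enc_vlans, subifs = {}, set(), {}
    block = ""
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line opens a new block
            block = line
            if block.startswith("dot11 ssid "):
                ssids[block.split()[2]] = {"vlan": None, "wpa": False}
            elif m := SUBIF.match(block):
                subifs[(m.group(1), int(m.group(2)))] = None  # no bridge-group seen yet
        elif block.startswith("dot11 ssid "):
            name = block.split()[2]
            if line.startswith("vlan "):
                ssids[name]["vlan"] = int(line.split()[1])
            elif line.startswith("authentication key-management wpa"):
                ssids[name]["wpa"] = True
        elif block == "interface Dot11Radio0":
            if m := re.match(r"encryption vlan (\d+) mode", line):
                enc_vlans.add(int(m.group(1)))
        elif (m := SUBIF.match(block)) and line.startswith("bridge-group "):
            subifs[(m.group(1), int(m.group(2)))] = int(line.split()[1])
    return ssids, enc_vlans, subifs


def check(config):
    # Lists wiring problems; an empty list means the config is consistent.
    ssids, enc_vlans, subifs = parse(config)
    problems = []
    for name, s in ssids.items():
        vlan = s["vlan"]
        if vlan is None:
            problems.append(f"{name}: no vlan assigned")
            continue
        if s["wpa"] and vlan not in enc_vlans:
            problems.append(f"{name}: WPA but no 'encryption vlan {vlan}' on Dot11Radio0")
        radio = subifs.get(("Dot11Radio0", vlan))
        wired = subifs.get(("GigabitEthernet0", vlan))
        if radio is None or wired is None:
            problems.append(f"{name}: VLAN {vlan} needs radio and wired subinterfaces with a bridge-group")
        elif radio != wired:
            problems.append(f"{name}: VLAN {vlan} bridge-group mismatch (radio {radio}, wired {wired})")
    groups = defaultdict(set)  # bridge group -> VLANs bridged into it
    for (_, vlan), group in subifs.items():
        if group is not None:
            groups[group].add(vlan)
    for group, vlans in sorted(groups.items()):
        if len(vlans) > 1:
            problems.append(f"bridge-group {group} joins VLANs {sorted(vlans)}: they are no longer isolated")
    return problems


if __name__ == "__main__":
    for label, cfg in (("post config", GOOD_CONFIG), ("broken variant", BAD_CONFIG)):
        print(label, "->", check(cfg) or "consistent")
```

Run it against a copy of "show running-config" saved to a file (read the file and pass its contents to check) before plugging the AP into the production trunk; the "no longer isolated" finding is the one worth treating as a blocker, since it means the unencrypted SSID's clients would have layer-2 reach into a VLAN the post intends to keep separate.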