Tuesday, September 24, 2013

Cisco AP1141N (Aironet 1140 series) Access Point With 3 SSIDs and VLANs

N.B. The Cisco AP1141 access point will reach end of life very soon.

I had a scenario recently where I had to set up one of these access points to service three different SSIDs with one VLAN per SSID, with two SSIDs using WPA Personal and the third unencrypted.
Each SSID/VLAN was on a subnet with a DHCP server, so I did not need to use DHCP pools or DHCP relay on the access point.

Here's the config I came up with (I'm skipping the non-relevant configuration). Note that the single gigabit interface on this access point was plugged into a Dell PowerConnect 3448P PoE switch on a trunk port with VLAN 501 set as the native VLAN (switchport trunk native vlan 501).

SSID1 = myssid1 running on VLAN 501 (bridge group 1)
SSID2 = myssid2 running on VLAN 601 (bridge group 60)
SSID3 = myssid3 running on VLAN 701 (bridge group 70)

! Build the first SSID on VLAN 501
dot11 ssid myssid1
   vlan 501
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 0 myReallyComplexKeyHere
!
! SSID 2 - this SSID has no encryption
dot11 ssid myssid2
   vlan 601
   authentication open
   mbssid guest-mode
!
dot11 ssid myssid3
   vlan 701
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 0 myReallyReallyComplexKey
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 501 mode ciphers aes-ccm
 !
 encryption vlan 701 mode ciphers aes-ccm
 !
 ssid myssid1
 !
 ssid myssid2
 !
 ssid myssid3
 !
 antenna gain 0
 !
 ! We need to broadcast multiple SSIDs
 mbssid
 station-role root


! now the interfaces, remember that VLAN 501 is the native VLAN on the trunk port on
! the switch

interface Dot11Radio0.501
 encapsulation dot1Q 501 native
 no ip route-cache
 bridge-group 1
!
interface Dot11Radio0.601
 encapsulation dot1Q 601
 no ip route-cache
 bridge-group 60
!
interface Dot11Radio0.701
 encapsulation dot1Q 701
 no ip route-cache
 bridge-group 70

! remember, no IP for the actual ethernet interface. Save the IP for the BVI interface
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive

! here's our native VLAN 501, untagged - myssid1
interface GigabitEthernet0.501
 encapsulation dot1Q 501 native
 no ip route-cache
 bridge-group 1
! and here is myssid2
interface GigabitEthernet0.601
 encapsulation dot1Q 601
 no ip route-cache
 bridge-group 60
! and now, myssid3
interface GigabitEthernet0.701
 encapsulation dot1Q 701
 no ip route-cache
 bridge-group 70

! Now, we set the management address:

interface BVI1
 ip address 10.1.1.240 255.255.255.0
 no shutdown


That's basically it. I highly recommend testing by isolating this on a stand-alone switch: plug a DHCP server into another port in access mode, switch that port between the three VLANs, and see whether your wireless devices on the corresponding SSID get a DHCP address. Of course, you may want to enable more complex authentication methods.
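As an added example (not part of the original post), here is a small Python checker for a config in the style above: it reports SSIDs without WPA, WPA SSIDs whose VLAN has no aes-ccm cipher on the radio, and VLANs whose Dot11Radio0 and GigabitEthernet0 subinterfaces do not share one bridge group. The config text it parses is constructed here and deliberately broken in two places; the function names are mine.

```python
# Constructed sample in the page's style, trimmed to what the checker reads: two
# SSIDs (one open), no Ethernet side for VLAN 501, VLAN 601 bridge groups mismatched.
SAMPLE = """\
dot11 ssid myssid1
 vlan 501
 authentication key-management wpa
dot11 ssid myssid2
 vlan 601
interface Dot11Radio0
 encryption vlan 501 mode ciphers aes-ccm
interface Dot11Radio0.501
 encapsulation dot1Q 501 native
 bridge-group 1
interface Dot11Radio0.601
 encapsulation dot1Q 601
 bridge-group 60
interface GigabitEthernet0.601
 encapsulation dot1Q 601
 bridge-group 6
"""

def parse_blocks(cfg):
    # Group an IOS-style config into {top-level line: [indented sub-lines]}.
    blocks, cur = {}, []
    for line in filter(str.strip, cfg.splitlines()):
        if line.startswith(" "):
            cur.append(line.strip())
        elif not line.startswith("!"):
            cur = blocks.setdefault(line, [])
    return blocks

def audit(cfg):
    # Per SSID: WPA with an aes-ccm cipher for its VLAN, and both subinterfaces in one bridge group.
    b, out = parse_blocks(cfg), []
    radio = b.get("interface Dot11Radio0", [])
    for hdr, body in b.items():
        if not hdr.startswith("dot11 ssid "):
            continue
        ssid = hdr.split()[2]
        vlan = next((l.split()[1] for l in body if l.startswith("vlan ")), "?")
        if "authentication key-management wpa" not in body:
            out.append(f"{ssid}: open SSID, no WPA (VLAN {vlan})")
        elif f"encryption vlan {vlan} mode ciphers aes-ccm" not in radio:
            out.append(f"{ssid}: WPA set but no aes-ccm cipher for VLAN {vlan}")
        groups = {next((l for l in b.get(f"interface {side}.{vlan}", [])
                        if l.startswith("bridge-group ")), f"missing {side}.{vlan}")
                  for side in ("Dot11Radio0", "GigabitEthernet0")}
        if len(groups) > 1:
            out.append(f"{ssid}: VLAN {vlan} bridging inconsistent: {sorted(groups)}")
    return sorted(out)
```

Run `audit(SAMPLE)` to get the findings; on the sample it returns three (the missing GigabitEthernet0.501, the open myssid2, and the 6 vs 60 bridge-group mismatch), and running it on your own `show running-config` output works the same way.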

