


Date: 29.01.2017

Multiple SSID Configurations

C887VA-W-A-K9




Hannah Lee

7/17/2012



Abstract: Set up Guest and Office SSIDs on separate VLANs, allowing both VLANs to access the Internet but denying Guest access to the Office VLAN. ADSL is set up on the router for Internet access.


Table of Contents

Network Diagram
Configuring the Cisco Router End
Configuring VLAN Interfaces
Troubleshooting
Configuring DHCP
Configuring Interfaces
Configuring Wireless Interfaces
Configuring ADSL interface
IP NAT
Default Route
Access List
Dialer Overload
VTY Access
Restrict Wireless Guest Access
VTY line access
Configuring Access Point
Configuring the SSID
bridge irb
Configuring the Dot11Radio0 interface
Configuring the Dot11Radio0 sub-interfaces
Configuring AP GigabitEthernet0, Sub-interfaces
Configuring BVI Interface
Reset Router 887 Access Point
Import configuration files
References



Network Diagram





Configuring the Cisco Router End

Configuring VLAN Interfaces


interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$

ip address 10.199.199.1 255.255.255.248

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1412

!

interface Vlan2



description $FW_INSIDE$

ip address 192.168.89.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1412

!

interface Vlan3



description Wireless Guest-SB

ip address 172.16.18.1 255.255.255.0

ip access-group 113 in

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1412

!

I changed the default IP for VLAN1 from 10.10.10.1 to 10.199.199.1 for security purposes.


Troubleshooting:


To ensure VLAN 2 is created, we suggest you configure one of the router's FastEthernet interfaces so that it is assigned to VLAN 2. This will force the router to create VLAN 2 in its VLAN database:


R1-887W(config)# interface FastEthernet3

R1-887W(config-if)# switchport access VLAN 2


Once the switchport access VLAN 2 command is given, the router will automatically create VLAN 2 if it does not exist. Below is the output to expect when this happens:

% Access VLAN does not exist. Creating VLAN 2

Run show ip int brief to check: the VLAN interface status should now be Protocol UP.



Configuring DHCP


ip dhcp excluded-address 192.168.89.1 192.168.89.64

ip dhcp excluded-address 192.168.89.251 192.168.89.254

ip dhcp excluded-address 172.16.18.1 172.16.18.10

!

ip dhcp pool Office



import all

network 192.168.89.0 255.255.255.0

default-router 192.168.89.1

!

ip dhcp pool Guest



network 172.16.18.0 255.255.255.0

default-router 172.16.18.1

!

Configuring Interfaces


interface Ethernet0

no ip address

shutdown

!

interface FastEthernet0



no ip address

!

interface FastEthernet1



switchport access vlan 2

no ip address

!

interface FastEthernet2



switchport access vlan 2

no ip address

!

interface FastEthernet3



no ip address

!

Configuring Wireless Interfaces


interface Wlan-GigabitEthernet0

description Internal switch interface connecting to the embedded AP

switchport mode trunk

no ip address

!

interface wlan-ap0



description Embedded Service module interface to manage the embedded AP

ip address 10.127.1.1 255.255.255.255

!

Configuring ADSL interface


interface ATM0

no ip address

shutdown

no atm ilmi-keepalive

!

interface ATM0.1 point-to-point



pvc 8/35

pppoe-client dial-pool-number 1

!

interface Dialer0



description $FW_OUTSIDE$

ip address 199.99.99.99 255.255.255.0

ip mtu 1452

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname abc0@xx.xxx.net

ppp chap password 0 9999

ppp pap sent-username abc0@xx.xxx.net password 0 9999

no cdp enable

IP NAT


ip nat inside source list 1 interface Dialer0 overload

Default Route


ip route 0.0.0.0 0.0.0.0 Dialer0 permanent

Access List

Dialer Overload


access-list 1 remark Permit Interface Dialer overload

access-list 1 permit 172.16.18.0 0.0.0.255

access-list 1 permit 192.168.89.0 0.0.0.255

dialer-list 1 protocol ip permit


VTY Access


access-list 101 remark vty access

access-list 101 permit ip host 202.61.141.6 any

access-list 101 permit ip 10.199.199.0 0.0.0.7 any

Restrict Wireless Guest Access


access-list 113 deny ip 172.16.18.0 0.0.0.255 192.168.89.0 0.0.0.255

access-list 113 permit ip any any

access-list 113 remark Wireless Guest deny access to COTD
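
ACL 113 isolates the guests only when its source network is the subnet actually configured on interface Vlan3, and only if no permit entry is reached first. The following check is an added example, not part of the original document: the sample configurations are constructed in the style of the one above, and the function names are hypothetical. It assumes numbered ACL entries for protocol ip with contiguous wildcard masks.

```python
import ipaddress
import re

# Constructed sample (not a device capture): Vlan3 and ACL 113 name different guest subnets.
MISMATCHED = """\
interface Vlan2
 ip address 192.168.89.1 255.255.255.0
interface Vlan3
 ip address 10.127.0.1 255.255.255.0
 ip access-group 113 in
access-list 113 deny ip 172.16.18.0 0.0.0.255 192.168.89.0 0.0.0.255
access-list 113 permit ip any any
"""
CONSISTENT = MISMATCHED.replace("10.127.0.1", "172.16.18.1")

def take(tok):
    """Consume one ACL address spec: 'any', 'host A' or 'A WILDCARD' (contiguous only)."""
    a = tok.pop(0)
    if a in ("any", "host"):
        return ipaddress.ip_network("0.0.0.0/0" if a == "any" else tok.pop(0) + "/32")
    wc = tok.pop(0)  # ipaddress accepts host (wildcard) masks, except all-zero
    return ipaddress.ip_network(f"{a}/{'32' if wc == '0.0.0.0' else wc}", strict=False)

def parse(config):
    """Return ({interface: {'net', 'acl_in'}}, {acl number: [(action, src, dst), ...]})."""
    ifaces, acls, cur = {}, {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {})
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.match(r"ip access-group (\d+) in$", line):
            cur["acl_in"] = m[1]
        elif m := re.match(r"access-list (\d+) (permit|deny) ip (.+)$", line):
            tok = m[3].split()
            acls.setdefault(m[1], []).append((m[2], take(tok), take(tok)))
    return ifaces, acls

def guest_isolated(config, guest_if="Vlan3", office_if="Vlan2"):
    """First-match walk of the guest interface's inbound ACL; True only if fully denied."""
    ifaces, acls = parse(config)
    guest, office = ifaces[guest_if]["net"], ifaces[office_if]["net"]
    entries = acls.get(ifaces[guest_if].get("acl_in"), [])
    for action, src, dst in entries:
        if src.overlaps(guest) and dst.overlaps(office):
            if action == "permit":
                return False          # some guest -> office traffic is let through
            if guest.subnet_of(src) and office.subnet_of(dst):
                return True           # whole flow denied before any permit
    return bool(entries)              # implicit deny, unless no ACL is applied at all
```
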

VTY line access


line vty 0 4

access-class 101 in

privilege level 15

login local

transport input ssh

Configuring Access Point


To access the access point, there must be an IP address assigned to interface wlan-ap0.

To access the AP configuration:

R1# service-module wlan-ap 0 session

To toggle back from the AP configuration to the router, press Shift-Ctrl-6, followed by x.

It takes several attempts to toggle ;)

Configuring the SSID


dot11 ssid Office

vlan 2


authentication open

authentication key-management wpa version 2

mbssid guest-mode

wpa-psk ascii 7 065657761A1F2B4E5346435955540B780179106404

!

dot11 ssid Guest



vlan 3

authentication open

authentication key-management wpa version 2

mbssid guest-mode

wpa-psk ascii 7 11584C5C40475858517C73717A6304153635223A347F7668

!

bridge irb


We must ensure the integrated routing and bridging (IRB) feature is enabled to allow the routing of our protocols (IP) between routed interfaces and bridge groups.

Configuring the Dot11Radio0 interface


interface Dot11Radio0

no ip address

no ip route-cache

!

encryption vlan 2 mode ciphers aes-ccm



!

encryption vlan 3 mode ciphers aes-ccm

!

broadcast-key vlan 2 change 30



!

broadcast-key vlan 3 change 30

!

!

ssid Office



!

ssid Guest

!

antenna gain 0



mbssid

speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.

station-role root

!

Configuring the Dot11Radio0 sub-interfaces


interface Dot11Radio0.1

encapsulation dot1Q 1 native

no ip route-cache

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface Dot11Radio0.2



encapsulation dot1Q 2

no ip route-cache

bridge-group 2

bridge-group 2 subscriber-loop-control

bridge-group 2 block-unknown-source

no bridge-group 2 source-learning

no bridge-group 2 unicast-flooding

bridge-group 2 spanning-disabled

!

interface Dot11Radio0.3



encapsulation dot1Q 3

no ip route-cache

bridge-group 3

bridge-group 3 subscriber-loop-control

bridge-group 3 block-unknown-source

no bridge-group 3 source-learning

no bridge-group 3 unicast-flooding

bridge-group 3 spanning-disabled

!

Configuring AP GigabitEthernet0, Sub-interfaces

The GigabitEthernet interface and sub-interface configuration follows the same logic as the Dot11Radio0 interface. Notice that each GigabitEthernet sub-interface is mapped to the same VLAN and bridge-group as the Dot11Radio0 sub-interfaces.


interface GigabitEthernet0

description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router

no ip address

no ip route-cache

!

interface GigabitEthernet0.1



encapsulation dot1Q 1 native

no ip route-cache

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface GigabitEthernet0.2



encapsulation dot1Q 2

no ip route-cache

bridge-group 2

no bridge-group 2 source-learning

bridge-group 2 spanning-disabled

!

interface GigabitEthernet0.3



encapsulation dot1Q 3

no ip route-cache

bridge-group 3

no bridge-group 3 source-learning

bridge-group 3 spanning-disabled

!

Configuring BVI Interface


interface BVI1

ip address 10.1.1.4 255.255.255.248

no ip route-cache

We create the one and only BVI1 interface and assign it an IP address. This is basically the IP address of our access point and is reachable from our LAN network, so it's best to assign it an IP address from your LAN network.

It is important to note that only one bridge interface (BVI interface) is configured with an IP address. The rest of the bridge groups are not required to have a BVI interface, as all traffic is trunked through the BVI1 interface. This is per Cisco design.

Finally, we must enable ip routing for bridge 1:


bridge 1 route ip

Reset Router 887 Access Point



Router#service-module wlan-ap 0 reset default-config

Import configuration files



Remove paragraph containing: crypto pki trustpoint TP-self-signed-


References


Cisco 880W (881W, 886W, 887W, 888W) Multiple - Dual SSID Integrated Access Point Configuration

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/825-cisco880w-multiple-ssid.html

