Mapping Multiple VLANs to Multiple SSIDs as one-one in WLC 5508 via H-REAP?
Hi All,
Can anyone please show me how to map a SSID/WLAN ID to a local vlan of a LAP in WLC 5508 using H-REAP local switched? The reason of doing this is to separate Data subnet/traffic from Voice as currently all 7925 handsets using same SSID as PCs. I would like to create two VLANs on APs and map them to two SSIDs. I could not see any option in WLC5508 to do this. Also when I change the AP mode from H-REAP to local and configuring sub interface using dot1q on the interface Gi0 then unable write running-config to startup-config because I get NVRAM Verification Failed as WLC protects any local changes on any registered LAP at NVRAM.
Your help is much appreciated.
Mehdi:
I am talking about HREAP groups, not AP groups.
You can not achieve what you want if you are using the same SSID on same AP with only a WLC (same AP with same SSID is mapped to different VLANs). You may need a radius server to dynamically assign a VLAN to the clients if you are using same SSID for data and voice.
If you are using different SSIDs for voice and data, you can map each SSID to its corresponding VLAN on the remote site using the VLAN mapping option under HREAP tab in the AP config page.
You can not configure the AP from its console. Lightweight APs can only be configured from the controller. (a few exceptions are available that do not apply here) .
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"
Similar Messages
-
Creating multiple vlans across multiple switches
Hi All,
How should I create multiple vlans across multiple switches?
For instance, I have two (primary/redudant) layer 3 (core) switches and four layer 2 access switches (Cisco 2960) for the hosts, and given these are the vlans/subnets to be created. Should I do it in the core switches only and it would just propagate through the access via VTP? Just trying to practice and learn.. Any help will be greatly appreciated:)
VLAN 100: [DHCP-workstations]
172.26.4.0/24
172.26.5.0/24
VLAN 200: [Servers]
172.16.1.0/24
172.16.2.0/24
VLAN 300: [Printers]
192.168.129.0/24
192.168.130.0/24
VLAN 800: [Management for switches/routers]
10.160.1.0/24Hi
You will have the SVI on the core. Set a VTP domain, make one of the cores as VTP server and rest of the switches as VTP clients. Once you do this, you won't have to login into each switch and create a vlan locally. The vlans will be automatically advertised from the VTP server to all the VTP clients.
Thanks
Ankur
"Please rate the post if found useful" -
Hello community! I'd like some experts to take a look at my solution here and see if I'm taking the correct approach.
I have the following scnerio:
WLC 5508 7.0.116.0
Physical ports configured for LAG
AIR-LAP1142N-A-K9
Multiple Buildings
Each Building has it's own WiFi VLAN/Subnet
All buildings share SSID
WiFi Clients should be assigned the correct subnet/vlan based on the building they are in
I've done the following on my 5508:
Setup an interface for each VLAN/Subnet
Setup an Interface group and added interfaces from step 1
Created WLAN (SSID) and assigned it to the interface group from step 2
Created AP Groups for each Building
Assigned approperiate interface from step 1 to each AP Group
Assigned APs from each building to AP Groups
Does this look like the correct configuration for my goal? I set this up using information from this article though it appears to be old and they aren't using LAG in their setup.Depends... is your building connected via layer 2 or layer 3. If layer 3, you need to setup the access point in your other building in h-reap mode and setup you ssid to h-reap local switching. This will allow you to map the ssid to the correct vlan at that location.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered" -
Binding multiple VLANs to single SSID on WLC
I have a building with over 4000 users and would like to bind multiple VLANs for user access to a single SSID in WLC. Can this be done? I would rather not have 4000 wireless users on a single VLAN.
the question is tough. You can not use the SSID in on AP for multiple vlans. Once you assign the AP to the vlan then you will have to make all traffic in the vlan. With that being said. you could assign the AP's to specific vlans, but if you roam from one vlan to another you will have problems at L3. But you can use WDS to make that happen.
Here are a couple of links tha might help.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00804d4421.shtml
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080184ace.html -
Multiple vlan with multiple SSID
I have a 1130 AP connected to a 500 series express catalyst switch. I want to have two vlans one for guest internet access only and the other that can have both internet and internal access. I want to have two SSID one for guest and the other for internal employee which should match the vlan. Can anyone guide me to a good doc. that can help me implement this solution. And is the 500 series switch is capable of doing this.
Thanks.To anwser your first question Yes your 500 series switch is capable of doing vlans (See Link: "http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6545/product_data_sheet0900aecd80322aeb.html") (first time pasting a link sorry if it doesnt work) here is another link that you can utilize on config examples. and as for you access point you can do the same as well (http://cisco.com/en/US/products/ps6087/tsd_products_support_configure.html)
-
Multiple vLans with Multiple Gateways
HI.
Got a SF500 in layer3 mode, operating 5 vlans all with their own subnet.
Vlan 10 = 192.168.10.0/24
Vlan 100 = 192.168.100.0/24
Vlan 200 = 192.168.200.0/24
Vlan 201 = 192.168.201.0/24
Vlan 202 = 192.168.202.0/24
We have a gateway on Vlan 10 (192.168.10.1), which all vlans can see & access (because of intervlan routing), and this at present allows vlan 10 to access the internet.
I want vlan 100 to be able to access the internet through this gateway as well, although the other vlans (200,201,202), will use a different gateway located on vlan 200 subnet.
Of course, the gateway has to exist in the subnet. I cannot assign the default gateway of a machine on vlan 100, an ip address of the gateway on vlan 10.
If I point the default gateway to the virtual interface in its subnet (e.g. 192.168.100.254), it equally does not know how to get out to the internet, even though it can see the gateway (I can access a web page it hosts).
So the question is this:
Can vlan 100 traffic be routed on the SF500 to use the gateway on vlan 10? (outside of the default gateway of the switch).
If this is not possible with the SF500, what would I need to make it work?
Many thanks.Hi Andrew,
I don't have more information about your network so I will try to much your configuration from your post
let's say we have this configuration :
1. Create Vlan 10 and assign on SVI IP address 192.168.10.254 /24
2. Create Vlan 100 and assign on SVI ip address 192.168.100.254/24
3. Create Vlan 200 and assign on SVI ip address 192.168.200.254/24
4. Create Vlan 201 and assign on SVI IP address 192.168.201.254/24
5. Create Vlan 202 and assign on SVI IP address 192.168.202.254/24
and the gateway (Router) is on Vlan 10 with IP address 192.168.10.1
6. we assign at least one port to each vlan and the switch port from where is connected to the router should be trunk (10U,100T,200T,201T,202T) it means All the traffic from Vlan 100,200,201,202 is Tagged and transmitting through Untagged Vlan 10
7. Under IP Cofiguration --> IPv4 Management and Interface --> IPv4 Route
8. add the deafult static route to the gateway :
Destination : 0.0.0.0
SubnetMask : 0.0.0.0
Remote IP GW :192.168.10.1
Now from the router expectation : router need to NAT all the source IP address (200.0/24 , 100.0/24 ...)
I don't know what the router you have but there is a router where NAT all the source coming to him to go to Internet, but there is other router which need to configure NAT for the unknown address for the router side --> Here is up to the Router
after that connect PC to port on Vlan 100 setup static IP for example 192.168.100.100/24 with Gw 192.168.100.254 should access to the internet via the trunk port on the switch and router should NAT this subnet to go outside
Hope I was clear
Please rate this post or marked as answered to help other Cisco Routers
Greetings
Mehdi -
Multiple Vlans with multiple Internet connections using PBR
Hello all,
I'm trying to wrap my head around this configuration and not having a lot of success. I have several Vlans 3,6,71,72,160, and 180. I have two internet connections, Internet1 is connected to an ASA5510 and Internet2 is connected to a Meraki MX80. I'm using two 4506 switches on my backbone trunked to 3750 switches that my clients connect to. None of these switches have IP Services and my 4506 supervisor does not have an Enterprise license. However I do have one 3750 100Mbit switch with IP Services so I'm using that to do my PBR. All my routing is currently being done on the 4506 switches and all Internet traffic is going to the ASA. What I would like to do is force vlan160 and vlan180 through the Meraki as their Internet connection and the rest of the Vlans go through the ASA. I'm thinking about trunking my vlans from the 4506 to the 3750 (the one with IP Services) and use policy based routing from there to force vlan160 and vlan180 to the Meraki. But in order to do this I think I would have to move my routing onto the 3750 switch but since that is only 100Mbits I'm thinking this is going to choke my network down and defeat the purpose of the 4506 backbones. Any suggestions or alternate ways to achieve my goal?
Appreciate any help you guys can send my way.
MattMatthew
What is the speed of the connection from the 4500 to the ASA and what is the combined speeds of the internet connections ?
You definitely don't want to do all the inter vlan routing on the 3750. You could connect it up as shown in your diagram but leave all the routing between vlans on the 4500s. Then you -
1) connect the 3750 to the 4500 using a L3 point to point link
2) connect the 3750 to the ASA using a L3 point to point link
3) do PBR on the 3750 interface connected to the 4500 for traffic coming from the 4500.
If the 4500 supervisor/IOS version doesn't support routed links on that end just use an access port in a dedicated vlan ie. no other ports in the vlan and create a new SVI for it.
You would need to update your routing to reflect the next hop on the ASA, Meraki, 3750 and the 4500.
Disadvantages are -
1) you only have fast ethernet ports on the 3750 so if the combined internet speed is greater than that then it will be a bottleneck.
2) it is a single point of failure ie. if it is lost all internet via both connections is lost.
The alternative would be to not have the 3750 in the path but connected to the 4500 via a trunk link and then route just vlan 160 and 180 on the 3750 ie. move their SVI(s) onto the 3750. Then the 3750 could have a direct connection to the Meraki device and point the default route that way (no PBR needed). The trunk would only allow those specific vlans on it. This would mean a failure of the 3750 would not mean ASA internet lost but it would mean loss of connectivity for the two vlans routed on the 3750.
You would need to add routes to the Meraki for return traffic plus routes on the 3750 and 4500 for inter vlan routing.
The main disadvantages here are -
1) inter vlan routing between the vlans routed on the 4500s and the vlans on the 3750 will be limited by the 100Mbps connection. However you could use an etherchannel trunk so you could get greater overall throughput and some redundancy
2) more importantly though i suspect you are running HSRP between the 4500s for the client vlans and moving the SVIs onto the 3750 means a single point of failure for those vlans.
Personally i would tend towwards option 1) because of the SVI HSRP issue and perhaps because there may be a lot of inter vlan traffic and even with an etherchannel it would be too much.
But, single point of failure issues aside, a lot does depend on internet bandwidth in option 1) vs inter vlan traffic in option 2).
So it's a tradeoff and personally i don't think either are ideal so i'll have another think on this in the morning to see if there is anything more obvious that i have missed or maybe someone else will add to the post.
Jon -
Hi Surendra,
I was just given this task to see how i can configure a second ssid for guest access in our environment.
this is our network setup prior to this request: Internet----Firewall (not ASA)---ce520---C1131AG and CME router is also connecting to the ce520 switch. we only have two vlans: one for voice and two for data.
Presently, there is no vlan configured on the AP because it on broadcasting ont ssid and wireless users gets IP from a windows DHCP server on the LAN. the configuration on the ce520 switch port for the AP and other switches say access vlan is the DATA vlan which automatically becomes the native vlan for all trunk port connecting the AP and other Stiches to the network.
Now with this new requirement, i have made my research and i have configured the AP to broadcast both the production and the guest Vlans. The two vlans are 20-DATA and 60-Guest. I made the DATA vlan on the AP the native vlan since the poe switch is using the DATA vlan as native on the trunk ports. I configured the firewall to serve as DHCP server for the guest ssid and i have added the ip helper-address on the guest vlan interface on all switches while the windows server remains the dhcp server for the production DATA Vlan. I have confirmed that the AP, switches can ping the default gateway of the guest dhcp server which is another interface on the firewall. I can now see and connect to all broadcasted ssids but the problem is I am not getting IP addresses from both the production dhcp server and guest dhcp server when i connected to the ssid one at a time.
My AP config is attached below.
Please tell me what am I doing wrong.
Do i need to redesign the whole network to have a native vlan other nthan the data vlan?
Does the access point need to be aware of the voice vlan?
Do the native Vlan on the AP need to be in Bridge-group 1 or can i leave it in bridge-group 20?
I will greatly appreciate your urgent response.
Thanks in advanced.Hi,
As far as i know we dont set the ip helper address on the radio interface. It should be on the L3 interface of corresposding VLANs i.e.
int vlan 20
ip helper-address 192.168.33.xxx
int vlan 60
ip helper-address 130.20.1.xxx
I'm assuming that your using SVI's (int Vlan 20 and int Vlan 60) rahter than physical interfaces. Also hope you have configured switch port as trunk where this AP is connected.
Modify the AP config as below since you are using data vlan as the native vlan
interface Dot11Radio0.20
encapsulation dot1Q 20 native
interface FastEthernet0.20
encapsulation dot1Q 20 native
Ideally your AP fastethernet configuration should looks like below and not sure how you missed this as this comes by default when you have multiple vlans for multiple ssids.
interface FastEthernet0.20
encapsulation dot1Q 20 native
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
bridge-group 20 spanning-disabled
interface FastEthernet0.60
encapsulation dot1Q 60
no ip route-cache
bridge-group 60
no bridge-group 60 source-learning
bridge-group 60 spanning-disabled
Hope this helps.
Regards
Najaf -
Hi
We are just putting in a new Controller - 5500 type
We are using a WCS .
Someone has raised the issue of whether we can have multiple vlans
per SSID - as otherwise we may have very large broadcast domains
due to the overall design being to have Maybe 3 SSIDs
Guest
Staff
Engineering
I think in SWAN we could get away with dynamic vlans.
We would like to have multiple vlans in each SSID to avoid the above.
Can we do this in the new setup.
Kind Regards
SteveHi Steve,
yes it works just the same.
Enable AAA override on the controller and have interfaces configured for each vlan. Then the ACS can simply push the vlan depending on the user authentication. Users are then split in separate vlans.
Another way of doing is to group APs. You can have a group of APs serving SSID Guest in vlan 1, Employee in vlan 2 and another group of APs serving the same SSIDs but in vlan 3 and 4. It's "per-user" vlan load balancing or "geographic" vlan load balancing.
However, broadcast domains should not be a major concern in wireless as broadcasts are blocked by default. The WLC will proxy for ARP and DHCP.
Regards,
Nicolas -
Hi Cisco experts,
My name is Kumagai and I need your expert opinions below.
I am trying to configure one VLAN1 support multiple network segments as below.
(this should be a very straight forward configuration and should be OK, I think ? )
interface Vlan1
ip address 172.30.0.0 255.255.128.0
ip address 172.30.31.253 255.255.254.0 secondary
ip address 172.30.61.253 255.255.254.0 secondary
ip address 172.30.71.253 255.255.254.0 secondary
ip address 172.30.4.253 255.255.255.0 secondary
The only issue that is eating me is the above network segments are using HSRP too
and I am not sure is this possible with a combination of VLAN1 supporting multiples which are
further supported with HSRP settings in Cisco environment.
!example of HSRP:
interface Vlan4
ip address 172.30.4.253 255.255.255.0
no ip redirects
standby 4 ip 172.30.4.254
standby 4 priority 105
standby 4 preempt
<<< what will happen if I add the HSRP configuration as below into the above VLAN1 with multiple Network segment ??)
I would like to summarize my "Combined" configurations as below but I need your expert opinions on
whether the configuration below is workable without any problem ??
Or it is a total flop because Cisco does not support the configuration below !!!
interface Vlan1
ip address 172.30.0.0 255.255.128.0
ip address 172.30.31.253 255.255.254.0 secondary
ip address 172.30.61.253 255.255.254.0 secondary
ip address 172.30.71.253 255.255.254.0 secondary
ip address 172.30.4.253 255.255.255.0 secondary
standby 30 ip 172.30.31.254
standby 30 priority 105
standby 30 preempt
standby 60 ip 172.30.61.254
standby 60 priority 105
standby 60 preempt
standby 70 ip 172.30.71.254
standby 70 priority 105
standby 70 preempt
standby 4 ip 172.30.4.254
standby 4 priority 105
standby 4 preempt
Thanking you in advance !!!!!Hi,
As far as i know we dont set the ip helper address on the radio interface. It should be on the L3 interface of corresposding VLANs i.e.
int vlan 20
ip helper-address 192.168.33.xxx
int vlan 60
ip helper-address 130.20.1.xxx
I'm assuming that your using SVI's (int Vlan 20 and int Vlan 60) rahter than physical interfaces. Also hope you have configured switch port as trunk where this AP is connected.
Modify the AP config as below since you are using data vlan as the native vlan
interface Dot11Radio0.20
encapsulation dot1Q 20 native
interface FastEthernet0.20
encapsulation dot1Q 20 native
Ideally your AP fastethernet configuration should looks like below and not sure how you missed this as this comes by default when you have multiple vlans for multiple ssids.
interface FastEthernet0.20
encapsulation dot1Q 20 native
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
bridge-group 20 spanning-disabled
interface FastEthernet0.60
encapsulation dot1Q 60
no ip route-cache
bridge-group 60
no bridge-group 60 source-learning
bridge-group 60 spanning-disabled
Hope this helps.
Regards
Najaf -
I'm getting to the point where my campus wireless network is growing past the subnet size that I'm comfortable dealing with. I have a WiSM and WCS and am running the newest IOS on each. Is there any way to use multiple VLAN's on one campus-wide SSID?
Or, can I put the same SSID on the two controllers and map it to two separate VLAN's without causing roaming issues?
Thanks,
EricHi Eric,
Yes we can do this and this feature is called AP Grouping on WLC... Here is the configuration example to do the same..
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml
Regards
Surendra -
Is it possible to configure 2 SSIDs without using multiple VLANs?
I am trying to set up a 1231G to allow normal users to connect using WEP and visitors to connect with no encryption in guest mode. Using one SSID, I can get one or the other to work using the guest-mode command on the SSID, but have the problem that WEP mandatory or optional on the radio interface disables either the normal user or the guest. If I set up 2 separate SSIDs for each of these user groups is it necessary to assign a separate VLAN for each to make this work? The AP is on a network that is not trunked.
Thanks for any help or direction you can give me.
--SaraHi Sara,
Hopefully the attached docs will answer your question:
Cisco Aironet 1200 Series
Using VLANs with Cisco Aironet Wireless Equipment
Deprecated versions of Cisco Aironet software permit binding multiple SSIDs to one VLAN. Current versions do not.
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points, 12.2(15)JA
Configuring Multiple SSIDs
vlan vlan-id
(Optional) Assign the SSID to a VLAN on your network. Client devices that associate using the SSID are grouped into this VLAN. You can assign only one SSID to a VLAN.
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a00802085c4.html
Also this answer from Cisco Aironet 1200 Series FAQ;
Q. How many service set identifiers (SSIDs) can you have per VLAN?
A. You can have only one SSID per VLAN. The use of multiple SSIDs over a single VLAN is not supported with Aironet APs.
Hope this helps! (sorry to be the bearer of bad news)
Rob
Please remember to rate helpful posts....... -
Multiple VLANs per SSID with local switch
Is it possible to use an 'AP Group' or 'Interface group' to assign multiple VLANs to a WLAN when remote, h-reap APs are in local switch mode?
If not, is there a way to overcome 500 maximum host per VLAN when APs are local switching?
Thanks!dont think its possible...
I donno if the following config will even work but u can have the hreap APs connected at the remote site to map to different vlans...
Example:
AP1 -- ssid 1 --- vlan 10
AP2 -- said 1 --- vlan 11 and so forth..
Sounds crazy but i ll have to ponder on this a bit more.. Need a pen and paper to draw a quick topology :)...
Sent from Cisco Technical Support iPhone App -
Flex Connect Across Multiple VLANS same SSID
I just need to find that if we have flex connect setup for differnet vlans using single controller, will roaming works when client connects to AP in a differnet VLAN but using same SSID.
Example below:
1) Client connects to AP on specific SSID mapped to VLAN 100, get an IP address ..all good at this point
2) Client walks and connects to a differnet AP on same SSID but mapped to VLAN 200...at this point I observe client doesnt get a new IP address in fact it retain IP from step-1 and there is no connectivity
3) Client walks back to first AP and connectivity is restored
Why in step-2 client doesnt gets a new IP from VLAN 200 even when it shows connected to AP.Just to add to Rasika.... L3 isn't supported....I just ran into this a few days ago.... clients should request another dhcp when roaming to another FlexConnect AP that is mapped to a different VLAN. The issue is, that some clients don't try to renew their dhcp address and gets stuck with the default 169.x.x.x. I see this with Apple devices in general and what we are going to do is get rid of the multiple vlan setup (vlan per floor) and create a bigger vlan that the SSID will be mapped to.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered" -
Multiple VLAN traffic on one switchport
Good Morning all,
I would like some help with a switchport config on one of my VMware clusters.
Currently the live vDS sits with the below config on a Cisco 4500
switchport trunk encapsulation dot1q
switchport trunk native vlan 8
switchport mode trunk
spanning-tree portfast trunk
spanning-tree bpduguard enable
I require the hots to be able to communicate on multiple VLANs, it sits on VLAN 8 but needs to communicate on 200 and 201 and 8.
Any help would be greatly appreciated.
Thanks,
Hassan.Hassan
The switch port that you show us is correctly configured as a trunk. You have not shown us whether these three vlans are correctly configured on the switch and active on the interface. The output of show interface trunk would be helpful in determining this. If the switch appears to be correctly configured then the other part of the question is whether your VMware cluster is correctly configured to use the three vlans on that interface.
HTH
Rick
Maybe you are looking for
-
Error During Confirmation Reversal of production Order
Dear experts In production client during confirmation reversal for ,we are getting below error message Enter only true account assignment. Regards sandeep Patil
-
How do I restore from an external disk to my new computer?
I changed my PC, and took a copy of all photos to an external drive. Now, when I want to save them to my new PC, it does not succeed - next time I open my Elements, there is a ?-mark, and the program can't find the photo unless I connect the external
-
HI, I have a question. I bought my macbook pro along with applecare + which expires in 2013. I bought it in Melboune Australia, however I am currently on a business trip in Pakistan. My Magsafe recharger went bust (not charging at all and leaking oil
-
Driver for 40Y8686 CD-RW/DVD-ROM Combo II Drive
For the life of me, I cannot find this driver for download from the web site. Any pointers would be GREATLY appreciated!
-
Simplepass export to other program
First I have to say that I absolutely love(d) having a fingerprint scanner on my laptop. However, the SimplePass software just really isn't up to snuff. That being said, I just got a new work laptop and would like to store my SimplePass passwords on