Multiple VLAN's, one SSID

Similar Messages

• WLC 4402 assign multiple VLANs to one SSID

  Is it possible to have one broadcasting SSID but clients seperated by, lets say say 7 different vlans in the WLC?  For example- each floor would be seperated by its own vlan and dchp pool, but they all connect to one SSID in the controller.  From what I just read it seems that each vlan would be assigned its own SSID?

  For anyone needing further info see here:
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml

• Binding multiple VLANs to single SSID on WLC

  I have a building with over 4000 users and would like to bind multiple VLANs for user access to a single SSID in WLC. Can this be done? I would rather not have 4000 wireless users on a single VLAN.

  the question is tough. You can not use the SSID in on AP for multiple vlans. Once you assign the AP to the vlan then you will have to make all traffic in the vlan. With that being said. you could assign the AP's to specific vlans, but if you roam from one vlan to another you will have problems at L3. But you can use WDS to make that happen.
  Here are a couple of links tha might help.
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00804d4421.shtml
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080184ace.html

• Multiple VLANs on same SSID

  Hello community!  I'd like some experts to take a look at my solution here and see if I'm taking the correct approach.
  I have the following scnerio:
  WLC 5508 7.0.116.0
  Physical ports configured for LAG
  AIR-LAP1142N-A-K9
  Multiple Buildings
  Each Building has it's own WiFi VLAN/Subnet
  All buildings share SSID
  WiFi Clients should be assigned the correct subnet/vlan based on the building they are in
  I've done the following on my 5508:
  Setup an interface for each VLAN/Subnet
  Setup an Interface group and added interfaces from step 1
  Created WLAN (SSID) and assigned it to the interface group from step 2
  Created AP Groups for each Building
  Assigned approperiate interface from step 1 to each AP Group
  Assigned APs from each building to AP Groups
  Does this look like the correct configuration for my goal?  I set this up using information from this article though it appears to be old and they aren't using LAG in their setup.

  Depends... is your building connected via layer 2 or layer 3.  If layer 3, you need to setup the access point in your other building in h-reap mode and setup you ssid to h-reap local switching.  This will allow you to map the ssid to the correct vlan at that location.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• 1141n multiple AP's one SSID with Radius

  I have two 1141n APs.
  I have the first one configured as a root AP using the built in Radius feature (LEAP)
  I also have this thing configured using AES CCM.
  My clients are connecting to it with WPA2-Enterprise, getting 144Mbps. Perfect.
  The question is this second AP.
  How do I set it up so my users can wander semlessly between the two AP's?
  Do I need to config it with the Radius feature as well?  That would be a pain
  Any help would be great!
  Jeff

  Hi,
  All you need to do is configure the second AP to point to the first one IP address as its Radius serveur but bear in mind that if you do so and the primary AP fails, the second cannot authenticate users because the Radius seveur will be unvailable!
  Configuring the two AP's to backup each will of course be tedious but a more resilient approach.

• Multiple Vlans Per SSID

  Hi
  We are just putting in a new Controller - 5500 type
  We are using a WCS .
  Someone has raised the issue of whether we can have multiple vlans
  per SSID - as otherwise we may have very large broadcast domains
  due to the overall design being to have  Maybe 3 SSIDs
  Guest
  Staff
  Engineering
  I think in SWAN we could get away with dynamic vlans.
  We would like to have multiple vlans in each SSID to avoid the above.
  Can we do this in the new setup.
  Kind Regards
  Steve

  Hi Steve,
  yes it works just the same.
  Enable AAA override on the controller and have interfaces configured for each vlan. Then the ACS can simply push the vlan depending on the user authentication. Users are then split in separate vlans.
  Another way of doing is to group APs. You can have a group of APs serving SSID Guest in vlan 1, Employee in vlan 2 and another group of APs serving the same SSIDs but in vlan 3 and 4. It's "per-user" vlan load balancing or "geographic" vlan load balancing.
  However, broadcast domains should not be a major concern in wireless as broadcasts are blocked by default. The WLC will proxy for ARP and DHCP.
  Regards,
  Nicolas

• Is it possible to configure 2 SSIDs without using multiple VLANs?

  I am trying to set up a 1231G to allow normal users to connect using WEP and visitors to connect with no encryption in guest mode. Using one SSID, I can get one or the other to work using the guest-mode command on the SSID, but have the problem that WEP mandatory or optional on the radio interface disables either the normal user or the guest. If I set up 2 separate SSIDs for each of these user groups is it necessary to assign a separate VLAN for each to make this work? The AP is on a network that is not trunked.
  Thanks for any help or direction you can give me.
  --Sara

  Hi Sara,
  Hopefully the attached docs will answer your question:
  Cisco Aironet 1200 Series
  Using VLANs with Cisco Aironet Wireless Equipment
  Deprecated versions of Cisco Aironet software permit binding multiple SSIDs to one VLAN. Current versions do not.
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#
  Cisco IOS Software Configuration Guide for Cisco Aironet Access Points, 12.2(15)JA
  Configuring Multiple SSIDs
  vlan vlan-id
  (Optional) Assign the SSID to a VLAN on your network. Client devices that associate using the SSID are grouped into this VLAN. You can assign only one SSID to a VLAN.
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a00802085c4.html
  Also this answer from Cisco Aironet 1200 Series FAQ;
  Q. How many service set identifiers (SSIDs) can you have per VLAN?
  A. You can have only one SSID per VLAN. The use of multiple SSIDs over a single VLAN is not supported with Aironet APs.
  Hope this helps! (sorry to be the bearer of bad news)
  Rob
  Please remember to rate helpful posts.......

• Multiple SSID With Multiple VLANs configuration on Cisco Aironet APs: Assotiated clients cannot obtain IP addresses

  Hi Surendra,
  I was just given this task to see how i can configure a second ssid for guest access in our environment.
  this is our network setup prior to this request: Internet----Firewall (not ASA)---ce520---C1131AG and CME router is also connecting to the ce520 switch. we only have two vlans: one for voice and two for data.
  Presently, there is no vlan configured on the AP because it on broadcasting ont ssid and wireless users gets IP from a windows DHCP server on the LAN. the configuration on the ce520 switch port for the AP and other switches say access vlan is the DATA vlan which automatically becomes the native vlan for all trunk port connecting the AP and other Stiches to the network.
  Now with this new requirement, i have made my research and i have configured the AP to broadcast both the production and the guest Vlans. The two vlans are 20-DATA and 60-Guest. I made the DATA vlan on the AP the native vlan since the poe switch is using the DATA vlan as native on the trunk ports. I configured the firewall to serve as DHCP server for the guest ssid and i have added the ip helper-address on the guest vlan interface on all switches while the windows server remains the dhcp server for the production DATA Vlan. I have confirmed that the AP, switches can ping the default gateway of the guest dhcp server which is another interface on the firewall. I can now see and connect to all broadcasted ssids but the problem is I am not getting IP addresses from both the production dhcp server and guest dhcp server when i connected to the ssid one at a time.
  My AP config is attached below.
  Please tell me what am I doing wrong.
  Do i need to redesign the whole network to have a native vlan other nthan the data vlan?
  Does the access point need to be aware of the voice vlan?
  Do the native Vlan on the AP need to be in Bridge-group 1 or can i leave it in bridge-group 20?
  I will greatly appreciate your urgent response.
  Thanks in advanced.

  Hi,
  As far as i know we dont set the ip helper address on the radio interface. It should be on the L3 interface of corresposding VLANs i.e.
  int vlan 20
  ip helper-address 192.168.33.xxx
  int vlan 60
  ip helper-address 130.20.1.xxx
  I'm assuming that your using SVI's (int Vlan 20 and int Vlan 60) rahter than physical interfaces. Also hope you have configured switch port as trunk where this AP is connected.
  Modify the AP config as below since you are using data vlan as the native vlan
  interface Dot11Radio0.20
  encapsulation dot1Q 20 native
  interface FastEthernet0.20
  encapsulation dot1Q 20 native
  Ideally your AP fastethernet configuration should looks like below and not sure how you missed this as this comes by default when you have multiple vlans for multiple ssids.
  interface FastEthernet0.20
  encapsulation dot1Q 20 native
  no ip route-cache
  bridge-group 20
  no bridge-group 20 source-learning
  bridge-group 20 spanning-disabled
  interface FastEthernet0.60
  encapsulation dot1Q 60
  no ip route-cache
  bridge-group 60
  no bridge-group 60 source-learning
  bridge-group 60 spanning-disabled
  Hope this helps.
  Regards
  Najaf

• WLC and AAA - one SSID and more VLANs

  hi,
  i have an ACS 4.1, AP1242, WLC4404 and Catalyst 3750, and an Win2003 DHCP Server
  Switch Interface Config:
  interface Vlan10
  ip address 10.70.170.1 255.255.255.0
  ip helper-address 192.168.12.10
  interface Vlan20
  ip address 10.70.171.1 255.255.255.0
  ip helper-address 192.168.12.10
  at the WLC i have configured one SSID with
  - Allow AAA Override
  - Layer2 Sec: [WPA1,TKIP+WPA2,AES]
  - ACS 4.1 AAA
  - Key Management: 802.1x
  one SSID mapped to the management interface. and 2 VLANS with different interfaces:
  VLAN-ID1: 10
  Interface-1:
  IP Address 10.70.170.2
  Netmask 255.255.255.0
  Gateway 10.70.170.1
  DHCP: 192.168.12.10
  VLAN-ID2: 20
  Interface-2:
  IP Address 10.70.171.2
  Netmask 255.255.255.0
  Gateway 10.70.171.1
  DHCP: 192.168.12.10
  at the acs i have 2 users and two groups. Group1-User1 and Group2-User2 with the aaa attributes to change the vlan on login.
  [006] Service-Type: Authenticate only
  [064] Tunnel-Type: VLAN
  [065] Tunnel-Medium-Type: 802
  [081] Tunnel-Private-Group-ID: <VLAN-ID-1> or <VLAN-ID-2>
  my problem is, that the user will authenticate successfully, and also the Vlan and Interface assignment is correct,
  but the ip-address that the user will get is always the IP-Range from Interface2 (VLAN20). So when the USER2 authenticates, he get the VLAN2,
  and the right interface and the right IP Adress and the communication is right.
  but the USER1 gets the interface1 and VLAN10, but the IP from Interface2 (VLAN20).
  what can it be?
  thx

  FYI - If you're using ACS v4.1, you can also achieve this using the Airespace Attributes, by specifying the WLC interface name in the appropriate section.

• VLAN assignment depending on AP for one SSID

  Hi,
  I read the AP Group VLANs with WLC configuration examples but did not find exactly what I look for. I'm on a WLC 5500.
  I try to create AP groups which broadcast a set of SSID, but inside AP groups, depending on the AP on which the connection is made, i want to assign a specific VLAN for the clients.
  If connection is made on SSID1 and AP1 -> one VLAN, for example VLAN_SSID1_AP1
  same for SSID1 and AP2 -> another VLAN, for example VLAN_SSID1_AP2
  I want to assign some VLANs to one of my networks to get local IPs depending on the AP.
  The VLAN are all defined as dynamic interfaces, currently the SSID matches one VLAN, but i did not find how to do this assignment. I cannot define a VLAN for a network(SSID) and an AP.
  Thanks for your ideas,
  Christophe

  You need to create two AP Groups.  Both will have the SSID, but AP Group #1 will have SSID mapped to vlan 1 and AP Group #2 will have SSID mapped to vlan 2.  Then you add the appropriate ap's to which group you want.

• Multiple VLANs per SSID with local switch

  Is it possible to use an 'AP Group' or 'Interface group' to assign multiple VLANs to a WLAN when remote, h-reap APs are in local switch mode? 
  If not, is there a way to overcome 500 maximum host per VLAN when APs are local switching?
  Thanks!

  dont think its possible...
  I donno if the following config will even work but u can have the hreap APs connected at the remote site to map to different vlans...
  Example:
  AP1 -- ssid 1 --- vlan 10
  AP2 -- said 1 --- vlan 11 and so forth..
  Sounds crazy but i ll have to ponder on this a bit more.. Need a pen and paper to draw a quick topology :)...
  Sent from Cisco Technical Support iPhone App

• Flex Connect Across Multiple VLANS same SSID

  I just need to find that if we have flex connect setup for differnet vlans using single controller, will roaming works when client connects to AP in a differnet VLAN but using same SSID.
  Example below:
  1) Client connects to AP on specific SSID mapped to VLAN 100, get an IP address ..all good at this point
  2) Client walks and connects to a differnet AP on same SSID but mapped to VLAN 200...at this point I observe client doesnt get a new IP address in fact it retain IP from step-1 and there is no connectivity
  3) Client walks back to first AP and connectivity is restored
  Why in step-2 client doesnt gets a new IP from VLAN 200 even when it shows connected to AP.

  Just to add to Rasika.... L3 isn't supported....I just ran into this a few days ago.... clients should request another dhcp when roaming to another FlexConnect AP that is mapped to a different VLAN.  The issue is, that some clients don't try to renew their dhcp address and gets stuck with the default 169.x.x.x.  I see this with Apple devices in general and what we are going to do is get rid of the multiple vlan setup (vlan per floor) and create a bigger vlan that the SSID will be mapped to.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Multiple VLAN traffic on one switchport

  Good Morning all,
  I would like some help with a switchport config on one of my VMware clusters.
  Currently the live vDS sits with the below config on a Cisco 4500
  switchport trunk encapsulation dot1q
   switchport trunk native vlan 8
   switchport mode trunk
   spanning-tree portfast trunk
   spanning-tree bpduguard enable
  I require the hots to be able to communicate on multiple VLANs, it sits on VLAN 8 but needs to communicate on 200 and 201 and 8.
  Any help would be greatly appreciated.
  Thanks,
  Hassan.

  Hassan
  The switch port that you show us is correctly configured as a trunk. You have not shown us whether these three vlans are correctly configured on the switch and active on the interface. The output of show interface trunk would be helpful in determining this. If the switch appears to be correctly configured then the other part of the question is whether your VMware cluster is correctly configured to use the three vlans on that interface.
  HTH
  Rick

• Multiple subnets under one vlan

  Hi everyone,
  Is there any way to create multiple subnets under one VLAN ? Right now, I am using VLAN 110 and it's IP is 172.16.0.1/16.
  We have three types of devices on this VLAN.I want to create 3 or 4 subnets for those devices under this VLAN for reducing the traffic or broadcast ?
  Please advise me.....
  Thanks in advance

  Mohammed,
  As long as you have a single VLAN only, you will not reduce the amount of broadcasts in this VLAN by using several IP networks. Even if the stations are in different IP networks within a single VLAN, every broadcast will be sent across the entire VLAN to all stations, regardless of their configured IP address. Broadcasting is a matter of Data Link Layer, or Layer2, and if you keep a single Layer2 domain (the VLAN), you will keep a single, merged, large broadcast domain.
  Just to answer your question, you could assign multiple addresses to an interface in a single network/VLAN by using secondary IP addresses, for example:
  interface Vlan110
  ip address 172.16.0.1 255.255.0.0
  ip address 192.168.1.1 255.255.255.0 secondary
  ip address 10.20.30.1 255.255.255.0 secondary
  However, as I explained, this will only allow you to "stretch" multiple IP networks over a single broadcast domain so there is no saving in terms of broadcasts or traffic reduction. For that, you must resort to multiple VLANs.
  Best regards,
  Peter

• Encrypting Aironet 1410 bridge link using multiple VLANs

  I've looked at the documentation available for Aironet 1400 series, and still would like to see a single document showing an example of
  the best encryption/authentication available for bridge links using multiple VLANs.
  As I understand it, 1400 series can support WPA-PSK using AES, which would work for me.  I just can't picture how to integrate chapters 9 and 10 for the 'WEP and WEP Features' + 'Configuring Authentication Types' instructions.
  I'm looking either for an example config, or a step-by-step that did all steps consecutively.
  Thanks

  What doc are you refering to?  If you want to encrypt the link from root bridge to non-root bridge, then WPA/TKIP-PSK is what you should use.  Here is a link to how to setup your link ssid to WPA: http://www.cisco.com/en/US/docs/wireless/bridge/1400/12.2_15_JA/configuration/guide/p15auth.html#wp1044935
  Don't worry about the example they show on the WEP, just use the configuration from the above link for your encryption.
  Configuring a VLAN
  Configuring your bridge to support VLANs is a five-step process:
  1. Create subinterfaces on the radio and Ethernet interfaces.
  2. Enable 802.1q encapsulation on the subinterfaces and assign one subinterface as the native VLAN.
  3. Assign a bridge group to each VLAN.
  4. (Optional) Enable WEP on the native VLAN. <-- Use WPA-PSK
  5. Assign the bridge's SSID to the native VLAN.
  http://www.cisco.com/en/US/docs/wireless/bridge/1400/12.2_15_JA/configuration/guide/p15vlan.html
  Here is an example of vlan 1 (native) will be your management and your wireless link.  vlan 10 & 20 will pass through the link.
  BR# configure terminal
  BR(config)# interface dot11radio0.1
  BR(config-subif)# encapsulation dot1q 1 native
  BR(config-subif)# bridge group 1
  BR(config-subif)# exit
  BR(config)# interface fastEthernet0.1
  BR(config-subif)# encapsulation dot1q 1 native
  BR(config-subif)# bridge group 1
  BR(config)# interface fastEthernet0.10
  BR(config-subif)# encapsulation dot1q 10
  BR(config-subif)# bridge group 10
  BR(config)# interface fastEthernet0.20
  BR(config-subif)# encapsulation dot1q 20
  BR(config-subif)# bridge group 20
  BR(config-subif)# exit
  BR(config)# interface dot11radio0
  BR(config-if)# ssid batman
  BR(config-ssid)# vlan 1
  BR(config-ssid)# infrastructure-ssid
  BR(config-ssid)# end