Multiple VLANs on same SSID

Similar Messages

• Multiple VLAN's, one SSID

  I'm getting to the point where my campus wireless network is growing past the subnet size that I'm comfortable dealing with.  I have a WiSM and WCS and am running the newest IOS on each.  Is there any way to use multiple VLAN's on one campus-wide SSID?
  Or, can I put the same SSID on the two controllers and map it to two separate VLAN's without causing roaming issues?
  Thanks,
  Eric

  Hi Eric,
  Yes we can do this and this feature is called AP Grouping on WLC... Here is the configuration example to do the same..
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml
  Regards
  Surendra

• Binding multiple VLANs to single SSID on WLC

  I have a building with over 4000 users and would like to bind multiple VLANs for user access to a single SSID in WLC. Can this be done? I would rather not have 4000 wireless users on a single VLAN.

  the question is tough. You can not use the SSID in on AP for multiple vlans. Once you assign the AP to the vlan then you will have to make all traffic in the vlan. With that being said. you could assign the AP's to specific vlans, but if you roam from one vlan to another you will have problems at L3. But you can use WDS to make that happen.
  Here are a couple of links tha might help.
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00804d4421.shtml
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080184ace.html

• WLC 4402 assign multiple VLANs to one SSID

  Is it possible to have one broadcasting SSID but clients seperated by, lets say say 7 different vlans in the WLC?  For example- each floor would be seperated by its own vlan and dchp pool, but they all connect to one SSID in the controller.  From what I just read it seems that each vlan would be assigned its own SSID?

  For anyone needing further info see here:
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml

• Multiple Vlans Per SSID

  Hi
  We are just putting in a new Controller - 5500 type
  We are using a WCS .
  Someone has raised the issue of whether we can have multiple vlans
  per SSID - as otherwise we may have very large broadcast domains
  due to the overall design being to have  Maybe 3 SSIDs
  Guest
  Staff
  Engineering
  I think in SWAN we could get away with dynamic vlans.
  We would like to have multiple vlans in each SSID to avoid the above.
  Can we do this in the new setup.
  Kind Regards
  Steve

  Hi Steve,
  yes it works just the same.
  Enable AAA override on the controller and have interfaces configured for each vlan. Then the ACS can simply push the vlan depending on the user authentication. Users are then split in separate vlans.
  Another way of doing is to group APs. You can have a group of APs serving SSID Guest in vlan 1, Employee in vlan 2 and another group of APs serving the same SSIDs but in vlan 3 and 4. It's "per-user" vlan load balancing or "geographic" vlan load balancing.
  However, broadcast domains should not be a major concern in wireless as broadcasts are blocked by default. The WLC will proxy for ARP and DHCP.
  Regards,
  Nicolas

• Flex Connect Across Multiple VLANS same SSID

  I just need to find that if we have flex connect setup for differnet vlans using single controller, will roaming works when client connects to AP in a differnet VLAN but using same SSID.
  Example below:
  1) Client connects to AP on specific SSID mapped to VLAN 100, get an IP address ..all good at this point
  2) Client walks and connects to a differnet AP on same SSID but mapped to VLAN 200...at this point I observe client doesnt get a new IP address in fact it retain IP from step-1 and there is no connectivity
  3) Client walks back to first AP and connectivity is restored
  Why in step-2 client doesnt gets a new IP from VLAN 200 even when it shows connected to AP.

  Just to add to Rasika.... L3 isn't supported....I just ran into this a few days ago.... clients should request another dhcp when roaming to another FlexConnect AP that is mapped to a different VLAN.  The issue is, that some clients don't try to renew their dhcp address and gets stuck with the default 169.x.x.x.  I see this with Apple devices in general and what we are going to do is get rid of the multiple vlan setup (vlan per floor) and create a bigger vlan that the SSID will be mapped to.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Multiple Cisco Aironet 1131AG access points and same SSID?

  We have multiple Cisco Aironet 1131AG devices, all wired on one Cisco L2 switch(2560)  who is connected to L3 switch (3550). We assigned one VLAN for access point in L3 switch who acts as vtp server (L2 switch is vtp client). All ap's will have static ip address and all will have same SSID and no security and they will be using multiple channels (ex. 1,6,11).  They will operate in 3 floor building for roaming wireless client. We won't using any wireless controller.
  So my question is this: How to configure APs-all the same with different ip's, can we use L3 switch to create dhcp server for access points VLAN (pool for clients, and the rest for static ip for ap's)? Can one of the ap's be WDS and in the same time local radius server with users without Cisco Secure ACS or similar controller or I didn't understand this quite well :-). I followed guide http://www.cisco.com/en/US/docs/wireless/access_point/12.3_2_JA/configuration/guide/s32roamg.html for WDS where the part abou Cisco ACS is a problem, so I can use same ap as Local Authenticator as in guide  http://www.cisco.com/en/US/docs/wireless/access_point/12.3_4_JA/configuration/guide/s34local.html#wp1035723.
  Many thanks...

  Well, just so you know, WDS and local RADIUS authentication is only needed if you're using authentication on your wireless connection.  You say you're not planning to use security, so this isn't necessary.  However, I'd highly recommend at least using a simple WPA2-PSK to lock down your connection, otherwise you might end up giving free Internet access at best, and at worst you might be giving access to company PCs and servers.  If you want to further use an 802.1x or WPA authentication method, then yes, you can use an AP as a RADIUS server and WDS to improve authenticated roaming, but this is far more limited than using a Cisco ACS.
  As for your other questions, yes, your APs can all be configured the same except for at least three parameters: IP address, channel, and hostname.  Configure your static IP addresses on the AP's BVI1 interface.  Don't place it on the Radio or Ethernet interfaces, because if either of these interfaces goes down you'll lose the ability to configure the AP, so it's best to use the BVI1 interface.
  And yes, configuring a DHCP scope for your clients on your L3 switch is a good design, or you could also use your DHCP server on a different subnet by using the ip helper-address command on the L3 interface.  I hope this helps!  Let me know if you need help configuring any of this.
  Merry Christmas!
  Jeff

• Mapping Multiple VLANs to Multiple SSIDs as one-one in WLC 5508 via H-REAP?

  Hi All,
  Can anyone please show me how to map a SSID/WLAN ID to a local vlan of a LAP in WLC 5508 using H-REAP local switched? The reason of doing this is to separate Data subnet/traffic from Voice as currently all 7925 handsets using same SSID as PCs. I would like to create two VLANs on APs and map them to two SSIDs. I could not see any option in WLC5508 to do this. Also when I change the AP mode from H-REAP to local and configuring sub interface using dot1q on the interface Gi0 then unable write running-config to startup-config because I get NVRAM Verification Failed as WLC protects any local changes on any registered LAP at NVRAM.
  Your help is much appreciated.

  Mehdi:
  I am talking about HREAP groups, not AP groups.
  You can not achieve what you want if you are using the same SSID on same AP with only a WLC (same AP with same SSID is mapped to different VLANs). You may need a radius server to dynamically assign a VLAN to the clients if you are using same SSID for data and voice.
  If you are using different SSIDs for voice and data, you can map each SSID to its corresponding VLAN on the remote site using the VLAN mapping option under HREAP tab in the AP config page.
  You can not configure the AP from its console. Lightweight APs can only be configured from the controller. (a few exceptions are available that do not apply here) .
  HTH
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• Multiple VLANs per SSID with local switch

  Is it possible to use an 'AP Group' or 'Interface group' to assign multiple VLANs to a WLAN when remote, h-reap APs are in local switch mode? 
  If not, is there a way to overcome 500 maximum host per VLAN when APs are local switching?
  Thanks!

  dont think its possible...
  I donno if the following config will even work but u can have the hreap APs connected at the remote site to map to different vlans...
  Example:
  AP1 -- ssid 1 --- vlan 10
  AP2 -- said 1 --- vlan 11 and so forth..
  Sounds crazy but i ll have to ponder on this a bit more.. Need a pen and paper to draw a quick topology :)...
  Sent from Cisco Technical Support iPhone App

• Same SSID, different vlans

  I currently have a 4402 in place, with my main office building working fine.
  We are looking at bringing in the wireless at 4 other sites, but we want to use the same SSID.
  How would I go about assigning different vlans (networks) to the same SSID.

  You can use the "AAA Override" feature on controller. You need to have different dynamic interfaces for different vlans configured on the controller. After sucessful authentication, radius server could pass the dynamic interface information to the controller and controller can put users to different vlans according to the feedback from radius server:
  http://www.cisco.com/univercd/cc/td/doc/product/wireless/control/c44/ccfig40/c40sol.htm#wp1086421
  Zhenning

• Multiple SSID With Multiple VLANs configuration on Cisco Aironet APs: Assotiated clients cannot obtain IP addresses

  Hi Surendra,
  I was just given this task to see how i can configure a second ssid for guest access in our environment.
  this is our network setup prior to this request: Internet----Firewall (not ASA)---ce520---C1131AG and CME router is also connecting to the ce520 switch. we only have two vlans: one for voice and two for data.
  Presently, there is no vlan configured on the AP because it on broadcasting ont ssid and wireless users gets IP from a windows DHCP server on the LAN. the configuration on the ce520 switch port for the AP and other switches say access vlan is the DATA vlan which automatically becomes the native vlan for all trunk port connecting the AP and other Stiches to the network.
  Now with this new requirement, i have made my research and i have configured the AP to broadcast both the production and the guest Vlans. The two vlans are 20-DATA and 60-Guest. I made the DATA vlan on the AP the native vlan since the poe switch is using the DATA vlan as native on the trunk ports. I configured the firewall to serve as DHCP server for the guest ssid and i have added the ip helper-address on the guest vlan interface on all switches while the windows server remains the dhcp server for the production DATA Vlan. I have confirmed that the AP, switches can ping the default gateway of the guest dhcp server which is another interface on the firewall. I can now see and connect to all broadcasted ssids but the problem is I am not getting IP addresses from both the production dhcp server and guest dhcp server when i connected to the ssid one at a time.
  My AP config is attached below.
  Please tell me what am I doing wrong.
  Do i need to redesign the whole network to have a native vlan other nthan the data vlan?
  Does the access point need to be aware of the voice vlan?
  Do the native Vlan on the AP need to be in Bridge-group 1 or can i leave it in bridge-group 20?
  I will greatly appreciate your urgent response.
  Thanks in advanced.

  Hi,
  As far as i know we dont set the ip helper address on the radio interface. It should be on the L3 interface of corresposding VLANs i.e.
  int vlan 20
  ip helper-address 192.168.33.xxx
  int vlan 60
  ip helper-address 130.20.1.xxx
  I'm assuming that your using SVI's (int Vlan 20 and int Vlan 60) rahter than physical interfaces. Also hope you have configured switch port as trunk where this AP is connected.
  Modify the AP config as below since you are using data vlan as the native vlan
  interface Dot11Radio0.20
  encapsulation dot1Q 20 native
  interface FastEthernet0.20
  encapsulation dot1Q 20 native
  Ideally your AP fastethernet configuration should looks like below and not sure how you missed this as this comes by default when you have multiple vlans for multiple ssids.
  interface FastEthernet0.20
  encapsulation dot1Q 20 native
  no ip route-cache
  bridge-group 20
  no bridge-group 20 source-learning
  bridge-group 20 spanning-disabled
  interface FastEthernet0.60
  encapsulation dot1Q 60
  no ip route-cache
  bridge-group 60
  no bridge-group 60 source-learning
  bridge-group 60 spanning-disabled
  Hope this helps.
  Regards
  Najaf

• The same SSID used at 3 sites and the same vlan for client IP assignment?

  we are deploying 5508 controller and LW APs for wireless IP phone 7925G
  Controller is installed at site A and there are APs and wireless phones at site B and C as well.
  1. can I use the same SSID for all three sites for wireless phones? or have to use 3 distinct SSIDs?
  2. If I can use the same SSID, can I associate one subnet e.g 10.10.131.0/24 for wireless IP phones at 3 sites? (our Cisco UCM is fine with this)
  3. if I have use 3 distinct SSIDs, do I have to assign three subnets for IP phones at three sites?
  thanks for the help!
  Eric

  yes.. this is done by HREAP mode.. the below link will help you out!!
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml
  That is, by default the WLAN will get pushed to all APs.. so if you have a single wlan then this will broadcast the SSID and the remotre site clients will connect to it..
  Lemme know if this answered your question!!
  Regards
  Surendra

• Scenario for single WLAN to multiple VLANs

  Hi there,
  I read from this forum some discussion about the WLC VLAN Select feature.
  http://www.cisco.com/image/gif/paws/113465/vlan-select-dg-00.pdf
  I see that you can use this feature to have multiple VLANS (interfaces) to map to the same WLAN (SSID).
  What I try to learn is under what scenarios would people need to have mutliple vlan mapped to single SSID?
  In my environment, I have 50+ AP int he campus on 20+ Cisco 4500 switches.  I have single WLAN and it is mapped to one subnet.  All wireless users would be on that subnets, whereas wired users are on 20+ subnets of their own.
  Can someone help me to see under what scenarior (or requirement) that I would want to have multiple vlans mapped to single SSID?
  Thanks.

  having a large number of users in single subnet is not the best in all designs, since you will have a large single broadcast domain which is a true disaster with dense networks. If you the company policy states that we need only one single ssid
  for the whole employees within the company, it doesn't make sense to have them all on the same subnet.
  A lot of options are available to overcome such issues :
  for example, we might have AP groups feature , dynamic vlan assignment given that we have radius server in place, and vlan pooling.
  It might not be feasible to have RADIUS server all the time, and AP groups might be kind of administrtive overhead as well as it might induce a lot of issues when aps fail over from controller to controller --> Vlan select is a good soultion considering the previously mentioned reasons.
  Please Make sure to rate correct answers

• Same SSID At A Site Without A Controller?

  We have a 4404 controller here, and would like to set up a a small remote office with wireless using our controller. The issue is being able to keep the same SSID at the remote office as we have at the central office without having the latency of multiple hops for the remote office to get to it's local applications.
  Are there any options that would let us use the same SSID but do central authentication and local switching? I've tried H-REAP, but it would not let us use the same SSID at both locations (we have to use the same SSID for policy\logistical reasons).
  Any help would be greatly appreciated!

  John,
  If you want to run H-REAP, the ssid you have running on the central site, just set that to local switching. You don't have to create any interfaces on the wlc. After you do that, go into the configuration of the remote ap you want to set to h-reap. Set the mode to H-REAP and apply, the ap will reboot. Once the ap comes back, you will get a tab (H-REAP). Click on that tab and set your native vlan and make sure the switch port the h-reap ap is connected to is set to trunk and native vlan x (which is your management.. vlan your ap ip address is on). Then hit apply and go to vlan mapping, here... your local switch ssids will show and you can set the local vlan on that ssid. The other ssid's if you have any will appear as centrally switched since you haven't enabled local switching.
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml

• Multiple vlan on Access point

  Hi,
  I have three AP but one one is connected with a network cable and the other work on a repeater mode.
  I need to create two vlans which will broadcast two ssid one for office and one for guest. I know you can't create multiple vlan on a repeater but is there any way round then with only one AP which connected to the network and other working in repeater mode?
  Thanks

  You can probably is you configure one radio as a repeater and the other radio for client access, but they will be placed on the same subnet which is your native vlan. I'm not 100% sure that would work anyways, but I know you can't separate the traffic.
  Thanks,
  Scott Fella
  Sent from my iPhone