To remember the steps required to define multiple SSID in Autonomous AP, I have used following comparison between logical segmentation (VLANs) in wired environment & SSID config in Autonomous AP.
| Step |
Layer 2 Switch |
Autonomous Access Points |
| 1 |
Define Vlans (3 vlans defined. Vlan 110 for Management, 12 & 13 for user data) |
Define SSID with associated vlan numbers. |
| vlan 12 name HQData1 ! vlan 13 HQData2 ! vlan 110 Management ! int x/x <—- where x/x is the Trunk to Uplink switch. switchport trunk encapsulation dot1q switchport trunk native vlan 999 switchport mode trunk |
dot11 ssid HQData1 <- Vlan name use as SSID for the simplicity. vlan 12 authentication open mbssid guest-mode <– Only required multiple SSID to be broadcast. If it is only single SSID this needs to be “ ssid guest-mode”! dot11 ssid HQData2 vlan 13 authentication open authentication key-management wpa version 2 mbssid guest-mode wpa-psk ascii Cisco123 |
|
| 2 | Configure the SW Mgt Interface | Configure the BVI Interface |
| int vlan 100 ip add 10.10.110.100 255.255.255.0 |
interface BVI1 ip address 10.10.110.100 255.255.255.0 ! interface GigabitEthernet0.110 encapsulation dot1Q 110 bridge-group 1 <—– BVI does not support Bridge-group. So it should be bridge-group 1 here. |
|
| 3 | Define Default Gateway | Define Default Gateway |
| ip default-gateway 10.10.110.1 | ip default-gateway 10.10.110.1 | |
| 4 | Create Ethernet & Radio sub-interface | |
| interface GigabitEthernet0.12 encapsulation dot1Q 12 bridge-group 12 <—— Bridge Group number is value between [1-255] ! interface GigabitEthernet0.13 encapsulation dot1Q 13 bridge-group 13interface Dot11Radio1.12 <— Dot11Radio1 for 5GHz & Dot11Radio0 for 2.4GHz band. In this example only configure 5GHz. encapsulation dot1Q 12 bridge-group 12 ! interface Dot11Radio1.13 encapsulation dot1Q 13 bridge-group 13 |
||
| 5 | Assigning SSID to Radio Interfaces | |
| interface Dot11Radio1 <- Only 5GHz band use for this example encryption vlan 13 mode ciphers aes-ccm ssid HQData1 ssid HQData2 mbssid |
Following links may be useful as discuss the same topic.
mrn-cciew 
Good post Rasika! On a side note I would like to mention from my experience, that you do not need to actually match the bridge-group #[1-255] to your VLAN #. It certainly helps make things make more sense to do so. But in a previous case where the vlan was 310 and I got to configuring the bridge-group which maxes at 255, I was like … oh oh ! But its all good ! I would say though that I was unsuccessful at trying to change the bridge-group 1 (default) to something else. Here is a good post on it for you or anyone else. [[[[[http://packetlife.net/blog/2012/feb/20/aironet-aps-bridge-groups-and-bvi/]]]]]]
Hi Nolan,
Thanks for your comments & sharing the link to packetlife blog post.It was very good.
Yes, even though those 2 numbers no need to match, as a best practice I configure same number provided that vlan number is below 255.
Opps! I forgot I was still using my pseudonym still.
Hi Nay,
I have a question, if native vlan on switch is 10 and BVi1 is given ip-address from vlan 10, however i configure 2 SSID’s and map them to vlan 20 anad 30 respectively.
Now while defining bridge group if i run command encapsulation dot1q native for SSID 1 then what will be ip address given to clients. VLAn 10(native on switchport) or VLAN 20 (Native under bridgegroup 1 for SSID 1)
Hi Rasika,
Very nice post. Was stuck for hours trying to get Management reachability.
Ranjith
Thanks Ranjith for the feedback…
Hi Rasika,
Can two SSIDs use the same VLAN in an autonomous AP? This is a client requirement that two separate SSID use the same VLAN. The authentication will be same though.
Thanks,
Jay
No, you cannot do this unless you use native vlan (ie without defining vlan/subinterfaces)
HTH
Rasika
Thanks a lot. Cant use native vlan. Anyways, I had already told the client this cant be done. Thank you for reaffirming my concept :).
Jau
Hello Rasika, okay?
Loved this post on multiple SSID on Autonomous AP.
I wonder if you ever see any restrictions or bug to work with the iPhone 6 Aironet 2602i.
Thank attention.
No I haven’t. If you got any pls start a thread here
https://supportforums.cisco.com/community/5956/getting-started-wireless
Rasika
I’m not sure if this thread remains active, but I do have a question that is related. Have you had any experience with connecting a dual radio WGB (AP1242) to an autonomous root AP (also 1242) on one radio and using the second WGB radio to support wireless clients? I have a customer for which I have implemented this succesfully, however, the customer is asking if it is possible to apply multiple SSID’s assigned to different VLAN’s on the aforementioned second radio. My inclination is that this will not work. FYI…I know this design is not a supported or documented scenario for Cisco WGB’s, but it does work. I have wired clients connected over an unmanaged switch to the WGB ethernet port, while supplying wireless coverage on the second radio on one SSID. Any thoughts would be greatly appreciated. Thanks.
Hi
Is it mandatory to have a dot1q trunk configured on the switch port and as well in the AP even if a single SSID is being propagated? In this case, will it work if the switch port is configured as an access port?
Hi Ashish,
If it is a single SSID, then you do not want a trunk port configuration.
If you configure AP like below & connect it to DHCP capable port, you should be good.
conf t
hostname
!
dot11 ssid
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii
!
interface Dot11Radio0
encryption mode ciphers aes-ccm
ssid
no shutdown
!
interface Dot11Radio1
channel width 40-above
encryption mode ciphers aes-ccm
ssid
no shutdown
!
interface BVI1
ip address dhcp
!
end
write memory
HTH
Rasika
Many thanks for your reply. Can I configure static instead of DHCP on the BVI interface? One more scenario in an autonomous AP can I have two SSIDs mapped to the same VLAN with different authentication methods like one SSID on PSK and the other one on an external RADIUS, please.
Hi Ashish,
Yes, you can configure a static IP address for BVI.
No, If you want to have multiple SSIDs advertise on same radio, then need to have multiple vlan.
However you can create two SSID with different security. Then one SSID advertise on one radio (eg 5GHz) & other SSID advertise on 2nd radio (2.4GHz)
HTH
Rasika
Many thanks for your reply.