
Switch: Catalyst 3550
AP: 1130

Objective:
You need to dedicate a subnet to a specific class of wireless users. Each class has its own SSID that identifies which wireless network to join.

Assumptions

Authentication used: open
Authentication key management: WPA
SSID: not broadcast --> this means that you have to enter the SSID and key manually on your wireless laptop (or any wireless machine) to join a specific wireless network
SSID encryption: AES 128-bit key

Wired Native VLAN 2

Wireless Native VLAN 10

AP Management: 10.10.10.0/29 VLAN 1
Gateway: 10.10.10.4

Wired Internal: 10.10.10.8/29 VLAN 2
Gateway: 10.10.10.9

Wireless Guest: 192.168.100.0/24 VLAN 202
SSID: 230Guest
Gateway: 192.168.100.1

Wireless Internal: 192.168.10.0/24 VLAN 203
SSID: internal
Gateway: 192.168.10.4

Background

There is a need to set up two different wireless networks, one for internal use and another for guests. The internal wireless network has the same access privileges as the internal office wired network, while the guest network only has Internet access and no access to the internal network whatsoever.

With this requirement, you need multiple SSIDs: one SSID for the internal wireless network and another SSID for the guest network. All of the SSIDs exist on each AP, so there must be multiple VLANs to support the multiple SSIDs. Dedicate one VLAN to each SSID and run a Layer-2 trunk between the AP and the switch the AP connects to. The trunk encapsulation protocol should be 802.1Q, which may be the only encapsulation protocol supported on the AP.

In this FAQ, the switch used is a Layer-3 switch, which simplifies the configuration. However, you could use a Layer-2 switch for trunking between the AP and the switch. Should you use a Layer-2 switch for that purpose, you will need a Layer-3 device to do the routing, which could be a Layer-3 switch, a router, or a firewall.

When we assume a Layer-3 switch connects to the AP and terminates all the AP VLANs, the Layer-3 switch needs some kind of rule that permits only the allowed traffic from the wireless Guest network to flow through the network. In this FAQ, such rules are set by ACL 202. If the AP connects to a Layer-2 switch instead, the ACL 202 rules should be placed on the terminating Layer-3 device you use (Layer-3 switch, router, or firewall).

In addition, you need to create a DHCP environment to support the Guest network so that any guest wireless laptop receives an IP address, default gateway, and DNS server addresses automatically. You can set the Layer-3 switch as the DHCP server, as this FAQ shows. You can also have a dedicated DHCP server somewhere on your wired network in a different VLAN, which requires the ip helper-address command on the Layer-3 switch's Guest VLAN interface so that the DHCP UDP broadcasts are forwarded beyond Guest VLAN 202.
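To see exactly what ACL 202 lets out of the Guest VLAN, the following is an added example (not part of the original FAQ) that parses the ACL lines shown later in the switch configuration and evaluates them with IOS semantics: wildcard-mask matching, first match wins, implicit deny at the end. The function names, the sample client address 192.168.100.50 and the flow list are constructed for this illustration; the destination addresses come from the FAQ's addressing plan.

```python
import ipaddress
from typing import List, Optional, Tuple

# ACL 202 exactly as it appears in the switch configuration of this FAQ
# (applied with "ip access-group 202 in" on interface Vlan202).
ACL_202_LINES = [
    "access-list 202 remark Permitted traffic for Guest network",
    "access-list 202 deny ip any 10.0.0.0 0.255.255.255",
    "access-list 202 deny ip any 172.16.0.0 0.15.255.255",
    "access-list 202 deny ip any 192.168.0.0 0.0.255.255",
    "access-list 202 permit ip 192.168.100.0 0.0.0.255 any",
]

# One ACL entry: (action, src, src-wildcard, dst, dst-wildcard)
Entry = Tuple[str, str, str, str, str]


def _address(tokens: List[str]) -> Tuple[Tuple[str, str], List[str]]:
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_numbered_acl(lines: List[str]) -> List[Entry]:
    """Parse extended numbered 'access-list N {permit|deny} ip SRC DST' lines.
    Remarks are skipped; only the 'ip' protocol form used in this FAQ is handled."""
    entries: List[Entry] = []
    for raw in lines:
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        action, proto, rest = parts[2], parts[3], parts[4:]
        if proto != "ip":
            raise ValueError(f"unsupported protocol in entry: {raw}")
        (src, src_wc), rest = _address(rest)
        (dst, dst_wc), rest = _address(rest)
        entries.append((action, src, src_wc, dst, dst_wc))
    return entries


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def evaluate(acl: List[Entry], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First matching entry wins. Returns (action, 1-based entry number), or
    ('deny', None) for the implicit deny that ends every IOS access list."""
    for number, (action, s, s_wc, d, d_wc) in enumerate(acl, start=1):
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action, number
    return "deny", None


def guest_policy_report(acl: List[Entry]) -> dict:
    """Evaluate the flows a guest client typically sends through the Guest SVI
    (constructed sample client 192.168.100.50; other addresses are from the FAQ)."""
    flows = {
        "guest -> Internet DNS (8.8.8.8)": ("192.168.100.50", "8.8.8.8"),
        "guest -> wired internal (10.10.10.9)": ("192.168.100.50", "10.10.10.9"),
        "guest -> wireless internal (192.168.10.4)": ("192.168.100.50", "192.168.10.4"),
        "guest -> AP management (10.10.10.3)": ("192.168.100.50", "10.10.10.3"),
        "guest -> own gateway (192.168.100.1)": ("192.168.100.50", "192.168.100.1"),
        "DHCP DISCOVER (0.0.0.0 -> 255.255.255.255)": ("0.0.0.0", "255.255.255.255"),
    }
    return {name: evaluate(acl, s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for name, (action, number) in guest_policy_report(parse_numbered_acl(ACL_202_LINES)).items():
        where = f"entry {number}" if number else "implicit deny"
        print(f"{action:6} ({where:13}) {name}")
```

Two results are worth noticing before deploying this list. Entry 3 (deny to 192.168.0.0/16) also covers the guests' own gateway, so a guest cannot ping 192.168.100.1 and a unicast DHCP renewal to the server is dropped (the client falls back to a broadcast rebind, which entry 4 permits). The initial DHCP DISCOVER is sourced from 0.0.0.0 and matches no explicit entry, landing on the implicit deny; this model only evaluates IP-header matching, so confirm on the actual platform that guests obtain leases, and add an explicit bootps permit ahead of the deny entries if they do not.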

Typically, for security and reliability purposes, you may want to use a different Native VLAN for each network. In this FAQ, it is assumed that you use VLAN 10 as the wireless Native VLAN and a different VLAN as the wired Native VLAN.

You should create sub-interfaces on both the radio and the wired port for every wireless VLAN on the AP, as you see in this FAQ; however, there is no need to create an SSID for all of those VLANs. An SSID is only needed for an actual wireless network, which in this FAQ means only VLANs 202 (Guest network) and 203 (wireless Internal network).

Also for security purposes, no SSID should be broadcast. This way, you can avoid a situation where a wireless machine simply connects to the wireless network without your knowledge or approval. When the SSID is not broadcast, the SSID name will not show up in a wireless machine's SSID scan, hence the SSID name and key must be entered manually. In case you are unaware, the SSID name is the one stated in the dot11 ssid command and the associated SSID key is the one stated in the wpa-psk command.

Note that for wireless internal network connectivity, you may want to set your wireless laptop (or any wireless machine) to connect automatically to the internal SSID even though the SSID name is not broadcast. This way, you don't have to enter the SSID name and key manually every time you need to connect to the internal network wirelessly.

On some APs, you can only use VLAN 1 for AP management: you cannot remove VLAN 1 or the BVI1 interface of such an AP. Therefore you have no choice but to use a Layer-3 SVI for VLAN 1 on the Layer-3 switch for AP management. This requirement may seem a downside where your network policy prefers not to use VLAN 1 for anything. Should this requirement raise a concern, you need to use a different AP that supports a non-VLAN 1 management VLAN, upgrade the AP code to support a non-VLAN 1 management VLAN, or implement a dedicated Layer-3 switch that is only for the APs while the rest of your network resources connect to a different switch.

Configurations

Switch Configuration

! Guest DHCP pool: the Guest SVI address is excluded so it is never leased
ip dhcp excluded-address 192.168.100.1
!
ip dhcp pool 230Guest
 network 192.168.100.0 255.255.255.0
 default-router 192.168.100.1
 dns-server 4.4.4.4 8.8.8.8
!
! Uplink to the wired Layer-2 switch: wired Native VLAN 2
interface FastEthernet0/1
 description Trunk to Layer-2 switch
 switchport access vlan 2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport mode trunk
!
! Trunk to the AP: wireless Native VLAN 10, only the AP VLANs allowed on the trunk
interface FastEthernet0/8
 description Trunk to AP
 switchport access vlan 1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 1,10,202-203
 switchport mode trunk
!
interface Vlan1
 description AP Management
 ip address 10.10.10.4 255.255.255.248
!
interface Vlan2
 description Wired Management
 ip address 10.10.10.9 255.255.255.248
!
! Guest SVI: Guest default gateway and DHCP server; ACL 202 filters traffic arriving from guests
interface Vlan202
 description Guest Internet VLAN
 ip address 192.168.100.1 255.255.255.0
 ip access-group 202 in
!
interface Vlan203
 description Private VLAN
 ip address 192.168.10.4 255.255.255.0
!
! ACL 202: deny every RFC 1918 destination first, then permit the Guest subnet to anything else (the Internet);
! anything not matched is dropped by the implicit deny at the end of the list
access-list 202 remark Permitted traffic for Guest network
access-list 202 deny ip any 10.0.0.0 0.255.255.255
access-list 202 deny ip any 172.16.0.0 0.15.255.255
access-list 202 deny ip any 192.168.0.0 0.0.255.255
access-list 202 permit ip 192.168.100.0 0.0.0.255 any
!

AP Configuration

! VLAN names are cosmetic labels; the numbers must match the switch trunk
dot11 vlan-name Management_VLAN vlan 1
dot11 vlan-name Native_VLAN vlan 10
dot11 vlan-name Guest_VLAN vlan 202
dot11 vlan-name Private_WIFI_VLAN vlan 203
!
! Each SSID is tied to one VLAN; WPA with a pre-shared key (the key follows wpa-psk ascii)
dot11 ssid 230Guest
 vlan 202
 authentication open
 authentication key-management wpa
 wpa-psk ascii 0 230Guest202
!
dot11 ssid internal
 vlan 203
 authentication open
 authentication key-management wpa
 wpa-psk ascii 0 internal203
!
bridge irb
!
! Radio: AES-CCM cipher per SSID VLAN, then bind the two SSIDs to the radio
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 202 mode ciphers aes-ccm
 !
 encryption vlan 203 mode ciphers aes-ccm
 !
 ssid 230Guest
 !
 ssid internal
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
! Radio sub-interfaces: one per VLAN, bridge-group number equals the VLAN number
interface Dot11Radio0.1
 encapsulation dot1Q 1
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio0.202
 encapsulation dot1Q 202
 no ip route-cache
 bridge-group 202
 bridge-group 202 subscriber-loop-control
 bridge-group 202 block-unknown-source
 no bridge-group 202 source-learning
 no bridge-group 202 unicast-flooding
 bridge-group 202 spanning-disabled
!
interface Dot11Radio0.203
 encapsulation dot1Q 203
 no ip route-cache
 bridge-group 203
 bridge-group 203 subscriber-loop-control
 bridge-group 203 block-unknown-source
 no bridge-group 203 source-learning
 no bridge-group 203 unicast-flooding
 bridge-group 203 spanning-disabled
!
! Wired port: the 802.1Q trunk towards switch port FastEthernet0/8
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 hold-queue 160 in
!
! Wired sub-interfaces mirror the radio sub-interfaces VLAN for VLAN, native VLAN 10 matching the switch
interface FastEthernet0.1
 encapsulation dot1Q 1
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface FastEthernet0.202
 encapsulation dot1Q 202
 no ip route-cache
 bridge-group 202
 no bridge-group 202 source-learning
 bridge-group 202 spanning-disabled
!
interface FastEthernet0.203
 encapsulation dot1Q 203
 no ip route-cache
 bridge-group 203
 no bridge-group 203 source-learning
 bridge-group 203 spanning-disabled
!
! Management address of the AP lives on bridge-group 1 (VLAN 1); gateway is the switch's Vlan1 SVI
interface BVI1
 ip address 10.10.10.3 255.255.255.248
 no ip route-cache
!
ip default-gateway 10.10.10.4
!
bridge 1 route ip
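The Background section asks for matching radio and wired sub-interfaces per VLAN, a wireless Native VLAN that agrees with the switch trunk, and SSIDs only on the VLANs that carry wireless networks. The following is an added example (not from the FAQ or from Cisco) that checks those rules against a trimmed copy of the two configurations above. The parser assumes the unindented layout shown on this page (a block begins at an interface or dot11 ssid line, ! separators are ignored); the function names are constructed for this illustration, and the config text keeps only the lines the checks read.

```python
import re
from typing import Dict, List, Set

# Trimmed copy of the AP configuration from this FAQ (constructed input: only the
# lines the checks below read are kept; the parser does not need the '!' separators).
AP_CONFIG = """
dot11 ssid 230Guest
vlan 202
dot11 ssid internal
vlan 203
interface Dot11Radio0
encryption vlan 202 mode ciphers aes-ccm
encryption vlan 203 mode ciphers aes-ccm
ssid 230Guest
ssid internal
interface Dot11Radio0.1
encapsulation dot1Q 1
bridge-group 1
interface Dot11Radio0.10
encapsulation dot1Q 10 native
bridge-group 10
interface Dot11Radio0.202
encapsulation dot1Q 202
bridge-group 202
interface Dot11Radio0.203
encapsulation dot1Q 203
bridge-group 203
interface FastEthernet0.1
encapsulation dot1Q 1
bridge-group 1
interface FastEthernet0.10
encapsulation dot1Q 10 native
bridge-group 10
interface FastEthernet0.202
encapsulation dot1Q 202
bridge-group 202
interface FastEthernet0.203
encapsulation dot1Q 203
bridge-group 203
"""
# The switch port facing the AP, from the same FAQ.
SWITCH_AP_PORT = """
interface FastEthernet0/8
switchport trunk native vlan 10
switchport trunk allowed vlan 1,10,202-203
switchport mode trunk
"""

def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Group an unindented IOS config into {block header: [sub-commands]}."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in (raw.strip() for raw in config.splitlines()):
        if not line or line == "!":
            continue
        if line.startswith(("interface ", "dot11 ssid ")):
            current, blocks[line] = line, []
        elif current is not None:
            blocks[current].append(line)
    return blocks

def expand_vlan_list(spec: str) -> Set[int]:
    """'1,10,202-203' -> {1, 10, 202, 203}"""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def subinterfaces(blocks: Dict[str, List[str]], port: str) -> Dict[int, dict]:
    """dot1Q VLAN id -> {'native': bool, 'bridge_group': int} for sub-interfaces of `port`."""
    found: Dict[int, dict] = {}
    for header, cmds in blocks.items():
        if not header.startswith(f"interface {port}."):
            continue
        enc = next((re.match(r"encapsulation dot1Q (\d+)( native)?$", c) for c in cmds), None)
        bg = next((int(c.split()[1]) for c in cmds if c.startswith("bridge-group ")), None)
        if enc:
            found[int(enc.group(1))] = {"native": bool(enc.group(2)), "bridge_group": bg}
    return found

def check_ap_trunk(ap_config: str, switch_port_config: str) -> List[str]:
    """Return findings; an empty list means the AP and the switch agree on the VLAN plan."""
    findings: List[str] = []
    blocks = parse_blocks(ap_config)
    radio, wired = subinterfaces(blocks, "Dot11Radio0"), subinterfaces(blocks, "FastEthernet0")
    if set(radio) != set(wired):
        findings.append(f"radio/wired sub-interface VLAN mismatch: {sorted(set(radio) ^ set(wired))}")
    for vlan in radio:  # the FAQ's convention: bridge-group number == VLAN number on both sides
        if radio[vlan]["bridge_group"] != vlan or wired.get(vlan, {}).get("bridge_group") != vlan:
            findings.append(f"VLAN {vlan}: bridge-group number differs from VLAN id")
    ap_native = {v for side in (radio, wired) for v, i in side.items() if i["native"]}
    port = next(iter(parse_blocks(switch_port_config).values()), [])
    sw_native = next((int(c.split()[-1]) for c in port if c.startswith("switchport trunk native vlan ")), None)
    allowed = next((expand_vlan_list(c.split()[-1]) for c in port if c.startswith("switchport trunk allowed vlan ")), None)
    if ap_native != {sw_native}:
        findings.append(f"native VLAN mismatch: AP {sorted(ap_native)} vs switch {sw_native}")
    if allowed is not None and set(radio) - allowed:
        findings.append(f"AP VLANs not allowed on the switch trunk: {sorted(set(radio) - allowed)}")
    radio_cmds = blocks.get("interface Dot11Radio0", [])
    encrypted = {int(c.split()[2]) for c in radio_cmds if re.match(r"encryption vlan \d+ mode ciphers aes-ccm$", c)}
    for header, cmds in blocks.items():
        if header.startswith("dot11 ssid "):
            name = header.split(" ", 2)[2]
            vlan = next((int(c.split()[1]) for c in cmds if c.startswith("vlan ")), None)
            if vlan not in radio:
                findings.append(f"SSID {name}: VLAN {vlan} has no radio sub-interface")
            if vlan not in encrypted:
                findings.append(f"SSID {name}: no AES-CCM cipher configured for VLAN {vlan}")
            if vlan in ap_native:
                findings.append(f"SSID {name}: placed on the native VLAN (untagged)")
    return findings

if __name__ == "__main__":
    print(check_ap_trunk(AP_CONFIG, SWITCH_AP_PORT) or "AP and switch trunk are consistent")
```

The checks are deliberately narrow: they catch the mistakes this design is most exposed to (a VLAN trunked on one side only, a native VLAN that differs between AP and switch, an SSID whose VLAN carries no cipher, an SSID left on the untagged native VLAN). A clean result says the two configurations agree with each other, not that ACL 202 or the DHCP pool behave as intended.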



by aryoba See Profile
last modified: 2011-08-11 12:27:26