08 November 2008

Configuring Cisco Aironet in Home Lab - Part 2


Now it's time to configure Cisco Aironet Wireless Access Point for Cisco home lab.

What I'm going to do first is to configure the connectivity between the Cisco Aironet 1240AG wireless access point to the Cisco 2950 switch.

Here's the closer look of the network diagram of the wireless access point and the switch:


The network will be using VLAN 5 (192.168.5.0 network) as the native VLAN and the rest of the VLANs will be used for the SSIDs.

There's an interface called BVI or Bridge-group Virtual Interface, what this interface does is bridge all of the interfaces in the access point - the wired and wireless interfaces - so you can use the interface BVI IP address to manage all of those interfaces.

In Cisco Aironet 1240AG wireless access points, you have 1 interface fast ethernet port, 1 console port, 1 dot11radio 0 for the 802.11G, and 1 dot11radio 1 for 802.11A.

In this configuration I only going to configure the dot11radio 0 for the 802.11G wireless network since I only have the antennas for the 802.11G.
You can configure both 802.11A and 802.11G if you want.

First we configure the interface BVI 1 IP address:

1240AG> enable
1240AG# configure terminal
1240AG (config)# interface bvi 1
1240AG (config-if)# ip address 192.168.5.3 255.255.255.0
1240AG (config-if)# no shutdown

Now set the native VLAN (VLAN 5) to the wireless access point, we have to configure the native VLAN on both of the fastethernet sub interface and the dot11radio 0 sub interface:

1240AG (config)# interface fastethernet 0.5
1240AG (config-if)# encapsulation dot1q 5 native
1240AG (config-if)# interface dot11radio 0.5
1240AG (config-if)# encapsulation dot1q 5 native

Next is to set up the SSID starting from SSID for admin and associate it with VLAN 30.
We need to configure the SSID on the dot11radio 0 interface first then configure the VLAN on the dot11radio 0.30 sub interface and fast ethernet 0.30 sub interface.
Also I set up the SSID for open authentication first.

1240AG (config)# interface dot11radio 0
1240AG (config-if)# ssid ADMIN
1240AG (config-if-ssid)# vlan 30
1240AG (config-if-ssid)# authentication open
1240AG (config-if-ssid)# end

1240AG (config)# interface fastethernet 0.30
1240AG (config-subif)# encapsulation dot1q 30
1240AG (config-subif)# bridge-group 30

1240AG (config-subif)# interface dot11radio 0.30
1240AG (config-subif)# encapsulation dot1q 30
1240AG (config-subif)# bridge-group 30

The bridge-group command allows you to group interfaces and bridge nonrouted traffic among the interfaces.
In this example traffic from dot11radio 0.30 sub interface to fastethernet 0.30 sub interface and vice versa.

Note: If you configure the SSID on the global configuration mode, the SSID will be both in the dot11radio 0 and 1.

Do the same with the SSID for guest and associate it with VLAN 40:

1240AG (config)# interface dot11radio 0
1240AG (config-if)# ssid GUEST
1240AG (config-if-ssid)# vlan 40
1240AG (config-if-ssid)# authentication open
1240AG (config-if-ssid)# end

1240AG (config)# interface fastethernet 0.40
1240AG (config-subif)# encapsulation dot1q 40
1240AG (config-subif)# bridge-group 40

1240AG (config-subif)# interface dot11radio 0.40
1240AG (config-subif)# encapsulation dot1q 40
1240AG (config-subif)# bridge-group 40

Next step is to configure the switch port connected to the wireless access point as a trunk port with native VLAN 5.
I already posted about how to do this on the last post.

Also if you are going to use dynamic IP address, make sure you have configured router as DHCP server that serving clients for VLAN 30 and 40.

Right now if you have no problem pinging the switch and router from the wireless access point, your access point is broadcasting SSID and giving IP address from router for any client joining the SSID.

The SSIDs are not secure since they use open authentication, next time I'll configure it with stronger authentication.