I’d love to see your config when you get a chance to post it. I suppose I am having trouble getting my head around the need for VLANs. I understand that VLANs separate the broadcast traffic into sub-domains and therefore isolate traffic as routers do not forward broadcast frames.
My understanding so far is:
- The bridge-groups in the radio sub-interfaces tie these interfaces to the BVIs that are created.
- So then the “encapsulation dot1Q xx native” command in the sub-interface then ties the SSIDs (which have the vlan command) to the respective sub-interface and BVI. Is this correct?
- So technically a bridge-group = VLAN in this context with the BVI getting the IP address instead of the VLAN. Am I correct in assuming this?
It just seems like a very complicated way to do something that should be quite simple.
I’ve included my config for the wireless side that seems to work. I can access the internet and ping the other subnets on the router. One last question, where is it best practice to put the “ip nat inside” command, on the BVIs or on the radio sub-interfaces?
Have a great holiday.
Matt.
!
dot11 ssid admin
 vlan 10
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxx
!
dot11 ssid guest
 vlan 20
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxx
!
dot11 ssid user
 vlan 30
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxx
!
bridge irb
!
!
interface Loopback0
 ip address 2.8.5.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex full
 speed 1000
!
!
interface Dot11Radio0/3/0
 no ip address
 !
 encryption vlan 10 mode ciphers aes-ccm tkip
 !
 encryption vlan 20 mode ciphers aes-ccm tkip
 !
 encryption vlan 30 mode ciphers aes-ccm tkip
 !
 ssid admin
 !
 ssid guest
 !
 ssid user
 !
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
!
interface Dot11Radio0/3/0.10
 description admin.subint
 encapsulation dot1Q 10
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Dot11Radio0/3/0.20
 description guest.subint
 encapsulation dot1Q 20
 ip nat inside
 ip virtual-reassembly in
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!
interface Dot11Radio0/3/0.30
 description user.subint
 encapsulation dot1Q 30 native
 bridge-group 30
 bridge-group 30 subscriber-loop-control
 bridge-group 30 spanning-disabled
 bridge-group 30 block-unknown-source
 no bridge-group 30 source-learning
 no bridge-group 30 unicast-flooding
!
!
interface BVI10
 description admin.bvi
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface BVI20
 description guest.bvi
 ip address 20.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface BVI30
 description user.bvi
 ip address 30.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
!
bridge 10 protocol ieee
bridge 10 route ip
bridge 20 protocol ieee
bridge 20 route ip
bridge 30 protocol ieee
bridge 30 route ip
!
!
!
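The SSID to VLAN to sub-interface to bridge-group to BVI chain asked about above can be checked mechanically. The following Python is an added example, not part of the original post and not a Cisco tool; the names `SAMPLE`, `sections` and `trace` are hypothetical, and the sample is a constructed excerpt of the posted configuration. It also records where `ip nat inside` appears on each path, so per-SSID differences in the segmentation setup are visible at a glance.

```python
import re
# Constructed sample, trimmed from the configuration posted above.
SAMPLE = """\
dot11 ssid admin
 vlan 10
dot11 ssid guest
 vlan 20
interface Dot11Radio0/3/0.10
 encapsulation dot1Q 10
 bridge-group 10
interface Dot11Radio0/3/0.20
 encapsulation dot1Q 20
 ip nat inside
 bridge-group 20
interface BVI10
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
interface BVI20
 ip address 20.1.1.1 255.255.255.0
 ip nat inside
"""

def sections(text):
    """Map each 'dot11 ssid'/'interface' line to the commands listed under it."""
    out, head = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith(("dot11 ssid ", "interface ")):
            head = line
            out[head] = []
        elif head and line and line != "!":
            out[head].append(line)
    return out

def trace(text):
    """Follow SSID -> VLAN -> radio sub-interface -> bridge-group -> BVI."""
    sec, by_vlan, result = sections(text), {}, {}
    for head, cmds in sec.items():
        enc = re.search(r"^encapsulation dot1Q (\d+)", "\n".join(cmds), re.M)
        bg = re.search(r"^bridge-group (\d+)$", "\n".join(cmds), re.M)
        if enc and bg:
            by_vlan[enc.group(1)] = (head.split()[1], bg.group(1), "ip nat inside" in cmds)
    for head, cmds in sec.items():
        vlan = next((c.split()[1] for c in cmds if c.startswith("vlan ")), None)
        if head.startswith("dot11 ssid ") and vlan in by_vlan:
            subif, bg, sub_nat = by_vlan[vlan]
            bvi = sec.get(f"interface BVI{bg}", [])
            ip = next((c.split()[2] for c in bvi if c.startswith("ip address ")), None)
            result[head.split()[2]] = {"vlan": vlan, "subif": subif, "bridge_group": bg,
                "bvi_ip": ip, "nat_on_bvi": "ip nat inside" in bvi, "nat_on_subif": sub_nat}
    return result
```

Calling `trace(SAMPLE)` returns one entry per SSID; the parser keys on the command text rather than indentation, so it also accepts a configuration pasted with the leading spaces stripped.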