08-12-2013 02:55 AM
I want to create a tunnel-mode SSID which will be on a different network. Currently, I have a bridge-mode SSID on my remote access points. The tunnel-mode SSID will be used by my energy meters to connect to the LAN. I want authorised users on my LAN and bridge-mode SSID to be able to log in to the energy meters.
The purpose of creating a separate SSID is because energy meters don't support 802.1x authentication and I don't want my users to connect to the tunnel-mode SSID, which uses WPA2-PSK authentication.
How can I create this tunnel-mode SSID on a different VLAN?
08-12-2013 04:59 AM - edited 08-12-2013 05:00 AM
I am not 100% sure I understand your requirement, but it sounds like you have a network setup already, so some of these commands may be unnecessary for you, but I included them anyways.
Each AP (whether Campus or Remote) can support multiple SSIDs in varying tunnel modes. In your case, you are interested in putting them on a different VLAN. Assuming this VLAN exists on the controller and that it is properly uplinked to your network (typically by setting the port in trunk mode), you simply assign the desired VLAN (or VLANs) to the virtual-AP profile that will be applied to the AP Group in question.
Create a new vlan: vlan <number>
If you want an IP on the vlan (not always necessary if the network will handle DHCP and routing)
interface vlan <number>
ip address x.x.x.x y.y.y.y
Ensure this VLAN is assigned to a network port or trunk port if you need it on the LAN. If it is only on the controller, ensure routing to this VLAN from the LAN or NAT all traffic from the controller.
create your virtual AP like you normally would: wlan virtual-ap name-vap
set other commands as necessary; for example drop broadcast/multicast, band-steering, etc.
ensure tunnel mode: forward-mode tunnel
add the right vlan: vlan <number>
add your SSID: ssid-profile name-ssid-profile
add your AAA Profile: aaa-profile name-aaa-profile
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
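Added example, not part of the original replies: the steps above assembled into one ArubaOS controller configuration in dependency order, with the WPA2-PSK SSID profile and the AP group binding written out. VLAN 200, the 10.20.0.0/24 addressing, every profile, role and group name, and the passphrase placeholder are assumptions chosen for illustration; the role named in `initial-role` is assumed to exist already and to permit only the traffic the meters need.

```text
! Constructed values throughout: VLAN ID, addresses and all names are assumptions.
! 1. Dedicated VLAN for the energy meters, with an optional L3 interface
!    (only needed if the controller routes or serves DHCP for this VLAN).
vlan 200
interface vlan 200
   ip address 10.20.0.1 255.255.255.0
!
! 2. SSID profile for the meters: WPA2-PSK, because they cannot do 802.1X.
wlan ssid-profile "meters-ssid"
   essid "Meters"
   opmode wpa2-psk-aes
   wpa-passphrase <PLACEHOLDER-PASSPHRASE>
!
! 3. AAA profile: every client on a PSK SSID lands in the initial role,
!    so this role is what limits what the meter VLAN can reach.
!    "meters-role" is a hypothetical role assumed to be defined elsewhere.
aaa profile "meters-aaa"
   initial-role "meters-role"
!
! 4. Virtual AP: tunnel forwarding, bound to the meter VLAN and the two
!    profiles above.
wlan virtual-ap "meters-vap"
   forward-mode tunnel
   vlan 200
   ssid-profile "meters-ssid"
   aaa-profile "meters-aaa"
!
! 5. Attach the new virtual AP to the AP group that holds the remote APs.
!    The existing bridge-mode virtual AP in this group is left as it is.
ap-group "remote-aps"
   virtual-ap "meters-vap"
```

Because the PSK is shared by every device on this SSID, the initial role and the routing or firewall rules between VLAN 200 and the user LAN are what decide who can reach the meters and what the meters can reach.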