Cisco WAP config for dual VLAN/SSID example

reflection

Getting comfortable
Joined
Jan 28, 2020
Messages
348
Reaction score
261
Location
Virginia
sam988 asked me for help with this so posting for general benefit.

These instructions are for a Cisco WAP in autonomous mode. This applies to a dual VLAN design. One SSID will be for the home network, the other SSID will be for cameras (like a doorbell cam).

The benefit is that you don't need a separate WAP for cameras and you can still have VLAN separation.

Assumptions:
Home subnet is 192.168.29.0/24. This is VLAN 2. The SSID is homeSSID.
Camera subnet is 192.168.1.0/24. This is VLAN 4. The SSID is camSSID.
Router is connected to VLAN 2 with IP address 192.168.29.1
Managed switch IP address for VLAN 2 is 192.168.29.2.
The management IP for the WAP will be 192.168.29.3.
This is for a Cisco 3702i, which can be found used on eBay for under $40. Cisco Aironet 3700 Series Access Points Data Sheet. Similar configs for other models.
You know how to configure VLANs on your POE switch. The Cisco WAP is powered using POE.
Your cameras are only on the 2.4GHz spectrum so only the 2.4GHz radio is configured for camSSID. The home network is configured for both 2.4GHz and 5GHz.
The SSID for your home network is broadcast but the SSID for the cameras is hidden. You will have to explicitly configure the SSID on your devices because they will not find it.
Security is using WPA2 personal (pre-shared keys). If you want to do WPA2 enterprise, ping me. You will need an external authentication server.
There is a web GUI for the WAP but it is limited. We are doing a special config for the VLAN separation so we are using CLI.

1. Make sure your AP is in autonomous mode. You can google for instructions.
2. Set the switch port connecting to the WAP to be a trunk. Set the native vlan for that port to be VLAN 2.
3. You can enter this config through the console or via a remote terminal if you have that configured already. You will have to do the "crypto key generate..." to set up SSH.
4. Your configuration will look something like this. Note that some configuration is left out because it was the default.
5. You can access the web GUI and check out the config afterwards.

Code:
ip routing
ip domain name mydomain.com
!
dot11 ssid homeSSID
vlan 2
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk <this is your SSID password>
!
dot11 ssid camSSID
vlan 4
authentication open
authentication key-management wpa version 2
wpa-psk <this is your SSID password for cams>
!
!
username ADMIN privilege 15 secret <this is your admin password>
!
bridge irb
!
interface Dot11Radio0
no ip address
!
encryption vlan 2 mode ciphers aes-ccm
!
encryption vlan 4 mode ciphers aes-ccm
!
ssid homeSSID
!
ssid camSSID
!
antenna gain 0
stbc
mbssid
station-role root
!
interface Dot11Radio0.2
encapsulation dot1Q 2 native
bridge-group 2
!
interface Dot11Radio0.4
encapsulation dot1Q 4
bridge-group 4
!
!
interface Dot11Radio1
no ip address
!
encryption vlan 2 mode ciphers aes-ccm
!
ssid homeSSID
!
antenna gain 0
peakdetect
dfs band 3 block
stbc
mbssid
channel width 80
channel dfs
station-role root
!
interface Dot11Radio1.2
encapsulation dot1Q 2 native
bridge-group 2
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
!
interface BVI2
ip address 192.168.29.3 255.255.255.0
!
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.29.1
!
bridge 2 route ip
!
line con 0
line vty 0 4
login local
transport input ssh
!
end
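The config above only works if four things line up for every SSID: the dot11 ssid block names a VLAN, each radio that lists that SSID has an "encryption vlan N mode ciphers aes-ccm" line for the same VLAN, a Dot11RadioX.N subinterface tags that VLAN, and that subinterface shares its bridge-group (and native flag) with the matching GigabitEthernet0.N subinterface on the wired side. The Python checker below is an added example for this thread, not the poster's tooling and not anything from Cisco. It assumes the config text is in the indented layout that "show running-config" prints (one leading space per sub-command, which a forum paste loses), and SAMPLE_CONFIG inside it is constructed with two deliberate defects so the checker has something to report.

```python
# Added example for this thread (not the poster's or Cisco's code): audit a Cisco autonomous-AP
# config for the VLAN-per-SSID design.  Assumes the indented layout that 'show running-config'
# prints (one leading space per sub-command).  SAMPLE_CONFIG is constructed, with two defects.
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
dot11 ssid homeSSID
 vlan 2
 authentication key-management wpa version 2
dot11 ssid camSSID
 vlan 4
 authentication key-management wpa version 2
interface Dot11Radio0
 encryption vlan 2 mode ciphers aes-ccm
 encryption vlan 4 mode ciphers aes-ccm
 ssid homeSSID
 ssid camSSID
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 bridge-group 2
interface Dot11Radio0.4
 encapsulation dot1Q 4
 bridge-group 4
interface Dot11Radio1
 ssid homeSSID
interface Dot11Radio1.2
 encapsulation dot1Q 2 native
 bridge-group 2
interface GigabitEthernet0.2
 encapsulation dot1Q 2 native
 bridge-group 2
interface GigabitEthernet0.4
 encapsulation dot1Q 4
 bridge-group 3
no ip http server
ip http secure-server
"""

def parse_sections(cfg):
    """Split config text into (header, [sub-commands]) blocks; '!' separator lines are skipped."""
    sections = []
    for raw in cfg.splitlines():
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        elif raw.strip() and not raw.startswith(("!", " ")):
            sections.append((raw.strip(), []))
    return sections

def audit_ap_config(cfg, eth="GigabitEthernet0"):
    """Return findings; an empty list means SSID, cipher, VLAN tag and bridge-group plumbing agree."""
    sections = parse_sections(cfg)
    top = {h for h, _ in sections}                  # unindented global commands
    ssid_vlan, enc, carried, subifs, findings = {}, defaultdict(set), defaultdict(list), {}, []
    for header, body in sections:
        if (m := re.match(r"dot11 ssid (\S+)$", header)):
            name = m.group(1)
            ssid_vlan[name] = next((int(l.split()[1]) for l in body if l.startswith("vlan ")), None)
            if ssid_vlan[name] is None:
                findings.append(f"SSID {name}: no 'vlan' statement")
            if "authentication key-management wpa version 2" not in body:
                findings.append(f"SSID {name}: not WPA2 (no 'authentication key-management wpa version 2')")
        elif (m := re.match(r"interface (Dot11Radio\d+|GigabitEthernet\d+)(?:\.(\d+))?$", header)):
            parent, sub = m.groups()
            if sub is None:                             # main radio/Ethernet interface
                for l in body:
                    if (e := re.match(r"encryption vlan (\d+) mode ciphers aes-ccm$", l)):
                        enc[parent].add(int(e.group(1)))
                    elif (s := re.match(r"ssid (\S+)$", l)):
                        carried[parent].append(s.group(1))
            else:                                       # dot1Q subinterface
                tag = next((t for l in body if (t := re.match(r"encapsulation dot1Q (\d+)( native)?$", l))), None)
                bg = next((int(l.split()[1]) for l in body if re.match(r"bridge-group \d+$", l)), None)
                if tag is None or bg is None:
                    findings.append(f"{header}: needs both 'encapsulation dot1Q' and 'bridge-group'")
                else:
                    subifs[(parent, int(tag.group(1)))] = (bg, bool(tag.group(2)))
    # An SSID only works on a radio that lists it AND has a cipher for its VLAN AND tags that VLAN.
    for radio, names in carried.items():
        for name in names:
            vlan = ssid_vlan.get(name)
            if vlan is not None and vlan not in enc[radio]:
                findings.append(f"{radio}: ssid {name} (vlan {vlan}) has no 'encryption vlan {vlan} mode ciphers aes-ccm'")
            if vlan is not None and (radio, vlan) not in subifs:
                findings.append(f"{radio}: no subinterface tagging vlan {vlan} for ssid {name}")
    # Radio and wired subinterfaces for one VLAN must share a bridge group, or the VLAN goes nowhere.
    for (parent, vlan), (bg, native) in subifs.items():
        if parent == eth:
            continue
        wired = subifs.get((eth, vlan))
        if wired is None:
            findings.append(f"VLAN {vlan}: {parent}.{vlan} has no matching {eth}.{vlan}")
        elif wired != (bg, native):
            findings.append(f"VLAN {vlan}: {parent}.{vlan} is bridge-group {bg} (native={native}) but {eth}.{vlan} is bridge-group {wired[0]} (native={wired[1]})")
    if "no ip http server" not in top or "ip http secure-server" not in top:   # HTTPS-only GUI
        findings.append("management: want 'no ip http server' plus 'ip http secure-server'")
    return findings

FINDINGS = audit_ap_config(SAMPLE_CONFIG)   # reports the two constructed defects
```

Run it under Python 3.8 or newer (it uses assignment expressions) against the text of "show running-config"; an empty list means the wireless, wired and cipher sides of every VLAN agree. On the constructed sample it flags the 5 GHz radio carrying homeSSID with no cipher for VLAN 2, and the VLAN 4 subinterfaces sitting in different bridge groups on the radio and Ethernet sides. The last check mirrors the "no ip http server" / "ip http secure-server" pair in the posted config.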

reflection

That's great thank you! I just ordered 2 of those WAPs on ebay. How are you finding the range of them? How many would you think I need for 2 story 3500sqft house?

Since the WAP is used - anything I need to do to reset it?

Would it be safe to put the cam VLAN on WiFi? I know they are still on a VLAN and can't dial out to the internet and vice versa, but could someone with a laptop hack into the WiFi and see the cams directly? On the same note, if I connect a laptop to the camSSID, I can then connect directly to each cam to change settings etc., right?

For the instructions you posted, I plug each WAP into any port on the switch, configure them as trunk on the switch by adding the command
Code:
switchport trunk native vlan 2
Then the remainder of the instructions you posted are run on the WAP by plugging the console cable into it, right?

And a few questions about the commands:
1. ip domain name mydomain.com
What's the point of this for a home network?

2. wpa-psk <this is your SSID password>
Is this entered as regular text or as a hex key?

3. mbssid guest-mode
This is the code that makes it broadcast the SSID, right?

4. username ADMIN privilege 15 secret <this is your admin password>
Silly question: this will change the password for console/SSH/web GUI, right? And is the same command valid on my switch to change the default password (currently user: [blank], pass: cisco)?

5.
line con 0
line vty 0 4
login local
transport input ssh

This installs SSH on the WAP? So in the future, if I need to change anything, I can SSH to the WAP IP or access the web interface from any PC on VLAN 2?

And if I install a second WAP, same exact steps? (Keep the SSID the same and assign the same VLANs?)

Two WAPs should be fine for your house. One on either side. I had three of these but eventually turned off the 3rd because it wasn't needed.

There is a reset button. If this is already in autonomous mode and you have access to the console, don't do a factory reset because it might put it back in controller mode. Just erase the config manually (try "write erase").

If they can hack your WPA2 wifi, they can certainly get to your cameras or home network. This is as secure as your home wifi from your consumer router using WPA2 personal.

Yes, the code is for entering through the WAP CLI, not on the switch. This can be entered via console or SSH terminal.

1. You will need this to set up SSH. This step comes before you do the "crypto key generate...."

2. Regular text.

3. Yes.

4. This creates a username ADMIN.

5. This configures the terminal settings and allows SSH to be used to connect remotely. Setting up SSH is in step 1 with the "crypto key generate...". Yes, you won't need the console cable after this is set up.

Yes, a second WAP would have the same configuration except that the IP address would be 192.168.29.4 instead.

If you want additional SSIDs and VLANs, you can add more too. I have an IOT wifi SSID also mapped to an IOT VLAN.

sam988

n3wb
Joined
Jun 18, 2020
Messages
13
Reaction score
6
Location
miami
Thank you again to @reflection for all of your guidance

1. Make sure your AP is in autonomous mode. This is so your WAP can run off the switch without a Cisco controller.

The first step is to find the correct autonomous image for your WAP; it has k9w7 in it (k9w8 is the lightweight firmware, which requires a separate controller).
Rename the firmware file to .default according to your specific firmware file.
Install TFTPD on the computer, and connect the WAP and computer to the same VLAN on the POE switch.
Set the computer IP to 10.0.0.2, and set the same IP and the directory containing the .default file in TFTPD.
Connect the console cable.
When plugging in the Ethernet from POE, hold the mode button down, then connect POE and only release it after 20 s; the light on the WAP will be red at this point.
It should auto-load the file from TFTPD and auto-install it.

This tutorial was excellent: AP Conversion using MODE Button

2. Set the switch port connecting to the WAP to be a trunk. Set the native VLAN for that port to be VLAN 2 (or whatever your home network VLAN is).
Code:
interface GigabitEthernet1/0/xx
switchport mode trunk
switchport trunk native vlan 2
switchport trunk allowed vlan 2,4
end
This is very important: ensure that your switch setup looks like this (when running show config for whatever port your WAP is on).
Code:
interface GigabitEthernet1/0/xx
switchport trunk native vlan 2
switchport trunk allowed vlan 2,4
switchport mode trunk
I had to default my port, as it was previously set to VLAN 4 only, by doing default interface gigabitEthernet1/0/xx and then afterwards applying the settings above.

3. You can enter this config through the console or via a remote terminal if you have that configured already. You will have to do the "crypto key generate..." to set up SSH.
4. Your configuration will look something like this. Note that some configuration is left out because it was the default.
5. You can access the web GUI and check out the config afterwards at (don't forget https, because we turned off http access).

Note that for WiFi cams on camSSID we are only using the 2.4 GHz radio and not 5 GHz.
Also, to access camSSID, since the SSID is not being broadcast, you need to manually enter the SSID and password and set a static IP for the device in 192.168.1.xx.

Code:
hostname (give this wap whatever name you want)
ip routing
ip domain name home.local
!
interface BVI1
ip address 192.168.29.3 255.255.255.0
! REMEMBER TO CHANGE THIS IF INSTALLING MULTIPLE WAPs
!
dot11 ssid homeSSID
vlan 2
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 0 YOURPASSHERE
!
dot11 ssid camSSID
vlan 4
authentication open
authentication key-management wpa version 2
wpa-psk ascii 0 YOURPASSHERE
!
!
username ADMIN privilege 15 secret YOURPASSHERE
!
bridge irb
!
interface Dot11Radio0
no ip address
encryption vlan 2 mode ciphers aes-ccm
encryption vlan 4 mode ciphers aes-ccm
ssid homeSSID
ssid camSSID
antenna gain 0
stbc
mbssid
station-role root
!
no shut
!
interface Dot11Radio0.2
encapsulation dot1Q 2 native
bridge-group 2
!
no shut
!
interface Dot11Radio0.4
encapsulation dot1Q 4
bridge-group 4
!
no shut
!
interface Dot11Radio1
no ip address
!
encryption vlan 2 mode ciphers aes-ccm
!
ssid homeSSID
!
antenna gain 0
peakdetect
dfs band 3 block
stbc
mbssid
channel width 80
channel dfs
station-role root
!
no shut
!
interface Dot11Radio1.2
encapsulation dot1Q 2 native
bridge-group 2
!
no shut
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0.2
encapsulation dot1Q 2 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.4
encapsulation dot1Q 4
bridge-group 4
bridge-group 4 spanning-disabled
no bridge-group 4 source-learning 
!
interface BVI1
ip address 192.168.29.3 255.255.255.0
!
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.29.1
!
bridge 2 route ip
!
line con 0
line vty 0 4
login local
transport input ssh
!
end

A couple of useful commands:
To check what SSIDs are set up and what is being broadcast:
Code:
show dot11 bssid
To check what devices are connected:
Code:
show dot11 associations
To show your full configuration:
Code:
show running-config
To turn off the bright LED:
Code:
led display off
And back on:
Code:
no led display off
And don't forget to copy the running config to the startup config so the changes persist:
Code:
copy running-config startup-config
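Step 2 above is where most "it doesn't work" cases come from: the switch side has to be a trunk, its native VLAN has to match the "native" tag on the AP's dot1Q subinterfaces, and the allowed list has to carry every VLAN the AP tags and, ideally, nothing else. The Python below is an added example for this thread, not anything from the posters or from Cisco. It pulls the AP's VLANs out of its "encapsulation dot1Q" lines, parses the switch port's "switchport trunk ..." commands (including the add/remove forms), and reports disagreements. The AP fragment and all three port configs are constructed, and the port name GigabitEthernet1/0/12 is a placeholder.

```python
# Added example: check the switch port feeding the AP against the VLANs the AP's own
# subinterfaces tag.  Every config string here is constructed; the port name is a placeholder.
import re

AP_CONFIG = """\
interface Dot11Radio0.2
 encapsulation dot1Q 2 native
 bridge-group 2
interface Dot11Radio0.4
 encapsulation dot1Q 4
 bridge-group 4
interface GigabitEthernet0.2
 encapsulation dot1Q 2 native
 bridge-group 2
interface GigabitEthernet0.4
 encapsulation dot1Q 4
 bridge-group 4
"""
GOOD_PORT = """\
interface GigabitEthernet1/0/12
 switchport mode trunk
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2,4
"""
ACCESS_PORT = """\
interface GigabitEthernet1/0/12
 switchport access vlan 4
 switchport mode access
"""
WIDE_PORT = """\
interface GigabitEthernet1/0/12
 switchport mode trunk
 switchport trunk allowed vlan 2-6
"""

def vlan_set(spec):
    """Expand an IOS VLAN list such as '2,4-6' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_trunk(port_cfg):
    """Return (is_trunk, native_vlan, allowed); allowed=None means every VLAN (the IOS default)."""
    is_trunk, native, allowed = False, 1, None
    for line in (l.strip() for l in port_cfg.splitlines()):
        if line == "switchport mode trunk":
            is_trunk = True
        elif (m := re.match(r"switchport trunk native vlan (\d+)$", line)):
            native = int(m.group(1))
        elif (m := re.match(r"switchport trunk allowed vlan (?:(add|remove) )?(\S+)$", line)):
            op, spec = m.groups()
            if spec in ("all", "none"):
                allowed = None if spec == "all" else set()
            elif op == "add":
                allowed = None if allowed is None else allowed | vlan_set(spec)
            elif op == "remove":
                allowed = (set(range(1, 4095)) if allowed is None else allowed) - vlan_set(spec)
            else:
                allowed = vlan_set(spec)   # plain list; the 'except' form is not handled here
    return is_trunk, native, allowed

def audit_trunk(port_cfg, ap_cfg):
    """Findings for the switch port that feeds the AP; an empty list means both sides agree."""
    tags = re.findall(r"encapsulation dot1Q (\d+)( native)?", ap_cfg)
    ap_vlans = {int(v) for v, _ in tags}
    ap_native = {int(v) for v, n in tags if n}
    is_trunk, native, allowed = parse_trunk(port_cfg)
    findings = []
    if not is_trunk:
        findings.append("port is not 'switchport mode trunk'; only its access VLAN reaches the AP")
    if ap_native != {native}:
        findings.append(f"native VLAN mismatch: switch port native {native}, AP native {sorted(ap_native)}")
    if allowed is None:
        findings.append(f"allowed VLAN list is the default (all); restrict it to {sorted(ap_vlans)}")
    else:
        if (missing := ap_vlans - allowed):
            findings.append(f"AP VLANs not allowed on the trunk: {sorted(missing)}")
        if (extra := allowed - ap_vlans):   # least privilege: no SSID uses these, so don't offer them
            findings.append(f"trunk carries VLANs no SSID uses: {sorted(extra)}")
    return findings
```

GOOD_PORT is the trunk from step 2 and produces no findings. ACCESS_PORT is the "VLAN 4 only" state the port was in before it was defaulted, and it fails on all three counts. WIDE_PORT is a trunk that was never pruned: its native VLAN is still the default 1, and it hands the AP VLANs 3, 5 and 6 that no SSID maps to. Requires Python 3.8 or newer.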