This article aims to explain the configuration required for a Cisco 880W series router (e.g Cisco 887W, Cisco 886W, Cisco 881W, Cisco 888W, etc), in order to setup the integrated Cisco access point with multiple encrypted SSIDs, each SSID belonging to a different VLAN with specific access to the local network and Internet.

The most common setup of this type is one SSID that connects to the local network and another SSID serving guests that require Internet access only. The commands shown in this article are applicable on all Cisco 880W series models.

Configuring VLANs on the Cisco 880W (881W, 886W, 887W, 888W) Series Router

First step is to examine the VLANs required. In our example we assume two VLANs - one for the local network and one for guest Internet access. By default VLAN 1 is already created as it is the first VLAN on the router, so we will need to create the second VLAN that will serve the guest wireless network, or second SSID:

Once VLAN2 is created (cover later in this article), we can connect to the integrated access point and begin its configuration. If the integrated access point has no IP address assigned to it yet in order to telnet directly to it, you can connect from within the existing session of your Cisco 880 series router using the service-module wlan-ap 0 session command.  

Cisco Access Point Multiple - Dual SSID Configuration 

Configuring multiple SSIDs on a Cisco access point is a straightforward process, however, it does contain a few details we will analyse as we progress.

We need to now create the two SSIDs by defining their names which will be broadcast so users can find them, the encryption method to be used, wireless secret keys and lastly the VLAN assignment for each SSID:

The above configuration is quite different from setups with one SSID. The reason being the multiple SSID and VLAN configuration required to ensure each SSID is assigned to the correct VLAN. The 'Private' wireless network is assigned to VLAN 1 and the 'Guest' wireless network to VLAN 2.

Notice that when using multiple SSIDs on a Cisco access point it is imperative to use the mbssid guest-mode command otherwise the SSID name of the wireless network will not be broadcast correctly.

The dot11 vlan-name  command ensures the correct mapping of VLANs and their respective VLAN names. In our example, the VLAN names follow the actual VLAN numbers. So, VLAN 1 has been named 'VLAN 1'. This helps easily to keep track of them.

Next, we must ensure the integrated routing and bridging (IRB) feature is enabled to allow the routing of our protocols (IP) between routed interfaces and bridge groups. This command is most likely already present in the configuration, but let's play safe and enter it:

Configuring the Dot11Radio0 interface

Configuring the Dot11Radio0 interface is our next step. Dot11Radio0 is the actual radio interface of the integrated Cisco access point.  We will need to assign the SSIDs configured previously, to this interface, along with the encryption methods and a few more parameters.

Most commands are self-explanatory. We will however explain the basic and important ones:

The Encryption VLAN commands set the encryption mode for each VLAN and, therefore, each SSID.  

The SSID command assigns the SSIDs to this interface.

The mbssid command ensures both SSIDs are broadcast and are viewable to our wireless clients.

The station-role root is a default command and makes the access point act as a root station, in other words as an autonomous access point.

Note the speed basic command. This is a default command that sets the supported speeds. The first portion, 1.0 to 54.0, refers to the 802.11 b/g protocol, while the m0 to m15 refers to the 802.11n protocol.

Configuring the Dot11Radio0 sub-interfaces

At this point we are required to configure sub-interfaces on Dot11Radio0, assigning each sub-interface to a VLAN.

When creating the subinterfaces we always use easy-to-identify methods of mapping. Thus, interface Dot11Radio0.1 means this interface will be mapped to VLAN 1, while interface Dot11Radio0.2 will map to VLAN 2.

The encapsulation dot1Q 1 native command surves two purposes. It maps VLAN 1 to sub-interface Dot11Radio0.1 and tells the access point that this VLAN (1) is the native VLAN. This means that untagged VLAN traffic belongs to VLAN 1.  More information on VLANs is available in our VLAN Section - be sure to visit it.

Similarly, under interface Dot11Radio0.2, the encapsulation dotQ 2 command maps VLAN 2 traffic to this sub-interface.

The bridge-group command assigns each sub-interface to a bridge group. Each sub-interface is assigned to its own bridge-group. The bridge group essentially connects the wireless sub-interfaces with the internal Gigabit Ethernet interface this access point has. This is analysed next.

Configuring Cisco Access Point GigabitEthernet0, Sub-Interfaces and BVI interface

As mentioned earlier, the integrated access point connects with the Cisco 887W router via an internal GigabitEthernet link. On the access point side this is the GigabitEthernet0 interface.

Following is the configuration required to create the necessary GigabitEthernet sub-interfaces and map the Dot11Radio0.X interfaces previously created with them:

The GigabitEthernet interface and sub-interface configuration follows the same logic as the Dot11Radio0 interface. Notice that each GigabitEthernet sub-interface is mapped to the same VLAN and bridge-group as the Dot11Radio0 sub-interfaces.  

Next, we create the one and only BVI1 interface and assign it an IP Address. This is basically the IP Address of our access point and is reachable from our LAN network, so it's best to assign it an IP Address from your LAN network.

It is important to note that only one bridge-interface (BVI Interface) is configured with an IP Address. The rest of the bridge groups are not required to have a BVI interface as all traffic is trunked through the BVI1 Interface. This is per Cisco design.

Finally, we must enable ip routing for bridge 1:

This completes the setup of our Cisco 887W integrated access point. We can now move to our Cisco  887W router side, complete the configuration and get everything up and running.

Configuring the Cisco Router End - DHCP Services & VLAN Interfaces

The first step is to define the DHCP service and ip address pools for our two VLANs and, therefore, SSIDs.

Detailed instructions on setting up a DHCP Server can be found at our Cisco DHCP Server Configuration article.

To make it easy, we are providing the necessary commands for our example:

Next, we must  ensure the internal Wlan-GigabitEthernet0 interface, connecting the router with the integrated access point, is configured as a trunk port. Essentially, the router's internal Wlan-GigabitEthernet0 connects with integrated access point GigabitEthernet0 we previously configured.

By simply using the switchport mode trunk command, the router will allow all VLAN traffic, configured on both sides, to communicate between the two devices (Router - Access Point):

Lastly, we need to configure our router's VLANs. VLAN 1 is the native VLAN that connects to our local network, while VLAN 2 is used for the wireless Guest Internet access service. Note the ip addresses assigned match the networks configured in our DHCP service.  

To ensure VLAN 2 is created, we suggest you configure one of the router's FastEthernet interfaces so that it is assigned to VLAN 2. This will force the router to create VLAN 2 in its VLAN database: 

Once the switchport access VLAN 2 command is given, the router will automatically create VLAN 2 if it does not exist.  Below is the output to expect when this happens:

You can reassign the interface to VLAN 1 if you wish by using the no switchport access VLAN 2 command.

Remember  that NAT Overload is required to be configured, otherwise no one will have any Internet access.  This is covered extensively in our Cisco Router NAT Overload article.

Article Summary

This article provided an in-depth coverage on how to configure a Cisco 880W series router with integrated Access Point to support multiple SSID wireless networks.  The information provided not only covers the basic commands, but also analyses the background theory and logic used for these types of configurations to ensure the reader fully understands why this method is used.

If you have found the article useful we would really appreciate you sharing it with others by using the services provided  in the top left corner of this article. Sharing our articles takes only a minute of your time and helps Firewall.cx reach more people.