Cisco Aironet 1131ag - single SSID w/ multiple APs

14 years 4 months ago #35221 by ZiPPy
I posted the following post below in another WiFi forum and didn't get any responses. I got in contact with S0lo, who gave me some insight on the issue and also insisted we share this on the forums. I actually came up with the answer on my own after some more testing and research along with S0lo's direction.

Original post:
I've configured 9 Cisco 1131ag Aironets and spread them across three floors (3 per floor). Each Aironet has a designated drop in the ceiling to provide wired access. My question is how do you create an ESS with only one SSID broadcasting? I currently have 9 'ssid name' broadcasting throughout the building.

All APs are configured with non-overlapping channels. When I perform a site survey I can see each AP broadcasting on a different channel, as they should be.

As S0lo indicated in a PM to me, the SSIDs of the Aironets will all need to be in the same VLAN. I had done this, but for whatever reason I still saw more than one SSID broadcasting. Well it turns out, they weren't really all showing except one SSID. I was using my Dell laptop to test and used the Dell Wireless WLAN Card Utility utilizing the Site Monitor. The Site Monitor shows all the Network Names, security type, channel, speed and signal strength. When I hooked up another laptop, using just the wireless option within Windows, it only saw one SSID broadcasting.


Cheers,

ZiPPy

14 years 4 months ago #35222 by ZiPPy
So with that solved, I'd like to extend this issue to another matter in using the SSIDs.

I want to create another SSID off those Aironets to have a GUEST SSID. The GUEST SSID will only be able to access the Internet and not the internal network.

I've created a second VLAN and was successful in attaching that to a separate SSID labeled GUEST. But I can still access the production network from that VLAN.

I've tried limiting access from the firewall, but I was unsuccessful.

Any thoughts?


ZiPPy

14 years 4 months ago #35223 by S0lo

> I want to create another SSID off those Aironets to have a GUEST SSID. The GUEST SSID will only be able to access the Internet and not the internal network.


You can try to create an access list that prevents packets that have their source IP coming from the GUEST VLAN and have their destination IP going to the internal network (i.e. not the internet). Try to apply this access list on the nearest router/switch/firewall interface to the access points; this will reduce unwanted traffic. (Note: If you apply it on a device that is not in the packet's pathway, it won't work.)

Something like this:

[code]
access-list 101 deny ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip any any
interface fa0/0
 ip access-group 101 in
[/code]

Replace 192.168.2.0 0.0.0.255 with your GUEST VLAN range. And replace 10.1.1.0 0.0.0.255 with the other internal network's range. You can add multiple deny lines for all your internal ranges.

You could also apply such an access list on each of the access points (instead of a router/switch/firewall), since this can be even more efficient. BUT it would really be an administrative headache to maintain all these ACLs. With 9 APs, I wouldn't do it.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
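
An added example (not part of S0lo's post and not Cisco tooling): a small Python check that evaluates the ACL above the way IOS does, top-down with first match and wildcard masks, against constructed packets. The address 10.1.2.20 stands for a hypothetical second internal range that the ACL does not list, which shows why each internal range needs its own deny line.

```python
import ipaddress

# ACL text as posted above (the post's sample ranges, not a real network).
ACL_TEXT = """\
access-list 101 deny ip 192.168.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip any any
"""

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def _take_spec(tokens):
    # Consume one address spec: 'any', 'host A', or 'A WILDCARD'.
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_to_int(tokens[1]), 0), tokens[2:]
    return (_to_int(tokens[0]), _to_int(tokens[1])), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered rules."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # this sketch handles only 'ip' entries
        src, rest = _take_spec(tok[4:])
        dst, _ = _take_spec(rest)
        rules.append((tok[2], src, dst))
    return rules

def _matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bit 1 = ignore, 0 = must match
    return (_to_int(addr) & care) == (base & care)

def evaluate(rules, src, dst):
    """First matching entry wins; no match falls to the implicit deny."""
    for action, s, d in rules:
        if _matches(src, s) and _matches(dst, d):
            return action
    return "deny"

RULES = parse_acl(ACL_TEXT)
# Constructed test packets: (source, destination)
for src, dst in [("192.168.2.50", "10.1.1.20"),   # guest -> listed internal range
                 ("192.168.2.50", "8.8.8.8"),     # guest -> internet
                 ("192.168.2.50", "10.1.2.20")]:  # guest -> unlisted internal range
    print(src, "->", dst, evaluate(RULES, src, dst))
```
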
14 years 4 months ago #35225 by r0nni3

> Well it turns out, they weren't really all showing except one SSID. I was using my Dell laptop to test and used the Dell Wireless WLAN Card Utility utilizing the Site Monitor. The Site Monitor shows all the Network Names, security type, channel, speed and signal strength. When I hooked up another laptop, using just the wireless option within Windows, it only saw one SSID broadcasting.


Isn't that what I told you it was? :p

Currently working as Cisco Engineer at Neon-Networking.

Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
14 years 4 months ago #35237 by ZiPPy
Yes it was, r0nni3, you were correct about simply putting each of the APs in the same VLAN and no other configuration was needed to show a single SSID broadcast.

That freakin Dell wireless tool really threw me off! Irritating!!


ZiPPy
