multiple SSIDs on 521 and VLANs on an ASA

I usually recommend a higher end wireless access point but got talked into using the AP521. It's being used as a standalone AP and the idea was to have two broadcast SSIDs on separate VLANs, one for internal use and one for external.

BUT, unless I've really lost it, this can't be done. It doesn't matter if I use the Cisco Configuration Assistant, the Web interface, or the CLI. It just won't let me do it. Am I missing something? Or is this a limitation on the 521? I'm just looking for confirmation that I'm not crazy.

Problem 2, it's never just one, I think I know the issue but before I go and reconfigure my ASA5520 I thought I'd ask. The switch ports for the AP and ASA are set as trunks, and the two SSIDs are VLAN 1 native and VLAN 2. Originally there were no VLANs so the port on the ASA was just the hardware port with the native VLAN on the ASA as VLAN 1. I added a sub-interface with VLAN 2 and configured the ASA's DHCP server for the VLAN 2 sub-interface only. I connect a client to the AP using the VLAN 2 SSID which should attempt to get an IP address from the ASA, but no such luck. The sub-interface on the ASA shows no traffic at all, nothing.

I'm thinking that I have to have 2 sub-interfaces, one for each VLAN, and that with my using the hard interface and one sub-interface all the traffic ends up inbound on the hard interface, regardless that it should be VLAN 1. Is this the case? I've got a fairly complex ASA config with 2 internet connections, 2 LANs, and a DMZ, so I'd like to make sure I'm headed in the right direction before I go changing everything.

Thanks in advance for any and all comments, RC


User "rocko" wrote in message news:6859a$4940484d$ snipped-for-privacy@news.teranews.com...

[..]

I do not know the ASA, but there should not be any difference compared to a regular switchport.

The switch (ASA) and the AP must be connected using a trunk. Moreover, the native VLAN number on both must/should be the same.

From the AP's point of view, you must always configure: one SSID mapped to one VLAN (which has certain settings, e.g. WEP or WPA) mapped to one subinterface (or rather bridge group) of the physical Ethernet port.

This applies to all SSIDs configured on the AP. One of them must be marked as native (usually VLAN 1).

If you use WEP, you must make sure the keys are identical on both sides, because a wireless client can show "I am connected" even if a key mismatch occurs. Then you won't be able to send or receive any traffic; it will be blocked by the AP.

On the other hand, you can set the IP address on your client statically, to see if it is only a DHCP issue.

best regards Przemek Dmochowski

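The rules in the reply above (matching native VLAN on both ends of the trunk, one SSID per VLAN, each VLAN bridged to an Ethernet subinterface) can be checked mechanically before touching the ASA. This is an added example, not part of either post; the config text is constructed in generic Cisco IOS autonomous-AP syntax, the SSID and interface names are assumptions, and whether the AP521 accepts this syntax is not verified here.

```python
import re

# Constructed sample, generic Cisco IOS autonomous-AP syntax; names are made up, not from the thread.
AP_CONFIG = """\
dot11 ssid internal
 vlan 1
dot11 ssid guest
 vlan 2
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface FastEthernet0.2
 encapsulation dot1Q 2
 bridge-group 2"""

def parse_ap(text):
    """Return ({ssid: vlan}, {subinterface: (vlan, is_native, bridge_group)})."""
    ssids, subifs = {}, {}
    for block in re.split(r"\n(?=\S)", text.strip()):   # one block per top-level section
        head = block.split("\n")[0].split()
        vlan = re.search(r"^ vlan (\d+)", block, re.M)
        enc = re.search(r"^ encapsulation dot1Q (\d+)( native)?", block, re.M)
        bg = re.search(r"^ bridge-group (\d+)", block, re.M)
        if head[:2] == ["dot11", "ssid"]:
            ssids[head[2]] = int(vlan[1]) if vlan else None
        elif head[:1] == ["interface"] and enc:
            subifs[head[1]] = (int(enc[1]), bool(enc[2]), int(bg[1]) if bg else None)
    return ssids, subifs

def audit(text, peer_native, peer_vlans):
    """List violations of the trunk and SSID-to-VLAN rules from the reply."""
    ssids, subifs = parse_ap(text)
    natives = sorted({v for v, native, _ in subifs.values() if native})
    out = [] if natives == [peer_native] else [f"native VLAN: AP {natives}, peer {peer_native}"]
    for ssid, vlan in ssids.items():
        # Bridge group per side for this VLAN: key True = radio, False = Ethernet.
        bgs = {n.startswith("Dot11Radio"): bg for n, (v, _, bg) in subifs.items() if v == vlan}
        if vlan is None or list(ssids.values()).count(vlan) != 1:
            out.append(f"{ssid}: needs a VLAN of its own")
        elif vlan not in peer_vlans:
            out.append(f"{ssid}: VLAN {vlan} not on peer trunk")
        elif bgs.get(True) is None or bgs.get(True) != bgs.get(False):
            out.append(f"{ssid}: VLAN {vlan} not bridged radio-to-Ethernet")
    return out
```

`peer_native` and `peer_vlans` describe the switch or ASA end of the trunk and are supplied by hand; an empty list from `audit` means the AP side is consistent with them.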
