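Customers frequently visit our company and need Internet access. We have one wireless AP connected directly to an external ADSL line, so it has no connection whatsoever to the company's internal network. However, visitors are not always within range of that AP; they may be in another office area, so wireless coverage for the external network is needed elsewhere as well. The whole site already has wireless coverage for the internal network, and the APs we use are Cisco 12 series units. So could we create an additional SSID on them, place it in a new VLAN, and connect the auto-dialing ADSL router to that VLAN, meeting the requirement without any extra expense? The answer is yes. The implementation is outlined below.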

First, a rough sketch of the solution:

The configuration procedure follows.

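I. Configuration on the switch

1. Create a new VLAN 80 on the switch and add the port connected to the ADSL router to this VLAN.

2. Set the port connected to the Cisco 1231 AP as a trunk port.

The configuration is as follows: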

pgisuzs10#sh run
Building configuration...

Current configuration : 1471 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname pgisuzs10
!
enable secret 5 $1$5w9D$OpZe8y8TqhWYLYCz7ZeXn.
!
ip subnet-zero
!
no ip domain-lookup
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 switchport access vlan 80
!
interface FastEthernet0/3
 switchport mode trunk
!
interface FastEthernet0/4
!
........

!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 no ip route-cache
!
interface Vlan80
 no ip route-cache
!
ip http server
!
line con 0
 password 7 1210091B100E0E052920
 logging synchronous
 login
line vty 0 4
 password 7 1210091B100E0E052920
 login
line vty 5 15
 login
!
!
end

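II. Configuration on the wireless AP

1. Create two SSIDs: one named internal, which joins VLAN 1 by default and serves the company's internal network, and one named external, which joins VLAN 80 and serves the external network.

2. Set the encryption method and enable multiple SSIDs (mbssid).

3. On Dot11Radio0, enable internal and external, turn on the multiple-SSID feature, create subinterfaces with VLAN tag encapsulation, and add them to two bridge groups, group 1 and group 80 respectively.

4. On FastEthernet0, create subinterfaces, likewise with VLAN tag encapsulation, and add them to group 1 and group 80 respectively.

5. Set the management IP on BVI1, preferably on the same network as the internal LAN.

The AP configuration is as follows: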

pgisuzwap20#sh run
Building configuration...

Current configuration : 2636 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname pgisuzwap20
!
enable secret 5 $1$MCBf$PKRbOOHFKn5bRsCo3Cz1o1
!
ip subnet-zero
!
!
no aaa new-model
!
dot11 ssid external
   vlan 80
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 12485744465E5A53727274
!
dot11 ssid internal
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 040A59555B741A19514055
!
!
!
username Cisco password 7 032752180500
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers tkip
 !
 encryption vlan 80 mode ciphers tkip
 !
 ssid external
 !
 ssid internal
 !
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.80
 encapsulation dot1Q 80
 no ip route-cache
 bridge-group 80
 bridge-group 80 subscriber-loop-control
 bridge-group 80 port-protected
 bridge-group 80 block-unknown-source
 no bridge-group 80 source-learning
 no bridge-group 80 unicast-flooding
 bridge-group 80 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.80
 encapsulation dot1Q 80
 no ip route-cache
 bridge-group 80
 no bridge-group 80 source-learning
 no bridge-group 80 unicast-flooding
 bridge-group 80 spanning-disabled
!
interface BVI1
 ip address 192.168.1.10 255.255.255.0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

!
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
 password 7 000D1F0A065E09070C2A
 logging synchronous
 login
 transport preferred all
 transport output all
line vty 0 4
 password 7 104705150712100A0F0F
 login
 transport preferred all
 transport input all
 transport output all
line vty 5 15
 login
 transport preferred all
 transport input all
 transport output all
!
end

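The final test succeeded: clients connecting to internal and external obtain addresses on different IP networks, and the two do not affect each other.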
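
The separation between the two SSIDs depends on steps 3 and 4 of the AP setup being consistent. The following is an added example, not part of the original post: a Python check that each SSID's VLAN has a radio subinterface and an Ethernet subinterface in the same bridge-group, and that no two radio VLANs share a bridge-group. The function names and the trimmed sample config are constructed for illustration.

```python
import re

# Constructed sample: only the SSID/VLAN/bridge-group lines, shaped like the AP config above.
SAMPLE = """\
dot11 ssid external
   vlan 80
dot11 ssid internal
   vlan 1
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio0.80
 encapsulation dot1Q 80
 bridge-group 80
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface FastEthernet0.80
 encapsulation dot1Q 80
 bridge-group 80
"""

def parse(config):
    ssids, subifs, head, tag = {}, {}, "", None
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():  # an unindented line opens a new section
            head, tag = line, None
        elif head.startswith("dot11 ssid ") and (m := re.fullmatch(r"vlan (\d+)", line)):
            ssids[head.split()[2]] = int(m.group(1))
        elif k := re.match(r"interface (Dot11Radio|FastEthernet)\d+\.\d+$", head):
            if m := re.match(r"encapsulation dot1Q (\d+)", line):
                tag = int(m.group(1))  # VLAN tag carried by this subinterface
            elif (m := re.fullmatch(r"bridge-group (\d+)", line)) and tag is not None:
                subifs[(k.group(1), tag)] = int(m.group(1))
    return ssids, subifs  # {ssid: vlan}, {(interface kind, vlan): bridge-group}

def audit(config):
    """List places where an SSID's VLAN is not carried consistently to the wire."""
    ssids, subifs = parse(config)
    findings = []
    for ssid, vlan in sorted(ssids.items()):
        radio, wired = subifs.get(("Dot11Radio", vlan)), subifs.get(("FastEthernet", vlan))
        if radio is None or radio != wired:
            findings.append(f"{ssid}: VLAN {vlan} radio bridge-group={radio}, Ethernet bridge-group={wired}")
    groups = [g for (kind, _), g in subifs.items() if kind == "Dot11Radio"]
    if len(groups) != len(set(groups)):
        findings.append("radio VLANs share a bridge-group, so they are bridged together")
    return findings
```

An empty list from `audit()` means every SSID's VLAN is mapped the same way on the radio side and the Ethernet side; it says nothing about the switch trunk or the ADSL router.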