Creating WLANs
Lab Objectives
- Create VLANs that represent WLAN SSIDs and map them to switch interfaces.
- Configure trunking so an access point (simulated) can carry multiple SSIDs (VLANs).
- Create Layer‑3 SVIs for WLAN subnets and verify client-to-gateway connectivity.
Tip: In this lab we're simulating WLAN behavior by mapping SSIDs to VLANs on the switch and trunking them to where an AP would connect. This mirrors production practice where APs carry multiple SSIDs tagged with 802.1Q VLAN IDs.
ASCII Topology (BASE LAB TOPOLOGY — exact IPs)
                     [Internet]
                    203.0.113.1
                         |
                    R1 (Gateway)
                 Gi0/0: 10.10.10.1
                 Gi0/1: 10.10.20.1
                 Gi0/2: 10.10.30.1
                /        |        \
              R2         R3         R4
    Gi0/0: 10.10.10.2    |    Gi0/0: 10.10.30.2
    Gi0/1: 10.10.40.1    |
          /    \         |
        S1      S2       S3
       /  \      |      /  \
     PC1  PC2   PC3   PC4  PC5
IP ADDRESSING (WLAN subnets / VLANs used in this lab)
| VLAN | Name | Subnet | SVI IP on S1 |
|---|---|---|---|
| 10 | Sales | 192.168.1.0/24 | 192.168.1.11/24 |
| 20 | Engineering | 192.168.2.0/24 | 192.168.2.11/24 |
| 30 | Management | 192.168.3.0/24 | 192.168.3.11/24 |
Lab Tasks (Try It Yourself First!)
Complete these tasks WITHOUT looking at the solution below. Use `?` and `show` commands to figure it out.
Task 1: Create VLANs and SVIs on S1
Create VLANs 10, 20, and 30 on S1. Enable IP routing on S1 and create SVIs with the IP addresses in the IP ADDRESSING table above. Bring the SVIs up.
Task 2: Configure trunk between S1 and S2 for the AP
Configure the link between S1 and S2 as an 802.1Q trunk so an access point (simulated) connected to S2 can carry multiple SSIDs/VLANs. Use dot1q encapsulation and set the port mode to trunk.
Task 3: Assign switch ports to VLANs for clients
Assign PC ports to the appropriate VLANs as access ports:
- PC1 & PC2 to VLAN 10 on S1
- PC3 to VLAN 20 on S2
- PC4 & PC5 to VLAN 30 on S3
Think About It: Why do we trunk VLANs to the AP instead of making each SSID an untagged VLAN on the AP interface? What problems does trunking avoid in multi-SSID deployments?
Lab Solution
Task 1 Solution: Create VLANs and SVIs on S1
What we are doing: We create VLAN objects (10/20/30) on S1 to represent WLAN SSIDs, enable IP routing on the switch so it routes between VLANs, and create one SVI per VLAN to act as the default gateway for wireless clients.
Commands:
S1(config)# vlan 10
S1(config)# vlan 20
S1(config)# vlan 30
S1(config)# ip routing
S1(config)# interface vlan 10
S1(config-if)# ip address 192.168.1.11 255.255.255.0
S1(config-if)# no shutdown
S1(config)# interface vlan 20
S1(config-if)# ip address 192.168.2.11 255.255.255.0
S1(config-if)# no shutdown
S1(config)# interface vlan 30
S1(config-if)# ip address 192.168.3.11 255.255.255.0
S1(config-if)# no shutdown
What each command does and why it matters:
- `vlan X`: Creates the VLAN in the switch VLAN database. VLANs are the L2 containers that map to SSIDs.
- `ip routing`: Turns the switch into a Layer‑3 device so it can route between VLANs (important when multiple SSIDs need inter‑VLAN traffic).
- `interface vlan X` + `ip address ...`: Creates a Switched Virtual Interface (SVI) that serves as the default gateway for hosts in that VLAN. Clients use this IP as their gateway to reach other subnets.
Verify:
S1# show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Gi1/0/1, Gi1/0/2
10 VLAN0010 active Gi1/0/3, Gi1/0/4
20 VLAN0020 active Gi1/0/5
30 VLAN0030 active Gi1/0/6, Gi1/0/7
S1# show ip interface brief
Interface IP-Address OK? Method Status Protocol
Vlan10 192.168.1.11 YES manual up up
Vlan20 192.168.2.11 YES manual up up
Vlan30 192.168.3.11 YES manual up up
Task 2 Solution: Configure trunk between S1 and S2 for the AP
What we are doing: We configure the physical link between S1 and S2 as an 802.1Q trunk so multiple VLANs (SSIDs) traverse the single physical link to the AP (or to the switch that connects to the AP). Dot1Q tagging allows frames from different SSIDs to be carried separately.
Commands (on S1 and S2 interfaces that connect them; example interfaces used):
S1(config)# interface e1/0
S1(config-if)# switchport trunk encapsulation dot1q
S1(config-if)# switchport mode trunk
S2(config)# interface e0/2
S2(config-if)# switchport trunk encapsulation dot1q
S2(config-if)# switchport mode trunk
What each command does and why it matters:
- `switchport trunk encapsulation dot1q`: Selects 802.1Q as the VLAN tagging protocol (required before enabling trunk mode on some platforms).
- `switchport mode trunk`: Puts the port into trunking mode so it will carry multiple VLANs rather than being a single access VLAN.
Verify:
S1# show interfaces trunk
Port Mode Encapsulation Status Native vlan
e1/0 on 802.1q trunking 1
Port Vlans allowed on trunk
e1/0 1-4094
S2# show interfaces trunk
Port Mode Encapsulation Status Native vlan
e0/2 on 802.1q trunking 1
Task 3 Solution: Assign switch ports to VLANs for clients
What we are doing: We set individual switch ports to be access ports in the correct VLANs so PCs (or wireless controller/bridge ports) receive untagged frames in the right VLAN/SSID.
Commands:
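! On S1 for PC1 & PC2 (VLAN 10)
! Example interfaces only: e1/0 was the S1 trunk port in Task 2, so use the ports the PCs actually connect to
S1(config)# interface range e1/0 - 1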
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 10
! On S2 for PC3 (VLAN 20)
S2(config)# interface e1/1
S2(config-if)# switchport mode access
S2(config-if)# switchport access vlan 20
! On S3 for PC4 & PC5 (VLAN 30)
S3(config)# interface range e0/3 - 4
S3(config-if-range)# switchport mode access
S3(config-if-range)# switchport access vlan 30
What each command does and why it matters:
- `interface ...` + `switchport mode access`: Configures the port as an access port (single VLAN).
- `switchport access vlan X`: Places the port into the specified VLAN so connected client traffic is untagged and placed into that VLAN.
Verify:
S1# show vlan brief | include VLAN0010
10 VLAN0010 active Gi1/0/3, Gi1/0/4
S2# show vlan brief | include VLAN0020
20 VLAN0020 active Gi1/0/1
S3# show vlan brief | include VLAN0030
30 VLAN0030 active Gi0/3, Gi0/4
Real-world context: In production, APs are almost always connected to switches via 802.1Q trunks so each SSID maps to a VLAN and can be kept logically separate (e.g., guest, corporate). SVI gateways live on distribution switches or virtual router instances to provide scalable routing and policy enforcement.
Troubleshooting Scenario
Scenario: Trunk between S1 and S2 not working; clients on different SSIDs cannot reach their gateways
Symptom: PC3 (on VLAN 20) cannot ping 192.168.2.11 (S1 SVI).
Your task: Find and fix the issue.
Hint: If the trunk is misconfigured, VLAN 20 will not be carried to S2 and PCs on S2 will be isolated.
Solution:
- Check trunk status on S1 and S2:
S1# show interfaces trunk
S2# show interfaces trunk
- If the output shows `not-trunking` or no dot1q encapsulation, enable dot1q and set `switchport mode trunk` on both ends (see Task 2). The trunk must be configured consistently on both sides.
Explanation: If one side is trunking and the other is an access port, only the native VLAN may pass untagged frames and other VLANs will be dropped — causing loss of connectivity for VLAN 20.
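The check in this scenario can be scripted. The Python below is an added example, not part of the original lab: it parses `show interfaces trunk` text from both ends of the S1/S2 link and reports a side that is not trunking, a native VLAN mismatch, lab VLANs missing from the allowed list, and (an extra hardening check the lab does not ask for) VLANs allowed beyond the ones in use. The function names and the S2 sample output are constructed for illustration.

```python
def parse_trunks(output):
    """Parse 'show interfaces trunk' text into {port: {field: value}}."""
    trunks, section = {}, None
    for line in output.splitlines():
        f = line.split()
        if f[:1] == ["Port"]:  # header row: remember which table follows
            section = "mode" if "Mode" in f else " ".join(f[1:]).lower()
        elif section == "mode" and len(f) >= 5:
            trunks.setdefault(f[0], {}).update(encap=f[2], status=f[3], native=int(f[4]))
        elif section == "vlans allowed on trunk" and len(f) >= 2:
            trunks.setdefault(f[0], {})["allowed"] = f[1]
    return trunks

def expand(vlan_list):
    """Turn '10,20-22' into {10, 20, 21, 22}; 'none' gives an empty set."""
    ids = set()
    for part in vlan_list.split(","):
        if part and part.lower() != "none":
            lo, _, hi = part.partition("-")
            ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def audit_link(ends, required):
    """ends: [(switch, port, show_output), ...]. Returns a list of findings."""
    findings, natives = [], set()
    for switch, port, output in ends:
        t = parse_trunks(output).get(port)
        if not t or t.get("status") != "trunking":
            findings.append(f"{switch} {port}: not trunking")
            continue
        if t["encap"] != "802.1q":
            findings.append(f"{switch} {port}: encapsulation is {t['encap']}")
        natives.add(t["native"])
        allowed = expand(t["allowed"]) if "allowed" in t else set(required)  # no table: skip
        if required - allowed:
            findings.append(f"{switch} {port}: missing VLANs {sorted(required - allowed)}")
        extra = allowed - required - {t["native"]}
        if extra:  # hardening check added here, not a lab requirement
            findings.append(f"{switch} {port}: {len(extra)} extra VLANs allowed")
    if len(natives) > 1:
        findings.append(f"native VLAN mismatch: {sorted(natives)}")
    return findings

# Constructed samples: S1 matches the Task 2 output; S2 is left as an access port.
S1_OUT = ("Port Mode Encapsulation Status Native vlan\ne1/0 on 802.1q trunking 1\n"
          "Port Vlans allowed on trunk\ne1/0 1-4094\n")
S2_BAD = "Port Mode Encapsulation Status Native vlan\ne0/2 off negotiate not-trunking 1\n"
if __name__ == "__main__":
    print(audit_link([("S1", "e1/0", S1_OUT), ("S2", "e0/2", S2_BAD)], {10, 20, 30}))
```

An empty list means both ends are trunking with 802.1Q, agree on the native VLAN, and carry exactly the lab VLANs.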
Verification Checklist
- VLANs 10, 20, 30 created on S1.
- SVIs for VLANs 10/20/30 present and in up/up state on S1.
- Trunk between S1 and S2 configured with 802.1Q.
- Client ports assigned to correct VLANs as access ports.
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| PC cannot reach SVI gateway | Port on switch is in wrong VLAN | Verify `show vlan brief` and set `switchport access vlan X` on the port |
| VLANs not present across link | Trunk not configured or mismatched encapsulation | Configure `switchport trunk encapsulation dot1q` and `switchport mode trunk` on both ends |
| SVI shows down/down | No active VLAN or routed switch has `ip routing` disabled | Ensure VLAN exists and enable `ip routing` on the switch, `no shutdown` on SVI |
Challenge Task
Add a new SSID "Guest" mapped to VLAN 40 using subnet 192.168.4.0/24. Configure the VLAN, create SVI 192.168.4.11/24 on S1, trunk VLAN 40 to S2, and assign one port on S3 as an access port in VLAN 40. Verify connectivity.
Final note: Treat each SSID as a VLAN at the switching layer and the AP as a tag/untag edge device. This separation allows you to apply security, QoS, and routing policies per SSID in production networks.