The Devices:

  • Controller DWC-1000 X1
  • DWL-3600AP X3
  • Router (Cisco C1941)



The wireless LAN controller is a layer 2 device that can carry multiple VLANs, so if you want multiple SSIDs for different networks, you need to set up VLANs. You also need a layer 3 device to route traffic between the VLANs and to the WAN: either a router, or a purchased license that enables the controller's Option port (without the license, NAT will not work on the Option port). In this project, I used a router on a stick to provide internet access. The topology is as below:



There will be two SSIDs (networks):

  • staff (VLAN 1): for staff use; can access the printer, file server, etc. Clients get their IP configuration from the company DHCP server.
  • guest (VLAN 2): for guest use; internet access only. Clients get their IP configuration from the WLAN controller.

Physical connection:

  • Port 1 on the DGS switch connects to the router port. This port permits VLAN 1 and 2 traffic.
  • Port 2 on the DGS switch connects to the DHCP server for scope, as an access port in VLAN 1.
  • Port 6 on the DGS switch connects to the wireless controller's LAN port 1. This port permits VLAN 1 and 2 traffic.
  • Ports 41-43 on the DGS switch connect to the wireless access points. These ports permit VLAN 1 and 2 traffic.

Steps to set up

First, plan your VLANs and IP addresses for the controller and access points.

  • On the DGS switch, go to VLAN > 802.1Q VLAN, click 1 under the VID column, make sure all ports are untagged, then click Back.
  • Add VID 2 with the name "Guest", then click 2 under the VID column and choose untagged under ports 01, 06, 41, 42 and 43; all other ports are not members.
  • The IP address for the controller and for five APs, default gateway

Note: Before connecting all the devices together, you need to know that the default IP address of the controller is, but the IP address of the access point is So if you connect them together, the controller will not discover the access point.

There are two ways to solve this:

First method: The access points use DHCP to get an IP address by default. You connect all APs and the WLAN controller to a switch, then configure the DHCP server on the controller (or a dedicated DHCP server) to assign IP addresses within to the APs, then connect them together. The drawback of this method is that you don't know which address belongs to which access point, which makes management harder.

Second method: manually assign an IP address to each access point:

1. Connect the first AP (it is better to label it with a sticker or marker) to your PC via Ethernet cable, and connect its power supply. First configure your PC's IP address to, enter in the browser, and log in with the default username/password (admin/admin). Change the password to a more secure one, then configure the IP address under Setup > Network Settings > LAN setup configuration: enter in the IP address field, then in the Subnet mask field. You will lose the connection when you save the settings. Then change your PC's IP address to, type in the browser, and enter the user name and password.

2. Set your PC's IP address to any address in the same network as such as then type in your web browser. Your browser will warn that the link is not safe; click Advanced, then proceed anyway.

3. In the Basic setting or Ethernet setting, set the IP address configuration method to manual, then type, subnet mask, default gateway, DNS: according to your network setup. Repeat this step for the rest of the APs and assign,

Note: you need to configure a DHCP exclusion range, which includes the to avoid IP address conflicts.

Set up VLANs on the WLAN controller:

Go to SETUP > VLAN settings > VLAN Configuration, click Add, and set Name: guest, ID: 2, tick Inter VLAN routing Enable, Captive Portal type: free.

Then go to SETUP > VLAN settings > PORT VLANS, tick Port 1, click Edit, and set Mode: General, PVID: 1. Click the first Apply button (below the VLAN configuration, above the VLAN Membership configuration), then tick 1 and 2 in VLAN membership and click the second Apply button.


Configure VLAN info for APs:

Then go to SETUP > VLAN settings > Multi VLAN subnets, tick VLAN 1, click Edit, type after IP address, after subnet mask, DHCP mode: None, because we will use the Windows Server DHCP service to assign IP information to all clients that connect to this SSID. Save settings.

Then go to SETUP > VLAN settings > Multi VLAN subnets again, tick VLAN 2, click Edit, type IP address, DHCP mode: DHCP server, Domain Name: Guest, starting IP address, ending IP address, default gateway:, Primary DNS server according to your network settings, Lease Time: for guests, I prefer a shorter one, such as 3 or 4 hours.

Click Save settings.

Configure Profiles:

Then go to ADVANCED > AP Profile, tick 1-default, click Configure SSID, then click Edit in the first line.

  • SSID: staff
  • VLAN: 1
  • Security: WPA/WPA2, WPA personal
  • WPA version: WPA2
  • WPA ciphers: TKIP, CCMP
  • WPA Key: enter the password you want to configure

Leave all others default, click Save settings.

Then go to ADVANCED > AP Profile, tick 1-default, click Configure SSID, tick the second line, then click Edit.

  • SSID: guest
  • VLAN: 2
  • Security: WPA/WPA2, WPA personal
  • WPA version: WPA2
  • WPA ciphers: TKIP, CCMP
  • WPA Key: enter the password you want to configure

Associate profile to access points

Go to Status > Access Point Info > Authentication Failure Status. The access points will be discovered if they are in the same network as the WLAN controller. Troubleshoot if they do not appear here.

Select an AP and click Manage; the status will change from No Database Entry to Authenticated, then to Managed.

Repeat for all other APs. The successfully managed APs will show in Status > Access Point Info > Managed AP Status.

Configuration on router


On the Cisco C1941 router, configure the NAT and default routing:

interface GigabitEthernet0/0
 description PrimaryWAN
 ip address WAN_IP_address subnet_mask
 ip nat outside

interface GigabitEthernet0/1
 description LAN
 no ip address

interface GigabitEthernet0/1.90
 description STAFF-LAN
 encapsulation dot1Q 1 native
 ip address
 ip nat inside

interface GigabitEthernet0/1.20
 description GUEST-LAN
 encapsulation dot1Q 2
 ip address
 ip nat inside

ip nat inside source list 190 interface GigabitEthernet0/0 overload
access-list 190 remark ==NAT service==
access-list 190 permit ip any
access-list 190 permit ip any

To restrict access from the guest LAN to the staff LAN, we can create an access control list and apply it inbound on the guest subinterface:

access-list 120 deny ip

interface g0/1.20
 ip access-group 120 in
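
The guest-to-staff restriction above, worked through as an added example (not part of the original post): a small Python model of how a Cisco extended ACL is evaluated, first match wins, with an implicit deny at the end. The subnets 192.168.1.0/24 (staff) and 192.168.2.0/24 (guest), the test hosts and the function names are assumptions made for illustration; the post's own addresses are not shown.

```python
import ipaddress

# Constructed addressing for illustration only; the post's real subnets are not shown.
STAFF = "192.168.1.0 0.0.0.255"
GUEST = "192.168.2.0 0.0.0.255"

def _match(spec, addr):
    """Match an address against 'any' or 'network wildcard' (Cisco inverse mask)."""
    if spec == "any":
        return True
    net, wildcard = (int(ipaddress.IPv4Address(p)) for p in spec.split())
    care = ~wildcard & 0xFFFFFFFF          # bits that must be equal
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)

def evaluate(acl, src, dst):
    """Return 'permit' or 'deny' for a packet using first-match semantics."""
    for action, src_spec, dst_spec in acl:
        if _match(src_spec, src) and _match(dst_spec, dst):
            return action
    return "deny"                          # implicit 'deny ip any any' ends every ACL

# A lone deny statement: guests lose the staff LAN AND the internet.
DENY_ONLY = [("deny", GUEST, STAFF)]
# Deny guest-to-staff first, then permit everything else (internet).
GUEST_IN = [("deny", GUEST, STAFF), ("permit", "any", "any")]
# Wrong order: the broad permit matches first, so the deny is never reached.
WRONG_ORDER = [("permit", "any", "any"), ("deny", GUEST, STAFF)]

def audit(acl):
    """Check the two properties the guest VLAN needs from its inbound ACL."""
    return {
        "guest_to_staff": evaluate(acl, "192.168.2.50", "192.168.1.10"),
        "guest_to_internet": evaluate(acl, "192.168.2.50", "203.0.113.7"),
    }

if __name__ == "__main__":
    for name, acl in [("deny only", DENY_ONLY), ("deny then permit", GUEST_IN),
                      ("permit then deny", WRONG_ORDER)]:
        print(f"{name:18} {audit(acl)}")
```

On the router, the working variant corresponds to the deny line followed by access-list 120 permit ip any any, with the list applied inbound on the guest subinterface.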



