The request from the client was to have a WiFi network for the company employees
and a separate WiFi network for company guests.
The Network
I have a network similar to the one in the diagram below.
The MikroTik CCR acts as a router for Internet connectivity and VPN for
interconnecting with the main office.
The Hardware
The company's central router was already a MikroTik CCR, so I decided to use it to
manage the access points via the Controlled Access Point system Manager (CAPsMAN). I
chose 6 MikroTik cAP 2n units as access points, to be distributed across 3 floors,
because they can be installed on the ceiling. Cisco SG 300-52 switches were also
already installed at the location.
/interface vlan
add interface=ether12 name=WLAN vlan-id=600
add interface=ether12 name=WiFiGuest vlan-id=700
Now let's add some IP addresses on the interfaces. They will serve as the gateways
for the clients.
/ip address
add address=10.0.0.1/24 interface=WLAN network=10.0.0.0
add address=172.30.90.1/24 interface=WiFiGuest network=172.30.90.0
/caps-man datapath
add local-forwarding=yes name=inet_vlan_600 vlan-id=600 \
    vlan-mode=use-tag
add local-forwarding=yes name=guest_vlan_700 vlan-id=700 \
    vlan-mode=use-tag
As you can see, we use local-forwarding=yes. In this mode the wireless interface on
the CAP behaves as a normal interface and takes part in normal data forwarding: it
accepts data from and passes data to the networking stack on the CAP. CAPsMAN does
not participate in data forwarding and does not process any data frames; it only
controls interface configuration and the client association process.
Now let's create the wireless security profiles for the networks
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=Intranet \
    passphrase=somecoolintranetpassword
add authentication-types=wpa2-psk encryption=aes-ccm name=Guests \
passphrase=guestpassword
Now we will configure the WiFi channel and frequencies for the networks
/caps-man channel
add band=2ghz-onlyn extension-channel=Ce frequency=2412 name=Intranet \
    width=20
add band=2ghz-onlyn extension-channel=Ce frequency=2462 name=Guests \
    width=20
Now let's set up the configurations we will provide to the remote access points and
enable CAPsMAN.
/caps-man configuration
add channel=Intranet country=russia datapath=inet_vlan_600 mode=ap \
    name=intranet security=Intranet ssid=WiFi-Intranet
add channel=Guests country=russia datapath=guest_vlan_700 mode=ap \
    name=guests security=Guests ssid=WiFi-Guests
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=intranet \
slave-configurations=guests
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
Because we have separate VLANs for the 2 networks, the switch ports going to the
MikroTik CCR router and to the cAP 2n access points have to be trunk ports.
Assuming we have port Gi52 going to the CCR and ports Gi43-49 going to the cAP 2n
access points, let's do the configuration:
SW2#conf t
SW2(config)#interface gigabitethernet52
SW2(config-if)#switchport mode trunk
SW2(config-if)#switchport trunk allowed vlan add 600,700
That's all. Now we have all our access points managed by the central CAPsMAN.
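With local forwarding each access point tags client traffic itself, so the VLAN IDs in the CAPsMAN datapaths have to match the VLAN interfaces on the router, and every configuration has to reference profiles that exist. The Python script below is an added example, not part of the original article or of MikroTik's tooling: it parses a RouterOS-style export and cross-checks those points. The function names parse_export and audit are hypothetical, and the sample export is constructed from the commands above with three deliberate mistakes.

```python
import re
import shlex

# Constructed sample: the page's commands with three deliberate mistakes
# (guest datapath tags VLAN 701, short passphrase, missing Guests profile).
SAMPLE_EXPORT = r"""
/interface vlan
add interface=ether12 name=WLAN vlan-id=600
add interface=ether12 name=WiFiGuest vlan-id=700
/caps-man datapath
add local-forwarding=yes name=inet_vlan_600 vlan-id=600 \
    vlan-mode=use-tag
add local-forwarding=yes name=guest_vlan_700 vlan-id=701 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=Intranet passphrase=short
/caps-man configuration
add datapath=inet_vlan_600 name=intranet security=Intranet ssid=WiFi-Intranet
add datapath=guest_vlan_700 name=guests security=Guests ssid=WiFi-Guests
"""

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for every 'add' line."""
    text = re.sub(r"\\\s*\n\s*", " ", text)  # join '\' continuation lines
    menus, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = menus.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            toks = shlex.split(line[4:])
            current.append(dict(t.split("=", 1) for t in toks if "=" in t))
    return menus

def audit(text):
    """Cross-check VLAN IDs, passphrase length and profile references."""
    m, out = parse_export(text), []
    router_vlans = {e.get("vlan-id") for e in m.get("/interface vlan", [])}
    datapaths = {e["name"]: e for e in m.get("/caps-man datapath", [])}
    security = {e["name"]: e for e in m.get("/caps-man security", [])}
    for name, dp in datapaths.items():
        if dp.get("vlan-mode") == "use-tag" and dp.get("vlan-id") not in router_vlans:
            out.append(f"datapath {name}: VLAN {dp.get('vlan-id')} has no router VLAN interface")
    for name, sec in security.items():
        if not 8 <= len(sec.get("passphrase", "")) <= 63:  # WPA2-PSK passphrase limits
            out.append(f"security {name}: passphrase must be 8-63 characters")
    for cfg in m.get("/caps-man configuration", []):
        for key, known in (("datapath", datapaths), ("security", security)):
            if cfg.get(key) not in known:
                out.append(f"configuration {cfg['name']}: {key} {cfg.get(key)} is not defined")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT)))
```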