While I wait for widespread availability of 802.11ac enterprise grade access points, a friend gave me a Cisco 1231 (dual radio) model as an interim solution. These puppies are a bit long in the tooth (A/B/G, no N, no WPA2 afaict) but it was still an acceptable solution since the overriding requirements were: be-a-bridge-not-a-router, POE, no controller needed, and multi-SSID-to-VLAN mapping. Here’s the config I’m using to accomplish that.

ap-guestroom#sho run
Building configuration...
!
Current configuration : 5414 bytes
!
! No configuration change since last restart
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap-guestroom
!
no logging console
enable secret 5 $1$[redacted]
!
ip subnet-zero
!
!
no aaa new-model
!
dot11 ssid campitycamp
vlan 1
authentication open 
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 [redacted]
!
dot11 ssid dutnet
vlan 13
authentication open 
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 [redacted]
!
dot11 ssid guestnet
vlan 12
authentication open 
mbssid guest-mode
!
dot11 ssid nplz
vlan 1
authentication open 
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 [redacted]
!         
dot11 ssid v6only
vlan 11
authentication open 
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 [redacted]
!
!
!
username Cisco password 7 [redacted]
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
load-interval 30
!
encryption mode ciphers aes-ccm 
!
encryption vlan 10 mode ciphers aes-ccm tkip 
!        
encryption vlan 1 mode ciphers aes-ccm tkip 
!
encryption vlan 11 mode ciphers aes-ccm tkip 
!
encryption vlan 13 mode ciphers aes-ccm tkip 
!
ssid campitycamp
!
ssid dutnet
!
ssid guestnet
!
ssid v6only
!
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root
!
interface Dot11Radio0.10
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
bridge-group 11 subscriber-loop-control
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
bridge-group 11 spanning-disabled
!
interface Dot11Radio0.12
encapsulation dot1Q 12
no ip route-cache
bridge-group 12
bridge-group 12 subscriber-loop-control
bridge-group 12 block-unknown-source
no bridge-group 12 source-learning
no bridge-group 12 unicast-flooding
bridge-group 12 spanning-disabled
!
interface Dot11Radio0.13
encapsulation dot1Q 13
no ip route-cache
bridge-group 13
bridge-group 13 subscriber-loop-control
bridge-group 13 block-unknown-source
no bridge-group 13 source-learning
no bridge-group 13 unicast-flooding
bridge-group 13 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 10 mode ciphers aes-ccm tkip 
!
encryption mode ciphers aes-ccm 
!
encryption vlan 1 mode ciphers aes-ccm tkip 
!        
encryption vlan 11 mode ciphers aes-ccm tkip 
!
encryption vlan 13 mode ciphers aes-ccm tkip 
!
ssid nplz
!
mbssid
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio1.10
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
bridge-group 11 subscriber-loop-control
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
bridge-group 11 spanning-disabled
!
interface Dot11Radio1.12
encapsulation dot1Q 12
no ip route-cache
bridge-group 12
bridge-group 12 subscriber-loop-control
bridge-group 12 block-unknown-source
no bridge-group 12 source-learning
no bridge-group 12 unicast-flooding
bridge-group 12 spanning-disabled
!
interface Dot11Radio1.13
encapsulation dot1Q 13
no ip route-cache
bridge-group 13
bridge-group 13 subscriber-loop-control
bridge-group 13 block-unknown-source
no bridge-group 13 source-learning
no bridge-group 13 unicast-flooding
bridge-group 13 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.10
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
no bridge-group 11 source-learning
bridge-group 11 spanning-disabled
!         
interface FastEthernet0.12
encapsulation dot1Q 12
no ip route-cache
bridge-group 12
no bridge-group 12 source-learning
bridge-group 12 spanning-disabled
!
interface FastEthernet0.13
encapsulation dot1Q 13
no ip route-cache
bridge-group 13
no bridge-group 13 source-learning
bridge-group 13 spanning-disabled
!
interface BVI1
ip address dhcp client-id FastEthernet0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
!         
control-plane
!
bridge 1 route ip
!
!
!
line con 0
transport preferred all
transport output all
line vty 0 4
login local
transport preferred all
transport input all
transport output all
line vty 5 15
login
transport preferred all
transport input all
transport output all
!
sntp server 192.148.252.1
end
!          
ap-guestroom#

This is “Cisco IOS Software, C1200 Software (C1200-K9W7-M), Version 12.3(7)JA, RELEASE SOFTWARE (fc1)” on an AIR-AP1231G-A-K9 (two radios).