The maximum number of wireless client associations allowed per SSID can be configured, which improves network performance and availability. The access point is assigned a primary SSID as defined by the 802.11 standard and advertises it in beacons to all wireless clients on that segment. Where a guest SSID is defined, companies should define a VLAN policy for that group, or access control list security policies that deny access to the corporate network. Guest traffic should for the most part be directed to the internet unless the guests have specific network rights.
VLAN membership of each wireless client is assigned based on which servers are most accessed, the company department, and security rights. A device type with less security, such as a scanner, won't be assigned the same VLAN as an engineering group with sensitive information and 802.1x security.
VLAN 1 is the default native VLAN and its traffic isn't tagged. The native VLAN number assigned on the wired switches must match the native VLAN assigned on all attached access points on that network segment. The native VLAN is sometimes used for network management traffic or the RADIUS server. Companies implement access control lists at each network switch to filter traffic and secure the management VLAN. In most designs the native VLAN isn't mapped to an SSID, except for connecting root bridges and non-root bridges. Define an infrastructure SSID for infrastructure devices such as a repeater or workgroup hub, and map the native VLAN to it so those devices can associate with root and non-root bridges.
Wireless clients configured for 802.1x authentication use a RADIUS server that is configured with the SSIDs mapped to each wireless client. This is called RADIUS SSID control. The server sends the list to the access point, and the client is allowed to associate with that access point if it is a member of one or more of its SSIDs. RADIUS VLAN control assigns each client a specific VLAN and default SSID; the static mapping can be overridden by the RADIUS server configuration. During authentication the wireless client is assigned to that specific VLAN, and the employee can't be a member of any other wired VLAN. Policy group filters or class map policies can be defined per VLAN. Infrastructure devices should be denied membership of any non-infrastructure SSID. Wireless clients will see the broadcasts and multicasts of all mapped VLANs unless per-VLAN encryption is implemented with 802.1x, TKIP, MIC and broadcast keys.
Trunking is implemented to switch traffic between network segments that have multiple VLANs defined. Each VLAN is a separate broadcast domain comprising a group of employees within a company department. The trunk is a physical switch port interface with Ethernet subinterfaces configured for 802.1q or ISL encapsulation. Packets are tagged with the specific VLAN number before being sent between the access point and the wired network switch. The access point Ethernet interface is configured as a hybrid trunk. Access control lists should be defined at the wired switch Ethernet interface to drop packets from VLANs not defined with any SSID.
VLAN 100 = 192.168.37.x - SSID = Engineers
VLAN 200 = 192.168.38.x - SSID = Guest
VLAN 300 = 192.168.39.x - SSID = Sales
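The trunk filter described above, worked through as an added example (not code from the article or from Cisco): it reads the VLAN ID from the 802.1q tag of a frame arriving at the switch port facing the access point's hybrid trunk, treats untagged frames as native VLAN 1, forwards only VLANs mapped to an SSID (the Engineers/Guest/Sales mapping above) or the native VLAN, and drops the rest. The sample frames and MAC addresses are constructed, and the native VLAN consistency check is an assumed helper illustrating the matching requirement.

```python
import struct
from typing import Optional

# VLAN/SSID mapping and native VLAN taken from the article; everything else is constructed.
SSID_VLANS = {100: "Engineers", 200: "Guest", 300: "Sales"}
NATIVE_VLAN = 1
TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def vlan_of_frame(frame: bytes) -> int:
    """Return the VLAN ID an Ethernet frame belongs to.

    A tagged frame carries the VID in the low 12 bits of the 802.1Q TCI field
    (bytes 14-15); an untagged frame belongs to the native VLAN, which is never tagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return NATIVE_VLAN
    if len(frame) < 16:
        raise ValueError("802.1Q TPID present but TCI field missing")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF


def trunk_filter(frame: bytes) -> str:
    """Decision at the wired switch port: forward VLANs mapped to an SSID and the
    native (infrastructure/management) VLAN, drop every other VLAN."""
    vid = vlan_of_frame(frame)
    if vid in SSID_VLANS:
        return f"forward: VLAN {vid} -> SSID {SSID_VLANS[vid]}"
    if vid == NATIVE_VLAN:
        return "forward: native VLAN (infrastructure)"
    return f"drop: VLAN {vid} not mapped to any SSID"


def build_frame(vid: Optional[int], payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed sample frame: 802.1Q-tagged when vid is given, untagged otherwise."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("0200000000aa")  # locally administered address, constructed
    if vid is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = (0 << 13) | (0 << 12) | (vid & 0x0FFF)  # PCP 0, DEI 0, VID
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload


def native_vlan_consistent(switch_native: int, ap_native: int) -> bool:
    """Assumed helper: untagged traffic lands in different VLANs on each side if these differ."""
    return switch_native == ap_native
```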
Shaun Hummel is author of Cisco Wireless Network Design Guide available at amazon.com and CiscoDesignBooks.com featuring Networking Books, eBooks, Certifications, Articles and Design Tools.
Published by Shaun Hummel