How to Implement Wireless VLANs

Shaun Hummel
Wireless access points operate as bridges with no routing defined anywhere on the wireless network segment.

All Virtual Local Area Networks (VLANs) are defined on the wired switches and mapped to specific SSIDs at each access point. At most 16 VLANs and 16 SSIDs can be mapped per access point. A wireless client attaches to, or associates with, a specific SSID, which in turn gives the client membership in a specific VLAN.

There is an option to configure the maximum number of wireless client associations allowed per SSID, which improves network performance and availability. Under the 802.11 standard the access point is assigned a primary SSID, which it advertises in beacons to all wireless clients on that segment. If a guest SSID is defined, companies should define a VLAN policy for that group or use access control list security policies to deny it access to the corporate network. Guest traffic, for the most part, should be directed out to the Internet unless guests have specific network rights.

VLAN membership for each wireless client is assigned based on which servers the client accesses most, the client's company department and its security rights. A device type such as a scanner with weaker security won't be assigned the same VLAN as an engineering group with sensitive information and 802.1X security.

VLAN 1 is the default native VLAN, and its traffic is not tagged. The native VLAN number assigned on the wired switches must match the native VLAN assigned on every access point attached to that network segment. The native VLAN is sometimes assigned to network management traffic or to the RADIUS server, and companies implement access control lists at each network switch to filter traffic and secure the management VLAN. In most designs the native VLAN isn't mapped to an SSID, except for connecting root bridges and non-root bridges: define an infrastructure SSID for infrastructure devices such as a repeater or workgroup hub and map the native VLAN to it, allowing those devices to associate with non-root and root bridges.

Wireless clients configured for 802.1X authentication use a RADIUS server configured with the SSIDs mapped to each wireless client. This is called RADIUS SSID control: the server sends the list to the access point, and the client is allowed to associate with the access point only if it is a member of one or more of those SSIDs. RADIUS VLAN control assigns each client a specific VLAN and default SSID. The access point's mapping can be overridden from the RADIUS server configuration.

During authentication the wireless client is assigned to that specific VLAN; the employee can't be a member of any other wired VLAN. Policy group filters or class map policies can be defined per VLAN. Infrastructure devices should be denied membership in any non-infrastructure SSID. Wireless clients will see all broadcasts and multicasts of all mapped VLANs unless 802.1X per-VLAN encryption is implemented with TKIP, MIC and broadcast keys.

Trunking is implemented to switch traffic between network segments that have multiple VLANs defined. Each VLAN defines a separate broadcast domain made up of a group of employees within a company department. The trunk is a physical switch port interface with Ethernet subinterfaces configured for 802.1Q or ISL encapsulation. Packets are tagged with a specific VLAN number before being sent between the access point and the wired network switch. The access point Ethernet interface is configured as a hybrid trunk. Access control lists should be defined at the wired switch Ethernet interface to drop packets from any VLAN not mapped to an SSID.

VLAN 100 = 192.168.37.x - SSID = Engineers
VLAN 200 = 192.168.38.x - SSID = Guest
VLAN 300 = 192.168.39.x - SSID = Sales
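As an added example (not code from the original article), the following Python applies the trunk-side policy described above to constructed 802.1Q frames using the VLAN/SSID mapping listed above: untagged frames fall into the native VLAN, tagged frames are parsed for their VLAN ID, and frames from VLANs not mapped to any SSID are dropped. It also checks the 16-mapping limit and that the native VLAN is not mapped to a client SSID; function names such as `filter_frame` are this example's own assumptions.

```python
import struct

# SSID-to-VLAN map and native VLAN taken from the article's example.
SSID_VLAN = {"Engineers": 100, "Guest": 200, "Sales": 300}
NATIVE_VLAN = 1            # untagged traffic; must match on switch and AP
TPID_8021Q = 0x8100        # 802.1Q tag protocol identifier

def validate_mapping(ssid_vlan, native=NATIVE_VLAN):
    """Article's rules: at most 16 mappings per access point and the native
    VLAN not mapped to a client SSID. Returns the reverse VLAN->SSID map."""
    if len(ssid_vlan) > 16:
        raise ValueError("more than 16 SSID/VLAN mappings on one access point")
    if native in ssid_vlan.values():
        raise ValueError("native VLAN must not be mapped to a client SSID")
    return {v: s for s, v in ssid_vlan.items()}

def build_frame(dst, src, vid=None, ethertype=0x0800, payload=b""):
    """Constructed sample Ethernet frame; adds an 802.1Q tag when vid is set."""
    hdr = dst + src
    if vid is not None:
        tci = (0 << 13) | (0 << 12) | (vid & 0x0FFF)   # PCP=0, DEI=0, VID
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_vlan(frame, native=NATIVE_VLAN):
    """Return (vlan_id, ethertype). Untagged and priority-tagged (VID 0)
    frames belong to the native VLAN, as on the access point's trunk."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != TPID_8021Q:
        return native, etype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return ((tci & 0x0FFF) or native), inner

def filter_frame(frame, ssid_vlan=SSID_VLAN, native=NATIVE_VLAN):
    """Trunk-side ACL from the article: forward the native (infrastructure)
    VLAN and VLANs mapped to an SSID, drop frames from any other VLAN."""
    vlan_ssid = validate_mapping(ssid_vlan, native)
    vid, _ = parse_vlan(frame, native)
    if vid == native:
        return "forward", "infrastructure"
    if vid in vlan_ssid:
        return "forward", vlan_ssid[vid]
    return "drop", "VLAN %d is not mapped to any SSID" % vid
```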

Apr 30, 2010 7:04 PM kaveh samadi javan says:
It was such a useful summary.
Jan 21, 2011 10:01 PM klauss35 says:
Nice article, thanks.
Jan 27, 2012 4:01 PM Nicole says:
Thanks for this!
Feb 14, 2012 1:02 PM Carla Gomez says:
The wireless access points operate as bridges with no routing defined anywhere on the wireless network segment.
Mar 28, 2012 11:03 AM Ann says:
This is very valuable information you posted here on wireless VLAN implementation. Thanks.