Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-11350-01
Chapter 14 Configuring VLANs
Understanding VLANs
A VLAN is a switched network that is logically segmented, by functions, project teams, or applications
rather than on a physical or geographical basis. For example, all workstations and servers used by a
particular workgroup team can be connected to the same VLAN, regardless of their physical connections
to the network or the fact that they might be intermingled with other teams. You use VLANs to
reconfigure the network through software rather than physically unplugging and moving devices or
wires.
A VLAN can be thought of as a broadcast domain that exists within a defined set of switches. A VLAN
consists of a number of end systems, either hosts or network equipment (such as bridges and routers),
connected by a single bridging domain. The bridging domain is supported on various pieces of network
equipment such as LAN switches that operate bridging protocols between them with a separate group
for each VLAN.
VLANs provide the segmentation services traditionally provided by routers in LAN configurations.
VLANs address scalability, security, and network management. You should consider several key issues
when designing and building switched LAN networks:
LAN segmentation
Security
Broadcast control
Performance
Network management
Communication between VLANs
You extend VLANs into a wireless LAN by adding IEEE 802.1Q tag awareness to the access point.
Frames destined for a given VLAN are transmitted over the air on the SSID mapped to that VLAN,
encrypted with that VLAN's own key (WEP keys in this chapter's examples), so only clients associated
to that SSID can decrypt them. Conversely, frames arriving from a client associated to a given SSID
are given the 802.1Q tag of that SSID's VLAN before they are forwarded onto the wired network.
If 802.1Q is configured on the FastEthernet interface of an access point, the access point always
sends keepalives tagged for VLAN 1, even if VLAN 1 is not defined on the access point. As a result,
the Ethernet switch to which the access point is connected generates a warning message. Neither the
access point nor the switch loses any function, but the switch log fills with meaningless messages
that can cause more important messages to wrap and go unseen.
This behavior creates a problem when all SSIDs on an access point are associated to mobility networks.
In that case the Ethernet switch port the access point is connected to can be configured as an access
port. The access port is normally assigned to the native VLAN of the access point, which is not
necessarily VLAN 1, so the Ethernet switch generates warning messages saying that the access point is
sending traffic with an 802.1Q tag.
You can eliminate the excessive messages on the switch by disabling the keepalive function.
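The following configuration is an added example and is not taken from this guide. It shows, in one place, the pieces the text above describes: two SSIDs mapped to two VLANs with separate encryption keys, 802.1Q subinterfaces on the radio and FastEthernet interfaces bridged together, the keepalive function disabled on the FastEthernet interface, and the switch port facing the access point. The SSID names, the VLAN numbers (10 as the native/management VLAN, 20 as a guest VLAN), the placeholder passphrases, the switch-side commands, and the use of the standard IOS `no keepalive` interface command (this page does not name the command it means by "disabling the keepalive function") are all assumptions of the example.

```cisco
! Added example, not from the guide. Assumptions: VLAN 10 is the access point's
! native (management) VLAN and carries corporate clients, VLAN 20 carries guest
! clients; SSID names and passphrases are placeholders.
!
! --- Access point: one SSID per VLAN, each VLAN with its own key ---
dot11 ssid corp
 vlan 10
 authentication open
 authentication key-management wpa
 wpa-psk ascii 0 corp-placeholder-passphrase
!
dot11 ssid guest
 vlan 20
 authentication open
 authentication key-management wpa
 wpa-psk ascii 0 guest-placeholder-passphrase
 guest-mode
!
interface Dot11Radio0
 ! Per-VLAN ciphers: VLAN 10 and VLAN 20 frames are encrypted under separate
 ! keys, so a guest client cannot decrypt corporate traffic even though both
 ! VLANs are sent by the same radio.
 encryption vlan 10 mode ciphers aes-ccm
 encryption vlan 20 mode ciphers aes-ccm
 ssid corp
 ssid guest
 no shutdown
!
! Radio subinterfaces: one per VLAN, 802.1Q tagged, bridged to the matching
! Ethernet subinterface through the same bridge group. The native VLAN uses
! bridge-group 1 because the management interface (BVI1) lives there.
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 bridge-group 1
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
!
! Ethernet trunk to the switch. "no keepalive" stops the VLAN 1 keepalives
! described above (assumption: the standard IOS interface command is what the
! text refers to).
interface FastEthernet0
 no keepalive
!
interface FastEthernet0.10
 encapsulation dot1Q 10 native
 bridge-group 1
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
!
! --- Catalyst switch port facing the access point (assumed Catalyst IOS) ---
! The native VLAN matches the access point's native VLAN, and the allowed list
! is pruned so only the VLANs the access point actually serves reach the radio.
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
```

The chapter's text describes per-VLAN WEP keys; the example uses `mode ciphers aes-ccm` with WPA key management instead, because WEP is broken and should not be used where the platform offers WPA/AES. The `switchport trunk encapsulation dot1q` line is only accepted on Catalyst platforms that support more than one trunk encapsulation and is omitted on others. Verify the exact syntax of the `encryption vlan`, `wpa-psk` and `no keepalive` commands against the command reference for the IOS release running on the access point.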
Figure 14-1 shows the difference between traditional physical LAN segmentation and logical VLAN
segmentation with wireless devices connected.