14-4
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-11350-01
Chapter14 Configuring VLANs
Configuring VLANs

Incorporating Wireless Devices into VLANs

The basic wireless components of a VLAN consist of an access point and a client associated to it using
wireless technology. The access point is physically connected through a trunk port to the network VLAN
switch on which the VLAN is configured. The physical connection to the VLAN switch is through the
access point’s Ethernet port.
In fundamental terms, the key to configuring an access point to connect to a specific VLAN is to
configure its SSID to recognize that VLAN. Because VLANs are identified by a VLAN ID or name, it
follows that if the SSID on an access point is configured to recognize a specific VLAN ID or name, a
connection to the VLAN is established. When this connection is made, associated wireless client devices
having the same SSID can access the VLAN through the access point. The VLAN processes data to and
from the clients the same way that it processes data to and from wired connections. You can configure
up to 16 SSIDs on your access point, so you can support up to 16 VLANs. You can assign only one SSID
to a VLAN.
You can use the VLAN feature to deploy wireless devices with greater efficiency and flexibility. For
example, one access point can now handle the specific requirements of multiple users having widely
varied network access and permissions. Without VLAN capability, multiple access points would have to
be employed to serve classes of users based on the access and permissions they were assigned.
These are two common strategies for deploying wireless VLANs:
Segmentation by user groups: You can segment your wireless LAN user community and enforce a
different security policy for each user group. For example, you can create three wired and wireless
VLANs in an enterprise environment for full-time and part-time employees and also provide guest
access.
Segmentation by device types: You can segment your wireless LAN to allow different devices with
different security capabilities to join the network. For example, some wireless users might have
handheld devices that support only static WEP, and some wireless users might have more
sophisticated devices using dynamic WEP. You can group and isolate these devices into separate
VLANs.
Note You cannot configure multiple VLANs on repeater access points. Repeater access points support only
the native VLAN.
Configuring VLANs
These sections describe how to configure VLANs on your access point:
Configuring a VLAN, page14-5
Assigning Names to VLANs, page 14-7
Using a RADIUS Server to Assign Users to VLANs, page14-8
Viewing VLANs Configured on the Access Point, page14-9