Chapter 4 Configuring VLANs

VLAN Security Policy

Default Policy Group—Ability to apply a policy group (a set of Layer 2, 3, and 4 filters) to each VLAN. Each filter within a policy group can be configured to allow or deny a certain type of traffic.

Temporal Key Integrity Protocol (TKIP)—Ability to enable per-packet key hashing for each VLAN.

Enhanced MIC verification for WEP—Ability to enable MIC for each VLAN.

WEP key rotation interval—Ability to enable WEP key rotation for each VLAN; supported only on wireless VLANs with IEEE 802.1x protocols enabled (such as LEAP, EAP-TLS, and PEAP).

Encryption key—The key used for broadcast or multicast segmentation for each VLAN. This key is also used by static WEP clients for both unicast and multicast traffic.

Note: With an encryption key configured, the VLAN supports standard WEP. TKIP, MIC, and broadcast key rotation can optionally be configured in addition, as noted above.

Table 4-1 lists the SSID and VLAN ID configuration parameters.

Table 4-1 SSID and VLAN ID Configuration Parameters

Parameter                         SSID   VLAN ID
Authentication types              x
Maximum number of associations    x
Encryption key (broadcast key)           x
TKIP/MIC                                 x
WEP rotation interval                    x
Policy group                             x
Default Priority (CoS mapping)

Broadcast Domain Segmentation

All Layer 2 broadcast and multicast messages are propagated over the air, so every WLAN client receives broadcast and multicast traffic belonging to other VLANs, whereas a wired client receives Layer 2 broadcast and multicast traffic only for its own VLAN. Therefore, a unique broadcast/multicast encryption key per VLAN is used to segment the Layer 2 broadcast domains on the wireless LAN. This unique encryption key must be configured during initial VLAN setup. If broadcast key rotation is enabled, the key is generated dynamically and delivered to WLAN clients in IEEE 802.1x messages.

The requirement to segment broadcast domains on the wireless side restricts the use of unencrypted VLANs per ESS: a maximum of one VLAN can be unencrypted per WLAN ESS. A WLAN client on an encrypted VLAN should discard any unencrypted Layer 2 broadcast or multicast traffic it receives.
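The constraints this section and the Native VLAN Configuration subsection below place on a configuration (at most one unencrypted VLAN per ESS, WEP key rotation only on VLANs served by an 802.1x SSID, one native VLAN ID across the ESS that matches the wired trunk) can be checked before an access point is deployed. The following is an added example, not code from the guide or from Cisco; the data model and field names are this example's own, and the sample ESS is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Set
# Hypothetical model of the Table 4-1 parameters (this example's names, not Cisco CLI keywords).
@dataclass
class Vlan:
    vlan_id: int
    encryption_key: Optional[str] = None  # broadcast/multicast key; None = unencrypted VLAN
    wep_rotation_interval: int = 0        # seconds; 0 = rotation disabled
@dataclass
class Ssid:
    name: str
    vlan_id: int
    auth_types: Set[str]  # e.g. {"open"}, {"peap"}, {"leap", "eap-tls"}
@dataclass
class AccessPoint:
    name: str
    native_vlan: int
    trunk_native_vlan: int  # native VLAN of the wired trunk this AP connects to
    vlans: List[Vlan]
    ssids: List[Ssid]

DOT1X_AUTH = {"leap", "eap-tls", "peap"}  # 802.1x methods named in the text
def check_ess(aps: List[AccessPoint]) -> List[str]:
    """Return the constraints from this section that an ESS configuration violates."""
    problems = []
    if len({ap.native_vlan for ap in aps}) > 1:
        problems.append("access points in one ESS use different native VLAN IDs")
    unencrypted = set()
    for ap in aps:
        if ap.native_vlan != ap.trunk_native_vlan:
            problems.append(f"{ap.name}: native VLAN {ap.native_vlan} != trunk native VLAN {ap.trunk_native_vlan}")
        auth_by_vlan = {}  # vlan_id -> union of auth types of the SSIDs mapped to it
        for s in ap.ssids:
            auth_by_vlan.setdefault(s.vlan_id, set()).update(s.auth_types)
        for v in ap.vlans:
            if v.encryption_key is None:
                unencrypted.add(v.vlan_id)
            if v.wep_rotation_interval and not auth_by_vlan.get(v.vlan_id, set()) & DOT1X_AUTH:
                problems.append(f"{ap.name}: VLAN {v.vlan_id} rotates WEP keys without an 802.1x SSID")
    if len(unencrypted) > 1:
        problems.append(f"ESS has {len(unencrypted)} unencrypted VLANs {sorted(unencrypted)}; at most one allowed")
    return problems

# Constructed sample: VLAN 10 is the one unencrypted guest VLAN; VLAN 20 uses PEAP with key rotation.
KEY = "0123456789abcdef0123456789"  # constructed 104-bit WEP key (26 hex digits), not a real key
SSIDS = [Ssid("guest", 10, {"open"}), Ssid("corp", 20, {"peap"})]
GOOD_ESS = [AccessPoint(n, 1, 1, [Vlan(10), Vlan(20, KEY, 300)], SSIDS) for n in ("ap1", "ap2")]
# Constructed bad ESS: ap2 rotates keys on an open VLAN, mismatches its trunk, adds a 2nd unencrypted VLAN.
BAD_ESS = [GOOD_ESS[0], AccessPoint("ap2", 1, 5, [Vlan(10), Vlan(30, None, 300)],
                                    [Ssid("guest", 10, {"open"}), Ssid("lab", 30, {"open"})])]
```

`check_ess(GOOD_ESS)` returns an empty list, while `check_ess(BAD_ESS)` reports the trunk mismatch, the rotation on an open-authentication VLAN, and the second unencrypted VLAN.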

Native VLAN Configuration

The native VLAN setting on the access point must match the native VLAN of the wired trunk. The access point also communicates with the other access points in the same wireless LAN ESS using the Inter-Access Point Protocol (IAPP) over the native VLAN. Therefore, all access points in an ESS must use the same native VLAN ID. Furthermore, all Telnet and http

Cisco Aironet 1200 Series Access Point Software Configuration Guide
OL-2159-05
4-5