Chapter 4 Configuring VLANs

VLAN Security Policy

management traffic as well as the RADIUS traffic is routed to the access point through the native VLAN. It is recommended that you restrict user access to the native (default) VLAN of the access points through the use of Layer-3 ACLs and policies on the wired infrastructure side.
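The paragraph above puts the control on the wired side because the access point only bridges each SSID onto its VLAN at Layer 2 and does not filter between VLANs. The following is an added example of that wired-side restriction, not configuration from the guide, written for a Cisco IOS Layer 3 switch that routes between the wireless VLANs. All numbers are assumptions for illustration: VLAN 10 is the native/management VLAN (10.10.10.0/24, RADIUS server at 10.10.10.50), VLAN 20 is an employee VLAN (10.10.20.0/24) and VLAN 30 a guest VLAN (10.10.30.0/24); the ACL and interface names are hypothetical.

```cisco
! Added example (not from the guide). Addresses, VLAN numbers, ACL name and
! interface names are assumptions for illustration only.
!
! VLAN 10 = native/management VLAN of the access points (10.10.10.0/24);
!           the RADIUS server (10.10.10.50) also lives here.
! VLAN 20 = employee wireless VLAN (10.10.20.0/24)
! VLAN 30 = guest wireless VLAN    (10.10.30.0/24)
!
! The access point bridges each SSID onto its VLAN at Layer 2 and does not
! filter between VLANs, so the restriction lives on the wired Layer 3 device.
ip access-list extended WLAN-USERS-IN
 remark Wireless clients never need to reach the AP management/native VLAN.
 remark RADIUS is spoken by the AP itself (on VLAN 10), not by the clients,
 remark so no RADIUS exception is needed for client traffic.
 deny   ip any 10.10.10.0 0.0.0.255 log
 remark Everything else (intranet, Internet) is left to other policy.
 permit ip any any
!
interface Vlan20
 description Employee wireless clients
 ip address 10.10.20.1 255.255.255.0
 ip access-group WLAN-USERS-IN in
!
interface Vlan30
 description Guest wireless clients
 ip address 10.10.30.1 255.255.255.0
 ip access-group WLAN-USERS-IN in
!
! Verification: from a client on VLAN 20, try to reach an access point's
! management address (for example 10.10.10.5), then confirm the deny line
! counted the hit:
!   show ip access-lists WLAN-USERS-IN
```

The ACL is applied inbound on the user-VLAN SVIs, so it only ever sees client-originated traffic; management sessions from an administrative subnet to the access points are routed through other interfaces and are unaffected. The `log` keyword on the deny line gives the operations team a signal when a wireless client probes the management VLAN.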

You may or may not wish to map the native VLAN of the access point to an SSID (for example, to the wireless ESS). Scenarios where the native VLAN must be mapped to an SSID are as follows:

For an associated workgroup bridge to be treated as an infrastructure device

For a root bridge to connect to a nonroot bridge

In these scenarios, Cisco recommends that you configure an infrastructure SSID on each access point. Figure 4-3 illustrates a combined deployment of infrastructure devices and non infrastructure devices in an enterprise LAN. As the figure shows, the native VLAN of the access point is mapped to the infrastructure SSID. WEP encryption with TKIP (at least per-packet key hashing) should be turned on for the infrastructure SSID. Cisco also recommends that you configure a secondary SSID as the infrastructure SSID, so that it is not advertised in beacons. The concepts of primary and secondary SSIDs are explained in the next section.

Figure 4-3 Deployment of Infrastructure and Non infrastructure Devices

[Figure: an enterprise network with a RADIUS server connects over an 802.1Q trunk (native VLAN = 10, the management VLAN) to a root access point. Employee and Guest SSIDs serve non infrastructure clients. A root bridge links over 802.1Q trunks to a nonroot bridge at a branch office, and a workgroup bridge and a repeater associate through the Infrastructure SSID, which is mapped to native VLAN 10.]

Primary and Secondary SSIDs

When multiple wireless VLANs are enabled on an access point or bridge, multiple SSIDs are created, and each SSID maps to a default VLAN ID on the wireless side. The IEEE 802.11 specification allows only one SSID to be advertised in beacons, so you must designate one primary SSID to be carried in the IEEE 802.11 beacon management frames. All other SSIDs are secondary SSIDs and are not broadcast in the beacons. Leaving an SSID out of the beacon is not a security control: a secondary SSID is still sent in clear text in probe and association frames, so it should be paired with encryption and authentication rather than relied on to hide the network.
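The following is an added example, not the guide's own configuration, showing the infrastructure SSID recommended in the previous section together with the primary/secondary SSID split described here. It is written in Cisco IOS access point CLI syntax (12.2(4)JA-era, with SSIDs configured under the radio interface), which is an assumption about the platform; the VLAN numbers, SSID names and the WEP key are placeholders.

```cisco
! Added example (not the guide's own configuration). IOS access point CLI
! syntax is assumed; VLAN numbers, SSID names and the WEP key are placeholders.
!
! VLAN 10 is the native VLAN: it carries the AP's management and RADIUS
! traffic, and the secondary "Infrastructure" SSID maps to it.
interface Dot11Radio0
 ! WEP on VLAN 10 with per-packet key hashing (Cisco TKIP) and MIC, as the
 ! guide recommends for the infrastructure SSID. 128-bit placeholder key.
 encryption vlan 10 mode wep mandatory mic key-hash
 encryption vlan 10 key 1 size 128bit 0 0123456789abcdef0123456789 transmit-key
 !
 ! Primary SSID: guest-mode makes it the one SSID carried in beacons.
 ! Client authentication and encryption for VLAN 20 are configured as in
 ! the security chapters and are omitted here.
 ssid Employee
  vlan 20
  authentication open
  guest-mode
 !
 ! Secondary SSID for workgroup bridges and nonroot bridges/repeaters. It is
 ! not in the beacon, and infrastructure-ssid restricts infrastructure
 ! devices to associating through this SSID only.
 ssid Infrastructure
  vlan 10
  authentication open
  infrastructure-ssid
!
! Native VLAN 10: untagged on both the radio and the Ethernet trunk.
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 bridge-group 1
interface FastEthernet0.10
 encapsulation dot1Q 10 native
 bridge-group 1
!
! Employee VLAN 20: tagged on the trunk, bridged in its own bridge group.
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
```

Only one SSID may carry `guest-mode`; every other SSID on the radio is secondary and must be configured explicitly on the client, bridge or workgroup bridge that uses it. Keeping the infrastructure SSID secondary reduces casual discovery of the management VLAN, but, as noted above, it is still visible in probe and association frames, which is why the guide insists on encryption for it. WEP with per-packet key hashing is what this generation of hardware offers; where the access point and clients support a stronger cipher, prefer it.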

Cisco Aironet 1200 Series Access Point Software Configuration Guide, OL-2159-05, page 4-6
