Cisco Systems DL-2159-05 manual Wireless VLAN Deployment Example

Models: DL-2159-05


Chapter 4 Configuring VLANs

A Wireless VLAN Deployment Example

Common devices used to access the WLAN, such as the following:

Security mechanisms (static WEP, MAC authentication and EAP authentication supported by each device type)

Wired network resources, such as servers, commonly accessed by WLAN device groups

QoS level needed by each device group

Revisions to the existing wired VLAN deployment:

Existing policies for VLAN access

Localized wired VLANs or flat Layer 2 switched network policies

Other affected policies

You should consider the following implementation criteria before deploying wireless VLANs:

Use policy groups (a set of filters) to map wired policies to the wireless side.

Use IEEE 802.1x to control user access to VLANs by using either RADIUS-based VLAN assignment or RADIUS-based SSID access control.

Use separate VLANs to implement different classes of service.

Adhere to any other criteria specific to your organization’s network infrastructure.

Based on these criteria, you could choose to deploy wireless VLANs using the following strategies:

Segmentation by user groups—You can segment your WLAN user community and enforce a different security policy for each user group. For example, you could create three wired and wireless VLANs in an enterprise environment: one each for full-time employees, part-time employees, and guest access.

Segmentation by device types—You can segment your WLAN so that devices with different security levels can access the network. For example, you might have hand-held devices that support only 40- or 128-bit static WEP coexisting in the same ESS with other devices that use IEEE 802.1x with dynamic WEP. Each of these device types would be isolated in a separate VLAN.

A Wireless VLAN Deployment Example

This section outlines a typical use of wireless VLANs. For the example, assume your company, XYZ, determines the need for wireless LANs in its network. Following the guidelines in the previous sections, your findings are as follows:

Five different groups are present at Company XYZ: full-time employees, part-time employees, contract employees, guests, and maintenance workers.

Full-time and contract employees use company-supplied PCs to access the wireless network. The PCs are capable of supporting IEEE 802.1x authentication methods to access the wireless LAN.

Full-time employees need full access to the wired network resources. The IT department has implemented application-level privileges for each user (using Microsoft NT or 2000 AD mechanisms).

Part-time and contract employees are not allowed access to certain wired resources (such as HR or data storage servers). The IT department has implemented application-level privileges for part-time employees (using Microsoft NT or 2000 AD mechanisms).

Guest users want access to the Internet and are likely to launch a VPN tunnel back to their own company headquarters.
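
The following check is an added example, not part of the Cisco guide: it tests a candidate VLAN plan for the XYZ groups against the criteria above (restricted resources stay unreachable, device types with different security levels never share a VLAN) and builds the RFC 3580 attributes a RADIUS server returns for RADIUS-based VLAN assignment. The VLAN IDs, resource names, each group's authentication mechanism and all function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed plan for the page's Company XYZ groups. VLAN IDs, resource names
# and each group's auth mechanism are assumptions, not values from the guide.
PLAN = [  # (group, auth mechanism, VLAN ID, resources reachable from the VLAN)
    ("full-time", "802.1x", 10, {"internet", "apps", "hr", "storage"}),
    ("contract", "802.1x", 20, {"internet", "apps"}),
    ("part-time", "802.1x", 20, {"internet", "apps"}),
    ("guest", "open", 30, {"internet"}),
]
# From the page: part-time and contract employees must not reach HR or storage.
DENIED = {"part-time": {"hr", "storage"}, "contract": {"hr", "storage"}}


def radius_vlan_attrs(vlan_id):
    """RFC 3580 reply attributes a RADIUS server returns to assign a VLAN."""
    return {
        "Tunnel-Type": 13,           # VLAN
        "Tunnel-Medium-Type": 6,     # IEEE-802
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def check_plan(plan, denied):
    """Return findings where the plan breaks the page's segmentation criteria."""
    findings = []
    auth_by_vlan = defaultdict(set)
    for group, auth, vlan, reachable in plan:
        auth_by_vlan[vlan].add(auth)
        leaked = reachable & denied.get(group, set())
        if leaked:
            findings.append(f"{group}: VLAN {vlan} exposes {sorted(leaked)}")
    for vlan, auths in sorted(auth_by_vlan.items()):
        if len(auths) > 1:  # device types with different security share a VLAN
            findings.append(f"VLAN {vlan}: mixed security {sorted(auths)}")
    return findings


def assignments(plan):
    """Per-group RADIUS attributes for groups that authenticate with 802.1X."""
    return {g: radius_vlan_attrs(v) for g, a, v, _ in plan if a == "802.1x"}


if __name__ == "__main__":
    print(check_plan(PLAN, DENIED))  # the constructed plan passes both checks
    bad = PLAN + [("handheld", "static-wep", 20, {"apps"})]  # constructed violation
    print(check_plan(bad, DENIED))
    print(assignments(PLAN)["contract"])
```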

Cisco Aironet 1200 Series Access Point Software Configuration Guide

 

OL-2159-05
