14-4
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter 14 Configuring VLANs
Configuring VLANs
You can assign more than one SSID to a given VLAN. However, a given SSID can be mapped to only
one VLAN. Also, the SSID to VLAN mapping must be unique per interface.
For example, you configure SSID1 and SSID2. If you assign SSID1 to VLANA on radio 0, then you
cannot assign SSID2 to VLANA on the same radio 0. You can assign SSID2 to VLANA on radio 1.
Alternatively, you can assign SSID2 to VLANB on radio 0 or on radio 1 or on both. If you assign SSID2
to VLANB on radio 0, you can assign SSID2 to radio 1, but it must also be assigned to VLANB. You
cannot assign SSID2 (or SSID1) to VLANA on radio 0, and to VLANB on radio 1.
You can use the VLAN feature to deploy wireless devices with greater efficiency and flexibility. For
example, one access point can now handle the specific requirements of multiple users having widely
varied network access and permissions. Without VLAN capability, multiple access points would have to
be employed to serve classes of users based on the access and permissions they were assigned.
These are two common strategies for deploying wireless VLANs:
• Segmentation by user groups: You can segment your wireless LAN user community and enforce a
different security policy for each user group. For example, you can create three wired and wireless
VLANs in an enterprise environment for full-time and part-time employees and also provide guest
access.
• Segmentation by device types: You can segment your wireless LAN to allow different devices with
different security capabilities to join the network. For example, some wireless users might have
handheld devices that support only pre-shared key (PSK) security mechanisms, and
some wireless users might have more sophisticated devices using 802.1x/EAP. You can group and
isolate these devices into separate VLANs.
Repeaters cannot repeat SSIDs mapped to a VLAN. When configuring a root access point and a repeater,
make sure that the SSID on the root AP and the same SSID on the repeater use the native VLAN. You
can configure other SSIDs on the root AP and the repeater AP that would be mapped to a VLAN, but
these tagged SSIDs cannot be repeated.
When configuring a bridge to non-root bridge link, the SSID used on the bridge must be untagged (use
the native VLAN). You can also configure other SSIDs on both the root bridge AP and the non-root
bridge AP that would be mapped to a VLAN. These SSIDs will be forwarded between the root bridge
and the non-root bridge through the SSID associated to the native VLAN.
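
The SSID-to-VLAN mapping rules and the native-VLAN requirement for repeater and bridge links described above can be checked against a planned configuration before it is applied. The following Python script is an added example, not part of the Cisco guide or of Cisco IOS; the function name, the (radio, SSID, VLAN) tuple format, and the sample plans are assumptions made for illustration.

```python
from collections import defaultdict


def check_ssid_vlan_map(assignments, native_vlan=None, link_ssid=None):
    """Return a sorted list of rule violations for (radio, ssid, vlan) tuples.

    link_ssid (optional) is the SSID used for a repeater or bridge link;
    it must sit on native_vlan, the untagged VLAN.
    """
    problems = set()
    vlans_per_ssid = defaultdict(set)        # ssid -> VLANs it is mapped to
    ssids_per_radio_vlan = defaultdict(set)  # (radio, vlan) -> SSIDs on it

    for radio, ssid, vlan in assignments:
        vlans_per_ssid[ssid].add(vlan)
        ssids_per_radio_vlan[(radio, vlan)].add(ssid)

    # Rule 1: a given SSID can be mapped to only one VLAN, on any radio.
    for ssid, vlans in vlans_per_ssid.items():
        if len(vlans) > 1:
            problems.add(f"{ssid}: mapped to multiple VLANs {sorted(vlans)}")

    # Rule 2: the SSID-to-VLAN mapping must be unique per interface.
    for (radio, vlan), ssids in ssids_per_radio_vlan.items():
        if len(ssids) > 1:
            problems.add(f"radio {radio}: VLAN {vlan} shared by {sorted(ssids)}")

    # Rule 3: the repeater/bridge link SSID must use the native VLAN.
    if link_ssid is not None:
        for vlan in vlans_per_ssid.get(link_ssid, ()):
            if vlan != native_vlan:
                problems.add(f"{link_ssid}: link SSID on tagged VLAN {vlan}")

    return sorted(problems)


# Constructed sample plans that reuse the names from the text above.
ALLOWED = [(0, "SSID1", "VLANA"), (1, "SSID2", "VLANA")]
SAME_RADIO = [(0, "SSID1", "VLANA"), (0, "SSID2", "VLANA")]
SPLIT_SSID = [(0, "SSID2", "VLANA"), (1, "SSID2", "VLANB")]

if __name__ == "__main__":
    for name, plan in [("allowed", ALLOWED), ("same radio", SAME_RADIO),
                       ("split SSID", SPLIT_SSID)]:
        print(name, check_ssid_vlan_map(plan) or "ok")
```
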
Configuring VLANs
These sections describe how to configure VLANs on your access point:
• Configuring a VLAN, page 14-5
• Assigning Names to VLANs, page 14-7
• Using a RADIUS Server to Assign Users to VLANs, page 14-8
• Viewing VLANs Configured on the Access Point, page 14-8