Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter 14 Configuring VLANs
VLAN Configuration Example
This example shows how to use VLANs to manage wireless devices on a college campus. In this
example, three levels of access are available through VLANs configured on the wired network:
- Management access: highest level of access; users can access all internal drives and files,
  departmental databases, top-level financial information, and other sensitive information.
  Management users are required to authenticate using Cisco EAP-FAST.
- Faculty access: medium level of access; users can access the school's intranet and the Internet,
  access internal files, access student databases, and view internal information such as human
  resources, payroll, and other faculty-related material. Faculty users are required to
  authenticate using Cisco PEAP.
- Student access: lowest level of access; users can access the school's intranet and the Internet,
  obtain class schedules, view grades, make appointments, and perform other student-related
  activities. Students are allowed to join the network using static WPA2 Personal (pre-shared key).
In this scenario, a minimum of three VLAN connections are required, one for each level of access.
Because the access point can handle up to 16 SSIDs, you can use the basic design shown in Table 14-1.
Managers configure their wireless client adapters to use SSID manage, faculty members configure their
clients to use SSID teach, and students configure their wireless client adapters to use SSID learn. When
these clients associate to the access point, they automatically belong to the correct VLAN.
You would complete these steps to support the VLANs in this example:
1. Configure or confirm the configuration of these VLANs on one of the switches on your LAN.
2. On the access point, assign an SSID to each VLAN.
3. Assign authentication types to each SSID.
4. Configure VLAN 1, the Management VLAN, on both the Ethernet and dot11radio interfaces on the
access point. You should make this VLAN the native VLAN.
5. Configure VLANs 2 and 3 on both the Ethernet and dot11radio interfaces on the access point.
6. Configure the client devices.
Table 14-1 Access Level SSID and VLAN Assignment

Level of Access    SSID                 VLAN ID
Management         manage (not boss)    01
Faculty            teach                02
Student            learn                03
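
The access point side of steps 2 through 5, using the SSID and VLAN assignments in Table 14-1, as an added example that is not taken from the original guide. It assumes an EAP method list named eap_methods is already defined under AAA and points at a RADIUS server, that the wired interface is GigabitEthernet0, and that the AES-CCM cipher is used on every VLAN; the pre-shared key is a placeholder.

```cisco
! Steps 2-3: one SSID per VLAN, each with its own authentication type
dot11 ssid manage
 vlan 1
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
!
dot11 ssid teach
 vlan 2
 authentication open eap eap_methods
 authentication key-management wpa version 2
!
dot11 ssid learn
 vlan 3
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 0 <student-psk-placeholder>
!
! Bind the SSIDs to the radio and set a cipher for each VLAN
interface Dot11Radio0
 encryption vlan 1 mode ciphers aes-ccm
 encryption vlan 2 mode ciphers aes-ccm
 encryption vlan 3 mode ciphers aes-ccm
 ssid manage
 ssid teach
 ssid learn
!
! Step 4: VLAN 1 (management) is native on both the radio and Ethernet
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
!
! Step 5: VLANs 2 and 3 are tagged on both the radio and Ethernet
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
interface GigabitEthernet0.2
 encapsulation dot1Q 2
 bridge-group 2
interface Dot11Radio0.3
 encapsulation dot1Q 3
 bridge-group 3
interface GigabitEthernet0.3
 encapsulation dot1Q 3
 bridge-group 3
```

The access point only relays EAP for the manage and teach SSIDs; whether a client must use EAP-FAST or PEAP is enforced by the RADIUS server policy, so the two access levels should be mapped to separate policies there. The switch port facing the access point must be a trunk carrying VLANs 1 through 3 with VLAN 1 as its native VLAN, matching step 1.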