Cisco Systems OL-6415-04 VLAN Configuration Example

8-9

Cisco Wireless ISR and HWIC Access Point Configuration Guide

OL-6415-04

Chapter 8 Configuring VLANs

VLAN Configuration Example

VLAN Configuration Example

This example shows how to use VLANs to manage wireless devices on a college campus. In this

example, three levels of access are available through VLANs configured on the wired network:

• Management access—Highest level of access; users can access all internal drives and files,

departmental databases, top-level financial information, and other sensitive information.

Management users are required to authenticate using Cisco LEAP.

• Faculty access—Medium level of access; users can access school’s Intranet and Internet, access

internal files, access student databases, and view internal information such as human resources,

payroll, and other faculty-related material. Faculty users are required to authenticate using Cisco

LEAP.

• Student access—Lowest level of access; users can access school’s Intranet and the Internet, obtain

class schedules, view grades, make appointments, and perform other student-related activities.

Students are allowed to join the network using static WEP.

In this scenario, a minimum of three VLAN connections are required, one for each level of access.

Because the access point can handle up to 16 SSIDs, you can use the basic design shown in Table 8-1.

Tab l e 8-1 Access Level SSID and VLAN Assignment

Level of Access SSID VLAN ID

Management boss 1

Faculty teach 2

Student learn 3

Managers configure their wireless client adapters to use SSID boss, faculty members configure their

clients to use SSID teach, and students configure their wireless client adapters to use SSID learn. When

these clients associate to the access point, they automatically belong to the correct VLAN.

You would complete these steps to support the VLANs in this example:

1. Configure or confirm the configuration of these VLANs on one of the switches on your LAN.

2. On the access point, assign an SSID to each VLAN.

3. Assign authentication types to each SSID.

4. Configure VLAN 1, the Management VLAN, on both the fastEthernet and dot11radio interfaces on

the access point. You should make this VLAN the native VLAN.

5. Configure VLANs 2 and 3 on both the fastEthernet and dot11radio interfaces on the access point.

6. Configure the client devices.

Contents

Main Page CONTENTS Page Page Page Page Page Preface Audience Purpose Organization Conventions Page Related Publications Obtaining Documentation Cisco.com Product Documentation DVD Ordering Documentation Documentation Feedback Cisco Product Security Overview Reporting Security Problems in Cisco Products Obtaining Technical Assistance Cisco Technical Support & Documentation Website Submitting a Service Request Definitions of Service Request Severity Obtaining Additional Publications and Information Page Overview Wireless Device Management Network Configuration Example Root Unit on a Wired LAN Features Page Page Page Configuring Radio Settings Enabling the Radio Interface Roles in Radio Network Configuring Network or Fallback Role 2-4 Bridge Features Not Supported Sample Bridging Configuration The following is a sample of a Root Bridge Configuration: 2-5 The following is a sample of Non-Root Bridge Configuration: 2-6 Universal Client Mode Configuring Universal Client Mode Page 2-9 Configuring Radio Data Rates Page Configuring Radio Transmit Power Limiting the Power Level for Associated Client Devices Configuring Radio Channel Settings Page Page Page Page DFS Automatically Enabled on Some 5-GHz Radio Channels Confirming that DFS is Enabled Blocking Channels from DFS Selection Enabling and Disabling World Mode Enabling and Disabling Short Radio Preambles Configuring Transmit and Receive Antennas Disabling and Enabling Access Point Extensions Configuring the Ethernet Encapsulation Transformation Method Enabling and Disabling Reliable Multicast to Workgroup Bridges Enabling and Disabling Public Secure Packet Forwarding Configuring Protected Ports Configuring Beacon Period and DTIM Configuring RTS Threshold and Retries Configuring Maximum Data Retries Configuring Fragmentation Threshold Enabling Short Slot Time for 802.11g Radios Performing a Carrier Busy Test Page Configuring Multiple SSIDs Understanding Multiple SSIDs SSID Configuration Methods Supported by Cisco IOS Releases Configuring Multiple SSIDs Creating an SSID Globally Page Viewing SSIDs Configured Globally Using Spaces in SSIDs Using a RADIUS Server to Restrict SSIDs Configuring Multiple Basic SSIDs Requirements for Configuring Multiple BSSIDs Guidelines for Using Multiple BSSIDs CLI Configuration Example Displaying Configured BSSIDs Enabling MBSSID and SSIDL at the same time 3-8 Use the no form of the command to disable SSIDL IEs. Sample Configuration for Enabling MBSSID and SSIDL Below is a sample configuration for enabling MBSSID: Below is a sample configuration for enabling SSIDL: 3-9 Page Configuring an Access Point as a Local Authenticator Understand Local Authentication Configure a Local Authenticator Guidelines for Local Authenticators Configuration Overview Configuring the Local Authenticator Access Point Page Page 4-6 This example shows how to set up EAP-FAST authentication: 4-7 Configuring Other Access Points to Use the Local Authenticator Configuring EAP-FAST Settings Configuring PAC Settings PAC Expiration Times Generating PACs Manually Configuring an Authority ID Configuring Server Keys Possible PAC Failures Caused by Access Point Clock Limiting the Local Authenticator to One Authentication Type Unblocking Locked Usernames Viewing Local Authenticator Statistics Using Debug Messages Configuring Encryption Types Understand Encryption Types Configure Encryption Types Creating WEP Keys WEP Key Restrictions Example WEP Key Setup Creating Cipher Suites Cipher Suites Compatible with WPA Enabling and Disabling Broadcast Key Rotation Security Type in Universal Client Mode Universal client configuration Page 5-11 Page Configuring Authentication Types Understand Authentication Types Open Authentication to Access Point Shared Key Authentication to Access Point EAP Authentication to Network MAC Address Authentication to the Network Combining MAC-Based, EAP, and Open Authentication Using WPA Key Management Page Software and Firmware Requirements for WPA and WPA-TKIP Configure Authentication Types Assigning Authentication Types to an SSID Page Page Configuring WPA Migration Mode Configuring Additional WPA Settings Setting a Pre-Shared Key Configuring Group Key Updates Configuring MAC Authentication Caching Configuring Authentication Holdoffs, Timeouts, and Intervals Matching Access Point and Client Device Authentication Types Page Page Configuring RADIUS Servers Configuring and Enabling RADIUS Understanding RADIUS RADIUS Operation Configuring RADIUS Default RADIUS Configuration Identifying the RADIUS Server Host Page Configuring RADIUS Login Authentication Page Defining AAA Server Groups Page Configuring RADIUS Authorization for User Privileged Access and Network Services Starting RADIUS Accounting Selecting the CSID Format Configuring Settings for All RADIUS Servers Configuring the Access Point to Use Vendor-Specific RADIUS Attributes Configuring the Access Point for Vendor-Proprietary RADIUS Server Communication Configuring WISPr RADIUS Attributes Displaying the RADIUS Configuration RADIUS Attributes Sent by the Access Point Page Page Configuring VLANs Understanding VLANs Related Documents Incorporating Wireless Devices into VLANs Configuring VLANs Configuring a VLAN Page Assigning Names to VLANs Guidelines for Using VLAN Names Creating a VLAN Name Using a RADIUS Server to Assign Users to VLANs Viewing VLANs Configured on the Access Point VLAN Configuration Example 8-10 Table 8-2 shows the commands needed to configure the three VLANs in this example. Tab l e 8-2 Configuration Commands for VLAN Example Configuring VLAN 1 Configuring VLAN 2 Configuring VLAN 3 Tab l e 8-3 Results of Example Configuration Commands Page Page Configuring QoS Understanding QoS for Wireless LANs QoS for Wireless LANs Versus QoS on Wired LANs Impact of QoS on a Wireless LAN Precedence of QoS Settings Using Wi-Fi Multimedia Mode Configuring QoS Configuration Guidelines Adjusting Radio Access Categories Disabling IGMP Snooping Helper Sample Configuration Using the CLI A Channel Settings IEEE 802.11b (2.4-GHz Band) IEEE 802.11g (2.4-GHz Band) IEEE 802.11a (5-GHz Band) Page Page B Protocol Filters Page Page Page Page Page C Supported MIBs MIB List Using FTP to Access the MIB Files D Error and Event Messages How to Read System Messages Message Traceback Reports Association Management Messages 802.11 Subsystem Messages Page Page Page Page Page Page Page Page Local Authenticator Messages GLOSSARY A B C D E F G I M O P Q S T U W Page INDEX Numerics A B C D E F G I J N O P Q S T V W