Command Groups
VLAN Commands
The access point can employ VLAN tagging support to control access to network resources and increase security. VLANs separate traffic passing between the access point, associated clients, and the wired network. You can assign a VLAN to each of the access points radio interfaces, a management VLAN for the access point, and a VLAN to up to 64 associated clients.
Each wireless client associated to the access point is assigned to the native VLAN ID (a number between 1 and 4095) for the radio interface. If IEEE 802.1x is being used to authenticate wireless clients, specific VLAN IDs can be configured on the RADIUS server to be assigned to each client. Using IEEE 802.1x and a central RADIUS server, up to 64 VLAN IDs can be mapped to specific wireless clients. The access point allows traffic tagged with assigned VLAN IDs or the native VLAN ID to access clients associated on the radio interface.
When VLAN support is enabled, the access point tags traffic passing to the wired network with the appropriate VLAN ID, either an assigned client VLAN ID, native VLAN ID, or the management VLAN ID. Traffic received from the wired network must also be tagged with one of these known VLAN IDs. Received traffic that has an unknown VLAN ID or no VLAN tag is dropped.
When VLAN support is disabled, the access point does not tag traffic passing to the wired network and ignores the VLAN tags on any received frames.
When setting up VLAN IDs for each user on the RADIUS server, be sure to use the RADIUS attributes and values as indicated in Table A‐18.
Table A-18 VLAN ID RADIUS Attributes
Number | RADIUS Attribute | Value |
|
|
|
64 | VLAN (13) | |
|
|
|
65 | 802 | |
|
|
|
81 | VLANID (1 to 4095 in hexadecimal) | |
|
|
|
Note: The specific configuration of RADIUS server software is beyond the scope of this guide. Refer to the documentation provided with the RADIUS server software.
The VLAN commands supported by the access point are listed in Table A‐19.
Note: When VLANs are enabled, the access point’s Ethernet port drops all received traffic that does not include a VLAN tag. To maintain network connectivity to the access point and wireless clients, be sure that the access point is connected to a device port that supports IEEE 802.1Q VLAN tags.
