Configuring and Managing Ports and VLANs

Understanding VLANs in Nortel WSS Software

A virtual LAN (VLAN) is a Layer 2 broadcast domain that can span multiple wired or wireless LAN segments. Each VLAN is a separate logical network and, if you configure IP interfaces on the VLANs, WSS Software treats each VLAN as a separate IP subnet.

Only network ports can be preconfigured to be members of one or more VLANs. You configure VLANs on a WSS’s network ports by configuring them on the switch itself. You configure a VLAN by assigning a name and network ports to the VLAN. Optionally, you can assign VLAN tag values on individual network ports. You can configure multiple VLANs on a WSS’s network ports. Optionally, each VLAN can have an IP address.

VLANs are not configured on AP access ports or wired authentication ports, because the VLAN membership of these types of ports is determined dynamically through the authentication and authorization process. Users who require authentication connect through WSS switch ports that are configured for AP access ports or wired authentication access. Users are assigned to VLANs automatically through authentication and authorization mechanisms such as 802.1X.

By default, none of a WSS switch’s ports are in VLANs. A switch cannot forward traffic on the network until you configure VLANs and add network ports to those VLANs.

Note. A wireless client cannot join a VLAN if the physical network ports on the WSS switch in the VLAN are down. However, a wireless client that is already in a VLAN whose physical network ports go down remains in the VLAN even though the VLAN is down.

VLANs, IP Subnets, and IP Addressing

Generally, VLANs are equivalent to IP subnets. If a WSS is connected to the network by only one IP subnet, the switch must have at least one VLAN configured. Optionally, each VLAN can have its own IP address. However, no two IP addresses on the switch can belong to the same IP subnet.

You must assign the system IP address to one of the VLANs, for communications between WSSs and for unsolicited communications such as SNMP traps and RADIUS accounting messages. Any IP address configured on a WSS can be used for management access unless explicitly restricted. (For more information about the system IP address, see “Configuring and Managing IP Interfaces and Services,” on page 107.)
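The addressing rules above can be checked against a planned VLAN layout before it is applied. The following is an added example, not part of the Nortel guide or of WSS Software; the VLAN names, the addresses, and the function names check_vlan_plan and management_surface are assumptions made for illustration.

```python
import ipaddress

# Constructed sample plan (hypothetical VLAN names and addresses).
SAMPLE_PLAN = {
    "default": "10.10.10.2/24",
    "red": "10.10.20.2/24",
    "blue": "10.10.20.130/25",  # sits inside red's /24, so it breaks the rule
    "guest": None,              # a VLAN without an IP address is allowed
}


def check_vlan_plan(plan, system_ip):
    """Return findings for a {vlan_name: 'addr/prefix' or None} plan."""
    findings = []
    if not plan:
        findings.append("no VLAN configured: the switch cannot forward traffic")
    ifaces = {name: ipaddress.ip_interface(cidr)
              for name, cidr in plan.items() if cidr}
    names = sorted(ifaces)
    # Rule: no two IP addresses on the switch can belong to the same subnet.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                findings.append(f"overlap: {a} {ifaces[a]} and {b} {ifaces[b]}")
    # Rule: the system IP address must be assigned to one of the VLANs.
    sys_addr = ipaddress.ip_address(system_ip)
    if not any(ifaces[n].ip == sys_addr for n in names):
        findings.append(f"system IP {system_ip} is not assigned to any VLAN")
    return findings


def management_surface(plan):
    """List every configured address; each one accepts management access
    unless it is explicitly restricted, so each needs review."""
    return sorted(str(ipaddress.ip_interface(c).ip)
                  for c in plan.values() if c)


if __name__ == "__main__":
    for finding in check_vlan_plan(SAMPLE_PLAN, "10.10.10.2"):
        print("FINDING:", finding)
    print("Addresses reachable for management:", management_surface(SAMPLE_PLAN))
```

The second function matters for hardening: a VLAN that carries user traffic and also has an IP address is a management entry point unless access to it is restricted.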

Users and VLANs

When a user successfully authenticates to the network, the user is assigned to a specific VLAN. A user remains associated with the same VLAN throughout the user’s session on the network, even when roaming from one WSS to another within the Mobility Domain.

You assign a user to a VLAN by setting one of the following attributes on the RADIUS servers or in the local user database:

Tunnel-Private-Group-ID—This attribute is described in RFC 2868, RADIUS Attributes for Tunnel Protocol Support.

Nortel WLAN Security Switch 2300 Series Configuration Guide
