Wireless Vlan

Unanswered Question
Feb 6th, 2007

Hello -

I apologize if I am asking a question that has already been asked here, but I was hoping someone could provide me with some further clarification to help with my confusion on the subject.

My company is looking to deploy a company-wide WLAN solution with dynamic vlan assignment done by 802.1x (PEAP) using Radius as the authenticator. We already have a strong dot1x wired infrastructure, but being new to wireless deployment, I am getting hung up on wireless dot1q encapsulation.

Currently, there are about 30 different VLANs that users are placed in depending on their security-group membership in AD. When they want to use wireless as opposed to the wired network, can I associate all 30-something vlans to one 802.11 SSID? I find examples of tagging one SSID with one vlan, but not one SSID with multiple vlans using 802.1q tagging. Is this even possible?

Also, any clue why Aironets can't do VTP? From what it looks like, I have to go in and create all the vlans and bvi ints on each individual AP? We are deploying close to 75 APs to cover the entire company. Thanks for any help!

john.preves Tue, 02/06/2007 - 20:40

1 vlan = 1 SSID.

You may even tag the ssids with whatever 802.1q stuff you want as far as who goes first, but keep in mind that none of this will occur at the AP. The APs do not do QoS, only class of service, and there is no mechanism to sort out the frames in the space between the clients and the AP.

Also Cisco says 16 Vlans per AP - and that is susceptible to traffic on each Vlan. I think I have 6 or 7 going and it frightens me.

I know absolutely nothing about AD but for a wireless situation I would be looking at a new plan of attack.

Something like 1 data vlan - 1 voice vlan (depending on density, preference etc.) and have a list of users authenticate that way.

Hope this helps a little.

ryan.bachman Wed, 02/07/2007 - 10:32

Thanks for the clarification. With that info, let me ask another question. How does dynamic vlan assignment work with wireless, if at all? The need for all the vlans is mostly for security purposes. There is one central MIS department, supporting 6 different companies, and those 6 companies have departments within them that also need to be isolated, hence the high number of vlans in this design.

I wouldn't want to turn on the beacon for all SSIDs, and maybe I would combine some of the Vlans for purposes of wireless, but could I have a Guest SSID associated with my guest vlan (10 in this case), and have the radius server return (again based on AD group association) another vlan? Would this redirect the wireless client to the proper SSID associated with the VLAN that they should be in, or do I have to manually configure the particular user to connect to the appropriate SSID?

I am basically trying to avoid having to image machines with the correct SSID preconfigured in the actual machine. We are using a 3rd party 802.1x supplicant and that would be a huge pain having to preconfigure a dozen different images for each type of machine we give out.

Thanks again for all your help!

a.voiles Wed, 02/07/2007 - 09:58

Each SSID can only support one VLAN. I allowed the individual VLANs on the trunk ports for each AP, but the APs cannot participate in VTP - I assume they don't have a vlan.dat file?

Dmitry Halavin Wed, 02/07/2007 - 10:10

With CUWN, you can do AAA-override, which allows you to place users on the VLAN defined by the AAA server when they connect to the network, instead of the default VLAN configured on the particular SSID.

I am not sure if this is possible with the autonomous APs.
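
The AAA-override reply above depends on the RADIUS server returning a VLAN in its Access-Accept. As an added example (not code from this thread or from any vendor), the Python below encodes and checks the three tunnel attributes RFC 3580 defines for 802.1X VLAN assignment, and falls back to the guest VLAN when group membership is missing or ambiguous. The AD group names, their VLAN IDs and the fallback policy are constructed assumptions; only guest VLAN 10 comes from the thread.

```python
import struct

# RADIUS attribute types (RFC 2868) and the values RFC 3580 uses for VLANs
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN, TMT_IEEE_802 = 13, 6

GUEST_VLAN = 10  # guest VLAN number mentioned in the thread
# Constructed mapping: AD security group -> VLAN ID (names and IDs are hypothetical)
GROUP_TO_VLAN = {"CompanyA-Finance": 110, "CompanyA-Engineering": 120, "MIS-Admins": 200}

def vlan_for_groups(groups):
    """Pick a user's VLAN; fail closed to guest unless exactly one VLAN matches."""
    matches = {GROUP_TO_VLAN[g] for g in groups if g in GROUP_TO_VLAN}
    return matches.pop() if len(matches) == 1 else GUEST_VLAN

def vlan_attributes(vlan_id, tag=0):
    """Encode the three Access-Accept attributes that carry a VLAN assignment."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    def tagged_int(attr, value):
        # Layout: Type, Length=6, Tag, 3-byte value
        return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")
    vid = str(vlan_id).encode("ascii")
    group = struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(vid), tag) + vid
    return tagged_int(TUNNEL_TYPE, TT_VLAN) + tagged_int(TUNNEL_MEDIUM_TYPE, TMT_IEEE_802) + group

def parse_vlan(attrs):
    """Return the VLAN ID from encoded attributes, or None if incomplete or malformed."""
    seen, i = {}, 0
    while i + 2 <= len(attrs):
        attr, length = attrs[i], attrs[i + 1]
        if length < 3 or i + length > len(attrs):
            return None  # malformed attribute
        body = attrs[i + 2:i + length]
        # RFC 2868: in the group ID, a first byte above 0x1F is string data, not a tag
        untagged = attr == TUNNEL_PRIVATE_GROUP_ID and body[0] > 0x1F
        seen[attr] = body if untagged else body[1:]
        i += length
    if (int.from_bytes(seen.get(TUNNEL_TYPE, b""), "big") != TT_VLAN
            or int.from_bytes(seen.get(TUNNEL_MEDIUM_TYPE, b""), "big") != TMT_IEEE_802):
        return None  # a VLAN ID without the matching type attributes is not an assignment
    vid = seen.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    return int(vid) if vid.isdigit() else None
```

With this pattern the client joins a single SSID and the VLAN is chosen per user at authentication time, so no per-VLAN SSID has to be preconfigured on the machine.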
