VLAN Best Practices

We've just upgraded our wireless infrastructure and streamlined our SSIDs from five (5) to three (3) - Corporate, Guest and Voice. In regards to VLANs, should all Corporate devices (Notebooks, Tablets, Smartphones) be included in one (1) VLAN, or should we create three (3) separate VLANs, one per device type? What are the best practices? My concern with having one VLAN with all Corporate devices is the number of devices in the same VLAN and the impact of having Tablets (iPads, Androids) and Smartphones on the same VLAN in terms of network traffic (broadcast, Bonjour, etc...). Any comments or suggestions would be greatly appreciated.


Re: VLAN Best Practices

The answer depends.

Some of it is how many devices you are expecting to have. Some of it is what resource access each device type will have.

IMHO, I would do 802.1x with VLAN assignment. I'd have 'corporate' devices in one VLAN, or base it off of the AD OU the user is in*, and BYOD in another. That way I could ACL off access if I needed to.

*So for example, one SSID for corporate, but if you are Finance you get pushed VLAN 14, IT you get pushed VLAN 16 etc.


HTH, Steve

Please remember to rate useful posts, and mark questions as answered

Re: VLAN Best Practices

Thanks for the quick reply Stephen! This is somewhat how we have our environment set up. We have an 802.1x SSID and, depending on your AD credentials and device type, you're dynamically pushed to a VLAN. What I'm questioning is how many VLANs I should have. We are a Community College and have corporate or college-owned notebooks, tablets and smartphones, and we also have student-owned notebooks, tablets and smartphones. Not sure if I should create 6 VLANs and then apply ACLs based on the VLAN, or if this is overkill. Or have 3 VLANs, one per device type, so that corporate and student notebooks would be in the same VLAN, corporate and student tablets would be in the same VLAN, and finally corporate and student smartphones would be in the same VLAN, and then use dACLs to differentiate access. Or finally, create two VLANs, one for corporate devices and one for student devices, and again use dACLs to differentiate access. Not sure what the pros and cons are for these different scenarios.



VLAN Best Practices

From a user point of view it will be difficult to use different SSIDs depending on device type. I would stick with the minimum SSIDs required (3 in your case). How do you plan to give a different VLAN/SSID based on device type?

If you are concerned about broadcast domain size, you can pool multiple VLANs into an interface group (a concept called VLAN select, WLC 7.x onwards) and map that to a single SSID. In this way your broadcast domain will be limited, but users can associate to the same SSID and go into different VLANs.

In our environment /21 is the max subnet size we use, and we have added 4 of these subnets to the same interface group.
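As an added illustration of the two mechanisms discussed in this thread (not configuration from any poster's environment), the following AireOS WLC CLI fragment pools several dynamic interfaces into one interface group behind a single SSID and enables AAA override so the RADIUS server can still push a per-user VLAN (as in the Finance/IT example above). Interface names, VLAN IDs, addresses and the WLAN ID are assumed; lines beginning with "!" are reader comments, not CLI input.

```text
! Assumed AireOS 7.x+ syntax; all names, VLAN IDs and addresses are constructed.
! 1. One dynamic interface per VLAN, each a /21 (2046 usable hosts) as in the reply above.
config interface create corp-a 110
config interface address dynamic-interface corp-a 10.10.0.2 255.255.248.0 10.10.0.1
config interface dhcp dynamic-interface corp-a primary 10.10.0.10
config interface create corp-b 111
config interface address dynamic-interface corp-b 10.10.8.2 255.255.248.0 10.10.8.1
config interface dhcp dynamic-interface corp-b primary 10.10.0.10
config interface create corp-c 112
config interface address dynamic-interface corp-c 10.10.16.2 255.255.248.0 10.10.16.1
config interface dhcp dynamic-interface corp-c primary 10.10.0.10
config interface create corp-d 113
config interface address dynamic-interface corp-d 10.10.24.2 255.255.248.0 10.10.24.1
config interface dhcp dynamic-interface corp-d primary 10.10.0.10

! 2. Pool the four interfaces into one interface group (VLAN select).
config interface group create corp-pool
config interface group interface add corp-pool corp-a
config interface group interface add corp-pool corp-b
config interface group interface add corp-pool corp-c
config interface group interface add corp-pool corp-d

! 3. Map the Corporate WLAN (assumed WLAN ID 1) to the group: one SSID, clients
!    spread over four broadcast domains instead of one large one.
config wlan disable 1
config wlan interface 1 corp-pool

! 4. Let RADIUS override the VLAN per user/group (Tunnel-Private-Group-ID, e.g. 14 for
!    Finance, 16 for IT). Any VLAN the RADIUS server pushes must also exist as a dynamic
!    interface on the controller, otherwise the client lands on the WLAN's default.
config wlan aaa-override enable 1
config wlan enable 1

! 5. Verify the group membership and the WLAN mapping.
show interface group summary
show wlan 1
```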


