Deployment Guide
Wireless Virtual LAN Deployment Guide
This deployment guide describes the implementation of wireless virtual LANs (VLANs) over the 802.11 interfaces for Cisco Aironet® 1200, 1100, 350, and 340 Series Access Points and the Cisco Aironet 350 Series Wireless Bridge. Within this document, the concept of wired and wireless VLANs is introduced, detailed feature descriptions of wireless VLANs are presented, and guidelines for deploying wireless VLANs are reviewed.
1 Wired VLAN Introduction
According to the IEEE, VLANs define broadcast domains in a Layer 2 network. Traditional networks use routers to define broadcast domain boundaries. Layer 2 switches create broadcast domains based on the configuration of the switch. Switches are multi-port bridges that allow the creation of multiple broadcast domains. Each broadcast domain is a distinct virtual bridge within a switch.
VLANs have the same attributes as physical LANs, with the additional capability to group end stations logically on the same LAN segment regardless of their physical location. Figure 1 shows an example of three wired VLANs in logically defined networks.
Figure 1 Example Deployment of Wired VLANs

Single or multiple virtual bridges can be defined within a switch. Each virtual bridge created in the switch defines a new broadcast domain (VLAN). Switch interfaces assigned to VLANs manually are referred to as interface-based or static membership-based VLANs. This type of VLAN is often associated with IP sub-networks. For example, when all of the end stations in a particular IP subnet belong to the same VLAN, traffic cannot pass directly to another VLAN (between broadcast domains) within the switch or between two switches. Traffic between VLANs must be routed.
To interconnect two different VLANs, routers or Layer 3 switches are used. These routers or Layer 3 switches execute inter-VLAN routing or routing of traffic between VLANs. Broadcast traffic is then terminated and isolated by these Layer 3 devices (for example, a router or Layer 3 switch will not route broadcast traffic from one VLAN to another).
The two most common VLAN trunking protocols used on Cisco switches and routers are Inter-Switch Link (ISL) and IEEE 802.1Q. ISL, a proprietary Cisco protocol, and 802.1Q are encapsulation standards used to interconnect multiple switches and routers via trunking. For more information on these VLAN trunking protocols, please refer to the following URL: http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:Trunking
2 Wireless VLAN Introduction
2.1 Wireless VLAN Overview
The concept of Layer 2 wired VLANs is extended to the wireless LAN (WLAN) with wireless VLANs. As with wired LANs, wireless VLANs define broadcast domains and segregate broadcast and multicast traffic between VLANs. When VLANs are not used, an IT administrator must install additional wireless LAN infrastructure to segment traffic between user groups or device groups. For example, to segment traffic between employee and guest VLANs, an IT administrator must install two access points at each location throughout an enterprise WLAN network (as shown in Figure 2). With wireless VLANs, however, one access point at each location can provide access to both groups.
Figure 2 User Segmentation Without Wireless VLANs

With VxWorks Firmware Release 12.00T or later and Cisco IOS® Software Release 12.2.4-JA or later, an 802.1Q trunk can be terminated on an access point (Cisco Aironet 1200, 1100, 350, or 340 Series) or on a bridge (Cisco Aironet 350 Series), allowing access to up to 16 wired VLANs. A unique Service Set Identifier (SSID) defines a wireless VLAN on the access point and the bridge. Each SSID is mapped to a VLAN-ID on the wired side with a default SSID-to-VLAN-ID mapping. Additionally, with wireless LANs, a per-VLAN network security policy is defined on the access point and on the bridge by the IT administrator. Sections 3 and 4 discuss this in detail.
2.2 Wireless VLAN Deployment
Wireless VLAN deployment is different for indoor and outdoor environments. For indoor deployments, the access point is generally configured to map several wired VLANs to the wireless LAN. For outdoor environments, 802.1Q trunks are deployed between bridges: each bridge terminates the wired trunk and extends it over the air as an 802.1Q trunk, and participates in the 802.1D-based Spanning-Tree Protocol process.
Figure 3 shows an indoor wireless VLAN deployment scenario. Four wireless VLANs are provisioned across the campus to provide WLAN access to full-time employees (segmented into engineering, marketing, and human resources user groups) and guests.
Figure 3 Indoor Wireless VLANs Deployment

As shown in Table 1, each wireless VLAN is configured with an appropriate network security policy and mapped to a wired VLAN. An IT administrator enforces the appropriate network security policies within the wired network for each different user group.
Table 1 Configuration for Wireless VLANs in Figure 3
| SSID | VLAN-ID | Security Policy |
|---|---|---|
| Engineering | | |
| Marketing | | |
| Human Resources | | |
| Guest | | |
WEP = Wired Equivalent Privacy, TKIP = Temporal Key Integrity Protocol
An outdoor wireless VLAN deployment scenario is shown in Figure 4. In this example, wireless trunking is used to connect the root bridge to the non-root bridges. The root and non-root bridges terminate the 802.1Q trunk and participate in the Spanning-Tree Protocol process of bridging networks together.
Figure 4 Outdoor Wireless VLANs Deployment

3 Wireless VLANs: Detailed Feature Description
This section discusses the wireless VLAN features available with VxWorks Firmware Release 12.00T or later and Cisco IOS Software Release 12.2.4-JA or later. With these releases, an 802.1Q trunk can be enabled between the access point or bridge and the wired infrastructure, allowing up to 16 wired VLANs to be extended to the WLAN.
3.1 Configuration Parameters Per VLAN
As discussed in Section 2, a per-VLAN network security policy can be defined on the access point to allow the IT administrator to define appropriate restrictions per VLAN. The following parameters are configurable per SSID (wireless VLAN):
- SSID name: Configures a unique name per wireless VLAN
- Default VLAN ID: Default VLAN-ID mapping on the wired side
- Authentication types: Open, shared, and network-Extensible Authentication Protocol (EAP) types
- Media Access Control (MAC) authentication: Under open, shared, and network-EAP
- EAP authentication: Under open and shared authentication types
- Maximum number of associations: Ability to limit maximum number of WLAN clients per SSID
The following parameters are configurable on the wired VLAN side:
- Enhanced Message Integrity Check (MIC) verification for WEP: Enables MIC per VLAN. This is a component of the Cisco Wireless Security Suite.
- Temporal Key Integrity Protocol (TKIP): Enables per-packet key hashing per VLAN. This is a component of the Cisco Wireless Security Suite.
- WEP (broadcast) key rotation interval: Enables broadcast WEP key rotation per VLAN. This is only supported for wireless VLANs with IEEE 802.1X EAP protocols enabled (such as EAP Cisco Wireless [LEAP], EAP-Transport Layer Security [EAP-TLS], Protected Extensible Authentication Protocol [PEAP], and EAP-Subscriber Identity Module [EAP-SIM]). This is a component of the Cisco Wireless Security Suite.
- Default policy group: Applies a policy group (set of Layer 2, 3, and 4 filters) per VLAN. Each filter (within a policy group) is configurable to allow or deny certain types of traffic.
- Default priority: Applies a default class of service (CoS) priority per VLAN.
Note: The IT administrator must define a unique encryption key per VLAN. This is discussed in more detail in Section 3.2.
With an encryption key configured, the VLAN supports standardized WEP. However, Cisco TKIP, MIC, and broadcast key rotation features are optionally configurable as noted above. Table 2 lists the SSID and VLAN-ID configuration parameters.
Table 2 SSID and VLAN-ID Configuration Parameters
| Parameter | SSID Parameter | VLAN-ID Parameter |
|---|---|---|
| Authentication types | | |
| Maximum number of associations | | |
| Encryption key (broadcast key) | | |
| TKIP/MIC | | |
| WEP (broadcast) key rotation interval | | |
| Policy group | | |
| Default priority (CoS mapping) | | |
3.2 Broadcast Domain Segmentation
All Layer 2 broadcast and multicast wireless LAN messages are propagated over the air. Thus, each WLAN client receives broadcast and multicast traffic belonging to different VLANs. This is different from wired VLAN broadcast and multicast traffic.
With wired LANs, a wired client receives Layer 2 broadcast or multicast traffic for its own VLAN only. Thus, a unique encryption (broadcast or multicast) key per VLAN is used to segment the Layer 2 broadcast domains on the wireless LAN. This unique encryption key must be configured during initial VLAN setup. If broadcast key rotation is enabled, this encryption key is generated dynamically and delivered to WLAN clients in 802.1X messages.
The requirement to segment broadcast domains on the wireless side restricts the use of unencrypted VLANs per WLAN Extended Service Set (ESS): a maximum of one VLAN can be unencrypted per WLAN ESS. Also, a WLAN client on an encrypted VLAN should discard unencrypted Layer 2 broadcast or multicast traffic.
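The following Python model is an added illustration of the two rules just stated; it is not code from the Cisco guide. It stands in for WEP/TKIP encryption with an HMAC tag (a client can "decrypt", here verify, only frames tagged with a key it holds), uses constructed VLAN numbers, keys and payloads, and reports which pairs of VLANs would end up sharing a broadcast domain over the air when a key is reused or more than one VLAN is left unencrypted.

```python
"""Added illustration, not from the Cisco guide, of why each wireless VLAN
needs its own broadcast key.  An HMAC tag stands in for WEP/TKIP encryption:
a client can only 'decrypt' (here: verify) a broadcast tagged with a key it
holds.  VLAN numbers, keys and payloads are constructed sample values."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Frame:
    vlan_id: int            # wired VLAN the broadcast came from
    payload: bytes
    mic: Optional[bytes]    # None = sent in the clear (unencrypted VLAN)


# Constructed key map: one broadcast key per VLAN; None marks the single
# unencrypted (guest) VLAN the guide allows per ESS.
GOOD_KEYS: Dict[int, Optional[bytes]] = {
    10: b"eng-broadcast-key",
    20: b"mkt-broadcast-key",
    30: None,
}


def protect(keys, vlan_id, payload):
    """Access point side: tag a broadcast with the originating VLAN's key."""
    key = keys[vlan_id]
    if key is None:
        return Frame(vlan_id, payload, None)
    return Frame(vlan_id, payload, hmac.new(key, payload, hashlib.sha256).digest())


def client_accepts(keys, client_vlan, frame):
    """Client side: every client hears every frame on the air; decide whether
    to keep it.  frame.vlan_id is deliberately never consulted: over the air
    only the key distinguishes VLANs."""
    key = keys[client_vlan]
    if key is None:
        # A client on the unencrypted VLAN keeps only clear-text broadcasts.
        return frame.mic is None
    if frame.mic is None:
        # A client on an encrypted VLAN must discard unencrypted broadcasts.
        return False
    expected = hmac.new(key, frame.payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, frame.mic)


def broadcast_domain(keys, vlan_id):
    """VLANs whose clients would accept a broadcast sent from `vlan_id`.
    Properly segmented means exactly {vlan_id}."""
    frame = protect(keys, vlan_id, b"ARP who-has 10.0.0.1")   # constructed payload
    return {v for v in keys if client_accepts(keys, v, frame)}


def leaks(keys):
    """Sorted pairs of VLANs whose Layer 2 broadcast domains merge over the air."""
    merged = set()
    for a in keys:
        for b in broadcast_domain(keys, a) - {a}:
            merged.add(tuple(sorted((a, b))))
    return sorted(merged)
```

With GOOD_KEYS, leaks() returns an empty list. Giving VLANs 10 and 20 the same key, or leaving two VLANs in the clear, returns that pair, which is the concrete reason behind the unique-key-per-VLAN and one-unencrypted-VLAN rules.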
3.3 Native (Default) VLAN Configuration
The access point or the bridge native VLAN (the default VLAN) must be set to the native VLAN of the wired trunk. This allows the access point or bridge to receive and communicate using the Inter-Access Point Protocol (IAPP) with other access points or bridges in the same wireless LAN ESS.
All access points and bridges in an ESS must use the same native VLAN-ID. All Telnet and HTTP management traffic, as well as Remote Authentication Dial-In User Service (RADIUS) server traffic, is routed to the access point via the native VLAN. Cisco recommends that IT managers restrict user access to the default VLAN of the access points and bridges by using Layer 3 access control lists (ACLs) and policies on the wired infrastructure side.
The IT administrator may or may not wish to map the native VLAN of the access point or bridge to an SSID (the WLAN ESS). Scenarios where the native VLAN should be mapped to an SSID include:
1. An associated workgroup bridge is treated as an infrastructure device
2. Connection of a root bridge to a non-root bridge
In the above scenarios, Cisco Systems recommends configuring an "Infrastructure" SSID per access point or bridge.
Figure 5 illustrates the combined deployment of infrastructure devices (such as workgroup bridges, non-root bridges, and repeaters) along with non-infrastructure devices (such as WLAN clients) in an enterprise WLAN. Native VLAN of the access point is mapped to the "Infrastructure" SSID. WEP encryption along with TKIP (at least per-packet key hashing) should be turned on for the "Infrastructure" SSID. Configuration of a secondary SSID as the "Infrastructure" SSID is also recommended. The concepts of primary and secondary SSIDs are explained in the next section.
Figure 5 Combined Deployment of Infrastructure and Non-Infrastructure Devices

3.4 Primary (Guest) and Secondary SSIDs
When enabling multiple wireless VLANs on the access point or bridge, multiple SSIDs are created with each SSID mapping to a default VLAN-ID on the wired side. However, as per 802.11 specifications, only one SSID can be broadcast in the beacons. The IT administrator defines a primary (Guest) SSID that is broadcast in the 802.11 beacon management frames. All other SSIDs are secondary SSIDs and are not broadcast in the 802.11 beacon management frames.
If a client or infrastructure device (such as a workgroup bridge) sends a probe request with a secondary SSID, the access point or bridge will respond with a probe response with that secondary SSID.
An IT administrator can also map the primary SSID to the VLAN-ID on the wired infrastructure in different ways. For example, in an enterprise rollout scenario, the primary SSID could be mapped to the unencrypted VLAN on the wired side to provide "Guest" VLAN access.
3.5 RADIUS-Based VLAN Access Control
As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back-end (such as RADIUS-based) VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This is undesirable if the WLAN user should be confined to a particular VLAN.
There are two different ways to implement RADIUS-based VLAN access control features:
1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
Figure 6 illustrates both RADIUS-based VLAN access control methods: VLAN assignment and SSID access control.
VLAN assignment: Both "Engineering" and "Marketing" VLANs are configured to only allow 802.1X authentication (LEAP, EAP-TLS, PEAP, and so on). As shown in Figure 6, when John uses the "Engineering" SSID to gain access to the wireless LAN, the RADIUS server maps John to VLAN-ID 24. This may or may not be the default VLAN-ID mapping for the "Engineering" SSID. Using this method, a user is mapped to a fixed wired VLAN throughout an enterprise network.
RADIUS-based SSID access control: David uses the "Marketing" SSID to gain access to the wireless LAN. However, the permitted SSID list sent back by the RADIUS server indicates that David is only allowed access to the "Engineering" SSID. Upon receipt of this information, the access point disassociates David from the wireless LAN network. Using this method, a user is given access to only one SSID or to predetermined SSIDs throughout an enterprise network.
Figure 6 RADIUS-Based VLAN Access Control

RADIUS user attributes used for VLAN-ID assignment are:
RADIUS user attribute used for SSID access control is:
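The two mechanisms above can be seen end to end in the following added example, which is not code from the Cisco guide or from Cisco Secure ACS. It builds a RADIUS Access-Accept on the server side and parses it on the access point side, reproducing the John (assigned to VLAN-ID 24) and David (allowed only the "Engineering" SSID) cases from Figure 6. The attribute numbers are the IETF ones from RFC 2865, RFC 2868 and RFC 3580 (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81, Vendor-Specific 26) and the Cisco vendor-specific attribute (vendor 9, type 1, cisco-av-pair); the `ssid=<name>` av-pair form for the allowed-SSID list, the shared secret, the request authenticator and the helper names are assumptions of this example.

```python
"""Added example, not from the Cisco guide: build and parse a RADIUS
Access-Accept carrying VLAN assignment and/or an allowed-SSID list.
Attribute numbers follow RFC 2865/2868/3580 and the Cisco VSA; the
'ssid=<name>' av-pair form, secret and authenticator are assumptions."""
import hashlib
import struct
from typing import List, Optional, Tuple

ACCESS_ACCEPT = 2
ATTR_VSA, ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM, ATTR_TUNNEL_GROUP = 26, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6     # RFC 3580 values
CISCO_VENDOR, CISCO_AV_PAIR = 9, 1
TAG = 0x01                  # RFC 2868 tag byte grouping the three tunnel attributes


def _avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _tagged_int(attr_type: int, value: int) -> bytes:
    # RFC 2868 tagged integer: 1 tag byte + 3-byte big-endian value.
    return _avp(attr_type, bytes([TAG]) + value.to_bytes(3, "big"))


def _cisco_av_pair(text: str) -> bytes:
    body = text.encode()
    vsa = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(body)) + body
    return _avp(ATTR_VSA, struct.pack("!I", CISCO_VENDOR) + vsa)


def build_access_accept(ident: int, request_auth: bytes, secret: bytes,
                        vlan_id: Optional[int] = None,
                        allowed_ssids: Tuple[str, ...] = ()) -> bytes:
    """RADIUS server side: optional VLAN assignment plus allowed-SSID list."""
    attrs = b""
    if vlan_id is not None:
        attrs += _tagged_int(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
        attrs += _tagged_int(ATTR_TUNNEL_MEDIUM, TUNNEL_MEDIUM_802)
        attrs += _avp(ATTR_TUNNEL_GROUP, bytes([TAG]) + str(vlan_id).encode())
    for ssid in allowed_ssids:
        attrs += _cisco_av_pair("ssid=" + ssid)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # RFC 2865 Response Authenticator binds the reply to the request and the secret.
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_access_accept(packet: bytes, request_auth: bytes,
                        secret: bytes) -> Tuple[Optional[int], List[str]]:
    """Access point side: verify the authenticator, return (vlan_id, allowed SSIDs)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        raise ValueError("malformed Access-Accept")
    attrs = packet[20:]
    if hashlib.md5(packet[:4] + request_auth + attrs + secret).digest() != packet[4:20]:
        raise ValueError("bad Response Authenticator: reply is not from our RADIUS server")
    vlan_id, ssids, ttype, medium = None, [], None, None
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[pos + 2:pos + alen]
        pos += alen
        if atype == ATTR_TUNNEL_TYPE:
            ttype = int.from_bytes(value[1:], "big")
        elif atype == ATTR_TUNNEL_MEDIUM:
            medium = int.from_bytes(value[1:], "big")
        elif atype == ATTR_TUNNEL_GROUP:
            if value and value[0] <= 0x1F:     # a leading byte in 0x00-0x1F is a tag
                value = value[1:]
            vlan_id = int(value.decode())
        elif atype == ATTR_VSA and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            text = value[6:4 + vlen].decode(errors="replace")
            if vendor == CISCO_VENDOR and vtype == CISCO_AV_PAIR and text.startswith("ssid="):
                ssids.append(text[5:])
    if vlan_id is not None and (ttype, medium) != (TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802):
        vlan_id = None   # group ID that is not an 802 VLAN: keep the SSID's default mapping
    return vlan_id, ssids


def ap_decision(packet: bytes, request_auth: bytes, secret: bytes,
                used_ssid: str, default_vlan: int) -> Tuple[str, Optional[int]]:
    """After successful 802.1X/MAC auth: ('associate', vlan) or ('disassociate', None)."""
    assigned, allowed = parse_access_accept(packet, request_auth, secret)
    if allowed and used_ssid not in allowed:
        return "disassociate", None          # RADIUS-based SSID access control
    return "associate", assigned if assigned is not None else default_vlan
```

The authenticator check matters for the threat the section describes: without it an Access-Accept that did not come from the configured RADIUS server could assign a client to any VLAN. A VLAN assignment overrides the SSID's default mapping; an allowed-SSID list that does not contain the SSID the client used results in disassociation, exactly the behaviour described for David above.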
4 Guidelines for Deploying Wireless VLANs
In order to properly deploy wireless VLANs, an IT administrator should evaluate the need for deploying wireless VLANs within their environment. Existing wired VLAN deployment rules and policies should be reviewed. Existing wired VLAN policies can be used as the basis for wireless VLAN deployment policies.
This section details selection criteria for wireless VLAN deployment, provides a deployment example, summarizes the rules for wireless VLAN deployment, and provides best practices to use on the wired infrastructure when deploying wireless VLANs.
4.1 Criteria for Wireless VLAN Deployment
While the full criteria for each wireless VLAN deployment is likely to be unique, some standard criteria exist for most rollouts. These include:
1. Common applications used by all wireless LAN users. The IT administrator should define:
2. Common devices used to access the wireless LAN. The IT administrator should define:
- Security mechanisms (Static WEP, MAC authentication, EAP authentication [LEAP, EAP-TLS or PEAP], virtual private network [VPN], and so on) supported by each device type
- Wired network resources (such as servers) commonly accessed by WLAN device groups
- QoS level needed by each device group (default CoS, voice CoS, and so on)
3. Revise the existing wired VLAN deployment design guidelines:
After the wireless VLAN deployment criteria have been defined, the deployment strategy needs to be determined. Two standard deployment strategies are:
1. Segmentation by user groups: Segmentation of the WLAN user community and enforcement of specific access-security policies per user group. For example, three wired and wireless VLANs in an enterprise environment could be created for full-time employee, part-time employee and guest access.
2. Segmentation by device types: Segmentation of the WLAN to allow different devices with different access-security "levels" to access the WLAN. For example, it is not recommended to allow handheld computers that support only 40/128-bit static-WEP to co-exist with other WLAN client devices using 802.1X with dynamic WEP in the same VLAN. In this scenario, devices are grouped and isolated with different "levels" of access security into separate VLANs.
Implementation criteria such as those listed below are then defined:
1. Use of policy group (set of filters) to map wired policies to the wireless side
2. Use of 802.1X to control user access to VLANs using either RADIUS-based VLAN assignment or RADIUS-based SSID access control
3. Use of separate VLANs to implement different CoS
4.2 Wireless VLAN Deployment Example
A wireless VLAN deployment example is outlined below. The IT administrator of company XYZ determines the need for wireless LANs in his network. Using the guidelines described in Section 4.1, his findings are as follows:
1. Three different user groups are commonly present across Company XYZ: full-time employees, contract employees, and guests.
2. Full-time and contract employees use company-supplied PCs to access the wireless network. These PCs are capable of supporting 802.1X authentication methods for accessing the WLAN.
3. Full-time employees need full access to the wired network resources. The IT department has implemented application-level privileges for each user (using Microsoft Windows NT or Active Directory (AD) mechanisms).
4. Part-time employees are not allowed access to certain wired resources (such as human resource servers, data storage servers, and so on). Furthermore, the IT department has implemented application-level privileges for part-time employees (using Microsoft Windows NT or AD mechanisms).
5. Guest users need access to the Internet to launch a VPN tunnel back to their company headquarters.
6. Maintenance personnel (electrical, facilities, and others) use specialized handheld computers that support static 40- or 128-bit encryption to access trouble ticket information via an application server VLAN.
7. Existing wired VLANs deployment:
In the above case, the IT administrator can deploy four wireless VLANs as follows:
1. Create "Full-Time" and "Part-Time" VLANs: Implement 802.1X with dynamic WEP along with TKIP capability for WLAN access. Tie user login on the RADIUS server with the Microsoft back-end user database to enable "single sign-on" for WLAN users.
Implement RADIUS-based SSID access control for both "Full-Time" and "Part-Time" employees to access WLAN. This is recommended to prevent part-time employees from VLAN "hopping" (for example, trying to access the WLAN using "Full-Time" VLAN).
Note: In this deployment scenario, VLANs are localized per building with user group mapping to wired VLAN-IDs different for each building. In order to enable users to access the WLAN from anywhere on campus, SSID access control is recommended rather than fixed VLAN-ID assignments.
2. Create a "Guest" VLAN: Implement open/no WEP access with a broadcast SSID by using the primary SSID for "Guest" VLAN. Enforce policies on the wired network side to force all "Guest" VLAN access to an Internet gateway and deny access into the corporate network.
3. Create a "Maintenance" VLAN: Implement open/with WEP plus MAC authentication for this VLAN. Enforce policies on the wired infrastructure to only allow access to the maintenance server on the application server's VLAN.
Figure 7 illustrates this WLAN deployment scenario. Table 3 lists the configuration details for Figure 7 VLANs.
Figure 7 Wireless VLAN Deployment Example

Table 3 Configuration for VLANs in Figure 7
| SSID | VLAN-ID | Security Policy | RADIUS-Based VLAN Access Control |
|---|---|---|---|
| Full-Time | | | |
| Part-Time | | | |
| Maintenance | | | |
| Guest | | | |
4.3 Summary of Rules for Wireless VLAN Deployment
This section summarizes the VLAN rules and guidelines discussed in this document:
1. 802.1Q VLAN trunking (hybrid mode only) is supported between the switch and the access point or bridge.
2. A maximum of 16 VLANs per ESS are supported with each wireless VLAN represented with a unique SSID name.
3. IT administrator must configure a unique encryption key per VLAN.
4. A maximum of one unencrypted VLAN per ESS is supported.
5. A maximum of one primary/guest SSID per ESS is supported.
6. TKIP, MIC, and broadcast key rotation can be enabled per VLAN.
7. Open, shared-key, MAC, network-EAP (LEAP), and EAP authentication types are supported per SSID.
8. Shared-key authentication is supported only on the SSID mapped to the native VLAN. (This is most likely to be the "Infrastructure" SSID.)
9. One unique policy group (set of Layer 2, 3 and 4 filters) is allowed per VLAN.
10. Each SSID is mapped to a default wired VLAN; this default SSID-to-VLAN-ID mapping can be overridden via RADIUS-based VLAN access-control mechanisms.
11. The ability to assign a CoS mapping per VLAN with eight different levels of priorities is supported.
12. The ability to limit the number of clients per SSID (maximum number of associations) is supported.
13. All access points and bridges in the same ESS must use the same native VLAN-ID to facilitate Inter-Access Point Protocol (IAPP) communication between access points and bridges.
14. All wireless LAN security policies should be mapped to the wired LAN security policies on the switches and routers.
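Most of these rules can be checked mechanically before a configuration is pushed to the access points. The following Python linter is an added example, not from the Cisco guide: it models an ESS as a list of access points with their VLANs and SSIDs (the data classes are assumptions of this example), checks rules 2, 3, 4, 5, 8 and 13 above, the broadcast-key-rotation condition from Section 3.1, the native-VLAN requirement from Section 3.3, and, when the switch trunk's allowed-VLAN list is supplied, the trunk-filtering practice from Section 4.4. Rule labels in the findings refer to those sections.

```python
"""Added configuration check, not part of the Cisco guide: lint one ESS
against the wireless VLAN rules summarized in Section 4.3 (plus the
related conditions in 3.1, 3.3 and 4.4).  Data classes and any sample
configuration are constructed; key strings are placeholders."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

MAX_VLANS_PER_ESS = 16


@dataclass
class Vlan:
    vlan_id: int
    key: Optional[str]             # encryption key; None = unencrypted VLAN
    key_rotation: bool = False     # broadcast WEP key rotation enabled


@dataclass
class Ssid:
    name: str
    vlan_id: int                   # default wired VLAN-ID mapping
    auth: Set[str]                 # subset of {"open","shared","network-eap","eap","mac"}
    primary: bool = False          # the one SSID broadcast in beacons


@dataclass
class AccessPoint:
    name: str
    native_vlan: int
    vlans: List[Vlan]
    ssids: List[Ssid]


def check_ess(aps: List[AccessPoint],
              trunk_allowed: Optional[Set[int]] = None) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for every violated rule; an empty list is clean."""
    findings = []
    if len({ap.native_vlan for ap in aps}) > 1:
        findings.append(("4.3#13", "access points disagree on the native VLAN-ID"))
    for ap in aps:
        vlans = {v.vlan_id: v for v in ap.vlans}
        if len(vlans) > MAX_VLANS_PER_ESS:
            findings.append(("4.3#2", f"{ap.name}: {len(vlans)} VLANs (max {MAX_VLANS_PER_ESS})"))
        names = [s.name for s in ap.ssids]
        if len(set(names)) != len(names):
            findings.append(("4.3#2", f"{ap.name}: SSID names are not unique"))
        keys = [v.key for v in ap.vlans if v.key is not None]
        if len(set(keys)) != len(keys):
            findings.append(("4.3#3", f"{ap.name}: two VLANs share an encryption key"))
        clear = [v.vlan_id for v in ap.vlans if v.key is None]
        if len(clear) > 1:
            findings.append(("4.3#4", f"{ap.name}: more than one unencrypted VLAN {clear}"))
        if sum(s.primary for s in ap.ssids) != 1:
            findings.append(("4.3#5", f"{ap.name}: exactly one primary (guest) SSID required"))
        if ap.native_vlan not in vlans:
            findings.append(("3.3", f"{ap.name}: native VLAN {ap.native_vlan} is not configured"))
        for s in ap.ssids:
            if s.vlan_id not in vlans:
                findings.append(("3.1", f"{ap.name}: SSID {s.name} maps to unknown VLAN {s.vlan_id}"))
            if "shared" in s.auth and s.vlan_id != ap.native_vlan:
                findings.append(("4.3#8", f"{ap.name}: shared-key auth on non-native SSID {s.name}"))
        for v in ap.vlans:
            # Broadcast key rotation needs an 802.1X EAP type on an SSID of that VLAN.
            has_eap = any(s.vlan_id == v.vlan_id and s.auth & {"eap", "network-eap"}
                          for s in ap.ssids)
            if v.key_rotation and not has_eap:
                findings.append(("3.1", f"{ap.name}: key rotation on VLAN {v.vlan_id} without EAP"))
        if trunk_allowed is not None:
            extra, missing = trunk_allowed - set(vlans), set(vlans) - trunk_allowed
            if extra:
                findings.append(("4.4#1", f"{ap.name}: trunk allows inactive VLANs {sorted(extra)}"))
            if missing:
                findings.append(("4.4#1", f"{ap.name}: trunk blocks active VLANs {sorted(missing)}"))
    return findings
```

Run it over the intended configuration of every access point in an ESS together with the allowed-VLAN list from the switch trunk; a clean result means the per-VLAN key, unencrypted-VLAN, primary-SSID, shared-key and native-VLAN rules all hold before any client can associate.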
4.4 Best Practices for the Wired Infrastructure
The following best practices are recommended for the wired infrastructure when 802.1Q trunking is extended to the access points and bridges:
1. Limit broadcast and multicast traffic to the access point and bridge by enabling VLAN filtering and Internet Group Management Protocol (IGMP) snooping on the switch ports. On the 802.1Q trunks to the access point and bridge, filter to allow only active VLANs in the ESS. Enabling IGMP snooping prevents the switch from flooding all switch ports with Layer 3 multicast traffic.
2. Map wireless security policies to the wired infrastructure with ACLs and other mechanisms.
3. The access point does not support VLAN Trunking Protocol (VTP) or GARP VLAN Registration Protocol (GVRP) for dynamic management of VLANs because the access point acts as a "stub" node. The IT administrator must use the wired infrastructure to maintain and manage the wired VLANs.
4. Enforce network security policies via Layer 3 ACLs on the "guest" and management VLANs (recommended).
- The IT administrator could implement ACLs on the wired infrastructure to force all "guest" VLAN traffic to the Internet gateway.
- The IT administrator should restrict user access to the native/default VLAN of the access points and bridges with the use of Layer 3 ACLs and policies on the wired infrastructure.
- Example: Traffic to access points and bridges via the native/default VLAN is only allowed to and from the management VLAN where all the management servers including the RADIUS server reside.
5 Appendix A: VLAN Configuration Example for VxWorks Software Release 12.00T or Later
This section provides configuration examples for VxWorks Software Release 12.00T or later for Cisco Aironet 1200, 350, and 340 Series Access Points and the Cisco Aironet 350 Series Wireless Bridge.
1. Figure 8. Setup page: VLAN and Service Set Identifier (SSID) options.
2. Figure 8. Click on Setup > VLAN: Add the native VLAN of the 802.1Q trunk to the access point.
Figure 8 Main Setup Page

3. Figure 9 and Figure 10. Native VLAN configuration: Enable this VLAN and set a unique encryption key and enable TKIP (recommended).
Figure 9 Main VLAN Set Up Page

Figure 10 Native VLAN Configuration

4. Figure 11. Enable 802.1Q Trunking: Set the Native VLAN ID of the access point and enable 802.1Q tagging.
Figure 11 Enabling 802.1Q Trunking

5. Figure 12. Enable 802.1Q Trunking: Upon successful completion of Steps 2 to 4, 802.1Q Encapsulation Mode is displayed as "Hybrid Trunk."
Figure 12 802.1Q Encapsulation Mode

6. Figure 13. Create a "guest" VLAN with open/no WEP configuration: Do not set an encryption key. Apply a policy group (set of Layer 2, 3, and 4 filters) for this VLAN.
Figure 13 "Guest" VLAN Configuration

7. Figure 14. Create a "guest" VLAN: Set the unencrypted VLAN (guest VLAN created in Step 6) in the main VLAN setup page.
Figure 14 Enabling the Unencrypted VLAN

8. Figure 15. Adding an encrypted VLAN. Set a unique encryption key.
Figure 15 Encrypted VLAN Configuration

9. Figure 16. The list of VLANs is displayed on the main VLAN setup page.
Figure 16 List of VLANs

10. Figure 17. Click on "VLAN Summary Status" link to view the summary table.
Figure 17 VLAN Summary Status Table

11. Figure 18. Click on Setup > Service Sets. (This is the same screen as shown in Step 1 of this Appendix.) SSID lists are configurable per radio. On a Cisco Aironet 1200 Series Access Point with two radios, 802.11b radio SSIDs are referred to as "Internal" SSIDs and 802.11a radio SSIDs are referred to as "Module" SSIDs.
Figure 18 Main Setup Page

12. Figure 19. On the SSID main setup page, select the primary SSID > Click on "Edit."
Figure 19 Access Point Radio Internal Service Sets: Primary SSID

13. Figure 20. Primary SSID setup: Rename the primary SSID to "guest" and map it to "Open/no WEP" VLAN.
Figure 20 Access Point Radio Internal Primary SSID Configuration

14. Figure 21. Create a secondary SSID: Create a SSID called "OPEN_WEP."
Figure 21 Creating a Secondary SSID

15. Figure 22. Create a secondary SSID: Map "OPEN_WEP" SSID to Open/with WEP VLAN and allow "Open" 802.11 authentication.
Figure 22 Secondary SSID "Open_WEP" Configuration

16. Figure 23. Create an SSID for infrastructure devices: Map the native VLAN of the access point to this SSID in order to allow infrastructure devices (such as workgroup bridges and repeaters) to associate to the access point using this SSID.
Figure 23 SSID for Infrastructure Devices

17. Figure 24. Infrastructure SSID configuration: Set the index of the SSID created in Step 16 as the "Infrastructure" SSID. Disallow all infrastructure devices on non-Infrastructure SSIDs (recommended).
Figure 24 Infrastructure SSID Configuration

18. Figure 25. Click on the Service Set Summary Status link to view the SSID summary table.
Figure 25 Internal Service Set Summary Status Table

6 Appendix B: VLAN Configuration Example for Cisco IOS Software Release 12.2.4-JA for Cisco Aironet 1100 Series Access Point
This section provides configuration examples for Cisco IOS Software Release 12.2.4-JA for the Cisco Aironet 1100 Series Access Point.
1. Figure 26. Enabling VLAN trunking: Create a VLAN and map it to an existing SSID. In the example configuration, VLAN-ID 11 is mapped to "guest" SSID.
a. Click on Security > SSID Manager. Rename the existing SSID to "guest."
Figure 26 "Guest" SSID Configuration

b. Figure 27. Click on Services > VLAN. Create VLAN-ID 11 and map to SSID "guest." This enables 802.1Q trunking on the Cisco Aironet 1100 Series Access Point.
Figure 27 Enabling 802.1Q Trunking

2. Figure 28. Create the default VLAN: Click on Services > VLAN. Create the default (native) VLAN-ID for the Cisco Aironet 1100 Series Access Point.
Figure 28 Creating the Default VLAN

3. Figure 29. Set the native VLAN-ID: Click on Services > VLAN. Set the default VLAN-ID (native VLAN-ID) of the Cisco Aironet 1100 Series Access Point. A WARNING message is displayed; click "OK."
Figure 29 Set the Default (Native) VLAN-ID

4. Figure 30. Create other VLANs as needed. The screen capture shows the creation of VLAN-ID 12.
Figure 30 Creation of VLAN-ID 12

5. Figure 31. List display of active VLANs.
Figure 31 List of Active VLANs

6. Figure 32. SSID to VLAN-ID mapping: Click on Security > SSID Manager. Create and map SSIDs to the active VLANs.
Figure 32 Create and Map SSIDs to the Active VLANs

7. Figure 33. Example SSID-to-VLAN-ID mapping: The "EAP-TKIP" SSID is configured to allow LEAP, PEAP, and EAP-TLS authentication. As shown, the "EAP_TKIP" SSID is mapped to VLAN-ID 14.
Figure 33 Example SSID to VLAN ID Mapping

8. Figure 34. Guest (primary) SSID for the Cisco Aironet 1100 Series Access Point: Click on Security > SSID Manager. Set the guest SSID (created in Step 1) under "Global SSID Properties."
Figure 34 Setting the Guest (Primary) SSID

9. Figure 35. Create an Infrastructure SSID and map to native VLAN (if there is a requirement): This is only needed if Infrastructure devices (such as workgroup bridges and repeaters) will associate to the access point.
Figure 35 Creating an Infrastructure SSID with Mapping to Native VLAN

10. Figure 36. Infrastructure SSID: Click on Security > SSID Manager. Set the Infrastructure SSID on the access point.
Figure 36 Setting the Infrastructure SSID

11. Figure 37. Enable VLAN encryption: Click on Security > WEP Key Manager. For VLAN-ID 12 (mapped to "OPEN_WEP" SSID), encryption is enabled and a unique encryption key is set.
Figure 37 Enabling VLAN Encryption for VLAN-ID 12

12. Figure 38. Enable VLAN encryption: Click on Security > WEP Key Manager. For VLAN-ID 10 (native VLAN), WEP encryption is enabled along with per-packet key hashing (as part of Cisco TKIP). A unique encryption key is set for the native (default) VLAN.
Figure 38 Enabling Encryption for VLAN-ID 10 (Default VLAN)

Table 4 shows the Cisco Aironet 1100 Series Access Point CLI configuration for VLANs.
Table 4 Cisco Aironet 1100 Series Access Point CLI Configuration for VLANs
7 Appendix C: Procedure to Configure RADIUS-Based User Access Control on Cisco Secure Access Control Server Software
The procedure to configure RADIUS-based user access control on Cisco Secure ACS Version 2.6 or later is provided below. This procedure provides configuration information for Internet Engineering Task Force (IETF), Cisco IOS Software and Cisco PIX® Firewall options that enable RADIUS-based user access control (using VLAN-ID and/or SSID-list).
1. Select Interface Configuration > Advanced Options; Enable "Per-user TACACS+/RADIUS Attributes" > Click on "Submit."
2. Select Interface Configuration > RADIUS (IETF).
3. Select Network Configuration:
- Confirm that the following option is available on the Cisco Secure ACS: Configuration > RADIUS (Cisco IOS/PIX). If this option is not available, add a device with network access server-type RADIUS (Cisco IOS/PIX). This device is needed to enable Cisco IOS/PIX attributes.
- After adding a Cisco IOS Software or Cisco PIX Firewall device, select Interface Configuration > RADIUS (Cisco IOS/PIX):
- Enable the "[026/009/001] cisco-av-pair" option. Enable this option at both User and Group levels.
- Click on "Submit."
4. Add a User (User Setup > Add/Edit).
8 Appendix D: Example Switch and Router Configuration for Wireless VLAN Deployment
Cisco Catalyst® 3524 XL Switch Configuration:
Router (Cisco 2621 Multiservice Platform) Configuration:
