This deployment guide describes the implementation of wireless virtual LANs (VLANs) over the 802.11 interfaces for Cisco Aironet® 1200, 1100, 350, and 340 Series Access Points and the Cisco Aironet 350 Series Wireless Bridge. Within this document, the concept of wired and wireless VLANs is introduced, detailed feature descriptions of wireless VLANs are presented, and guidelines for deploying wireless VLANs are reviewed.
According to the IEEE, VLANs define broadcast domains in a Layer 2 network. Traditional networks use routers to define broadcast domain boundaries. Layer 2 switches create broadcast domains based on the configuration of the switch. Switches are multi-port bridges that allow the creation of multiple broadcast domains. Each broadcast domain is a distinct virtual bridge within a switch.
VLANs have the same attributes as physical LANs with the additional capability to group end stations physically to the same LAN segment regardless of the end stations' geographical location. Figure 1 shows an example of three wired VLANs in logically defined networks.
Figure 1 Example Deployment of Wired VLANs
Single or multiple virtual bridges can be defined within a switch. Each virtual bridge created in the switch defines a new broadcast domain (VLAN). Switch interfaces assigned to VLANs manually are referred to as interface-based or static membership-based VLANs. This type of VLAN is often associated with IP sub-networks. For example, when all of the end stations in a particular IP subnet belong to the same VLAN, traffic cannot pass directly to another VLAN (between broadcast domains) within the switch or between two switches. Traffic between VLANs must be routed.
To interconnect two different VLANs, routers or Layer 3 switches are used. These routers or Layer 3 switches execute inter-VLAN routing or routing of traffic between VLANs. Broadcast traffic is then terminated and isolated by these Layer 3 devices (for example, a router or Layer 3 switch will not route broadcast traffic from one VLAN to another).
The two most common VLAN trunking protocols used on Cisco switches and routers are Inter-Switch Link (ISL) and IEEE 802.1Q. ISL, a proprietary Cisco protocol, and 802.1Q are encapsulation standards used to interconnect multiple switches and routers via trunking. For more information on these VLAN trunking protocols, please refer to the following URL: http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:Trunking
The concept of Layer 2 wired VLANs is extended to the wireless LAN (WLAN) with wireless VLANs. As with wired LANs, wireless VLANs define broadcast domains and segregate broadcast and multicast traffic between VLANs. When VLANs are not used, an IT administrator must install additional wireless LAN infrastructure to segment traffic between user groups or device groups. For example, to segment traffic between employee and guest VLANs, an IT administrator must install two access points at each location throughout an enterprise WLAN network (as shown in Figure 2). However, with the use of wireless VLANs, one access point at each location can be used to provide access to both groups.
Figure 2 User Segmentation Without Wireless VLANs
With VxWorks Firmware Release 12.00T or later and Cisco IOS® Software Release 12.2.4-JA or later, an 802.1Q trunk can be terminated on an access point (Cisco Aironet 1200, 1100, 350, or 340 Series) or on a bridge (Cisco Aironet 350 Series), allowing access up to 16 wired VLANs. A unique Service Set Identifier (SSID) defines a wireless VLAN on the access point and the bridge. Each SSID is mapped to a VLAN-ID on the wired side with a default SSID to VLAN-ID mapping. Additionally, with wireless LANs, a per-VLAN network security policy is defined on the access point and on the bridge by the IT administrator. Sections 3 and 4 discuss this in detail.
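The following is an added example, not code from the guide or from Cisco, showing what terminating an 802.1Q trunk on the access point means at the frame level: each frame arriving from the switch is either untagged (native VLAN) or carries a 4-byte 802.1Q tag whose VID selects the wired VLAN, which the access point then maps to an SSID. The SSID-to-VLAN table, MAC addresses and payloads are constructed for the example; the drop-unknown-VID behaviour is the per-trunk VLAN filtering recommended later in the guide, applied here on the access point side as an assumption of the example.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag

# Constructed example of an access point's SSID-to-VLAN table (the kind of
# mapping Table 1 describes). The numbers are illustrative, not a real device's.
NATIVE_VLAN = 10
SSID_BY_VLAN = {
    10: "Infrastructure",  # native VLAN of the trunk, carried untagged
    11: "Guest",
    12: "Engineering",
    13: "Marketing",
}


def parse_trunk_frame(frame: bytes) -> dict:
    """Parse one Ethernet frame received from the 802.1Q trunk.

    A tagged frame carries, after the source MAC, the TPID 0x8100 and a
    16-bit TCI: 3-bit PCP (802.1p priority), 1-bit DEI, 12-bit VID.
    An untagged frame, or a priority-tagged frame with VID 0, belongs to
    the native VLAN of the trunk.
    """
    if len(frame) < 14:
        raise ValueError("runt frame: no Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "tagged": False,
            "pcp": 0, "dei": 0, "vid": NATIVE_VLAN}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF
        info.update(tagged=True, pcp=tci >> 13, dei=(tci >> 12) & 1,
                    vid=vid if vid != 0 else NATIVE_VLAN,
                    ethertype=inner_type, payload=frame[18:])
    else:
        info.update(ethertype=ethertype, payload=frame[14:])
    return info


def classify(frame: bytes) -> dict:
    """Map the frame to an SSID; drop it if its VLAN is not active on this AP.

    Dropping unknown VIDs mirrors the 'allow only active VLANs' trunk filtering
    the deployment rules recommend (applied here on the access point side).
    """
    info = parse_trunk_frame(frame)
    info["ssid"] = SSID_BY_VLAN.get(info["vid"])
    info["action"] = "forward" if info["ssid"] else "drop"
    return info


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an optionally tagged frame; used only to construct the samples."""
    header = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        header += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        header += struct.pack("!H", ethertype)
    return header + payload


# Constructed sample frames (MAC addresses and payloads are made up).
BROADCAST = b"\xff" * 6
SWITCH_MAC = bytes.fromhex("000000aa0001")
SAMPLE_FRAMES = {
    "engineering_arp": build_frame(BROADCAST, SWITCH_MAC, 0x0806, b"\x00" * 28, vid=12, pcp=5),
    "native_untagged": build_frame(BROADCAST, SWITCH_MAC, 0x0800, b"\x00" * 20),
    "priority_tagged": build_frame(BROADCAST, SWITCH_MAC, 0x0800, b"\x00" * 20, vid=0, pcp=6),
    "inactive_vlan":   build_frame(BROADCAST, SWITCH_MAC, 0x0800, b"\x00" * 20, vid=99),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        r = classify(frame)
        print(f"{name:16} vid={r['vid']:<3} pcp={r['pcp']} ssid={r['ssid']} -> {r['action']}")
```

The PCP field is what the per-VLAN "default priority" (CoS) parameter in Section 3 overrides when a client's traffic is sent back onto the trunk; the parser only reads it here.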
Wireless VLAN deployment is different for indoor and outdoor environments. For indoor deployments, the access point is generally configured to map several wired VLANs to the wireless LAN. For outdoor environments, 802.1Q trunks are deployed between bridges with each bridge terminating and extending as an 802.1Q trunk, participating in the 802.1d-based Spanning-Tree Protocol process.
Figure 3 shows an indoor wireless VLAN deployment scenario. Four wireless VLANs are provisioned across the campus to provide WLAN access to full-time employees (segmented into engineering, marketing, and human resources user groups) and guests.
Figure 3 Indoor Wireless VL
As shown in Table 1, each wireless VLAN is configured with an appropriate network security policy and mapped to a wired VLAN. An IT administrator enforces the appropriate network security policies within the wired network for each different user group.
Table 1 Configuration for Wireless VLANs in Figure 3
An outdoor wireless VLAN deployment scenario is shown in Figure 4. In this example, wireless trunking is used to connect the root bridge to the non-root bridges. The root and non-root bridges terminate the 802.1Q trunk and participate in the Spanning-Tree Protocol process of bridging networks together.
Figure 4 Outdoor Wireless VLANs Deployment
This section discusses the wireless VLAN features available with VxWorks Firmware Release 12.00T or later and Cisco IOS Software Release 12.2.4-JA or later. With these releases, an 802.1Q trunk can be enabled between the access point or bridge and the wired infrastructure, allowing up to 16 wired VLANs to be extended to the WLAN.
As discussed in Section 2.0, a per-VLAN network security policy can be defined on the access point to allow the IT administrator to define appropriate restrictions per VLAN. The following parameters are configurable on the SSID wireless VLAN:
- SSID name: Configures a unique name per wireless VLAN
- Default VLAN ID: Default VLAN-ID mapping on the wired side
- Authentication types: Open, shared, and network-Extensible Authentication Protocol (EAP) types
- Media Access Control (MAC) authentication: Under open, shared, and network-EAP
- EAP authentication: Under open and shared authentication types
- Maximum number of associations: Ability to limit maximum number of WLAN clients per SSID
Note: The IT administrator must define a unique encryption key per VLAN. This is discussed more in detail in Section 3.2.
- Enhanced Message Integrity Check (MIC) verification for WEP: Enables MIC per VLAN. This is a component of the Cisco Wireless Security Suite.
- Temporal Key Integrity Protocol (TKIP): Enables per-packet key hashing per VLAN. This is a component of the Cisco Wireless Security Suite.
- WEP (broadcast) key rotation interval: Enables broadcast WEP key rotation per VLAN. This is only supported for wireless VLANs with IEEE 802.1X EAP protocols enabled (such as EAP Cisco Wireless [LEAP], EAP-Transport Layer Security [EAP-TLS], Protected Extensible Authentication Protocol [PEAP], and EAP-Subscriber Identity Module [EAP-SIM]). This is a component of the Cisco Wireless Security Suite.
- Default policy group: Applies policy group (set of Layer 2, 3, and 4 filters) per VLAN. Each filter (within a policy group) is configurable to allow or deny certain types of traffic.
- Default priority: Applies default class of service (CoS) priority per VLAN.
With an encryption key configured, the VLAN supports standardized WEP. However, Cisco TKIP, MIC, and broadcast key rotation features are optionally configurable as noted above. Table 2 lists the SSID and VLAN-ID configuration parameters.
Table 2 SSID and VLAN-ID Configuration Parameters
|SSID Parameter|VLAN-ID Parameter|
|Maximum number of associations|Encryption key (broadcast key)|
||WEP (broadcast) key rotation interval|
||Default priority (CoS mapping)|
All Layer 2 broadcast and multicast wireless LAN messages are propagated over the air. Thus, each WLAN client receives broadcast and multicast traffic belonging to different VLANs. This is different from wired VLAN broadcast and multicast traffic.
With wired LANs, a wired client receives Layer 2 broadcast or multicast traffic for its own VLAN only. Thus, a unique encryption (broadcast or multicast) key per VLAN is used to segment the Layer 2 broadcast domains on the wireless LAN. This unique encryption key must be configured during initial VLAN setup. If broadcast key rotation is enabled, this encryption key is generated dynamically and delivered to WLAN clients in 802.1X messages.
The requirement to segment broadcast domains on the wireless side restricts the use of unencrypted VLANs per WLAN Extended Service Set (ESS): at most one VLAN per WLAN ESS can be unencrypted. Also, a WLAN client on an encrypted VLAN should discard unencrypted Layer 2 broadcast or multicast traffic.
The access point or the bridge native VLAN (the default VLAN) must be set to the native VLAN of the wired trunk. This allows the access point or bridge to receive and communicate using the Inter-Access Point Protocol (IAPP) with other access points or bridges in the same wireless LAN ESS.
All access points and bridges in an ESS must use the same native VLAN-ID. All Telnet and HTTP management traffic, as well as Remote Authentication Dial-In User Service (RADIUS) server traffic, is routed to the access point via the native VLAN. Cisco recommends that IT managers restrict user access to the default VLAN of the access points and bridges by using Layer 3 access control lists (ACLs) and policies on the wired infrastructure side.
Figure 5 illustrates the combined deployment of infrastructure devices (such as workgroup bridges, non-root bridges, and repeaters) along with non-infrastructure devices (such as WLAN clients) in an enterprise WLAN. Native VLAN of the access point is mapped to the "Infrastructure" SSID. WEP encryption along with TKIP (at least per-packet key hashing) should be turned on for the "Infrastructure" SSID. Configuration of a secondary SSID as the "Infrastructure" SSID is also recommended. The concepts of primary and secondary SSIDs are explained in the next section.
Figure 5 Combined Deployment of Infrastructure and Non-Infrastructure Devices
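The rules stated across Sections 3.2 and 3.3 (a unique broadcast key per VLAN, at most one unencrypted VLAN per ESS, key rotation only on 802.1X EAP SSIDs, one native VLAN-ID across the ESS, and an encrypted, TKIP-enabled infrastructure SSID on the native VLAN) lend themselves to a pre-deployment check. The checker below is an added example written for this page, not a Cisco tool; the data model, the sample ESS and the placeholder key strings are constructed, and it treats a configuration as a plain Python object rather than reading a device.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# 802.1X EAP types the guide names as a precondition for broadcast key rotation.
EAP_TYPES = {"LEAP", "EAP-TLS", "PEAP", "EAP-SIM"}


@dataclass
class WirelessVlan:
    ssid: str
    vlan_id: int
    eap_types: Set[str] = field(default_factory=set)  # empty = no 802.1X on this SSID
    broadcast_key: Optional[str] = None  # per-VLAN WEP broadcast key; None = unencrypted VLAN
    key_rotation_s: int = 0              # broadcast key rotation interval; 0 = disabled
    tkip: bool = False                   # per-packet key hashing enabled
    infrastructure: bool = False         # SSID used by repeaters and workgroup bridges


@dataclass
class AccessPoint:
    name: str
    native_vlan: int
    vlans: List[WirelessVlan]


def check_access_point(ap: AccessPoint) -> List[str]:
    """Apply the per-device rules and return a list of violations (empty = compliant)."""
    problems = []
    unencrypted = [v.ssid for v in ap.vlans if v.broadcast_key is None]
    if len(unencrypted) > 1:
        problems.append(f"{ap.name}: more than one unencrypted VLAN {unencrypted}; "
                        "only one unencrypted VLAN is allowed per ESS")
    seen_keys = {}
    for v in ap.vlans:
        if v.broadcast_key is not None:
            if v.broadcast_key in seen_keys:
                problems.append(f"{ap.name}: VLAN {v.vlan_id} ({v.ssid}) shares its broadcast key "
                                f"with VLAN {seen_keys[v.broadcast_key]}; keys must be unique per VLAN")
            else:
                seen_keys[v.broadcast_key] = v.vlan_id
        if v.key_rotation_s and not (v.eap_types & EAP_TYPES):
            problems.append(f"{ap.name}: VLAN {v.vlan_id} ({v.ssid}) has key rotation enabled "
                            "but no 802.1X EAP type; rotation requires 802.1X")
        if v.infrastructure:
            if v.vlan_id != ap.native_vlan:
                problems.append(f"{ap.name}: infrastructure SSID {v.ssid} is on VLAN {v.vlan_id}, "
                                f"not the native VLAN {ap.native_vlan}")
            if v.broadcast_key is None or not v.tkip:
                problems.append(f"{ap.name}: infrastructure SSID {v.ssid} should use WEP with TKIP")
    return problems


def check_ess(aps: List[AccessPoint]) -> List[str]:
    """Check the ESS-wide rule (one native VLAN-ID everywhere), then every device."""
    problems = []
    natives = sorted({ap.native_vlan for ap in aps})
    if len(natives) > 1:
        problems.append(f"native VLAN-ID differs across the ESS: {natives}; "
                        "all access points and bridges must share one")
    for ap in aps:
        problems.extend(check_access_point(ap))
    return problems


# Constructed sample ESS: one compliant access point and one with mistakes.
# The key strings are placeholders, not real key material.
KEY_A, KEY_B = "0102030405060708090a0b0c0d", "ffeeddccbbaa99887766554433"
SAMPLE_ESS = [
    AccessPoint("ap-building-1", 10, [
        WirelessVlan("Infrastructure", 10, {"LEAP"}, KEY_A, 300, tkip=True, infrastructure=True),
        WirelessVlan("Guest", 11),
        WirelessVlan("Engineering", 12, {"LEAP", "PEAP"}, KEY_B, 600, tkip=True),
    ]),
    AccessPoint("ap-building-2", 20, [
        WirelessVlan("Guest", 11),
        WirelessVlan("Visitor", 14),                          # second unencrypted VLAN
        WirelessVlan("Engineering", 12, {"LEAP"}, KEY_B, 600, tkip=True),
        WirelessVlan("Maintenance", 15, set(), KEY_B, 300),   # reused key, rotation without EAP
    ]),
]

if __name__ == "__main__":
    for p in check_ess(SAMPLE_ESS):
        print("-", p)
```

Running it against the sample prints four findings for the second access point and the ESS (mismatched native VLAN, two unencrypted VLANs, a reused broadcast key, and key rotation on a MAC-only SSID) and none for the first.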
When enabling multiple wireless VLANs on the access point or bridge, multiple SSIDs are created with each SSID mapping to a default VLAN-ID on the wired side. However, as per 802.11 specifications, only one SSID can be broadcast in the beacons. The IT administrator defines a primary (Guest) SSID that is broadcast in the 802.11 beacon management frames. All other SSIDs are secondary SSIDs and are not broadcast in the 802.11 beacon management frames.
An IT administrator can also map the primary SSID to the VLAN-ID on the wired infrastructure in different ways. For example, in an enterprise rollout scenario, the primary SSID could be mapped to the unencrypted VLAN on the wired side to provide "Guest" VLAN access.
As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back-end (such as RADIUS) VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN. Two RADIUS-based mechanisms address this:
1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
RADIUS-based VLAN assignment: Both "Engineering" and "Marketing" VLANs are configured to only allow 802.1X authentication (LEAP, EAP-TLS, PEAP, and so on). As shown in Figure 6, when John uses the "Engineering" SSID to gain access to the wireless LAN, the RADIUS server maps John to VLAN-ID 24. This may or may not be the default VLAN-ID mapping for the "Engineering" SSID. Using this method, a user is mapped to a fixed wired VLAN throughout an enterprise network.
RADIUS-based SSID access control: David uses the "Marketing" SSID to gain access to the wireless LAN. However, the permitted SSID list sent back by the RADIUS server indicates that David is only allowed access to the "Engineering" SSID. Upon receipt of this information, the access point disassociates David from the wireless LAN network. Using this method, a user is given access to only one SSID or to predetermined SSIDs throughout an enterprise network.
Figure 6 RADIUS-Based VLAN Access Control
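To make the two mechanisms concrete, here is an added example (not Cisco code) that reproduces the access point's decision after a successful 802.1X or MAC authentication, using the John and David cases above. It assumes the attribute encodings the guide's Appendix C refers to: the allowed SSID list arrives as cisco-av-pair entries of the form ssid=<name>, and the VLAN assignment arrives as the IETF tunnel attributes Tunnel-Type (VLAN), Tunnel-Medium-Type (IEEE 802) and Tunnel-Private-Group-ID (the VLAN-ID). The SSID table and the set of active VLANs are constructed; refusing an assigned VLAN that is not active on the trunk is this example's own choice, which the guide does not specify.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# RFC 2868 tunnel attributes used for VLAN assignment (the IETF options in Appendix C).
TUNNEL_TYPE_VLAN = 13     # Tunnel-Type (64) = VLAN
TUNNEL_MEDIUM_802 = 6     # Tunnel-Medium-Type (65) = IEEE 802
# Tunnel-Private-Group-ID (81) carries the VLAN-ID as a string.
# The Cisco vendor attribute cisco-av-pair (26/9/1) carries "ssid=<name>" entries,
# one per SSID the user is permitted to use.


@dataclass
class AccessAccept:
    """Subset of a RADIUS Access-Accept relevant to wireless VLAN control."""
    av_pairs: List[str] = field(default_factory=list)
    tunnel_type: Optional[int] = None
    tunnel_medium: Optional[int] = None
    tunnel_private_group_id: Optional[str] = None


@dataclass
class Decision:
    associate: bool
    vlan_id: Optional[int]
    reason: str


def apply_radius_policy(ssid_used: str, default_vlan_by_ssid: Dict[str, int],
                        active_vlans: Set[int], accept: AccessAccept) -> Decision:
    """Reproduce the access point's two checks after a successful authentication.

    1. SSID access control: if the accept carries an allowed-SSID list and the
       SSID the client associated with is not on it, the client is disassociated.
    2. VLAN assignment: a well-formed tunnel attribute set overrides the SSID's
       default VLAN-ID. Example-specific assumption: an assigned VLAN that is
       not active on the trunk is refused rather than falling back silently.
    """
    allowed = [p.split("=", 1)[1] for p in accept.av_pairs if p.startswith("ssid=")]
    if allowed and ssid_used not in allowed:
        return Decision(False, None,
                        f"SSID {ssid_used!r} not in permitted list {allowed}; disassociate")

    vlan = default_vlan_by_ssid[ssid_used]
    reason = f"default VLAN-ID for SSID {ssid_used!r}"
    if accept.tunnel_private_group_id is not None:
        well_formed = ((accept.tunnel_type, accept.tunnel_medium)
                       == (TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802)
                       and accept.tunnel_private_group_id.isdigit())
        if not well_formed:
            return Decision(False, None, "malformed VLAN assignment attributes; refuse")
        assigned = int(accept.tunnel_private_group_id)
        if assigned not in active_vlans:
            return Decision(False, None,
                            f"RADIUS assigned VLAN {assigned}, not active on this trunk; refuse")
        vlan, reason = assigned, f"RADIUS-assigned VLAN {assigned} overrides the SSID default"
    return Decision(True, vlan, reason)


# Constructed access point state; the VLAN-IDs are illustrative except 24,
# which is the value the guide uses for John.
DEFAULT_VLAN_BY_SSID = {"Engineering": 12, "Marketing": 13, "Guest": 11}
ACTIVE_VLANS = {10, 11, 12, 13, 24}

# Constructed Access-Accepts for the two users in the Figure 6 walkthrough.
JOHN_ACCEPT = AccessAccept(tunnel_type=TUNNEL_TYPE_VLAN, tunnel_medium=TUNNEL_MEDIUM_802,
                           tunnel_private_group_id="24")
DAVID_ACCEPT = AccessAccept(av_pairs=["ssid=Engineering"])

if __name__ == "__main__":
    for user, ssid, acc in (("John", "Engineering", JOHN_ACCEPT),
                            ("David", "Marketing", DAVID_ACCEPT)):
        d = apply_radius_policy(ssid, DEFAULT_VLAN_BY_SSID, ACTIVE_VLANS, acc)
        print(f"{user} on {ssid!r}: associate={d.associate} vlan={d.vlan_id} ({d.reason})")
```

Note the asymmetry the guide points out: with VLAN assignment, John lands on VLAN 24 whatever SSID he used, while with SSID access control David is disassociated because "Marketing" is not on his permitted list; had David associated to "Engineering", he would be placed on that SSID's default VLAN.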
In order to properly deploy wireless VLANs, an IT administrator should evaluate the need for deploying wireless VLANs within their environment. Existing wired VLAN deployment rules and policies should be reviewed. Existing wired VLAN policies can be used as the basis for wireless VLAN deployment policies.
This section details selection criteria for wireless VLAN deployment, provides a deployment example, summarizes the rules for wireless VLAN deployment, and provides best practices to use on the wired infrastructure when deploying wireless VLANs.
- Security mechanisms (Static WEP, MAC authentication, EAP authentication [LEAP, EAP-TLS or PEAP], virtual private network [VPN], and so on) supported by each device type
- Wired network resources (such as servers) commonly accessed by WLAN device groups
- QoS level needed by each device group (default CoS, voice CoS, and so on)
1. Segmentation by user groups: Segmentation of the WLAN user community and enforcement of specific access-security policies per user group. For example, three wired and wireless VLANs in an enterprise environment could be created for full-time employee, part-time employee and guest access.
2. Segmentation by device types: Segmentation of the WLAN to allow different devices with different access-security "levels" to access the WLAN. For example, it is not recommended to allow handheld computers that support only 40/128-bit static-WEP to co-exist with other WLAN client devices using 802.1X with dynamic WEP in the same VLAN. In this scenario, devices are grouped and isolated with different "levels" of access security into separate VLANs.
A wireless VLAN deployment example is outlined below. The IT administrator of company XYZ determines the need for wireless LANs in his network. Using the guidelines described in Section 4.1, his findings are as follows:
3. Full-time employees need full access to the wired network resources. The IT department has implemented application-level privileges for each user (using Microsoft Windows NT or Active Directory (AD) mechanisms).
4. Part-time employees are not allowed access to certain wired resources (such as human resource servers, data storage servers, and so on). Furthermore, the IT department has implemented application-level privileges for part-time employees (using Microsoft Windows NT or AD mechanisms).
6. Maintenance personnel (electrical, facilities, and others) use specialized handheld computers that support static 40- or 128-bit encryption to access trouble-ticket information via an application server VLAN.
1. Create "Full-Time" and "Part-Time" VLANs: Implement 802.1X with dynamic WEP along with TKIP capability for WLAN access. Tie user login on the RADIUS server to the Microsoft back-end user database to enable "single sign-on" for WLAN users.
Implement RADIUS-based SSID access control for both "Full-Time" and "Part-Time" employees to access WLAN. This is recommended to prevent part-time employees from VLAN "hopping" (for example, trying to access the WLAN using "Full-Time" VLAN).
Note: In this deployment scenario, VLANs are localized per building with user group mapping to wired VLAN-IDs different for each building. In order to enable users to access the WLAN from anywhere on campus, SSID access control is recommended rather than fixed VLAN-ID assignments.
2. Create a "Guest" VLAN: Implement open/no WEP access with a broadcast SSID by using the primary SSID for "Guest" VLAN. Enforce policies on the wired network side to force all "Guest" VLAN access to an Internet gateway and deny access into the corporate network.
3. Create a "Maintenance" VLAN: Implement open authentication with WEP plus MAC authentication for this VLAN. Enforce policies on the wired infrastructure to only allow access to the maintenance server on the application server's VLAN.
Figure 7 Wireless VLAN Deployment Example
Table 3 Configuration for VLANs in Figure 7
|SSID||VLAN-ID||Security Policy||RADIUS-Based VLAN Access Control|
1. Limit broadcast and multicast traffic to the access point and bridge by enabling VLAN filtering and Internet Group Management Protocol (IGMP) snooping on the switch ports. On the 802.1Q trunks to the access point and bridge, filter to allow only active VLANs in the ESS. Enabling IGMP snooping prevents the switch from flooding all switch ports with Layer 3 multicast traffic.
3. The access point does not support VLAN Trunking Protocol (VTP) or GARP VLAN Registration Protocol (GVRP) for dynamic management of VLANs because the access point acts as a "stub" node. The IT administrator must use the wired infrastructure to maintain and manage the wired VLANs.
- The IT administrator could implement ACLs on the wired infrastructure to force all "guest" VLAN traffic to the Internet gateway.
- The IT administrator should restrict user access to the native/default VLAN of the access points and bridges with the use of Layer 3 ACLs and policies on the wired infrastructure.
- Example: Traffic to access points and bridges via the native/default VLAN is only allowed to and from the management VLAN where all the management servers including the RADIUS server reside.
Figure 8 Main Setup Page
Figure 9 Main VLAN Set Up Page
Figure 10 Native VLAN Configuration
Figure 11 Enabling 802.1Q Trunking
Figure 12 802.1Q Encapsulation Mode
Figure 13 "Guest" VLAN Configuration
Figure 14 Enabling the Unencrypted VLAN
Figure 15 Encrypted VLAN Configuration
Figure 16 List of VLANs
Figure 17 VLAN Summary Status Table
11. Figure 18. Click on Setup > Service Sets. (This is the same screen as shown in Step 1 of this Appendix.) The SSID lists are configurable per radio. On a Cisco Aironet 1200 Series Access Point with two radios, 802.11b radio SSIDs are referred to as "Internal" SSIDs and 802.11a radio SSIDs are referred to as "Module" SSIDs.
Figure 18 Main Setup Page
Figure 19 Access Point Radio Internal Service Sets: Primary SSID
Figure 20 Access Point Radio Internal Primary SSID Configuration
Figure 21 Creating a Secondary SSID
Figure 22 Secondary SSID "Open_WEP" Configuration
16. Figure 23. Create an SSID for infrastructure devices: Map the native VLAN of the access point to this SSID in order to allow infrastructure devices (such as workgroup bridges and repeaters) to associate to the access point using this SSID.
Figure 23 SSID for Infrastructure Devices
17. Figure 24. Infrastructure SSID configuration: Set the index of the SSID created in Step 16 as the "Infrastructure" SSID. Disallow all infrastructure devices on non-Infrastructure SSIDs (recommended).
Figure 24 Infrastructure SSID Configuration
Figure 25 Internal Service Set Summary Status Table
6 Appendix B: VLAN Configuration Example for Cisco IOS Software Release 12.2.4-JA for Cisco Aironet 1100 Series Access Point
Figure 26 "Guest" SSID Configuration
Figure 27 Enabling 802.1Q Trunking
Figure 28 Creating the Default VLAN
3. Figure 29. Set the native VLAN-ID: Click on Services > VLAN. Set the default VLAN-ID (native VLAN-ID) of the Cisco Aironet 1100 Series Access Point. A WARNING message is displayed; click "OK."
Figure 29 Set the Default (Native) VLAN-ID
Figure 30 Creation of VLAN-ID 12
Figure 31 List of Active VLANs
Figure 32 Create and Map SSIDs to the Active VLANs
Figure 33 Example SSID to VLAN ID Mapping
Figure 34 Setting the Guest (Primary) SSID
9. Figure 35. Create an Infrastructure SSID and map to native VLAN (if there is a requirement): This is only needed if Infrastructure devices (such as workgroup bridges and repeaters) will associate to the access point.
Figure 35 Creating an Infrastructure SSID with Mapping to Native VLAN
Figure 36 Setting the Infrastructure SSID
Figure 37 Enabling VLAN Encryption for VLAN-ID 12
12. Figure 38. Enable VLAN encryption: Click on Security > WEP Key Manager. For VLAN-ID 10 (native VLAN), WEP encryption is enabled along with per-packet key hashing (as part of Cisco TKIP). A unique encryption key is set for the native (default) VLAN.
Figure 38 Enabling Encryption for VLAN-ID 10 (Default VLAN)
Table 4 Cisco Aironet 1100 Series Access Point CLI Configuration for VLANs
7 Appendix C: Procedure to Configure RADIUS-Based User Access Control on Cisco Secure Access Control Server Software
The procedure to configure RADIUS-based user access control on Cisco Secure ACS Version 2.6 or later is provided below. This procedure provides configuration information for Internet Engineering Task Force (IETF), Cisco IOS Software and Cisco PIX® Firewall options that enable RADIUS-based user access control (using VLAN-ID and/or SSID-list).
- Confirm that the following option is available on the Cisco Secure ACS: Configuration > RADIUS (Cisco IOS/PIX). If this option is not available, add a device with network access server-type RADIUS (Cisco IOS/PIX). This device is needed to enable Cisco IOS/PIX attributes.
- After adding a Cisco IOS Software or Cisco PIX Firewall device, select Interface Configuration > RADIUS (Cisco IOS/PIX):
- Enable the "[026/009/001] cisco-av-pair" option. Enable this option at both User and Group levels.
- Click on "Submit."