Cisco Router 860, 880 Series User Manual

Chapter 13
Configuring VLANs
Book Title, OL-xxxxx-xx

This chapter describes how to configure an access point to operate with the VLANs set up on a wired LAN. This chapter includes the following sections:
• Understanding VLANs, page 13-1
• Configuring VLANs, page 13-3
• VLAN Configuration Example, page 13-8
    Understanding VLANs
    A VLAN is a switched network that is logically segmented by functions, project teams, or applications; 
    rather than segmented on a physical or geographical basis. For example, all workstations and servers 
    used by a particular workgroup team can be connected to the same VLAN, regardless of their physical 
    connections to the network or the fact that they might be intermingled with other teams. You use VLANs 
    to reconfigure the network through software rather than by physically unplugging and moving devices 
    or wires.
    A VLAN can be thought of as a broadcast domain that exists within a defined set of switches. A VLAN 
    consists of a number of end systems, either hosts or network equipment (such as bridges and routers), 
    connected by a single bridging domain. The bridging domain is supported on various pieces of network 
    equipment such as LAN switches that operate bridging protocols between them with a separate group 
    for each VLAN.
    VLANs provide the segmentation services traditionally provided by routers in LAN configurations. 
VLANs address scalability, security, and network management. You should consider several key issues when designing and building switched LAN networks:
• LAN segmentation
• Security
• Broadcast control
• Performance
• Network management
• Communication between VLANs
You extend VLANs into a wireless LAN by adding IEEE 802.1Q tag awareness to the access point. Frames destined for different VLANs are transmitted by the access point wirelessly on different Service Set Identifiers (SSIDs) with different Wired Equivalent Privacy (WEP) keys. Only the clients associated with that VLAN receive those packets. Conversely, packets coming from a client associated with a certain VLAN are 802.1Q tagged before they are forwarded on to the wired network.
    If 802.1q is configured on the Fast Ethernet interface of an access point, the access point always sends 
    keepalives on VLAN1 even if VLAN 1 is not defined on the access point. As a result, the Ethernet switch 
    connects to the access point and generates a warning message. There is no loss of function on either the 
    access point or the switch. However, the switch log contains meaningless messages that may cause more 
    important messages to be wrapped and not be seen.
This behavior creates a problem when all SSIDs on an access point are associated to mobility networks. If all SSIDs are associated to mobility networks, the Ethernet switch port that the access point is connected to can be configured as an access port. The access port is normally assigned to the native VLAN of the access point, which is not necessarily VLAN 1, so the VLAN 1 keepalives cause the Ethernet switch to generate warning messages saying that 802.1q-tagged traffic is being sent from the access point. You can eliminate the excessive messages on the switch by disabling the keepalive function.
    Figure 13-1 shows the difference between traditional physical LAN segmentation and logical VLAN 
    segmentation with wireless devices connected.
    Figure 13-1 LAN and VLAN Segmentation with Wireless Devices
[Figure 13-1: left panel, "Traditional LAN Segmentation": LAN 1, LAN 2 and LAN 3 on Floors 1 to 3, each on its own shared hub and access point (SSID 0). Right panel, "VLAN Segmentation": Catalyst VLAN switches joined by trunk ports, one access point per floor carrying SSID 1 = VLAN 1, SSID 2 = VLAN 2, SSID 3 = VLAN 3.]
Related Documents
The following documents provide more detailed information about VLAN design and configuration:
• Cisco IOS Switching Services Configuration Guide. Click this link to browse to this document:
http://cisco.com/en/US/products/sw/iosswrel/ps5187/prod_configuration_guide09186a008017d129.html
• Cisco Internetwork Design Guide. Click this link to browse to this document:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/idg4/index.htm
• Cisco Internetworking Technology Handbook. Click this link to browse to this document:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/index.htm
• Cisco Internetworking Troubleshooting Guide. Click this link to browse to this document:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/itg_v1/index.htm
    Incorporating Wireless Devices into VLANs
    The basic wireless components of a VLAN consist of an access point and a client associated to it through 
    wireless technology. The access point is physically connected through a trunk port to the network VLAN 
    switch on which the VLAN is configured. The physical connection to the VLAN switch is through the 
    access point’s Ethernet port.
    In fundamental terms, the key to configuring an access point to connect to a specific VLAN is to 
    configure its SSID to recognize that VLAN. Because VLANs are identified by a VLAN ID or name, if 
    the SSID on an access point is configured to recognize a specific VLAN ID or name, a connection to the 
    VLAN is established. When this connection is made, associated wireless client devices with the same 
    SSID can access the VLAN through the access point. The VLAN processes data to and from the clients 
    the same way that it processes data to and from wired connections. You can configure up to 16 SSIDs 
    on an access point, which means that you can support up to 16 VLANs. You can assign only one SSID 
    to a VLAN.
    You can use the VLAN feature to deploy wireless devices with greater efficiency and flexibility. For 
    example, one access point can handle the specific requirements of multiple users with varied network 
    access and permissions. Without VLAN capability, multiple access points would have to be used to serve 
    classes of users based on their assigned access and permissions.
These are two common strategies for deploying wireless VLANs:
• Segmentation by user groups: You can segment your wireless LAN user community and enforce a different security policy for each user group. For example, you can create three wired and wireless VLANs in an enterprise environment for full-time employees, part-time employees, and guests.
• Segmentation by device types: You can segment your wireless LAN to allow different devices with different security capabilities to join the network. For example, some wireless users might have handheld devices that support only static WEP, and some wireless users might have more sophisticated devices using dynamic WEP. You can group and isolate these devices into separate VLANs.
Configuring VLANs
These sections describe how to configure VLANs on an access point:
• Configuring a VLAN, page 13-4
• Assigning Names to VLANs, page 13-6
• Using a RADIUS Server to Assign Users to VLANs, page 13-7
• Viewing VLANs Configured on the Access Point, page 13-8
Configuring a VLAN
Note: When you configure VLANs on access points, the Native VLAN must be VLAN1. In a single architecture, client traffic received by the access point is tunneled through an IP-GRE tunnel, which is established on the access point’s Ethernet interface native VLAN. Because of the IP-GRE tunnel, some users may configure another switch port as VLAN1. This misconfiguration causes errors on the switch port.
Configuring your access point to support VLANs is a three-step process:
1. Enable the VLAN on the radio and Ethernet ports.
2. Assign SSIDs to VLANs.
3. Assign authentication settings to SSIDs.
This section describes how to assign SSIDs to VLANs and how to enable a VLAN on the access point radio and Ethernet ports.
For detailed instructions on assigning authentication types to SSIDs, see Chapter 12, “Authentication Types for Wireless Devices.”
For instructions on assigning other settings to SSIDs, see Chapter 9, “Service Set Identifier (SSID).”
You can configure up to 16 SSIDs on the access point, so you can support up to 16 VLANs that are configured on your LAN. Or, the total number of VLANs you can configure on your LAN is determined by the number of LANs supported by the host router.
To assign an SSID to a VLAN and enable the VLAN on the access point radio and Ethernet ports, follow these steps beginning in privileged EXEC mode:
Command and Purpose
Step 1: configure terminal
  Enters global configuration mode.
Step 2: interface dot11radio 0
  Enters interface configuration mode for the radio interface. The 2.4-GHz radio and the 2.4-GHz 802.11n radio are 0.
Step 3: ssid ssid-string
  Creates an SSID and enters SSID configuration mode for the new SSID. The SSID can consist of up to 32 alphanumeric characters. SSIDs are case sensitive.
  The first character cannot be any of the following characters:
  • Exclamation point (!)
  • Pound sign (#)
  • Semicolon (;)
  The following characters are invalid and cannot be used in an SSID:
  • Plus sign (+)
  • Right bracket (])
  • Front slash (/)
  • Quotation mark (")
  • Tab
  • Trailing spaces
  Note: You use the ssid command’s authentication options to configure an authentication type for each SSID. See Chapter 14, “Using an Access Point as a Local Authenticator,” for instructions on configuring authentication types.
Step 4: vlan vlan-id
  (Optional) Assigns the SSID to a VLAN on your network. Client devices that associate using the SSID are grouped into this VLAN. Enter a VLAN ID from 1 to 4095. You can assign only one SSID to a VLAN.
  Tip: If your network uses VLAN names, you can also assign names to the VLANs on your access point. See the “Assigning Names to VLANs” section on page 13-6 for instructions.
Step 5: exit
  Returns to interface configuration mode for the radio interface.
Step 6: interface dot11radio 0.x | 1.x
  Enters interface configuration mode for the radio VLAN subinterface.
Step 7: encapsulation dot1q vlan-id [native]
  Enables a VLAN on the radio interface. (Optional) Designates the VLAN as the native VLAN. On many networks, the native VLAN is VLAN 1.
Step 8: exit
  Returns to global configuration mode.
Step 9: interface fastEthernet0.x
  Enters interface configuration mode for the Ethernet VLAN subinterface.
Step 10: encapsulation dot1q vlan-id [native]
  Enables a VLAN on the Ethernet interface. (Optional) Designates the VLAN as the native VLAN. On many networks, the native VLAN is VLAN 1.
Step 11: end
  Returns to privileged EXEC mode.
Step 12: copy running-config startup-config
  (Optional) Saves your entries in the configuration file.

The following example shows how to:
• Name an SSID
• Assign the SSID to a VLAN
• Enable the VLAN on the radio and Ethernet ports as the native VLAN
ap# configure terminal
ap(config)# interface dot11radio0
ap(config-if)# ssid batman
ap(config-ssid)# vlan 1
ap(config-ssid)# exit
ap(config)# interface dot11radio0.1
ap(config-subif)# encapsulation dot1q 1 native
ap(config-subif)# exit
ap(config)# interface fastEthernet0.1
ap(config-subif)# encapsulation dot1q 1 native
ap(config-subif)# exit
ap(config)# end

Assigning Names to VLANs
You can assign a name to a VLAN in addition to its numerical ID. VLAN names can contain up to 32 ASCII characters. The access point stores each VLAN name and ID pair in a table.
Guidelines for Using VLAN Names
Keep these guidelines in mind when using VLAN names:
• The mapping of a VLAN name to a VLAN ID is local to each access point, so across your network, you can assign the same VLAN name to a different VLAN ID.
  Note: If clients on your wireless LAN require seamless roaming, we recommend that you assign the same VLAN name to the same VLAN ID across all access points, or that you use only VLAN IDs without names.
• Every VLAN that is configured on your access point must have an ID, but VLAN names are optional.
• VLAN names can contain up to 32 ASCII characters. However, a VLAN name cannot be a number between 1 and 4095. For example, vlan4095 is a valid VLAN name, but 4095 is not. The access point reserves the numbers 1 through 4095 for VLAN IDs.
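The SSID-to-VLAN procedure above, generalized to any list of SSID/VLAN pairs, as an added Python helper that is not part of the Cisco manual: it applies the SSID rules from Step 3, the VLAN ID range and one-SSID-per-VLAN rule from Step 4 and the native-VLAN Note, then emits the Step 1 to Step 11 commands in the same form as the batman example. The function names, the `mappings` argument and the default interface names are my assumptions.

```python
SSID_BAD_FIRST = set("!#;")        # an SSID may not start with one of these
SSID_BAD_ANYWHERE = set('+]/"\t')  # never allowed anywhere in an SSID
MAX_SSIDS = 16                     # the access point supports up to 16 SSIDs


def ssid_errors(ssid):
    """Rule violations for an SSID string, from Step 3; an empty list means OK."""
    errors = []
    if not ssid or len(ssid) > 32:
        errors.append("SSID must be 1 to 32 characters")
    if ssid and ssid[0] in SSID_BAD_FIRST:
        errors.append("first character %r is not allowed" % ssid[0])
    bad = sorted(set(ssid) & SSID_BAD_ANYWHERE)
    if bad:
        errors.append("invalid character(s): " + ", ".join(repr(c) for c in bad))
    if ssid != ssid.rstrip(" "):
        errors.append("trailing spaces are not allowed")
    return errors


def render_vlan_config(mappings, native_vlan=1, radio="dot11radio0",
                       ethernet="fastEthernet0"):
    """mappings: list of (ssid, vlan_id). Returns the CLI lines for Steps 1-11,
    or raises ValueError if a rule from the procedure would be violated."""
    if len(mappings) > MAX_SSIDS:
        raise ValueError("at most %d SSIDs per access point" % MAX_SSIDS)
    if native_vlan != 1:
        # The Note under "Configuring a VLAN": the native VLAN must be VLAN 1.
        raise ValueError("native VLAN must be VLAN 1")
    seen = set()
    for ssid, vlan_id in mappings:
        problems = ssid_errors(ssid)
        if not 1 <= vlan_id <= 4095:
            problems.append("VLAN ID must be 1 to 4095")
        if vlan_id in seen:
            problems.append("VLAN %d already has an SSID (one SSID per VLAN)" % vlan_id)
        if problems:
            raise ValueError("%r: %s" % (ssid, "; ".join(problems)))
        seen.add(vlan_id)

    lines = ["configure terminal"]                      # Step 1
    for ssid, vlan_id in mappings:
        # Steps 2-5: create the SSID on the radio and bind it to its VLAN.
        lines += ["interface %s" % radio, "ssid %s" % ssid, "vlan %d" % vlan_id, "exit"]
        native = " native" if vlan_id == native_vlan else ""
        # Steps 6-10: enable the VLAN on the radio and Ethernet subinterfaces.
        for base in (radio, ethernet):
            lines += ["interface %s.%d" % (base, vlan_id),
                      "encapsulation dot1q %d%s" % (vlan_id, native), "exit"]
    lines.append("end")                                 # Step 11
    return lines
```

For the single pair ("batman", 1) the output is exactly the command sequence of the example above, minus the prompts.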
    						
    							 
Creating a VLAN Name
To assign a name to a VLAN, follow these steps, beginning in privileged EXEC mode:
Command and Purpose
Step 1: configure terminal
  Enters global configuration mode.
Step 2: dot11 vlan-name name vlan vlan-id
  Assigns a VLAN name to a VLAN ID. The name can contain up to 32 ASCII characters.
Step 3: end
  Returns to privileged EXEC mode.
Step 4: copy running-config startup-config
  (Optional) Saves your entries in the configuration file.
Use the no form of the command to remove the name from the VLAN. To list all the VLAN name and ID pairs configured on the access point, use the show dot11 vlan-name command in privileged EXEC mode.

Using a RADIUS Server to Assign Users to VLANs
You can configure your RADIUS authentication server to assign users or groups of users to a specific VLAN when they authenticate to the network.
Note: Unicast and multicast cipher suites advertised in a WPA information element (and negotiated during 802.11 association) may mismatch the cipher suite supported in an explicitly assigned VLAN. If the RADIUS server assigns a new VLAN ID that uses a cipher suite different from the previously negotiated cipher suite, there is no way for the access point and client to switch back to the previous cipher suite. Currently, the WPA and CCKM protocols do not allow the cipher suite to be changed after the initial 802.11 cipher negotiation phase. In this scenario, the client device is disassociated from the wireless LAN.
The VLAN-mapping process consists of these steps:
1. A client device associates to the access point by using any SSID configured on the access point.
2. The client begins RADIUS authentication.
3. When the client authenticates successfully, the RADIUS server maps the client to a specific VLAN, regardless of the VLAN mapping defined for the SSID that the client is using on the access point. If the server does not return any VLAN attribute for the client, the client is assigned to the VLAN specified by the SSID mapped locally on the access point.
These are the RADIUS user attributes used for VLAN ID assignment. Each attribute must have a common tag value between 1 and 31 to identify the grouped relationship.
• IETF 64 (Tunnel Type): Set this attribute to VLAN
• IETF 65 (Tunnel Medium Type): Set this attribute to 802
• IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id
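The three tagged attributes above, encoded and decoded as an added Python example that is not from the manual: it builds IETF 64/65/81 with one shared tag, parses a reply, and applies the fallback from step 3 of the mapping process when no usable VLAN triple is present. Function names and the sample byte strings are mine; the numeric values 13 (VLAN) and 6 (IEEE 802) are the RFC 2868/3580 codes behind the words VLAN and 802 in the list.

```python
import struct

# RFC 2868 attribute numbers and the values the manual asks for (RFC 3580):
# Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = (13).to_bytes(3, "big")
TUNNEL_MEDIUM_IEEE802 = (6).to_bytes(3, "big")


def radius_attr(attr_type, value):
    # RADIUS attribute = Type (1 byte) + Length (1 byte, header included) + Value
    return struct.pack("BB", attr_type, 2 + len(value)) + value


def vlan_assignment_attrs(vlan_id, tag=1):
    """Encode IETF 64, 65 and 81 so that all three carry the same tag."""
    if not 1 <= tag <= 31:
        raise ValueError("tag must be 1..31")
    if not 1 <= vlan_id <= 4095:
        raise ValueError("VLAN ID must be 1..4095")
    tag_byte = bytes([tag])
    # Tagged integer attributes: 1-byte tag followed by a 3-byte value.
    # Tagged string attribute: 1-byte tag followed by the VLAN ID as text.
    return (radius_attr(TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN)
            + radius_attr(TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_IEEE802)
            + radius_attr(TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan_id).encode("ascii")))


def parse_attrs(data):
    """Split a RADIUS attribute blob into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % i)
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length at offset %d" % i)
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def assigned_vlan(attrs, ssid_vlan):
    """VLAN the client lands in: the RADIUS-assigned one when a complete triple
    with one common tag is present, otherwise the VLAN mapped to the SSID."""
    by_tag = {}
    for attr_type, value in parse_attrs(attrs):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        if not value:
            continue
        # RFC 2868: a leading byte above 0x1F is data, not a tag (tag = 0).
        tag, body = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
        by_tag.setdefault(tag, {})[attr_type] = body
    for fields in by_tag.values():
        if (fields.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and fields.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PRIVATE_GROUP_ID in fields):
            text = fields[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace").strip()
            if text.isdigit() and 1 <= int(text) <= 4095:
                return int(text)
    return ssid_vlan  # no usable VLAN attribute: fall back to the SSID's VLAN
```

A triple whose attributes carry different tags is not grouped, so it falls back to the SSID's VLAN exactly as a missing attribute does.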
    						
    							 
Viewing VLANs Configured on the Access Point
In privileged EXEC mode, use the show vlan command to view the VLANs that the access point supports. This is sample output from a show vlan command:
Virtual LAN ID:  1 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interfaces:  Dot11Radio0
FastEthernet0
Virtual-Dot11Radio0

 This is configured as native Vlan for the following interface(s) :
Dot11Radio0
FastEthernet0
Virtual-Dot11Radio0

   Protocols Configured:   Address:              Received:        Transmitted:
        Bridging        Bridge Group 1             201688                   0
        Bridging        Bridge Group 1             201688                   0
        Bridging        Bridge Group 1             201688                   0

Virtual LAN ID:  2 (IEEE 802.1Q Encapsulation)

   vLAN Trunk Interfaces:  Dot11Radio0.2
FastEthernet0.2
Virtual-Dot11Radio0.2

   Protocols Configured:   Address:              Received:        Transmitted:
    VLAN Configuration Example
This example shows how to use VLANs to manage wireless devices on a college campus. In this example, three levels of access are available through VLANs configured on the wired network:
• Management access—Highest level of access; users can access all internal drives and files, departmental databases, top-level financial information, and other sensitive information. Management users are required to authenticate using Cisco LEAP.
• Faculty access—Medium level of access; users can access the school’s intranet and the Internet, access internal files, access student databases, and view internal information such as human resources, payroll, and other faculty-related information. Faculty users are required to authenticate using Cisco LEAP.
• Student access—Lowest level of access; users can access the school’s intranet and the Internet, obtain class schedules, view grades, make appointments, and perform other student-related activities. Students are allowed to join the network using static WEP.
In this scenario, at least three VLAN connections are required, one for each level of access. Because the access point can handle up to 16 SSIDs, you can use the basic design shown in Table 13-1.

Table 13-1 Access Level SSID and VLAN Assignment
Level of Access    SSID
Management         boss
Faculty            teach
Student            learn
    Managers configure their wireless client adapters to use SSID boss, faculty members configure their 
    clients to use SSID teach, and students configure their wireless client adapters to use SSID learn. When 
    these clients associate to the access point, they automatically belong to the correct VLAN.
You would complete these steps to support the VLANs in this example:
1. Configure or confirm the configuration of these VLANs on one of the switches on your LAN.
2. On the access point, assign an SSID to each VLAN.
3. Assign authentication types to each SSID.
4. Configure VLAN 1, the Management VLAN, on both the Fast Ethernet and dot11radio interfaces on the access point. You should make this VLAN the native VLAN.
5. Configure VLANs 2 and 3 on both the Fast Ethernet and dot11radio interfaces on the access point.
6. Configure the client devices.
Table 13-2 shows the commands needed to configure the three VLANs in this example.
    Configuring VLAN 1Configuring VLAN 2Configuring VLAN 3
    ap# configure terminal
    ap(config)# interface 
    dot11radio 0
    ap(config-if)# ssid boss
    ap(config-ssid)# vlan 01ap(config-ssid)# end
    ap# configure terminal
    ap(config)# interface dot11radio 0ap(config-if)# ssid teach
    ap(config-ssid)# vlan 02
    ap(config-ssid)# end
    ap# configure terminal
    ap(config)# interface dot11radio 0ap(config-if)# ssid learn
    ap(config-ssid)# vlan 03
    ap(config-ssid)# end
    ap# configure terminal
    ap(config) interface 
    FastEthernet0.1
    ap(config-subif) encapsulation 
    dot1Q 1 native
    ap(config-subif) exit
    ap(config) interface FastEthernet0.2
    ap(config-subif) encapsulation dot1Q 
    2
    ap(config-subif) bridge-group 2
    ap(config-subif) exit
    ap(config) interface FastEthernet0.3
    ap(config-subif) encapsulation dot1Q 
    3
    ap(config-subif) bridge-group 3
    ap(config-subif) exit
    ap(config)# interface 
    Dot11Radio 0.1
    ap(config-subif)# encapsulation 
    dot1Q 1 native
    ap(config-subif)# exit
    NoteYou do not need to configure 
    a bridge group on the 
    subinterface that you set up 
    as the native VLAN. This 
    bridge group is moved to the 
    native subinterface 
    automatically to maintain 
    the link to BVI 1, which 
    represents both the radio and 
    Ethernet interfaces.
    ap(config) interface Dot11Radio 0.2
    ap(config-subif) encapsulation dot1Q 
    2 
    ap(config-subif) bridge-group 2
    ap(config-subif) exit
    ap(config) interface Dot11Radio 0.3
    ap(config-subif) encapsulation dot1Q 
    3 
    ap(config-subif) bridge-group 3
    ap(config-subif) exit 
    						
    							 
Table 13-3 shows the results of the configuration commands in Table 13-2. Use the show running command to display the running configuration on the access point.
Notice that when you configure a bridge group on the radio interface, these commands are set automatically:
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
When you configure a bridge group on the Fast Ethernet interface, these commands are set automatically:
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
Table 13-3 Results of Example Configuration Commands

VLAN 1 Interfaces:
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled

VLAN 2 Interfaces:
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip route-cache
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
 bridge-group 2 spanning-disabled
interface FastEthernet0.2
 encapsulation dot1Q 2
 no ip route-cache
 bridge-group 2
 no bridge-group 2 source-learning
 bridge-group 2 spanning-disabled

VLAN 3 Interfaces:
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
 bridge-group 3 spanning-disabled
interface FastEthernet0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 3
 no bridge-group 3 source-learning
 bridge-group 3 spanning-disabled
    						