Wireless Network VLANs - How to Implement Wireless VLANs
The wireless access points operate as bridges with no routing defined anywhere on the
wireless network segment. All VLANs are defined on the wired switches and mapped with
specific SSIDs at each access point. The maximum number of VLANs and SSIDs per access
point that can be mapped is 16. The wireless client attaches or associates with a specific
SSID which in turn will map client with membership in a specific VLAN.
There is an option to configure the maximum number of wireless client associations
allowed per SSID improving network performance and availability. The access point is
assigned a primary SSID with the 802.11 standard, advertising it with beacons on that
segment to all wireless clients. There is a guest SSID defined that companies should
define a VLAN policy for that group or with access control list security policies denying
access to the corporate network. Guest traffic for the most part should be directed across
the internet unless they have specific network rights.
VLAN membership of each wireless client is assigned considering what servers are most
accessed, specific company department and security rights. Device types such as a scanner
with less security won't be assigned the same VLAN as an engineering group with sensitive
information and 802.1x security.
VLAN 1 is the default native VLAN and doesn't tag traffic. The native VLAN number
assigned on the wired switches must match the VLAN assigned at all attached access points
on that network segment. The native VLAN is sometimes assigned to network management
traffic or the RADIUS server. Companies will implement access control lists at each
network switch to filter traffic securing the management VLAN traffic. With most designs
the native VLAN isn't mapped to a SSID except with connecting root bridges and non root
bridges. Define an infrastructure SSID for infrastructure devices such as a repeater or
workgroup hub and map the native VLAN allowing those devices to associate with non root
bridge and root bridges.
Wireless clients configured with 802.1x authentication will have a RADIUS server
configured with mapped SSIDs per wireless client. This is called RADIUS SSID control. The
server sends the list to the access point where the client is allowed to associate with an
access point should they be a member of one or several SSIDs. RADIUS VLAN control assigns
each client with a specific VLAN and default SSID. The mapping can be overridden with the
RADIUS sever configuration. During authentication the wireless client is assigned to that
specific VLAN. The employee however can't be a member of any wired VLAN except that.
Policy group filters or class map policies can be defined per VLAN. You should deny all
infrastructure devices to be members of any non-infrastructure SSID. Wireless clients will
see all broadcasts and multicasts of all mapped VLANs unless 802.1x per VLAN encryption is
implemented with TKIP, MIC and broadcast keys.
Trunking is implemented to switch traffic between network segments that have multiple
VLANs defined. Each VLAN defines a separate broadcast domain comprised of a group of
employees with a company department. The trunk is a physical switch port interface with
defined Ethernet subinterfaces configured with 802.1q or ISL encapsulation. Those packets
are tagged with specific VLAN number before it is sent between access point and wired
network switch. The access point Ethernet interface is configured as a hybrid trunk.
Access control lists should be defined at the wired switch Ethernet interface that drops
packets from VLANs not defined with any SSID.
VLAN 100 = 192.168.37.x - SSID = Engineers
VLAN 200 = 192.168.38.x - SSID =
VLAN 300 = 192.168.39.x - SSID = Sales
Shaun Hummel is the author of
Network Planning and Design Guide
which teaches an effective methodology for planning and designing enterprise networks with
relevant new technologies. It is a reference guide that efficiently explains principles,
methodologies, technologies and case studies while remaining focused on the audience
More Networking Topologies Articles:
• A Guide to Broadband Internet Connections
• Build Your Own Fiber Optic Network Like a Professional Network Engineer
• Cable: Cat5, Cat5e, Cat6, Cat6A ; What's the Difference?
• Multilayer Switch
• Here's a Quick Way to Build Your Fiber Optic Network
• Static Versus Dynamic Routing
• How to Set up a Private Network
• MPO Connector, MTP Connector, What's the Difference?
• Network Interface Cards (NIC)
• How Do Fiber Optic Couplers Work and How are They Made?