Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

A VLAN is a switched network that is logically segmented by functions, project teams, or applications rather than on a physical or geographical basis. For example, all workstations and servers used by a particular workgroup team can be connected to the same VLAN, regardless of their physical connections to the network or whether they are intermingled with other teams. You use VLANs to reconfigure the network through software rather than physically unplugging and moving devices or wires.

A VLAN can be thought of as a broadcast domain that exists within a defined set of switches. A VLAN consists of a number of end systems, either hosts or network equipment (such as bridges and routers), connected by a single bridging domain. The bridging domain is supported on various pieces of network equipment such as LAN switches that operate bridging protocols between them with a separate group for each VLAN.

VLANs provide the segmentation services traditionally provided by routers in LAN configurations. VLANs address scalability, security, and network management. You should consider several key issues when designing and building switched LAN networks:

• LAN segmentation

• Security

• Broadcast control

• Performance

• Network management

• Communication between VLANs

You extend VLANs into a wireless LAN by adding IEEE 802.11q tag awareness to the AP. Frames destined for different VLANs are transmitted by the AP wirelessly on different service set identifiers (SSIDs). Only the clients associated with that VLAN receive those packets. Each SSID can have one VLAN assigned to it. The benefit of using multiple SSIDs and VLANs is that you can configure different security features for each group. For example, users in VLAN 1 might be forced to use MAC authentication while users in VLAN 2 are not.

The figure below shows both wired and wireless VLANs coexisting on a router with an integrated AP and switch.

Figure 1. LAN and VLAN Segmentation with Wireless Devices

The basic wireless components of a VLAN consist of an AP and a client associated to it using wireless technology.

You configure an AP to connect to a specific VLAN by configuring its SSID to recognize that VLAN. Because VLANs are identified by a VLAN ID, it follows that if the SSID on an AP is configured to recognize a specific VLAN ID, a connection to the VLAN is established. When this connection is made, associated wireless client devices having the same SSID can access the VLAN through the AP. The VLAN processes data to and from the clients the same way that it processes data to and from wired connections.

You can configure up to 10 SSIDs or VLANs on the Cisco 800 series routers, and up to 16 SSIDs or VLANs on the Cisco 1800 series fixed-configuration routers and the Cisco 1841, 2800 and 3800 series modular routers with an AP high-speed WAN interface card (HWIC). You can assign only one SSID to a VLAN.

The limits for the 16 configurable VLANs on routers with an AP HWIC are:

• 1 static and 15 dynamic VLANs

• 1 static and 15 unsecured VLANs

• 16 dynamic VLANs

• 16 unsecured VLANs

The limits for the 16 configurable VLANs on the Cisco 1800 series fixed-configuration routers are:

• 1 static Wired Equivalent Privacy (WEP) encrypted VLAN, 7 dynamic WEP VLANs, and 8 unsecured VLANs

• 1 static and 15 unsecured VLANs

• 8 dynamic and 8 unsecured VLANs

• 16 unsecured VLANs

The limits for the 10 configurable VLANs on the Cisco 800 series routers are:

• 1 static WEP encrypted VLAN, 3 dynamic WEP VLANs, and 6 unencrypted VLANs

You can use the VLAN feature to deploy wireless devices with greater efficiency and flexibility. For example, one AP can handle the specific requirements of multiple users having widely varied network access and permissions. Without VLAN capability, multiple APs would be needed to serve classes of users based on the access and permissions they were assigned.

These are two common strategies for deploying wireless VLANs:

• Segmentation by user groups: You can segment your wireless LAN user community and enforce a different security policy for each user group. For example, you can create wired and wireless VLANs in an enterprise environment for full-time and part-time employees and also provide guest access.

• Segmentation by device types: You can segment your wireless LAN to allow different devices with different security capabilities to join the network. For example, some wireless users might have handheld devices that support only static WEP, and some wireless users might have more sophisticated devices using dynamic WEP. You can group and isolate these devices into separate VLANs.

You can configure your RADIUS authentication server to assign users or groups of users to a specific VLAN when they authenticate to the network.

The VLAN-mapping process consists of these steps:

1. A client device associates to the AP using any SSID configured on the AP.

2. The client begins RADIUS authentication.

3. When the client authenticates, the RADIUS server maps the client to a specific VLAN, regardless of the VLAN mapping defined for the SSID the client is using on the AP. If the server does not return any VLAN attribute for the client, the client is assigned to the VLAN specified by the SSID mapped locally on the AP.

These are the RADIUS user attributes used for VLAN ID assignment. Each attribute must have a common tag value to identify the grouped relationship.

• IETF 64 (Tunnel Type): Set this attribute to VLAN.

• IETF 65 (Tunnel Medium Type): Set this attribute to 802.

• IETF 81 (Tunnel Private Group ID): Set this attribute to a VLAN ID.

The following VLAN configuration scenario shows how to use VLANs to manage wireless devices in a typical branch office. In this example, two levels of access are available through VLANs configured on the network:

• Employee access—Users can access all company files, databases, and sensitive information. Employees are required to authenticate using Cisco Light Extensible Authentication Protocol (LEAP).

• Guess access—Users can access only the Internet and any external files stored specifically for guest users.

In this scenario, a minimum of two VLAN connections are required, one for each level of access. Because the AP can support up to 16 SSIDs on the AP HWIC and Cisco 1800 fixed-configuration routers, and up to 10 SSIDs on the Cisco 800 series routers, you can use the basic design shown in the table below.

Employees configure their wireless client adapters to use the SSID named employee and guests configure their client adapters to use the SSID named guest. When these clients associate to the AP, they automatically belong to the correct VLAN. Wired clients attached to the router through the integrated switch can also belong to a specific VLAN. Wireless VLAN clients and wired VLAN clients can share subnets or they can belong to completely different subnets. This type of configuration can be accomplished using bridging or integrated routing and bridging (IRB) or routing on the dot11 interface.

The following examples show two configuration methods:

1. Bridge traffic between wireless VLANs and wired VLANs using IRB and route traffic from these networks through the bridged virtual interface (BVI). The clients in the wireless VLANs and wired VLANs will be in the same respective subnets as the IP address of the BVI interfaces.

2. Use routing to keep the wireless and wired VLANs in separate subnets.

Using the VLAN configuration scenario above, this example shows how to configure VLAN 1 and VLAN 2 on an AP in bridging mode. When the AP has been configured, the example shows how to configure each client device to recognize either the employee SSID or the guest SSID.

This example shows the following configuration steps:

• Create a global SSID.

• Assign a VLAN to each configured SSID.

• Assign authentication types to each SSID.

• Configure subinterfaces and 802.1q encapsulation for each VLAN under the dot11 interface.

• Assign a bridge group for each subinterface.

• Assign the same bridge group to the relevant wired VLAN.

• Create a BVI interface and assign an IP address for each bridge group.

• Configure the protocol to route each bridge group.

configure terminal
 dot11 ssid employee
	 vlan 1
	  authentication open eap eap_methods
	  authentication network-eap eap_methods
	  authentication key-management wpa
	  exit
	 interface dot11Radio 0/0/0
	  no ip address
   encryption vlan 1 mode ciphers aes-ccm
	  ssid employee
	  exit
  exit
 dot11 ssid guest
	 vlan 2
  authentication open
  exit
	interface dot11Radio 0/0/0.1
	encapsulation dot1q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
	bridge-group 1 spanning-disabled
	bridge-group 1 block-unknown-source
	no bridge-group 1 source-learning
	no bridge-group 1 unicast-flooding
	exit
	interface dot11Radio 0/0/0.2
	encapsulation dot1q 2
	bridge-group 2
 exit
interface FastEthernet 0/1/2
 switchport access vlan 2
 exit
interface FastEthernet 0/1/3
 switchport access vlan 2
	exit
	interface vlan 1
	bridge group 1
 exit
interface vlan 2
	bridge group 2
	exit
	interface bvi 1
	ip address 10.10.10.1 255.255.255.0
 exit
interface bvi 2
 ip address 20.20.20.1 255.255.255.0
	exit
bridge 1 route ip
bridge 2 route ip
exit
	copy running-config to startup-config

Using the VLAN configuration scenario described in the previous section, this example shows how to configure VLAN 1 and VLAN 2 on an AP in routing mode. Routing can be used to keep the wireless and wired VLANs on separate subnets. After the AP has been configured, the example shows how to configure each client device to recognize either the employee SSID or the guest SSID.

This example shows the following configuration steps:

• Create a global SSID.

• Assign a VLAN to each configured SSID.

• Assign authentication types to each SSID.

• Configure subinterfaces and 802.1q encapsulation for each VLAN under the dot11 interface.

• Configure an IP address for each subinterface.

configure terminal
	dot11 ssid employee
	vlan 1
	authentication open eap eap_methods
	authentication network-eap eap_methods
	authentication key-management wpa
	exit
	interface dot11Radio 0/0/0
	no ip address
	encryption vlan 1 mode ciphers aes-ccm
	ssid employee
	exit
exit
	dot11 ssid guest
	vlan 2
	authentication open
	exit
	interface dot11Radio 0/0/0
	ssid guest
	exit
exit
	interface dot11Radio 0/0/0.1
	encapsulation dot1Q 1 native
	ip address 10.10.10.1 255.255.255.0
exit
	interface dot11Radio 0/0/0.2
	encapsulation dot1q 2
	ip address 50.50.50.1 255.255.255.0
end
	copy running-config startup-config

If you want to configure quality of service (QoS) parameters on an AP, see the “Configuring QoS on an Access Point” module.