Wireless VLANs

April 16, 2018·Ryan

It’s been a fun four months of 2018 so far, and I’m back to talk about wireless VLANs. With 802.11ax around the corner (2019), I think we all can agree that “wired” connections, although less likely to have interference, aren’t as mobile as a wireless LAN. Also, with 802.11ax the maximum theoretical throughput is 10Gbps! We’re going to need some serious backend infrastructure to support that type of bandwidth. So, let’s look at configuring wireless VLANs for our mobile users!

Just like regular wired LANs, we want to separate traffic to have a secure network, because it’s usually not only your employees that will use the wireless network. We could have guest networks, department networks and even infrastructure/IoT networks for security cameras, motion sensors, thermostats, lights, and so much more. Just within that list you have at least three wireless networks, if not four if you need further separation. So how do you configure wireless to have multiple VLANs attached to it? First you must look at the wireless hardware you are working with. That hardware at least needs to support a trunk link; that’s what makes this magic happen. If it supports VLAN trunks, then chances are it comes in one of two flavors:

  • Wireless controller with “lightweight” access points, which essentially tunnel the traffic back to the controller. The controller has a trunk link with all the wireless VLANs connected to it. The access points don’t need access to all those wireless VLANs; they can join a management network and route/tunnel the traffic back to the controller.
  • Autonomous access points, which, as the name suggests, act on their own. They don’t join a controller and therefore need access to all wireless VLANs that are configured in the network.

Next, if your wireless hardware supports multiple VLANs, then it can probably support multiple networks and broadcast multiple SSIDs, which is how you can get multiple wireless networks on the same hardware. Each network can have different restrictions as well as different authentication methods to get on the network, such as 802.1X (WPA2 Enterprise), WPA2 Personal, and even WPA3, which was certified this year. Once you have all that information and know what type of access point you have, the last thing to do is configure the switchport, which is probably the simplest thing when it comes to WLANs. In this example we have four networks that we want to put on the airwaves.

  • (410) - GUEST-WLAN
  • (420) - MARKET-DEPT-WLAN
  • (430) - DEFUALT-EMPLOYEE-WLAN
  • (440) - SECURITY-WLAN

If we look at the show vlan output, we can see I have the VLANs created on this switch.

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Eth2/1, Eth2/2, Eth2/3, Eth2/4
                                                Eth2/5
410  GUEST-WLAN                       active    Eth2/1, Eth2/2, Eth2/3, Eth2/4
                                                Eth2/5
420  MARKET-DEPT-WLAN                 active    Eth2/1, Eth2/2, Eth2/3, Eth2/4
                                                Eth2/5
430  DEFUALT-EMPLOYEE-WLAN            active    Eth2/1, Eth2/2, Eth2/3, Eth2/4
                                                Eth2/5
440  SECURITY-WLAN                    active    Eth2/1, Eth2/2, Eth2/3, Eth2/4

In this example I have a wireless controller connected to ethernet 2/10. I simply need to add a trunk link and allow only these VLANs on the port.

SW01(config)# interface ethernet 2/10
SW01(config-if)# switchport mode trunk
SW01(config-if)# switchport trunk allowed vlan 410,420,430,440
SW01(config-if)# no shutdown
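
Restricting the trunk to the wireless VLANs is the security-relevant part of this configuration, so it is worth checking on every port that faces a controller or access point. The script below is an added example, not part of the original post: it parses saved interface configuration and flags trunk ports that have no allowed-VLAN list or that carry VLANs beyond the four above. The sample configuration, the function names, and the assumption that allowed lists are plain comma lists and ranges are all constructed for illustration.

```python
import re

# Assumption: only the four wireless VLANs from this post belong on these trunks.
WIRELESS_VLANS = {410, 420, 430, 440}

# Constructed sample config: Ethernet2/10 mirrors the post's trunk, 2/11 has no
# allowed list, 2/12 allows a range with extra VLANs, 2/13 is an access port.
SAMPLE_CONFIG = """\
interface Ethernet2/10
  switchport mode trunk
  switchport trunk allowed vlan 410,420,430,440
  no shutdown
interface Ethernet2/11
  switchport mode trunk
  no shutdown
interface Ethernet2/12
  switchport mode trunk
  switchport trunk allowed vlan 1,410-440
interface Ethernet2/13
  switchport access vlan 430
"""

def expand_vlans(spec):
    """Expand a list such as '1,410-440' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_trunks(config, permitted=WIRELESS_VLANS):
    """Return {interface: finding} for trunks carrying more than `permitted`."""
    findings = {}
    # Split the config into one stanza per 'interface' line.
    for stanza in re.split(r"(?m)^(?=interface )", config):
        name = re.match(r"interface (\S+)", stanza)
        if not name or "switchport mode trunk" not in stanza:
            continue  # preamble or non-trunk port
        allowed = re.search(r"switchport trunk allowed vlan ([\d,\-]+)", stanza)
        if not allowed:
            findings[name.group(1)] = "no allowed-VLAN list: trunk carries every VLAN"
            continue
        extra = expand_vlans(allowed.group(1)) - permitted
        if extra:
            findings[name.group(1)] = f"{len(extra)} unexpected VLAN(s), lowest is {min(extra)}"
    return findings

if __name__ == "__main__":
    for port, finding in audit_trunks(SAMPLE_CONFIG).items():
        print(port, "->", finding)
```

For autonomous access points that also carry a management VLAN, pass a `permitted` set that includes it.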

I would do the same configuration if I was using an autonomous access point, and I would probably add a management VLAN as well. This configuration would need to be applied to every access point that is connected within the organization.

Wireless is going to continue to grow, and this is just another side of how much bandwidth wireless is going to take up. I find it hard to imagine that wired networks might be a thing of the past for end users, but it’s moving in that direction, especially when you can get more than 1Gbps out of a wireless connection. That changes things. You now must look at getting switches that support either NBASE-T or even just 10GBASE-T; otherwise, what’s the point of buying that 802.11ax access point? The silver lining in all of this is it gets cheaper on the switching side :) That’s all I got for now. I hope this information is helpful.