Cisco Aironet 1200 Series Access Point Software Configuration Guide
OL-2159-05
Chapter 4 Configuring VLANs
VLAN Security Policy
management traffic as well as the RADIUS traffic is routed to the access point through the native VLAN.
It is recommended that you restrict user access to the native (default) VLAN of the access points through
the use of Layer-3 ACLs and policies on the wired infrastructure side.
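The following is an added example, not configuration from the Cisco guide: one way to apply the recommended Layer-3 restriction on the routed interface of the wired switch that serves the access points' native VLAN. VLAN 10 as the native VLAN follows Figure 4-3; every subnet, host address and the ACL name are constructed assumptions.

```cisco
! Added example: constructed addressing, not taken from the guide.
!   VLAN 10  access point native (management) VLAN   10.0.10.0/24
!   10.0.50.0/28  network management stations (assumed)
!   10.0.50.20    RADIUS server (assumed)
!
! Applied outbound on the VLAN 10 routed interface, so it filters every
! packet the Layer-3 switch routes toward the access points, whatever
! user VLAN or SSID the packet came from.
ip access-list extended TO-AP-NATIVE-VLAN
 remark management stations may reach the access points
 permit ip 10.0.50.0 0.0.0.15 10.0.10.0 0.0.0.255
 remark RADIUS replies: authentication 1812, accounting 1813
 remark (use 1645 and 1646 instead if the server listens on the older ports)
 permit udp host 10.0.50.20 eq 1812 10.0.10.0 0.0.0.255
 permit udp host 10.0.50.20 eq 1813 10.0.10.0 0.0.0.255
 remark user VLANs and everything else: drop and log
 deny ip any any log
!
interface Vlan10
 description Access point native / management VLAN
 ip address 10.0.10.1 255.255.255.0
 ip access-group TO-AP-NATIVE-VLAN out
```

An ACL on the routed interface filters only traffic routed into VLAN 10. Devices bridged directly onto the native VLAN, such as clients of an SSID mapped to it, are on the same Layer-2 segment as the access points and are not covered by this ACL.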
You may or may not wish to map the native VLAN of the access point to an SSID (for example, to the
wireless ESS). Scenarios where the native VLAN must be mapped to an SSID are as follows:
• An associated workgroup bridge to be treated as an infrastructure device
• For a root bridge to connect to a nonroot bridge
In these scenarios, Cisco recommends that you configure an infrastructure SSID for each access point.
Figure 4-3 illustrates a combined deployment of infrastructure devices along with non-infrastructure
devices in an enterprise LAN. As the figure shows, the native VLAN of the access point is mapped to
the infrastructure SSID. WEP encryption along with TKIP (at least per-packet key hashing) should be
turned on for the infrastructure SSID. Cisco also recommends that you configure a secondary SSID as
the infrastructure SSID. The concepts of primary and secondary SSIDs are explained in the next section.
Figure 4-3 Deployment of Infrastructure and Non-infrastructure Devices
Primary and Secondary SSIDs
When multiple wireless VLANs are enabled on an access point or bridge, multiple SSIDs are created.
Each SSID maps to a default VLAN ID on the wireless side. IEEE 802.11 specifications require that only
one SSID be broadcast in the beacons, so you must define a primary SSID to be broadcast in the IEEE
802.11 beacon management frames. All other SSIDs are secondary SSIDs and are not broadcast in the
beacon management frames.
[Figure 4-3 labels: SSID = Guest; SSID = Employee; SSID = Infrastructure (infrastructure SSID, VLAN = 10); root access point; root bridge; nonroot bridge; workgroup bridge; repeater; branch office; 802.1Q trunks (native VLAN = 10); management VLAN (VLAN = 10); RADIUS server; enterprise network.]