Specifications
4-5
Cisco Aironet Access Point Software Configuration Guide
OL-0657-07
Chapter 4 Configuring VLANs
VLAN Security Policy
Note With an encryption key configured, the VLAN supports standardized WEP. However, TKIP, MIC, and
broadcast key rotation features can optionally be configured as noted above.
Table 4-1 lists the SSID and VLAN ID configuration parameters.
Broadcast Domain Segmentation
All Layer 2 broadcast and multicast messages are propagated over the air so that each WLAN client
receives broadcast and multicast traffic belonging to different VLANs. A wired client receives Layer 2
broadcast and multicast traffic only for its own VLAN. Therefore, a unique broadcast/multicast
encryption key is used to segment the Layer 2 broadcast domains on the wireless LAN. The unique
encryption key must be configured during initial VLAN setup. If broadcast key rotation is enabled, this
encryption key is generated dynamically and delivered to WLAN clients in IEEE 802.1x messages.
The requirement to segment broadcast domains on the wireless side restricts the use of unencrypted
VLANs per ESS. A maximum of one VLAN can be unencrypted per WLAN ESS. A WLAN client on an
encrypted VLAN should discard any unencrypted Layer 2 broadcast or multicast traffic it receives.
Native VLAN Configuration
The native VLAN setting on the access point must match the native VLAN of the wired trunk. Also, the
access point receives and communicates using the Inter-Access Point Protocol (IAPP) with other access
points in the same wireless LAN ESS using the native VLAN. Therefore, it is a requirement that all
access points in an ESS use the same native VLAN ID and that all Telnet and HTTP management traffic
be routed to the access point on the native VLAN. Cisco recommends that you map the native VLAN of
the access point to the management VLAN of the network and that you do not route the native VLAN of
the access point with non-native VLANs.
You may or may not wish to map the native VLAN of the access point to an SSID (for example, to the
wireless ESS). Scenarios where the native VLAN must be mapped to an SSID are as follows:
• For an associated workgroup bridge to be treated as an infrastructure device
• For a root bridge to connect to a nonroot bridge
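The rules in the Broadcast Domain Segmentation and Native VLAN Configuration sections above are easy to get wrong across several access points, so the following added example (not Cisco's code, and not part of this guide) checks a constructed ESS configuration against them: at most one unencrypted VLAN per ESS, a unique broadcast/multicast key per encrypted VLAN, one native VLAN ID across all access points in the ESS, and the native VLAN mapped to an SSID when workgroup bridges or nonroot bridges are expected to associate. The Vlan and AccessPoint structures, the sample key bytes and the SSID names are all assumptions made for the example.

```python
"""Rule checker for the VLAN constraints described in the guide.

Added example, not Cisco's code. It models an ESS as a list of access
points, each carrying a native VLAN ID and the VLANs it defines, and
reports violations of the rules stated on this page. Data structures
and sample values are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Vlan:
    vlan_id: int
    broadcast_key: Optional[bytes]      # None means an unencrypted VLAN
    ssid: Optional[str] = None          # SSID mapped to this VLAN, if any


@dataclass
class AccessPoint:
    name: str
    native_vlan: int
    vlans: List[Vlan] = field(default_factory=list)


def check_ess(aps: List[AccessPoint], bridge_clients: bool = False) -> List[str]:
    """Return a list of rule violations; an empty list means the ESS passes."""
    problems: List[str] = []

    # Rule: every access point in the ESS uses the same native VLAN ID,
    # because IAPP and management traffic travel on that VLAN.
    natives = {ap.native_vlan for ap in aps}
    if len(natives) > 1:
        problems.append(f"native VLAN differs across APs: {sorted(natives)}")

    # Collect the VLANs defined anywhere in the ESS, keyed by VLAN ID.
    by_id: Dict[int, Vlan] = {}
    for ap in aps:
        for v in ap.vlans:
            by_id.setdefault(v.vlan_id, v)

    # Rule: at most one unencrypted VLAN per ESS.
    unencrypted = [v.vlan_id for v in by_id.values() if v.broadcast_key is None]
    if len(unencrypted) > 1:
        problems.append(f"more than one unencrypted VLAN in ESS: {unencrypted}")

    # Rule: each encrypted VLAN segments its broadcast domain with its own key,
    # so two VLANs must never share a broadcast/multicast key.
    seen_keys: Dict[bytes, int] = {}
    for v in by_id.values():
        if v.broadcast_key is None:
            continue
        if v.broadcast_key in seen_keys:
            problems.append(
                f"VLAN {v.vlan_id} shares a broadcast key with VLAN {seen_keys[v.broadcast_key]}"
            )
        else:
            seen_keys[v.broadcast_key] = v.vlan_id

    # Rule: when workgroup bridges or nonroot bridges associate, the native
    # VLAN must be mapped to an SSID on every access point.
    if bridge_clients:
        for ap in aps:
            native = next((v for v in ap.vlans if v.vlan_id == ap.native_vlan), None)
            if native is None or native.ssid is None:
                problems.append(
                    f"{ap.name}: native VLAN {ap.native_vlan} is not mapped to an SSID"
                )

    return problems


def sample_ess(good: bool = True) -> List[AccessPoint]:
    """Constructed sample: two APs in one ESS; the bad variant breaks every rule."""
    k10, k20 = b"\x11" * 13, b"\x22" * 13   # constructed 104-bit key material
    if good:
        return [
            AccessPoint("ap1", 1, [Vlan(1, None, "mgmt"), Vlan(10, k10, "staff"), Vlan(20, k20, "guest")]),
            AccessPoint("ap2", 1, [Vlan(1, None, "mgmt"), Vlan(10, k10, "staff"), Vlan(20, k20, "guest")]),
        ]
    return [
        AccessPoint("ap1", 1, [Vlan(1, None), Vlan(10, k10, "staff"), Vlan(20, k10, "guest")]),
        AccessPoint("ap2", 5, [Vlan(30, None, "open")]),
    ]


if __name__ == "__main__":
    for label, cfg in (("good", sample_ess(True)), ("bad", sample_ess(False))):
        print(label, check_ess(cfg, bridge_clients=True) or "OK")
```

The checker deliberately deduplicates VLANs by ID before applying the per-ESS rules, so the same VLAN appearing on several access points with the same key is accepted, while the same key on two different VLAN IDs is flagged.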
Table 4-1 SSID and VLAN ID Configuration Parameters

Parameter                          SSID Parameter    VLAN ID Parameter
Authentication types               x                 x
Maximum number of associations     x
Encryption key (broadcast key)                       x
TKIP/MIC                                             x
WEP rotation interval                                x
Policy group                                         x
Default Priority (CoS mapping)