Cisco Aironet Access Point Software Configuration Guide
OL-0657-07
Chapter 4 Configuring VLANs
Guidelines for Deploying Wireless VLANs
You should evaluate the need for deploying wireless VLANs in your own environment. Cisco
recommends that you review the VLAN deployment rules and policies before considering wireless
VLAN deployment and that you use similar policies to extend wired VLANs to the wireless LAN. This
section details criteria for wireless VLAN deployment, a summary of rules for wireless LAN (WLAN)
VLAN deployment, and best practices to use on the wired infrastructure side when you deploy wireless
VLANs.
Criteria for Wireless VLAN Deployment
Criteria for wireless VLAN deployment are likely to be different for each scenario. The following are
the most likely criteria:
- Common resources being used by the WLAN:
  - Wired network resources, such as servers, commonly accessed by wireless users
  - QoS level needed by each application (default CoS, voice CoS, etc.)
- Common devices used to access the WLAN, such as the following:
  - Security mechanisms (static WEP, MAC authentication and EAP authentication supported by
    each device type)
  - Wired network resources, such as servers, commonly accessed by WLAN device groups
  - QoS level needed by each device group
- Revisions to the existing wired VLAN deployment:
  - Existing policies for VLAN access
  - Localized wired VLANs or flat Layer 2 switched network policies
  - Other affected policies
You should consider the following implementation criteria before deploying wireless VLANs:
- Use policy groups (a set of filters) to map wired policies to the wireless side.
- Use IEEE 802.1x to control user access to VLANs by using either RADIUS-based VLAN
  assignment or RADIUS-based SSID access control.
- Use separate VLANs to implement different classes of service.
- Adhere to any other criteria specific to your organization's network infrastructure.
Based on these criteria, you could choose to deploy wireless VLANs using the following strategies:
- Segmentation by user groups: You can segment your WLAN user community and enforce a
  different security policy for each user group. For example, you could create three wired and wireless
  VLANs in an enterprise environment for full- and part-time employees, as well as providing guest
  access.
- Segmentation by device types: You can segment your WLAN to enable different devices with
  different security levels to access the network. For example, you have hand-held devices that support
  only 40- or 128-bit static WEP coexisting with other devices using IEEE 802.1x with dynamic WEP
  in the same ESS. Each of these devices would be isolated into separate VLANs.
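
The following Python sketch is an added example, not part of the Cisco guide. It audits a wireless VLAN plan against two of the criteria above (one security mechanism per VLAN, one class of service per VLAN) and proposes a split for any VLAN that mixes them. The group names, VLAN IDs, policy labels and function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample plan: group names, VLAN IDs and labels are hypothetical.
PLAN = [
    {"group": "full-time", "vlan": 10, "security": "802.1x-dynamic-wep", "cos": "default"},
    {"group": "part-time", "vlan": 20, "security": "802.1x-dynamic-wep", "cos": "default"},
    {"group": "guest",     "vlan": 30, "security": "mac-auth",           "cos": "default"},
    {"group": "handhelds", "vlan": 10, "security": "static-wep-128",     "cos": "default"},
    {"group": "voice",     "vlan": 20, "security": "802.1x-dynamic-wep", "cos": "voice"},
]

def check_plan(plan):
    """Return sorted (vlan, rule, values) findings for VLANs that mix policies."""
    by_vlan = defaultdict(list)
    for entry in plan:
        by_vlan[entry["vlan"]].append(entry)
    findings = []
    for vlan, entries in by_vlan.items():
        for rule, key in (("mixed-security", "security"), ("mixed-cos", "cos")):
            values = sorted({e[key] for e in entries})
            if len(values) > 1:  # more than one mechanism or CoS on this VLAN
                findings.append((vlan, rule, tuple(values)))
    return sorted(findings)

def split_conflicts(plan, next_free):
    """Keep the first policy seen on each VLAN; move other policies to unused IDs."""
    used = {e["vlan"] for e in plan}
    owner = {}     # original VLAN -> first (security, cos) policy seen on it
    assigned = {}  # (original VLAN, security, cos) -> VLAN ID in the fixed plan
    fixed = []
    for e in plan:
        policy = (e["security"], e["cos"])
        key = (e["vlan"],) + policy
        if key not in assigned:
            if owner.setdefault(e["vlan"], policy) == policy:
                assigned[key] = e["vlan"]
            else:
                while next_free in used:  # never reuse an ID already in the plan
                    next_free += 1
                used.add(next_free)
                assigned[key] = next_free
        fixed.append({**e, "vlan": assigned[key]})  # copy; the input is not modified
    return fixed

if __name__ == "__main__":
    for finding in check_plan(PLAN):
        print("conflict:", finding)
    for entry in split_conflicts(PLAN, 40):
        print(entry["group"], "-> VLAN", entry["vlan"])
```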