Cisco Aironet Access Point Software Configuration Guide
OL-0657-07
Chapter 4 Configuring VLANs
A Wireless VLAN Deployment Example
This section outlines a typical use of wireless VLANs. For the example, assume your company, XYZ,
determines the need for wireless LANs in its network. Following the guidelines in the previous sections,
your findings are as follows:
• Five different groups are present at Company XYZ: full-time employees, part-time employees, contract employees, guests, and maintenance workers.
• Full-time and contract employees use company-supplied PCs to access the wireless network. The PCs are capable of supporting IEEE 802.1x authentication methods to access the wireless LAN.
• Full-time employees need full access to the wired network resources. The IT department has implemented application-level privileges for each user (using Microsoft NT or 2000 AD mechanisms).
• Part-time and contract employees are not allowed access to certain wired resources (such as HR or data storage servers). The IT department has implemented application-level privileges for part-time employees (using Microsoft NT or 2000 AD mechanisms).
• Guest users want access to the Internet and are likely to launch a VPN tunnel back to their own company headquarters.
• Maintenance workers use specialized hand-held devices to access information specific to maintenance issues (such as trouble tickets). They access the information from a server in an Application Servers VLAN. The handhelds only support static 40- or 128-bit WEP.
• Existing wired VLANs are localized per building and use Layer-3 policies to prevent users from accessing critical applications.
Using the information above, you could deploy wireless VLANs by creating four wireless VLANs as follows:
• A full-time VLAN and a part-time VLAN, each on its own SSID, using IEEE 802.1x with dynamic WEP and TKIP for WLAN access. User login is tied to the RADIUS server, which in turn uses the Microsoft back-end user database. This configuration makes single sign-on possible for WLAN users.
• RADIUS-based SSID access control for both full-time and part-time employee WLAN access. Cisco recommends this approach to prevent VLAN hopping, such as a part-time employee associating to the full-time SSID (and thus the full-time VLAN) with otherwise valid part-time credentials: the RADIUS server returns the SSIDs each user is permitted to use, and the access point rejects an association on any other SSID.
Note In this deployment scenario, VLAN IDs are local to each building while the SSIDs are the same campus-wide, so users can access the WLAN from anywhere within the campus. For this reason Cisco recommends that the RADIUS server enforce access by SSID rather than by fixed VLAN ID assignment; the access point then maps the permitted SSID to whichever VLAN is correct for its own building.
• A guest VLAN that uses the primary SSID with open authentication and no WEP. Policies are enforced on the wired network side to force all guest VLAN traffic to an Internet gateway and to deny access into the XYZ corporate network.
• A maintenance VLAN that uses open authentication with static WEP plus MAC address authentication, because the handhelds support nothing stronger. Policies are enforced on the wired network side to allow access only to the maintenance server on the Application Servers VLAN. Because a static WEP key is shared by every handheld and a MAC address can be cloned, that wired-side restriction is the control that actually bounds this VLAN.
Figure 4-5 shows the wireless VLAN deployment scenario described above.
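The following is an added example, not part of the guide and not Aironet code, that models the association decision the four-VLAN design above implies: per-SSID policy (802.1x, MAC authentication, or open), RADIUS-based SSID access control to stop a part-time user hopping onto the full-time SSID, and a per-building SSID-to-VLAN map showing why RADIUS should return an SSID and not a VLAN ID. All user names, passwords, MAC addresses, SSID names, building names and VLAN numbers are constructed for the example.

```python
"""Model of the Company XYZ wireless VLAN decision logic (illustrative only)."""

# --- Constructed RADIUS back end ---------------------------------------
# Each user record holds a password and the list of SSIDs the user may
# use.  On an Aironet AP the permitted SSID comes back in the RADIUS
# Access-Accept as a Cisco AV-pair "ssid=<name>"; the list below stands
# in for one such AV-pair per entry.
RADIUS_USERS = {
    "alice": {"password": "ft-secret", "ssid": ["xyz-fulltime"]},
    "bob":   {"password": "pt-secret", "ssid": ["xyz-parttime"]},
}

# MAC authentication for the maintenance handhelds.  The AP submits the
# client MAC address as the RADIUS user name, so the database holds one
# entry per registered device (constructed addresses).
RADIUS_MACS = {"0040961a2b3c", "0040961a2b3d"}

# --- Per-building AP configuration -------------------------------------
# SSID names and their security policy are the same campus-wide ...
SSID_POLICY = {
    "xyz-fulltime": "dot1x",   # 802.1x with dynamic WEP / TKIP
    "xyz-parttime": "dot1x",
    "xyz-guest":    "open",    # primary SSID, open authentication, no WEP
    "xyz-maint":    "mac",     # open + static WEP + MAC authentication
}
# ... but the VLAN behind each SSID is local to the building.  This is
# why RADIUS returns an SSID: a fixed VLAN ID would be wrong elsewhere.
BUILDING_VLANS = {
    "bldg-A": {"xyz-fulltime": 10,  "xyz-parttime": 20,  "xyz-guest": 30,  "xyz-maint": 40},
    "bldg-B": {"xyz-fulltime": 110, "xyz-parttime": 120, "xyz-guest": 130, "xyz-maint": 140},
}


def radius_user_auth(username, password):
    """802.1x back end: return the allowed-SSID list (Access-Accept) or
    None (Access-Reject)."""
    entry = RADIUS_USERS.get(username)
    if entry is None or entry["password"] != password:
        return None
    return list(entry["ssid"])


def radius_mac_auth(mac):
    """MAC authentication: Access-Accept only for a registered address."""
    return mac.replace(":", "").replace("-", "").lower() in RADIUS_MACS


def authorize(building, ssid, username=None, password=None, mac=None):
    """Decide whether a client may join `ssid` on an AP in `building`.
    Returns ("accept", vlan_id) or ("reject", reason)."""
    vlans = BUILDING_VLANS.get(building)
    if vlans is None or ssid not in vlans:
        return ("reject", "unknown building or SSID")
    policy = SSID_POLICY[ssid]
    if policy == "dot1x":
        allowed = radius_user_auth(username, password)
        if allowed is None:
            return ("reject", "802.1x authentication failed")
        # SSID access control: valid credentials are not enough; the
        # RADIUS reply must name the SSID the client actually used.
        if ssid not in allowed:
            return ("reject", "SSID not permitted for user")
    elif policy == "mac":
        if mac is None or not radius_mac_auth(mac):
            return ("reject", "MAC authentication failed")
    # "open" (guest): no authentication; the wired side confines traffic.
    return ("accept", vlans[ssid])


if __name__ == "__main__":
    print(authorize("bldg-A", "xyz-fulltime", "alice", "ft-secret"))   # accept, VLAN 10
    print(authorize("bldg-A", "xyz-fulltime", "bob", "pt-secret"))     # reject: VLAN hop
    print(authorize("bldg-B", "xyz-parttime", "bob", "pt-secret"))     # accept, VLAN 120
    print(authorize("bldg-A", "xyz-guest"))                            # accept, VLAN 30
    print(authorize("bldg-B", "xyz-maint", mac="00:40:96:1a:2b:3c"))   # accept, VLAN 140
```

The second call is the case the SSID access control exists for: bob's password is correct, but the RADIUS reply only permits xyz-parttime, so the association on xyz-fulltime is refused. The third call shows the same user landing in a different VLAN number in a different building without any change to the RADIUS data, which is what a fixed VLAN ID assignment could not do.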