Specifications

Configuring and Managing VLANs

4-14 Configuring and Managing Ports and VLANs

Configuring and Managing VLANs

Understanding VLANs in Enterasys Networks MSS

AvirtualLAN(VLAN)isaLayer2broadcastdomainthatcanspanmultiplewiredorwireless

LANsegments.EachVLANisaseparatelogicalnetworkand,ifyouconfigureIPinterfacesonthe

VLANs,MSStreatseachVLANasaseparateIPsubnet.

Onlynetworkportscanbepreconfiguredto

bemembersofoneormoreVLAN(s).Youconfigure

VLANsonaRoamAboutSwitch’snetworkportsbyconfiguringthemontheswitchitself.You

configureaVLANbyassigninganameandnetworkportstotheVLAN.Optionally,youcan

assignVLANtagvaluesonindividualnetworkports.Youcan

configuremultipleVLANsona

RoamAboutSwitch’snetworkports.Optionally,eachVLANcanhaveanIP address.

VLANsarenotconfiguredonwiredauthenticationports,becausetheVLANmembershipofthese

typesofportsisdetermineddynamicallythroughtheauthenticationandauthorizationprocess.

UserswhorequireauthenticationconnectthroughRoamAboutSwitch

portsthatareconfigured

forwiredauthenticationaccess.UsersareassignedtoVLANsautomaticallythrough

authenticationandauthorizationmechanismssuchas802.1X.

Bydefault,noneofaRoamAboutSwitch’sportsareinVLANs.Aswitchcannotforwardtrafficon

thenetworkuntilyouconfigureVLANsandaddnetworkportsto

thoseVLANs.

VLANs, IP Subnets, and IP Addressing

Generally,VLANsareequivalenttoIPsubnets.IfaRoamAboutSwitchisconnectedtothe

networkbyonlyoneIPsubnet,theswitchmusthaveatleastoneVLANconfigured.Optionally,

eachVLANcanhaveitsownIPaddress.However,notwoIPaddressesontheswitchcanbelong

tothe

sameIPsubnet.

YoumustassignthesystemIPaddresstooneoftheVLANs,forcommunicationsbetween

RoamAboutswitchesandforunsolicitedcommunicationssuchasSNMPtrapsandRADIUS

accountingmessages.AnyIPaddressconfiguredonaRoamAboutSwitchcanbeusedfor

managementaccessunlessexplicitly restricted.(For

moreinformationaboutthesystemIP

address,seeChapter 5,”ConfiguringandManagingIPInterfacesand Services”.)

Note: The CLI commands in this chapter configure VLANs on RoamAbout Switchnetwork ports. The

commands do not configure VLAN membership for wireless or wired authentication users. To assign

a user to a VLAN, configure the RADIUS Tunnel-Private-Group-ID attribute or the VLAN-Name

vendor specific attribute (VSA) for that user. (For more information, see Chapter 17, ”Configuring

AAA for Network Users”.)

Note: A wireless client cannot join a VLAN if the physical network ports on the RoamAbout Switchin

the VLAN are down. However, a wireless client that is already in a VLAN whose physical network

ports go down remains in the VLAN even though the VLAN is down.