Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
426
Views
5
Helpful
1
Replies

Multiple networks on one SSID and private-VLANs

Spork Schivago
Level 1
Level 1

‎01-26-2019 02:57 PM

Hi!

I am reading about private-VLANs and I think they might be the solution to my current issue.   I currently have two VLANs, and two wireless SSIDs.   VLAN1 (10.0.0.0 / 24) is mapped to the Company SSID, VLAN40 (10.0.40.0 / 24) is mapped to the Company's Guests SSID.

I have a need for more networks though and I know I can just create more VLANs and more wireless SSIDs, but I'm trying to do it without creating anymore SSIDs.   I see this when I google private-VLANs:

A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains, allowing you to 
isolate the ports on the switch from each other.

That sounds like something I could use.   I was thinking maybe instead of creating multiple VLANs and SSIDs, I could partition the two VLANs I currently have and try to isolate the devices.    For example, on the Company VLAN, only company equipment can be on it.   We have some residential devices that need to be connected to the internet as well though, such as our car, garage door opener, game consoles, etc.   I didn't want to put some of these on the guest network for various reasons.


I do not think access groups are a solution, because the wireless APs for the guests and the company stuff are the same APs.   They're not in different buildings or anything.   I have a Cisco C1111-8PW router, three Cisco 1832i wireless APs.   The C1111 has a built-in WLC and AP.


Would the private-VLANs be the best way to go here?   I was reading there was some way to do this with something called 802.1x authentication or something, but I'm having a hard time finding examples of how to configure something like this with the 802.1x authentication.

Thanks.

Labels:
0 Helpful
1 Reply 1

Francesco Molino
VIP Alumni
VIP Alumni

‎01-26-2019 10:34 PM

Hi

On controller based AP, you can go to the advanced tab and deny P2P between clients.

I would recommend using the 802.1x solution.
There was a recent post talking about it on the forum. Take a look here:
https://community.cisco.com/t5/identity-services-engine-ise/dynamic-vlan-assignment-ise-and-wlc/td-p/3572816

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card