05-13-2003 10:36 AM - edited 07-04-2021 08:42 AM
I'm implementing a large WLAN for a hospital. They will be using Cisco VPN and RSA OTP to provide authentication and data confidentiality/integrity. They also desire a Wireless LAN Solution Engine.
I wish to create a "user" VLAN-SSID mapping, and a "wireless network management" VLAN-SSID mapping, so I can require users to use VPN to get off their local segment, but also use WLSE & HPOV to manage the WAPs via a management interface.
To trunk the mgmt vlan, I think I need to map it to an ssid on the WAP. However, I do not want the mngmt vlan/ssid to accept client associations. I basically only want the mngmt vlan to exist on the wire and at the AP, not on the RF.
How would I accomplish this?
05-13-2003 08:25 PM
It is a little bit of a kludge to do this but.
On the vlan SSID page set the max allowed associations to 1 (0 will mean max number of associations will be 2047). This will allow only one client to associate. Now you can block this one by creating a MAC address filter on that VLAN that has no MAC address in it and the default action for both multicast and unicast is discard.
You could do just the filter, but if the filter is ever turned off then you have the added bonus of only one client getting through.
David
05-15-2003 08:02 AM
Hello,
One way I tried to do that was by, on the security setup page, where you choose the type of security association you want (Network EAP, OPEN, etc.), I noticed that there was the option to NOT check any box. Is it a bug or a feature?
We are using that in order to have the "management Vlan" of the AP on it, and not to allow wireless clients to do it.
My question is, is that safe? Is it recommended? Is there any info against it?
Thank you
05-15-2003 08:08 AM
Hmmm....seems a lot cleaner than creating bogus MAC filters!
Cisco? Any response?
05-19-2003 12:13 AM
Hi,
This is exactly what I am doing too. I leave all the boxes unchecked, and it seems to work.
I assume that you are using SSID ID [0] for the "management vlan". Are you able to change the type of security association for SSID [0] using the CiscoWorks WLAN Solutions Engine? I can't seem to figure this one out.
06-05-2003 06:58 AM
I have configured a management vlan 1, and a public vlan 112. My native vlan is 1, I have only the vlan 112 mapped to an ssid public.
I receive some warnings in the log, but it works fine.
06-09-2003 11:49 AM
Hello there,
I implement two VLANs: one for the users (public Vlan184) and one for management (WAPs only Vlan46). Everything works fine for my Cisco clients; however, the 802.1x clients cannot associate. I checked Cisco's configuration, but it's rather confusing.
Any pointers?
Thank you,
Carlos Tinajero
IBM-CCNA