
Management VLAN - SSID mapping

ED CARMODY
Level 4

I'm implementing a large WLAN for a hospital. They will be using Cisco VPN and RSA OTP to provide authentication and data confidentiality/integrity. They also desire a Wireless LAN Solution Engine.

I wish to create a "user" VLAN-SSID mapping, and a "wireless network management" VLAN-SSID mapping, so I can require users to use VPN to get off their local segment, but also use WLSE & HPOV to manage the WAPs via a management interface.

To trunk the mgmt VLAN, I think I need to map it to an SSID on the WAP. However, I do not want the mngmt VLAN/SSID to accept client associations. I basically only want the mngmt VLAN to exist on the wire and at the AP, not on the RF.

How would I accomplish this?


derwin
Level 5

It is a little bit of a kludge to do this but.

On the VLAN SSID page, set the max allowed associations to 1 (0 will mean max number of associations will be 2047). This will allow only one client to associate. Now you can block this one by creating a MAC address filter on that VLAN that has no MAC address in it and where the default action for both multicast and unicast is discard.

You could do just the filter, but if the filter is ever turned off, then you have the added bonus of only one client getting through.

David

Hello,

One way I tried to do that was by, on the security setup page, where you choose the type of security association you want (Network EAP, OPEN, etc.), I noticed that there was the option to NOT check any box. Is it a bug or a feature?

We are using that in order to have the "management VLAN" of the AP on it, and not to allow wireless clients to do it.

My question is, is that safe? Is it recommended? Is there any info against it?

Thank you

Hmmm....seems a lot cleaner than creating bogus MAC filters!

Cisco? Any response?

Hi,

This is exactly what I am doing too. I leave all the boxes unchecked, and it seems to work.

I assume that you are using SSID ID [0] for the "management VLAN". Are you able to change the type of security association for SSID [0] using the CiscoWorks WLAN Solutions Engine? I can't seem to figure this one out.

fabian@zurich
Level 1

I have configured a management VLAN 1 and a public VLAN 112. My native VLAN is 1; I have only the VLAN 112 mapped to an SSID public.

I receive some warnings in the log, but it works fine.

Hello there,

I implement two VLANs: one for the users (public Vlan184) and one for management (WAPs only Vlan46). Everything works fine for my Cisco clients; however, the 802.1x clients cannot associate. I checked Cisco's configuration, but it's rather confusing.

Any pointers?

Thank you,

Carlos Tinajero

IBM-CCNA
