Single SSID with multiple vlans

AhmAd_Rabie
Level 1

Hello all,

I have a question for wireless networking engineers

It's known that SSID supports only one vlan

but is there any way to make a single SSID have multiple Vlans?

This will be needed when a company has multiple departments, each department is assigned to a different vlan, and we need all of these departments to use the same SSID.

I've read about a similar case in which we can use a radius server which is needed to authenticate users and assign them to their vlans based on their authentication. But will this allow the SSID to have multiple vlans at the same time? I mean, will this allow 3 users from 3 different vlans, for example, to use the same SSID and connect to the wireless network simultaneously?

Thanks in advance

11 Replies

misha_bac
Level 1

Hi there, if your APs which should put users in different VLANs are separated geographically (they don't see each other) you can use AP groups, read more at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml

Second option - using Cisco ACS and dynamic VLAN assignment: as you said, after authentication, ACS will send to the WLC special fields that will force the WLC to put this particular user in a different VLAN. But bear in mind that you should use 802.1x auth for that. Read more at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

Hope this helps.

This is great, thank you for the information

But let me stress what I want to make sure of: can multiple users in different vlans join the same SSID simultaneously?

In other words can vlan1, vlan2, vlan3, vlan4 and vlan5 be members of the same SSID at the same moment ?

Thanks for your reply

In other words can vlan1, vlan2, vlan3, vlan4 and vlan5 be members of the same SSID at the same moment ?

Well, such a question confused me, because I read it like "can a user connected to the SSID be in several VLANs at the same time" - the answer is no. Because they should get an IP, and this IP will be only from one subnet :-)

Let me draw a picture of how dynamic VLAN assignment works, because I think this will be the solution for your problem.

Suppose you have a department of managers and engineers, and you have SSID "Acme", and you would like it so that when managers connect to "Acme" they go to VLAN 100, and when engineers connect to the same "Acme" SSID they go to VLAN 200.

In ACS you create a group of engineers and a group of managers, and assign rules so that when a user (he should enter his username and password upon connection to the SSID; this is where you need 802.1X, and you have to check that users' devices support it) connects to the SSID, his VLAN should be 100 or 200.

So, when one of the managers connects he will be put in VLAN 100, and when engineers do the same - they get VLAN 200 and it doesn't matter what the controller settings say about this SSID, this SSID can be mapped to VLAN 100, but all engineers will go to VLAN 200 anyway.

Was this scenario what you were asking for and meant by "several vlans be members of the same SSID at the same moment"?

Hi misha_bac

Please don't be confused. Yes, the scenario you stated is very similar to the scenario I'm talking about, so let's discuss it more.

"So, when one of the managers connects he will be put in VLAN 100, and when engineers do the same - they get VLAN 200 and it doesn't matter what the controller settings say about this SSID, this SSID can be mapped to VLAN 100, but all engineers will go to VLAN 200 anyway."

This is good, so for example the engineers can connect to VLAN 200 using the "Acme" SSID while the managers are already connected to VLAN 100 using the same "Acme" SSID. Will this keep the managers connected to VLAN 100 or will this log them out?

I mean when a manager is already connected to VLAN 100 can an engineer connect to VLAN 200 using the same SSID without affecting the managers?

And can this be achieved for more than 2 departments? Consider the company has 20 deps. in 20 different VLANs, can all of them use the same SSID?

Thanks for your great answers

"Consider the company has 20 deps. in 20 different VLANs, can all of them use the same SSID?"

Yes, if there is dynamic vlan assignment on the authentication server. You associate the SSID to the management interface, and then trunk 20 dynamic interfaces to the wlc. The authentication server passes the interface name back to the WLC which maps clients to different vlans on the wired network.

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808c9bd1.shtml

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

Another way to have people on different subnets using the same SSID is to configure access points into different AP Groups which are linked to different subnets, that is doing it on a per AP basis rather than per user basis.
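The per-user assignment discussed in this thread, sketched as an added example that is not part of any post here and is not Cisco code. It uses the standard RFC 3580 tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) rather than the interface-name approach mentioned above; the group table, function names and allowed-VLAN check are assumptions made for illustration.

```python
import struct

# RFC 2868 / RFC 3580 attribute numbers used for dynamic VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81
TYPE_VLAN, MEDIUM_802 = 13, 6

# Hypothetical policy: group names and VLAN IDs follow the thread's example
GROUP_VLAN = {"managers": 100, "engineers": 200}

def _tagged_int(attr, value, tag=0):
    # Wire layout: Type, Length=6, Tag, 3-byte value
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")

def vlan_attributes(group):
    """Server side: attributes appended to the Access-Accept for this group."""
    vid = str(GROUP_VLAN[group]).encode()
    pgid = struct.pack("!BBB", TUNNEL_PGID, 3 + len(vid), 0) + vid
    return (_tagged_int(TUNNEL_TYPE, TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM, MEDIUM_802) + pgid)

def parse_vlan(attrs, allowed_vlans):
    """Authenticator side: VLAN ID to apply, or None to keep the SSID default.

    Raises ValueError on malformed, partial or out-of-policy assignments so a
    bad reply never silently places a client in the wrong segment.
    """
    found, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute list")
        found[attrs[i]] = attrs[i + 2 : i + attrs[i + 1]]
        i += attrs[i + 1]
    tunnel = {k: found[k] for k in (TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID) if k in found}
    if not tunnel:
        return None  # nothing sent: client stays on the SSID's own interface
    if len(tunnel) != 3:
        raise ValueError("incomplete tunnel attribute set")
    if (int.from_bytes(tunnel[TUNNEL_TYPE][1:], "big") != TYPE_VLAN
            or int.from_bytes(tunnel[TUNNEL_MEDIUM][1:], "big") != MEDIUM_802):
        raise ValueError("tunnel is not an 802 VLAN")
    pgid = tunnel[TUNNEL_PGID]
    if pgid and pgid[0] <= 0x1F:  # optional leading tag byte
        pgid = pgid[1:]
    if not pgid.isdigit() or int(pgid) not in allowed_vlans:
        raise ValueError("VLAN not permitted on this trunk")
    return int(pgid)
```

Two clients authenticating to the same SSID get different results from `parse_vlan` purely because of the group their credentials matched, which is why a pre-shared key cannot drive this mapping.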

Can this be done with Windows 2003 RADIUS (IAS)? I've been able to do everything else I need to manage a WLC w/o ACS.

Ah, never mind, found another thread:

https://supportforums.cisco.com/thread/339396

Hi Mc Carthy,

I do understand that

1) configuring multiple VLANs with a single SSID would require using a Wireless Controller. Is this possible without using a WLC?

2) configuring multiple SSIDs with a single VLAN doesn't need a WLC. This can be achieved without using a WLC.

Can you please provide a CLI & GUI guide on this?

I mean when a manager is already connected to VLAN 100 can an engineer connect to VLAN 200 using the same SSID without affecting the managers?

And can this be achieved for more than 2 departments? Consider the company has 20 deps. in 20 different VLANs, can all of them use the same SSID?

Yes, managers won't be disconnected. And it will definitely work for 20 VLANs as well as for 2.

But I point again to the major thing - it will be 802.1X auth, so clients should understand how to use it. You won't be able to use the usual WPA2-PSK method - keep this in mind, because you have to somehow tell ACS that you're a "manager" or you're an "engineer", and that's done by entering a username/password or certificates.

I see your response as an acceptable answer in your scenario, but how does it work if the devices are "Smart Devices" without an authentication log-in to differentiate access thru credentials? What if it consisted of device types within a Smart Home, per se?

Leo Laohoo
Hall of Fame

802.1X will assign authenticated users to the correct VLANs.