Dynamic VLAN for wireless

Hi Team,
I have a doubt.
In our office we have 4 access points, and as the number of WiFi users increases we are planning to create 4 VLANs, with each VLAN having one AP. The problem is that when WiFi users roam from one AP to another AP, i.e. from one VLAN to another VLAN, they get disconnected.
My question is: if I deploy dynamic VLAN, will the client be able to get connected to the internet when roaming from one VLAN to another VLAN without any hiccups? This can be a real issue when they are on a call or transferring files.
Below is our current network topology:
Router: LAN: 192.168.1.1 255.255.255.0
DHCP Scope on Router:
VLAN1 - 192.168.1.3 - 250 
VLAN10 - 192.168.10.3 - 250
VLAN20 - 192.168.20.3 - 250
VLAN30 - 192.168.30.3 - 250
VLAN40 - 192.168.40.3 - 250
Switch SG300: L3 Mode
VLAN1 - ip 192.168.1.254 (Default VLAN)
VLAN10 - ip 192.168.10.254
VLAN20 - 192.168.20.254
VLAN30 - 192.168.30.254
VLAN40 - 192.168.40.254
AP1 = VLAN10, AP2 = VLAN20, AP3 = VLAN30, AP4 = VLAN40
All local routing between the VLANs is taken care of by the switch, and the router routes the traffic for all VLANs when a client wants to go to the internet.
Please help.

Hi,
Can you please mention whether you are using any controller for these APs?
If so, they should not disconnect, because all the traffic is handled by the controller.
Let's say you have client 1 on AP1 as below:
client1- AP1---- AP2
When it roams from AP1 to AP2 it should not disconnect. Due to the mobility functionality, the client should neither disconnect nor lose traffic. Only the controller gets updated with the AP binding table.

Similar Messages

  • Separate vlan for wireless voice

    Hi all, I'm about to embark on reconfiguring my home lab. At present I have just 2 VLANs, which are for VoIP and data. I'm going to split my network so I have the following:
    Data VLAN for our home PCs
    Voice VLAN for phones
    1 wireless VLAN for home laptops
    1 wireless VLAN for games consoles
    1 wireless guest access so I don't have to give out my own ssid credentials
    1 Management VLAN
    My question is do I have a separate VLAN for wireless VOIP or do I just use the same Voice VLAN?
    Regards
    Martyn
    Sent from Cisco Technical Support iPad App

    Martyn:
    Both solutions are valid. You can use the current voice VLAN or create a new VLAN.
    If you create a new VLAN you need to apply needed QoS to wired side as well.
    If your current Voice VLAN is already configured for QoS, then using it for wireless voice is easier.
    So the preferred option is to use your current voice VLAN for wireless voice as well.
    HTH
    Amjad

  • ISE change of VLAN for wireless endpoints

    Hi,
    I have configured a posture policy on ISE for posture-compliant and non-compliant endpoints such that posture-compliant endpoints will fall in the clean VLAN and non-compliant ones will fall in the other.
    Now, my issue is that even if an endpoint is posture compliant, it is not getting placed in the clean VLAN. To get an IP address from the clean VLAN, it requires ipconfig /release and ipconfig /renew to be done manually.
    How do I resolve the issue?
    regards,
    aditya

    Aditya,
    At the end of a posture process (the NAC agent informs ISE about the compliance status), the endpoint has already grabbed an IP address on the VLAN it is placed in as per the WLAN settings.
    If at this point you push down an overriding VLAN attribute in the access-accept (compliant or not), the WLC will successfully switch the client to the new VLAN, but there is no way to force the client to go through a DHCP release/renew.
    The only way to trigger something like this after the endpoint has grabbed an IP address in the old VLAN is to redirect the endpoint back to one of ISE's portals (CWA / DRW) and then trigger a VLAN DHCP release/renew through a Java applet. This is the solution salodoh is referring to.
    That is the reason why we always recommend dynamic VLAN assignment only as a result of a layer 2 authentication (when the client hasn't grabbed an IP yet).
    Regards,
    Tony 

  • VLANs for Wireless LAN controller

    Hello,
    Just finished the configuration of the wireless controller and connected the access point.
    I have a scheme like this:
    Cisco 3945 with WLC on SRE------TRUNK-------L3 switch-------TRUNK----------L2 switch--------ACCESS PORT-------ACCESS POINT-----WIRELESS----CLIENT
    2 VLANs on the WLC (with DHCP on the router):
    1. management (VLAN 200 for management and access points - works fine)
    2. clients (VLAN 300; all settings are the same, except the Enable Dynamic AP Management setting, which is off, and the IP subnet; DHCP is on the router too).
    Clients are able to connect, but they can't get an address or ping the gateway of the clients VLAN (if I put this VLAN in the WLAN Interface/Interface Group(G) setting), but everything is fine if I set the management VLAN in the Interface/Interface Group(G) setting of the WLAN.
    Do I need to add any additional settings on the switches or on the router to allow this clients VLAN?
    P.S. I am able to ping both VLANs, or get a DHCP address from the switch and router.

    Yes, just as a test, I set up an IP from the clients VLAN on the L2 switch, and from that switch I am able to ping the controller interface (clients interface).
    Just to be clear, do I need to have both VLANs (ap-management and clients VLANs) on all the switches and the router in my setup?
    As I understand it, I need to have the ap-management VLAN only on the L2 and L3 switches. Do any other VLANs go through the tunnel between the AP and the WLC?

  • VLAN for Wireless network

    Dear Team,
    If wireless is setup in a corporate network and there is no requirement to provide guest access to outside users, is it still recommended to segregate the Wireless network? What are the advantages for segregating wireless network considering that wireless users will have complete access to corporate network. Kindly share your views if the total number of users in office is less than 50.
    Reason is because, we do not have a Layer 3 switch, hence if VLAN is required for small number of users, we will have to enable it on the WAN router.
    Would appreciate if you can share any documentation related to best practices. Thank you.
    Regards,
    Manoj

    Hi Manoj,
    I agree with Scott,
    If you have the same subnet for wired & wireless, then devices like laptops will get the same network IP for wired & wireless; client devices may not like that & sometimes may not work.
    It is always a good idea to have two separate networks for wired & wireless. From a scalability point of view, having an L3 switch in your network is always beneficial.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Critical VLAN for Wireless Users

    Hi
    I have a setup where all users (LAN & wireless) are being authenticated using Dot1x with ACS.
    In case of ACS failure (without a secondary one), I know I can configure the switch port on the LAN to have a critical VLAN, so in case ACS is detected as dead, a new user being authenticated is assigned to the critical VLAN.
    Is there any similar solution for users connecting through the wireless connection? Can we do a critical VLAN in case of ACS failure, or anything similar to it, knowing that there is a WLC in the setup with lightweight access points?
    Thanks
    Best regards,

    Hello,
    Since in a wireless network the RADIUS server has an active part in the encryption key derivation, the WLC can't just grant network access to the end client when the RADIUS server is down, as the client wouldn't have the necessary keying material (nor would the WLC).
    The best option would be to either have multiple RADIUS servers, or to make the WLC act as a RADIUS server and use it as a backup method, so that if your RADIUS server is down, your WLC will handle the RADIUS request and generate the keying material. The issue is that you will need to have a consistent user database on the WLC.
    The easiest way would be to have a separate SSID with legacy WPA/WPA2 that is preconfigured on the clients' computers, and allow network access to this SSID only when the primary SSID with Dot1x is down. This can be done manually, or on the layer 3 gateway using PBR/EEM.
    For example, with PBR you can set the output interface to null0 for traffic originating from the WPA SSID only if the RADIUS server is reachable, and otherwise let the traffic flow.

  • Can router dhcp different addresses to different vlans for wireless clients

    Is it possible for the router to hand out different IPs to wireless clients on different VLANs?

    Yes, the router needs to have a DHCP pool on each subnet and have an "interface Vlan x" for each VLAN. It will then assign IPs to clients in different VLANs.
    One vlan per SSID.

  • 871W can use 1 vlan for wireless and wire client?

    Any example, Thanks.

    Here is the URL for the configuration for the 871W and vlan configuration which will help you :
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080608364.shtml#maintask1
    http://www.cisco.com/en/US/docs/routers/access/1800/wireless/configuration/guide/s37vlan.html#wp1034625

  • Auto assign vlan for Wireless AP 1142

    Hi,
    Instead of statically assigning a vlan to a switch port where the AP is connected, is there a way to use 802.1x or NAC to assign the right vlan to an AP itself (not the clients)?

    You should be able to do this if you set up switchport authentication on the switch the AP is connecting to and have the IETF attributes 64, 65, and 82 passed down from the RADIUS server.

  • ACS- Dynamic VLANS for different ACS groups with AD

    Hi all,
    How do I tie different Active Directory domain groups to different ACS-defined groups? Each domain group will be tied to an ACS-defined group with a different VLAN. I read about the option in help but don't see the option to actually do it.
    using ACS 3.3.
    JT

    You could refer to the document 'User Group Mapping and Specification' at http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user02/qg.htm#.

  • 802.1x dynamic vlan assignment using ACS 4.2

    Hi
    We have 10 2960 switches configured with 802.1x authentication against an ACS 4.2 server.
    We have 2 VLANs configured on the switches, for administrators and end users. The end user VLAN ID is 10 and the administrator VLAN ID is 100.
    We need to apply the following scenario: if the end user PC, which is connected to VLAN 10, has an issue and the administrator logs in to the PC with the administrator account to fix that issue, the switch should dynamically reconfigure the port with the administrator VLAN (100).
    Is the above scenario doable using dot1x with the ACS server?
    waiting your replies
    Mohamed

  • 802.1x Dynamic Vlan assignment using ACS

    Hi,
    I have the following scenario
    2 buildings with multiple floors
    Each floor should be in a different VLAN.
    The network should be authenticated with 802.1x and each switch port should be assigned a dynamic VLAN from ACS.
    Each user should be able to connect and roam around between any building. Whenever a user connects his laptop on any floor, he should be made part of that respective VLAN. It is not required to have the same IP range allocated, but the dynamic VLAN should be based on the switch port location.
    Can I configure ACS in such a way that ACS will allocate a dynamic VLAN for every 802.1x authentication based on the Network Device Group? Please refer to the attached diagram.

    Hi,
    Check out the link below for your requirement for dynamic VLAN assignment using ACS:
    http://www.ciscosystems.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post

  • Dynamic vlan

    I am thinking of configuring a dynamic vlan for some of the devices on our LAN. Can you share with me your experience with dynamic vlans? Thank you.

    You should use dynamic VLANs, aka VMPS, when you require or want specific MAC addresses to be able to connect to the switch, and when you don't want unknown MAC addresses connecting to the switch.
    If you have no need to monitor/maintain which MAC addresses connect to your switch, then VMPS will not be required and will only provide additional administration overhead.
    If you do need/want VMPS, please see this link for VMPS configuration and design:
    http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a008012238d.html

  • Dynamic vlan assignment with single SSID

    Hi All,
    I have 300 APs deployed and concurrent client associations that number 3000+ daily.
    At the moment I have a single subnet for all users; there is no authentication, just a click-through page with email entry to gain access.
    The APs are assigned to groups based upon the building zone they are in. Is it possible to assign a VLAN based upon the AP the user is associated to but still only broadcast a single SSID?
    TIA

    You can assign a dynamic VLAN for 802.1X authentication using AAA override from the RADIUS server.
    In your case, since it is a webconsent SSID, you can use AP groups to put clients on different VLANs per the AP group.
    Sent from Cisco Technical Support iPhone App
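
The AAA override path mentioned in the reply above relies on the RADIUS Access-Accept carrying the RFC 3580 VLAN attributes: Tunnel-Type (64) = VLAN, Tunnel-Medium-Type (65) = IEEE-802 and Tunnel-Private-Group-ID (81). As an added example that is not part of the original thread, this Python code decodes an Access-Accept and reports a VLAN only when all three are present under the same tunnel tag; the function names and both sample packets are constructed for illustration.

```python
import struct

# RADIUS attribute numbers (RFC 2868) and the values RFC 3580 uses for VLANs.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6
ACCESS_ACCEPT = 2

def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def tagged_int(attr_type, number, tag=0):
    """Tunnel-Type / Tunnel-Medium-Type: one tag byte plus a 24-bit value."""
    return attr(attr_type, bytes([tag]) + number.to_bytes(3, "big"))

def packet(attrs, code=ACCESS_ACCEPT, ident=1):
    """Constructed packet: 20-byte header with a zeroed authenticator."""
    return struct.pack("!BBH16s", code, ident, 20 + len(attrs), bytes(16)) + attrs

def parse_attrs(pkt):
    """Yield (type, value) pairs, rejecting malformed lengths."""
    if len(pkt) < 20:
        raise ValueError("short RADIUS header")
    _code, _ident, length, _auth = struct.unpack("!BBH16s", pkt[:20])
    if length < 20 or length > len(pkt):
        raise ValueError("bad packet length")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        yield attr_type, pkt[pos + 2:pos + attr_len]
        pos += attr_len

def vlan_assignment(pkt):
    """Return the VLAN id/name if one tunnel tag carries all three attributes."""
    tunnels = {}
    for attr_type, value in parse_attrs(pkt):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tunnel attribute must be 4 bytes")
            tunnels.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first byte <= 0x1F is a tag; otherwise it is part of the string.
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            tunnels.setdefault(tag, {})[attr_type] = text.decode("ascii", "replace")
    for tag in sorted(tunnels):
        t = tunnels[tag]
        if (t.get(TUNNEL_TYPE) == TYPE_VLAN and t.get(TUNNEL_MEDIUM_TYPE) == MEDIUM_IEEE_802
                and t.get(TUNNEL_PRIVATE_GROUP_ID)):
            return t[TUNNEL_PRIVATE_GROUP_ID]
    return None

# Constructed samples: a complete assignment to VLAN 10, and one missing attribute 65.
ACCEPT_OK = packet(tagged_int(TUNNEL_TYPE, TYPE_VLAN) + tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
                   + attr(TUNNEL_PRIVATE_GROUP_ID, b"10"))
ACCEPT_INCOMPLETE = packet(tagged_int(TUNNEL_TYPE, TYPE_VLAN) + attr(TUNNEL_PRIVATE_GROUP_ID, b"10"))
```

Running `vlan_assignment` over attributes captured from the RADIUS server's reply shows whether an incomplete attribute set, rather than the controller, is why a client stays in the WLAN's default VLAN.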

  • Managed subnet and dynamic vlans

    Hi all,
    I am confused about managed subnets. We have 3 untrusted VLANs, 9 trusted VLANs and 3 separate VLANs for VLAN mapping. All VLANs have different IP subnets, but the untrusted VLANs don't have an IP subnet; it will be another VLAN's IP subnet. So which VLAN and which subnet IP should I use for the managed subnet?
    Here is the detail of the VLANs and IPs:
    Untrusted VLAN
    101 for floor 1
    102 for floor 2
    103 for floor 3
    We have separate VLANs for VLAN mapping:
    101 <-> 901 (172.30.1.0/24)
    102 <-> 902 (172.30.2.0/24)
    103 <-> 903 (172.30.3.0/24)
    In the initial phase, untrusted clients should get a 172.30.X.X range IP address from DHCP, and trusted clients should get an IP address as per the trusted VLANs as follows:
    Trusted VLAN (IP subnet)
    501 for floor 1 sales dept (192.168.1.0/24)
    502 for floor 2 sales dept (192.168.2.0/24)
    503 for floor 3 sales dept (192.168.3.0/24)
    601 for floor 1 mkt dept (192.168.4.0/24)
    602 for floor 2 mkt dept (192.168.5.0/24)
    603 for floor 3 mkt dept (192.168.6.0/24)
    701 for floor 1 admin dept (192.168.7.0/24)
    702 for floor 2 admin dept (192.168.8.0/24)
    703 for floor 3 admin dept (192.168.9.0/24)
    And I need to configure dynamic VLAN for all users. E.g. if a user is from the sales department and logs in from floor 1, the trusted VLAN should be 501, and if this user logs in from floor 2, then the trusted VLAN should be 502. Can anyone give me a configuration sample or ideas for this scenario?
    Thank you

    Laxman,
    Your managed subnets should be the IP range of 172.30.x.y (where y is a valid number and NOT the network number, i.e. 0 or 255) with a VLAN tag of 101, 102 or 103.
    To ensure that the VLANs translate properly according to where your users are, you can assign named VLANs in the role-based VLAN config screens. Make sure the case matches as you define them on the switch and CAM. This way, if a user is on the first floor and his role-based assigned VLAN is Sales, it will translate to 501, etc.
    HTH,
    Faisal
