Separate VLAN for CAPWAP
Hello,
I'm in the process of deploying a WLC2504 in an environment which requires a private VLAN for access to file servers and other network resources, as well as a guest network for internet access.
As far as performance is concerned, will I get acceptable throughput on my WLANs with the CAPWAP tunnel flowing over the same subnet as the private network? I've seen some suggestions that recommend a separate VLAN dedicated to CAPWAP, but I don't know if this is just a suggestion for security. I understand that CAPWAP supports encryption of control messages, but not data transmissions without additional licensing. If this is just a suggestion for security, I don't think this is much of a concern. I don't see anyone on the private network intercepting guest transmissions. Could someone please advise me on this?
Thanks for your clarification guys! I'm in the process of installing my first CUWN. We are implementing 10 APs and have dealt with a few issues, namely throughput for laptops. I knew other factors could definitely come into play, but I wanted to rule topology out. Laptops are currently pulling very low internet speed test results, whereas mobile devices seem to fare much better. I've tried testing with mostly 2.4 GHz connections from laptops, but even the 5 GHz ones seem to struggle. I'm working with the Cisco TAC a bit on this one. Per their suggestion, I'm going to run iperf to test internal performance before I involve network firewalls and Internet connectivity in the mix.
Similar Messages
-
Separate vlan for wireless voice
Hi all, I'm about to embark on reconfiguring my home lab. At present I have just 2 VLANs, which are for VoIP and data. I'm going to split my network so I have the following:
Data VLAN for our home PCs
Voice VLAN for phones
1 wireless VLAN for home laptops
1 wireless VLAN for games consoles
1 wireless guest access so I don't have to give out my own ssid credentials
1 Management VLAN
My question is do I have a separate VLAN for wireless VOIP or do I just use the same Voice VLAN?
Regards
Martyn
Sent from Cisco Technical Support iPad App
Martyn:
Both solutions are valid. You can use the current voice VLAN or create a new VLAN.
If you create a new VLAN you need to apply needed QoS to wired side as well.
If your current Voice VLAN is already configured for QoS then using it for wireless voice is easier.
So the preferred option is to use your current voice VLAN for wireless voice as well.
HTH
Amjad -
Separate VLAN for manag. only on wire?
I'm having a hard time trying to understand how to configure an Aironet 1200 in a way such that I have two VLANs (for example X and Y, both not 1) so that I have X for management only, with management not seen on the wireless side at all, and Y for public traffic.
I went through all the old postings about this subject but found no complete example of a running config to do it. If anyone has successfully completed doing this, please, can you post an example of the IOS command listing for how to do it?
Regards,
Pauli Borodulin
Here is a working config that I have. I have two wireless vlans (186, 187) and a third ethernet only vlan (101) which is the management vlan.
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption vlan 186 key 1 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
 encryption vlan 186 key 2 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
 encryption vlan 186 key 3 size 128bit 7 xxxxxxxxxxxxxxxxxxxx transmit-key
 encryption vlan 186 key 4 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
 encryption vlan 186 mode wep mandatory
 encryption vlan 187 key 1 size 128bit 7 xxxxxxxxxxxxxxxxxxxx transmit-key
 encryption vlan 187 mode wep mandatory
 ssid weponly
  vlan 186
  authentication open
 ssid wepeap
  vlan 187
  authentication open eap eap_methods
  authentication network-eap eap_methods
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
 rts threshold 2312
 channel 2412
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
interface Dot11Radio0.186
 encapsulation dot1Q 186
 no ip route-cache
 no cdp enable
 bridge-group 186
 bridge-group 186 subscriber-loop-control
 bridge-group 186 block-unknown-source
 no bridge-group 186 source-learning
 no bridge-group 186 unicast-flooding
 bridge-group 186 spanning-disabled
interface Dot11Radio0.187
 encapsulation dot1Q 187
 no ip route-cache
 no cdp enable
 bridge-group 187
 bridge-group 187 subscriber-loop-control
 bridge-group 187 block-unknown-source
 no bridge-group 187 source-learning
 no bridge-group 187 unicast-flooding
 bridge-group 187 spanning-disabled
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 ntp broadcast client
interface FastEthernet0.101
 encapsulation dot1Q 101 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
interface FastEthernet0.186
 encapsulation dot1Q 186
 no ip route-cache
 bridge-group 186
 no bridge-group 186 source-learning
 bridge-group 186 spanning-disabled
interface FastEthernet0.187
 encapsulation dot1Q 187
 no ip route-cache
 bridge-group 187
 no bridge-group 187 source-learning
 bridge-group 187 spanning-disabled
interface BVI1
 ip address 172.25.101.17 255.255.255.0
 no ip route-cache
ip default-gateway 172.25.101.1
-
Separate VLAN for WPA - Cisco 1100
Hello,
Cisco 1100 :
First config.: no VLAN, with WEP for the access network.
But when you create a VLAN for WPA-PSK with a simple config (no server manager, no RADIUS, no EAP), do you have to modify the other network peripherals (router...)?
For example, to declare the VLAN.
I did not find this information in the documentation of the aironet 1100.
Thank you for your help.
Eddy
There is a good document on Cisco.com which explains how to configure WPA-PSK. The document is available at
http://cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml#pers
If you are still having issues configuring wpa-psk, please post the configuration so that we can troubleshoot the issue. -
Separate vlan for Voice and Video
I'm implementing a Polycom HDX9002 video conferencing codec into my network (point to point). What is the preferred method: do I segregate the traffic with another VLAN or use the existing Voice VLAN at both sites?
Thanks
Paul
Voice vlan is fine. What really matters is QoS in the WAN.
-
Hi Everybody,
We followed the Cisco layered model in our campus design, where we have a 6500 switch at the core, 4500 at the distribution and 3750 at the access layer.
The connectivity between the core and the distribution is layer 3; the connectivity between the distribution and access layer is layer 2. We have all the inter-VLAN routing on the distribution switches. We have recently installed two WiSM controllers in our core and are planning to deploy lightweight access points.
We want to use the existing VLANs that we created for the wired users on the distribution switch for Wireless LAN users. I wanted to know if this is possible, because the dynamic interfaces for the Wireless VLANs would be created on the WiSM that is on the core switch, and the dynamic interfaces are like SVIs for the Wireless VLANs.
Secondly, I wanted to know what it means to assign a VLAN to the WiSM.
Regards,
Ahmed Zubedi
I would recommend keeping the wired vlan separate from the wireless vlan.
You need to assign a vlan for the service port of the controllers. This is local to the 6500 and is not routeable. This is how the controllers talk to the 6500. I normally do like a 192.168.1.x -
VLANs for multiple customers on the same switch accessing ISP
I have multiple customers accessing the Internet from the same ISP through the same SRW 2016. The switch is set completely at default, with all ports on VLAN 1. I want to separate all the (3) customers' traffic into 3 VLANs for security, but I want them to still access the ISP through port 1. Can I do that with this switch? How would I set port 1 so that all VLANs can send and receive packets through port 1 but still be isolated from each other on the LAN?
Hi,
I had a similar situation. In the past I didn't have a VLAN-capable modem/router and just connected the modem as a normal device to the layer 2 switch (Cisco 3548XL at that time). In my setup, I gave all separated LANs their own multi-VLAN port(s) in their own unique VLAN and the modem a single-VLAN port in its own VLAN. Next I made all the ports that needed internet access members of the modem's VLAN. An nmap scan and testing showed me that the separated LANs couldn't connect to each other.
So, I don't know if I did something stupid (security-wise), but it worked like a charm.
Sorry for my English ;-) -
Hi,
In reviewing the lab for WLC configuration, they used a dedicated vlan for all APs and the WLC to communicate with CAPWAP.
In the production environment I'm designing for, a campus network that has many LAN connected sites all with different vlans at the edge, that would entail trunking another vlan out to the edge switches. It also requires the MetroEthernet provider to provision the same beforehand.
One of the advantages of the WLC is the ability to avoid having to add vlans at the edge for WLANs, but what about a dedicated vlan for the APs and WLC to communicate with CAPWAP? A best practice?
Thanks.
As best practice we have only two options: keep the AP on the L2 VLAN of management (not scalable), or on any L3 VLAN (one that is not part of a dynamic interface of the WLC), which is scalable and good for high availability.
-
Hello Everyone,
I'm still learning cisco and networks in general but I need to separate management traffic from the regular network. The switch is a cisco catalyst 5406-E. My question is do I need to create a new subnet for the VLAN and how would I do that? The commands I have to create a VLAN and add the switch ports are
Switch(config)# vlan 15
switch(config-vlan)# name Management
switch(config)# interface GigabitEthernet2/6
switch(config-if)# switchport access vlan 15
Now this creates vlan 15 and adds the GE 2/6 interface to vlan 15. How do I add it to a new subnet? Am I going in the right direction?
In general, if you want to use a separate VLAN for management, you can create a VLAN + SVI (routed interface of the VLAN) with an IP address + some access lists on the SVI and VTY ("SSH/telnet lines") for better security.
Example:
==== C4500 – L3 SWITCH CONFIG ====
//create VLAN 15
vlan 15
 name MGMT
//create access list with ip addresses, from which management of all switches with SVI 15 will be accessible
//Note: this access list (ACL) does not control access to management of L3 switch/router where the ACL is applied on SVI, only to all other switches in VLAN 15 that have default gateway set to ip address 10.0.15.1 (see next step)
ip access-list extended MGMT_SWITCH
 remark ====ICMP====
 permit icmp any 10.0.15.0 0.0.0.255
 remark ====ADMIN====
 permit ip 10.0.1.0 0.0.0.255 10.0.15.0 0.0.0.255
 remark ====MONITORING-SERVERS====
 permit ip 10.0.100.0 0.0.0.255 10.0.15.0 0.0.0.255
 remark ====NTB-SERVICE====
 permit ip 10.0.200.0 0.0.0.255 10.0.15.0 0.0.0.255
//create SVI/interface of the VLAN 15, add IP address and assign access list
//Note: DO NOT assign empty access list to interface, it can make your router inaccessible!
interface Vlan15
 description MGMT
 ip address 10.0.15.1 255.255.255.0
 ip access-group MGMT_SWITCH out
//create ACL for VTY line of L3 switch/router; this ACL controls access only to management of L3 switch, access to all other switches with SVI 15 is controlled by previous ACL
ip access-list standard VTY
 remark ====ADMIN====
 permit 10.0.1.0 0.0.0.255
 remark ====MONITORING-SERVERS====
 permit 10.0.100.0 0.0.0.255
 remark ====NTB-SERVICE====
 permit 10.0.200.0 0.0.0.255
//assign ACL to vty lines
line vty 0 4
 access-class VTY in
==== OTHER L2-ONLY SWITCHES CONFIG ====
//create VLAN 15
vlan 15
 name MGMT
//create SVI 15
interface Vlan15
 description MGMT
 ip address 10.0.15.50 255.255.255.0
//set default gateway/default route to SVI of c4500
ip default-gateway 10.0.15.1
//some higher-level switches require use of following CLI parameters instead:
ip routing
ip route 0.0.0.0 0.0.0.0 10.0.15.1
This is just one of many ways to do the management separation. -
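An ACL like MGMT_SWITCH above can be checked offline before it is applied to the SVI. The Python below is an added example, not code from the answer: it models how IOS evaluates an extended ACL (first matching entry wins, wildcard masks select the address bits that must match, and a flow matching nothing hits the implicit deny) and runs a constructed copy of the answer's ACL against sample management flows.

```python
"""Evaluate the thread's MGMT_SWITCH ACL against sample flows (added example,
not the forum answer's code). Models IOS extended-ACL semantics: first match
wins, wildcard masks select the bits that must match, implicit deny at the end."""
import ipaddress
from dataclasses import dataclass

# Constructed copy of the extended ACL shown in the answer (remarks kept).
MGMT_SWITCH_ACL = """
remark ====ICMP====
permit icmp any 10.0.15.0 0.0.0.255
remark ====ADMIN====
permit ip 10.0.1.0 0.0.0.255 10.0.15.0 0.0.0.255
remark ====MONITORING-SERVERS====
permit ip 10.0.100.0 0.0.0.255 10.0.15.0 0.0.0.255
remark ====NTB-SERVICE====
permit ip 10.0.200.0 0.0.0.255 10.0.15.0 0.0.0.255
"""

@dataclass
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every IP protocol; anything else is exact
    src: tuple    # (address as int, wildcard as int); all-ones wildcard == any
    dst: tuple

def _addr_spec(tokens):
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]

def parse_extended_acl(text):
    """Parse 'permit|deny PROTO SRC DST' lines; remarks and blanks are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        src, rest = _addr_spec(tok[2:])
        dst, _ = _addr_spec(rest)
        aces.append(Ace(tok[0], tok[1], src, dst))
    return aces

def _wild_match(addr, spec):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF   # a 0 bit in the wildcard means "must match"
    return (addr & care) == (net & care)

def evaluate(aces, proto, src_ip, dst_ip):
    """Return 'permit' or 'deny' for one flow the way IOS would."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for ace in aces:
        if ace.proto in ("ip", proto):
            if _wild_match(s, ace.src) and _wild_match(d, ace.dst):
                return ace.action
    return "deny"   # the implicit deny at the end of every IOS ACL
```

Because the ACL is applied outbound on Vlan15, the destination of every flow it sees is a management address in 10.0.15.0/24; a source outside the three permitted subnets is silently dropped by the implicit deny.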
Binding to server on a separate VLAN
Set up a new network today in an IT lab where the clients had all successfully been bound to a Snow Leopard server for Open Directory authentication and Home Folders. My engineers want to put servers on a separate VLAN with clients on DHCP and the server on static.
The clients see the server in the Network Account Server set up (Login Options) - the 'light' went green - but they failed to authenticate.
We had to put them all on the same VLAN for now. It works, but it is not what we wanted.
Can anybody help?
Sure it can be done, but you need a router running (I think) enterprise software that supports AppleTalk routing. Take a look at the layer 3 device which does your current routing between VLANs and see if it supports AppleTalk routing. Then you need to set up AppleTalk on all your layer 3 definitions, which involves assigning a cable range and zone name for each subnet (VLAN). Of course your clients have to be running AppleTalk (EtherTalk); they can't be Windows PCs, though I'm not sure if there are any AppleTalk emulators out there for Windows. Not many people use it anymore.
-
Setting up VLANS for WAPS on 3850 switches
This may not be the right forum to ask, but I have asked under LAN switching and routing and have not gotten any help, so maybe posting here will help - here is what I need help with:
Set up two SSIDs on four autonomous 1600 series WAPs: one for employee wireless network access and one for customer guest access, both password protected. We have two 3850 switches, stacked. The WAPs are plugged into ports 41 and 42 on each switch. I know I need two separate VLANs, one for each SSID, but don't know how to do this on the switches. Can someone help me with the syntax of the commands to apply to the switch?
Here is the configuration of the port now:
interface GigabitEthernet1/0/41
 switchport trunk allowed vlan 1,10,11,1001-1005
 switchport mode trunk
 switchport voice vlan 11
 trust device cisco-phone
 spanning-tree portfast
 service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
 service-policy output AutoQos-4.0-Output-Policy
end
Thank you
Hi Steve,
Here are the configs; try this and see. Modify the <> content as you want. I have shown one AP config. You can assign a different IP/hostname to the 2nd AP. Make sure you erase the AP's current config and apply the below.
conf t
hostname <AP-01>
dot11 ssid A4HS
 vlan 10
 authentication open
 authentication key-management wpa version 2
 mbssid guest-mode
 wpa-psk ascii <A4HS_PASSWORD>
dot11 ssid A4HS-Guest
 vlan 20
 authentication open
 authentication key-management wpa version 2
 mbssid guest-mode
 wpa-psk ascii <A4HS-Guest_PASSWORD>
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 encryption vlan 20 mode ciphers aes-ccm
 mbssid
 ssid A4HS
 ssid A4HS-Guest
 no shut
interface Dot11Radio1
 channel width 40-above
 encryption vlan 10 mode ciphers aes-ccm
 encryption vlan 20 mode ciphers aes-ccm
 mbssid
 ssid A4HS
 ssid A4HS-Guest
 no shut
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio1.10
 encapsulation dot1Q 10
 bridge-group 10
interface Dot11Radio1.20
 encapsulation dot1Q 20
 bridge-group 20
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface BVI1
 ip address 192.168.0.31 255.255.255.0
ip default-gateway 192.168.0.2
end
write memory
Here are the switch configs. I hope you have defined DHCP pools for vlan 10/20 on your DHCP server (192.168.0.101).
interface GigabitEthernet1/0/41
 description AP-01
 switchport trunk allowed vlan 1,10,20
 switchport mode trunk
 spanning-tree portfast trunk
interface GigabitEthernet1/0/42
 description AP-02
 switchport trunk allowed vlan 1,10,20
 switchport mode trunk
 spanning-tree portfast trunk
interface Vlan10
 ip address <x.x.x.x> 255.255.255.0
 ip helper-address 192.168.0.101
interface Vlan20
 ip address <x.x.x.x> 255.255.255.0
 ip helper-address 192.168.0.101
**** Pls do not forget to rate our responses if you find them useful ****
HTH
Rasika -
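One check worth running before a trunk like the one in Rasika's answer goes live is that every VLAN the AP tags on its uplink is actually allowed on the switch port: Steve's original port allows 1,10,11,1001-1005, so frames for the guest VLAN 20 would be dropped at the switch. The Python below is an added example, not part of the answer; it parses constructed copies of the question's port, the answer's port and the AP's Ethernet subinterfaces, and reports VLANs the trunk would drop plus any native-VLAN mismatch, assuming the switch uses IOS defaults (all VLANs allowed when no list is set, native VLAN 1) where the config is silent.

```python
"""Check that the VLANs an autonomous AP tags on its uplink are carried by
the switch trunk it plugs into (added example, not from the forum answer)."""
import re

# Constructed: the port as posted in the question (VLAN 20 is not allowed).
SWITCH_PORT_BEFORE = """
interface GigabitEthernet1/0/41
 switchport trunk allowed vlan 1,10,11,1001-1005
 switchport mode trunk
"""
# Constructed: the port as suggested in the answer.
SWITCH_PORT_AFTER = """
interface GigabitEthernet1/0/41
 switchport trunk allowed vlan 1,10,20
 switchport mode trunk
"""
# Constructed: the AP's wired subinterfaces from the answer.
AP_CONFIG = """
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
"""

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,10,1001-1005' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def trunk_allowed(switch_cfg):
    """VLANs the trunk carries; with no 'allowed vlan' line IOS carries all."""
    m = re.search(r"switchport trunk allowed vlan\s+([\d,\-]+)", switch_cfg)
    return expand_vlan_list(m.group(1)) if m else set(range(1, 4095))

def trunk_native(switch_cfg):
    """Native VLAN of the trunk; IOS defaults to VLAN 1 when none is set."""
    m = re.search(r"switchport trunk native vlan\s+(\d+)", switch_cfg)
    return int(m.group(1)) if m else 1

def ap_uplink_vlans(ap_cfg):
    """Return (VLANs on the AP's Ethernet subinterfaces, AP native VLAN or None)."""
    vlans, native = set(), None
    pat = r"interface (?:Fast|Gigabit)Ethernet0\.\d+\s+encapsulation dot1Q (\d+)( native)?"
    for m in re.finditer(pat, ap_cfg):
        vid = int(m.group(1))
        vlans.add(vid)
        if m.group(2):
            native = vid
    return vlans, native

def audit(switch_cfg, ap_cfg):
    """Return (sorted VLANs the AP tags but the trunk drops, native mismatch?)."""
    vlans, native = ap_uplink_vlans(ap_cfg)
    missing = sorted(vlans - trunk_allowed(switch_cfg))
    mismatch = native is not None and native != trunk_native(switch_cfg)
    return missing, mismatch
```

A VLAN missing from the allowed list does not raise any error on either device; the SSID simply gets no DHCP and no traffic, which is the kind of silent failure this check is meant to catch.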
I have an iTunes account for my personal iPod Touch and have had it for several years. When my work provided me with an iPhone and now an iPad 2, they all fell under my personal iTunes account. Is it possible for me to create a separate account for my work devices and apps, while leaving my personal account intact? I use both my computer at home and at work to sync occasionally.
A much simpler solution would be to go into Settings > Store and turn off Automatic Downloads
-
My wife and I share the same iTunes account. How do I setup a separate account for her? Can I do it using my iMac?
Thanks
Using More than One iDevice on the Same Computer
This applies mainly to couples who are adding another device and do not want their email, messages, etc. being duplicated on both devices. To begin read: How to use multiple iPhone, iPad, or iPod devices with one computer. You need to establish a separate Apple ID and password for whomever will use the new iDevice. See Apple - My Apple ID and Frequently asked questions about Apple ID. The easiest way is to do this on the computer using iTunes: iTunes- How to set up an Apple ID within iTunes.
On the computer create a new user account for the person with the new iDevice. This will be the user account that person will always use. He/She will no longer use the other user account. This way that person will have a separate iTunes Library
Start by transferring the new device(s) to a new account along with all your data. Save any photo stream photos that you want to keep to your camera roll (unless they are already in the camera roll) by opening your Photos app and tapping the Albums icon at the bottom. Now tap on the My Photo Stream album; tap Select; tap on the photos you want to select; tap the share icon (box with upward facing arrow) in the lower left corner; then tap Save to Camera Roll.
If you are syncing notes with iCloud that you want to keep then you need to open each of your notes and email them to yourself. Later you can copy and paste the text into new notes created in your new account.
Tap on Settings > iCloud > Delete Account (only deletes it from this device, not from iCloud; the person keeping the current account will not be affected,) provide the password to turn off Find My Phone and choose Keep on My iDevice when prompted. Sign in with a different Apple ID to create your new account. Choose Merge to upload your data.
Once you are on separate accounts, you can each go to icloud.com and delete the other person's data from your account.
Note: The essence of the above was created by user randers4. I have made substantial changes to improve readability and syntax. -
Is there a separate download for iMac? I bought and downloaded what I thought was the right download, but it is not working and I feel it might be a Windows version. How do I get it right?
Check the link below for requirements and instructions for upgrading to Snow Leopard (10.6)
http://store.apple.com/us/product/MC573/mac-os-x-106-snow-leopard -
What cables do I need to connect my 2013 MacBook Pro to my HD TV? I know I need Mini DisplayPort to HDMI, but male? female HDMI??? And also, do I need a separate cable for sound?
Actually you need a Thunderbolt to HDMI adapter. It will carry both audio and video.
This one will work: Mini DisplayPort | Thunderbolt® to HDMI® Adapter w/ Audio Support