Separate vlan for wireless voice

Similar Messages

• Separate VLAN for CAPWAP

  Hello,
  I'm in the process of deploying a WLC2504 in an eviroment  which requires a private VLAN for access to file servers and other network resources, as well as a guest network for internet access. 
  As far as performance is concerned, will I get acceptable throughput on my WLANs with the CAPWAP tunnel flowing over the same subnet as the private network? I've seen some suggestions that recommend a separate VLAN dedicated to CAPWAP, but I don't know if this is just a suggestion for security. I understand that CAPWAP supports encryption of control messages, but not data transmissions without additional licensing. If this is just a suggestion for security, I don't think this is much of a concern. I don't see anyone on the private network intercepting guest transmissions. Could someone please advise me on this?

  Thanks for your clarification guys! I'm in the process of installing my fist CUWN. We are implementing 10 APs and have dealt with a few issues, namely throughput for laptops. I knew other factors could definitely come into play, but I wanted to rule topology out. Laptops are currently pulling very low internet speed tests results, whereas mobile devices seem to fare much better. I've tried testing with mostly 2.4 GHz connections from laptops, but even the 5GHz seem to struggle. I'm working with the Cisco TAC a bit on this one. Per their suggestion, I'm going to run Iperf to test internal performance before I involve network firewalls and Internet connectivity in the mix. 

• Separate VLAN for manag. only on wire?

  I'm having hard time trying to understand how to configure Aironet 1200 in a way such that I have two VLANs (for example X and Y, both not 1) so that I have X for only management and management is not seen on wireless side at all, and Y for public traffic.
  I went thru' all the old postings about this subject but found no complete example of running config to do it. If anyone has successfully completed doing this, please, can you post a example of IOS command listing how to do it.
  Regards,
  Pauli Borodulin

  Here is a working config that I have. I have two wireless vlans (186, 187) and a third ethernet only vlan (101) which is the management vlan.
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption vlan 186 key 1 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
  encryption vlan 186 key 2 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
  encryption vlan 186 key 3 size 128bit 7 xxxxxxxxxxxxxxxxxxxx transmit-key
  encryption vlan 186 key 4 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
  encryption vlan 186 mode wep mandatory
  encryption vlan 187 key 1 size 128bit 7 xxxxxxxxxxxxxxxxxxxx transmit-key
  encryption vlan 187 mode wep mandatory
  ssid weponly
  vlan 186
  authentication open
  ssid wepeap
  vlan 187
  authentication open eap eap_methods
  authentication network-eap eap_methods
  speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
  rts threshold 2312
  channel 2412
  station-role root
  no cdp enable
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  interface Dot11Radio0.186
  encapsulation dot1Q 186
  no ip route-cache
  no cdp enable
  bridge-group 186
  bridge-group 186 subscriber-loop-control
  bridge-group 186 block-unknown-source
  no bridge-group 186 source-learning
  no bridge-group 186 unicast-flooding
  bridge-group 186 spanning-disabled
  interface Dot11Radio0.187
  encapsulation dot1Q 187
  no ip route-cache
  no cdp enable
  bridge-group 187
  bridge-group 187 subscriber-loop-control
  bridge-group 187 block-unknown-source
  no bridge-group 187 source-learning
  no bridge-group 187 unicast-flooding
  bridge-group 187 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  ntp broadcast client
  interface FastEthernet0.101
  encapsulation dot1Q 101 native
  no ip route-cache
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface FastEthernet0.186
  encapsulation dot1Q 186
  no ip route-cache
  bridge-group 186
  no bridge-group 186 source-learning
  bridge-group 186 spanning-disabled
  interface FastEthernet0.187
  encapsulation dot1Q 187
  no ip route-cache
  bridge-group 187
  no bridge-group 187 source-learning
  bridge-group 187 spanning-disabled
  interface BVI1
  ip address 172.25.101.17 255.255.255.0
  no ip route-cache
  ip default-gateway 172.25.101.1

• Separate VLAN for WPA - Cisco 1100

  Hello,
  Cisco 1100 :
  First config. : no vlan with WEP for access network
  But when you create a vlan for wpa-psk with simple config (no server manager, no radius, no eap), have you to modify the other peripherals networks (router...).
  For example to declare the vlan.
  I did not find this information in the documentation of the aironet 1100.
  Thank you for your help.
  Eddy

  There is a good document on Cisco.com which explains how to configure WPA-PSK. The document is available at
  http://cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml#pers
  If you are still having issues configuring wpa-psk, please post the configuration so that we can troubleshoot the issue.

• Separate vlan for Voice and Video

  I'm implementing a Polycom HDX9002 video conf codec into my network (point to point). What is the prefered method, do I segregate the traffic with another VLAN or use the existing Voice VLAN at both sites.
  Thanks
  Paul

  Voice vlan is fine. What really matters, is QoS in the WAN.

• Criticial VLAN for Wireless Users

  Hi
  I have a setup were all users (LAN & WIRELESS) Are being authenticated using Dot1x with ACS
  In case of ACS failure (without a secondary one), I know i can configure the switch port on the LAN to have a critical VLAN, so in case ACS was detected as Dead, a new user being authenticated is assigned to the Critical VLAN,
  Is there any Similar solutions for users connecting through the wireless connection? Can we do a critical VLAN in case of ACS Failure, or anything similar to it? knowing that there is a WLC in the setup with Light weight access points.
  Thanks
  Best regards,

  Hello,
  Since in wireless network, the Radius server has an active part in the encryption key derivation, the WLC can't just grant network access to the end client when the radius server is down, as the client wouldn't have the necessary keying material (nor the WLC as well).
  The best option would be to either have multiple radius servers, or to make the WLC act as a radius server and use it as a backup method, so that if your radius server is down, your WLC will handle the radius request and generate the keying material. The issue is that you will need to have a consistent user database on the WLC.
  The easiest way would be to have a separate SSID with legacy WPA/WPA2 that are pre configured on clients computer, and allow network access to this SSID only when the primary SSID with Dot1x is down. This can be done manually, or on the layer 3 gateway using PBR/EEM...
  For example with PBR, you can set output interface to null0 from traffic originating from the WPA SSID, only of Radius server is reachable, otherwise let the traffic flow.

• VLANs for Wireless LAN controller

  Hello,
  Just finished the configuration of wireless controller and connected Access point.
  I have a scheme like this:
  Cisco 3945 with WLC on SRE------TRUNK-------L3 switch-------TRUNK----------L2 switch--------ACCESS PORT-------ACCESS POINT-----WIRELESS----CLIENT
  2 VLANs on the  WLC (with DHCP on the router):
  1. management (VLAN 200 for management and access points - works fine)
  2. clients (VLAN 300, all setting are same, except Enable Dynamic AP Management setting, which is off and IP subnet, DHCP on router too).
  Clients are able to connect, but they can't get address or ping the gateway of the clients VLAN (if i put this VLAN in the WLAN
  Interface/Interface Group(G) setting), but everything is fine, if i set management VLAN to Interface/Interface Group(G) setting of the WLAN.
  do i need to add any additional setting on the switches or on the router to allow this clients VLAN?...
  P.S. i am able to ping both vlans, or get DHCP address from the switch and router...

  yes, just for test, i set up IP from clients VLAN on the L2 switch, and from that switch i am able to ping the controller interface (clients interface).
  Just to be clear, do I need to have both VLANS (ap-management and clients VLANs) on all the switches and router on my setup?
  As I understand i need to have ap-management vlan only on L2 and L3 switches. Any other VLANs go throught the tunnel between AP and WLC?

• VLAN for Wireless network

  Dear Team,
  If wireless is setup in a corporate network and there is no requirement to provide guest access to outside users, is it still recommended to segregate the Wireless network? What are the advantages for segregating wireless network considering that wireless users will have complete access to corporate network. Kindly share your views if the total number of users in office is less than 50.
  Reason is because, we do not have a Layer 3 switch, hence if VLAN is required for small number of users, we will have to enable it on the WAN router.
  Would appreciate if you can share any documentation related to best practices. Thank you.
  Regards,
  Manoj

  Hi Manoj,
  I agree with Scott,
  If you have same subnet for wired & wireless, then devices like Laptops will get same network IP for wired & wireless, client devices may not like that & sometimes may not work.
  It is always good idea to have two seperate network for wired & wireless. From scalability point of view having a L3 switch in your network is always beneficial
  HTH
  Rasika
  **** Pls rate all useful responses ****

• Can router dhcp different addresses to different vlans for wireless clients

  is it possible for the router to hand out different ip's to wireless clients on different vlans?

  Yes, the router needs to have a dhcp pool on each subnet and have an "interface Vlan x" for each vlan. It will then assign ips to clients in different vlans.
  One vlan per SSID.

• 871W can use 1 vlan for wireless and wire client?

  Any example, Thanks.

  Here is the URL for the configuration for the 871W and vlan configuration which will help you :
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080608364.shtml#maintask1
  http://www.cisco.com/en/US/docs/routers/access/1800/wireless/configuration/guide/s37vlan.html#wp1034625

• ISE change of VLAN for wireless endpoints

  Hi,
  I have configured posture policy on ISE for posture compliant and non compliant end points such that, posture compliant end points will fall in clean VLAN and non compliant will fall in other.
  Now, my issue is, even if an end point is posture compliant it is not getting placed in clean VLAN. For getting ip address from clean VLAN, it requires ipconfig /release and ipconfig /renew to be manually done. 
  how to resolve the issue..
  regards,
  aditya

  Aditya, 
  At the end of a posture process(NAC agent informs ISE about compliant status) the endpoint already grabbed an IP address on the VLAN is placed as per WLAN settings. 
  If at this point you push down an overriding  VLAN attribute in access-accept(compliant or not) the WLC will successfully switch the client to the new VLAN,  but there is no way to force the client to go through DHCP release/ renew. 
  The only way to trigger something like this after the endpoint grabbed an IP address in old VLAN is to redirect the endpoint back to one of ISE's portals ( CWA / DRW  ) and then trigger a VLAN DHCP release renew through java applet. This is the solution salodoh is referring to.
  That is the reason why we always recommend dynamic VLAN assignment only  as a  result of a layer 2 authentication( when client didn't grab an IP yet) .
  Regards,
  Tony 

• QOS configuration for Wireless voice over IP

  HI, I've been asked to install approx 5 wireless phones on a network that consists of the following:-
  1 x 4006 core switch
  8 x 3550 Access switches
  6 x 1100 AP's (that are connected to the Access switches.
  My question is this - does anyone have a basic QoS configuration that I can place onto the LAN infrastructure (Core/Access switches).
  Kind Regards
  Steve

  Should refer to http://www.cisco.com/en/US/products/hw/phones/ps379/products_implementation_design_guide_book09186a00802a029a.html. Also Cat 4K should have Sup2+ or higher to support voice.

• Dynamic VLAN for wireless

  Hi Team,
  I have a doubt .....
  In our office we have 4 access point .... and as wifi users increases we are planning to create 4 VLAN and each VLAN
  have one AP .. but the problem is When wifi users roam from one AP to another AP i,e from one vlan to another vlan they get disconnected.
  My question is .... if i deploy dynamic VLAN, will the client be able to get connected to the internet when roaming from one VLAN to another VLAN
  without any hiccups .... as this can be real issue when they are on call or transferring files
  Below is our current network topology:
  Router: LAN: 192.168.1.1 255.255.255.0
  DHCP Scope on Router:
  VLAN1 - 192.168.1.3 - 250 
  VLAN10 - 192.168.10.3 - 250
  VLAN20 -  192.168.20.3 - 250
  VLAN30 - 192.168.30.3 - 250
  VLAN40 - 192.168.40.3 - 250
  Switch SG300: L3 Mode
  VLAN1 - ip 192.168.1.254 (Default VLAN)
  VLAN10 - ip 192.168.10.254
  VLAN20 - 192.168.20.254
  VLAN30 - 192.168.30.254
  VLAN40 - 192.168.40.254
  AP1 = VLAN10, AP2 = VLAN20, AP3 = VLAN30, AP4 = VLAN40
  All local routing between the VLANs are taken care by the Switch
  and the router is routing the traffic for all VLANs when client wants to go to internet...
  Pliz help......

  Hi,
  can you please mention are using any controller for these ap's.
  If so they should not disconnect because all the traffic is handled by controller.
  let say you have client 1 on AP1 as below,
  client1- AP1---- AP2
  when it roam from AP1 to AP2 it should not disconnect. Due to mobility functionality client should not disconnect nor loss the traffic. Only controller get updated with AP binding table

• Auto assign vlan for Wireless AP 1142

  Hi,
  Instead of statically assigning a vlan to a switch port where the AP is connected, is there a way to use 802.1x or NAC to assign the right vlan to an AP itself (not the clients)?

  You should be able to do this if you setup switchport authentication on the switch the AP is connecting to and have the IETF attribuiles 64, 65, and 82 passed down from the Radius server.

• Wireless voice and QoS

  I'm pretty sure I know the answer to this but I'm checking here as well.
  With a Cisco WISM2, is it possible to have only voice set up for QoS? I'm not talking about having a dedicated SSID set up for wireless voice with QoS set to Platinum, but a generic SSID that will identify voice traffic and apply the correct QoS settings?
  From what I've seen it's not possible. The reason I ask is we want to install softphones on our tablets and use our existing wireless network to be able to use wireless voice. However, it looks like if we set the QoS on that SSID to Platinum then ALL data on that SSID gets marked as high priority, not just voice traffic.
  Am I correct?

  The QOS settings in the profile on the WLC does not mark packets, it simply allows packets that were marked by the client to keep it's markings up to a set level.
  If you want Wireless Voice to work on your PC's.
  1. Make sure that SSID is set to Platinum (Make sure Platinum is set to a value of 6).
  2. Make sure CUCM is configured to use the desired DSCP values for call control and RTP traffic.
  3. Trust DSCP on the switch port connecting to the on the AP.
  The risk that you take here is that it allows an application on the PC to mark it's packets up to EF and it could chew up your entire priority queue on your network. This is why most people put the wireless phones on it's own SSID.
  I hope this helps.
  Scape