Separate VLAN for WPA - Cisco 1100

Hello,
Cisco 1100 :
First config: no VLAN, with WEP for the access network.
But when you create a VLAN for WPA-PSK with a simple config (no server manager, no RADIUS, no EAP), do you have to modify the other network peripherals (router...)?
For example, to declare the VLAN.
I did not find this information in the documentation of the aironet 1100.
Thank you for your help.
Eddy

There is a good document on Cisco.com which explains how to configure WPA-PSK. The document is available at
http://cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml#pers
If you are still having issues configuring wpa-psk, please post the configuration so that we can troubleshoot the issue.

Similar Messages

  • Separate vlan for wireless voice

    Hi all, I'm about to embark on reconfiguring my home lab, at present I have just 2 vlans which are for VoIP and data, I'm going to split my network so I have the following:
    Data VLAN for our home PC's
    Voice VLAN for phones
    1 wireless VLAN for home laptops
    1 wireless VLAN for games consoles
    1 wireless guest access so I don't have to give out my own ssid credentials
    1 Management VLAN
    My question is do I have a separate VLAN for wireless VOIP or do I just use the same Voice VLAN?
    Regards
    Martyn

    Martyn:
    Both solutions are valid. You can use the current voice VLAN or create a new VLAN.
    If you create a new VLAN you need to apply needed QoS to wired side as well.
    If your current Voice VLAN is already configured for QoS then using it for wireless voice is easier.
    So the preferred option is to use your current voice VLAN for wireless voice as well.
    HTH
    Amjad

  • Separate VLAN for CAPWAP

    Hello,
    I'm in the process of deploying a WLC2504 in an environment which requires a private VLAN for access to file servers and other network resources, as well as a guest network for internet access.
    As far as performance is concerned, will I get acceptable throughput on my WLANs with the CAPWAP tunnel flowing over the same subnet as the private network? I've seen some suggestions that recommend a separate VLAN dedicated to CAPWAP, but I don't know if this is just a suggestion for security. I understand that CAPWAP supports encryption of control messages, but not data transmissions without additional licensing. If this is just a suggestion for security, I don't think this is much of a concern. I don't see anyone on the private network intercepting guest transmissions. Could someone please advise me on this?

    Thanks for your clarification guys! I'm in the process of installing my first CUWN. We are implementing 10 APs and have dealt with a few issues, namely throughput for laptops. I knew other factors could definitely come into play, but I wanted to rule topology out. Laptops are currently pulling very low internet speed test results, whereas mobile devices seem to fare much better. I've tried testing with mostly 2.4 GHz connections from laptops, but even the 5 GHz ones seem to struggle. I'm working with the Cisco TAC a bit on this one. Per their suggestion, I'm going to run Iperf to test internal performance before I involve network firewalls and Internet connectivity in the mix.

  • Separate VLAN for manag. only on wire?

    I'm having a hard time trying to understand how to configure an Aironet 1200 in a way such that I have two VLANs (for example X and Y, both not 1) so that I have X for management only, with management not seen on the wireless side at all, and Y for public traffic.
    I went through all the old postings about this subject but found no complete example of a running config to do it. If anyone has successfully completed doing this, please, can you post an example IOS command listing showing how to do it.
    Regards,
    Pauli Borodulin

    Here is a working config that I have. I have two wireless vlans (186, 187) and a third ethernet only vlan (101) which is the management vlan.
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption vlan 186 key 1 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
     encryption vlan 186 key 2 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
     encryption vlan 186 key 3 size 128bit 7 xxxxxxxxxxxxxxxxxxxx transmit-key
     encryption vlan 186 key 4 size 128bit 7 xxxxxxxxxxxxxxxxxxxx
     encryption vlan 186 mode wep mandatory
     encryption vlan 187 key 1 size 128bit 7 xxxxxxxxxxxxxxxxxxxx transmit-key
     encryption vlan 187 mode wep mandatory
     ssid weponly
      vlan 186
      authentication open
     ssid wepeap
      vlan 187
      authentication open eap eap_methods
      authentication network-eap eap_methods
     speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
     rts threshold 2312
     channel 2412
     station-role root
     no cdp enable
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio0.186
     encapsulation dot1Q 186
     no ip route-cache
     no cdp enable
     bridge-group 186
     bridge-group 186 subscriber-loop-control
     bridge-group 186 block-unknown-source
     no bridge-group 186 source-learning
     no bridge-group 186 unicast-flooding
     bridge-group 186 spanning-disabled
    interface Dot11Radio0.187
     encapsulation dot1Q 187
     no ip route-cache
     no cdp enable
     bridge-group 187
     bridge-group 187 subscriber-loop-control
     bridge-group 187 block-unknown-source
     no bridge-group 187 source-learning
     no bridge-group 187 unicast-flooding
     bridge-group 187 spanning-disabled
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     ntp broadcast client
    interface FastEthernet0.101
     encapsulation dot1Q 101 native
     no ip route-cache
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    interface FastEthernet0.186
     encapsulation dot1Q 186
     no ip route-cache
     bridge-group 186
     no bridge-group 186 source-learning
     bridge-group 186 spanning-disabled
    interface FastEthernet0.187
     encapsulation dot1Q 187
     no ip route-cache
     bridge-group 187
     no bridge-group 187 source-learning
     bridge-group 187 spanning-disabled
    interface BVI1
     ip address 172.25.101.17 255.255.255.0
     no ip route-cache
    ip default-gateway 172.25.101.1

  • Separate vlan for Voice and Video

    I'm implementing a Polycom HDX9002 video conf codec into my network (point to point). What is the prefered method, do I segregate the traffic with another VLAN or use the existing Voice VLAN at both sites.
    Thanks
    Paul

    Voice vlan is fine. What really matters, is QoS in the WAN.

  • Creating VLAN on our Cisco 300 series router

    I am wanting to create separate VLANs on our Cisco 300 series switches, but I am struggling to find any decent examples out there.
    Our basic infrastructure is
    Router with
    192.168.1.1 VLAN1
    192.168.2.1 VLAN2
    The switch is set up on ports 2345 for VLAN2
    Port 1 is attached to the router on VLAN1 and VLAN2 assigned.
    My problem seems to be that I'm really not sure what settings I should be using for each of the ports to get this to work correctly.

    Hi,
    Hope below link will have the information which you are looking for.
    https://supportforums.cisco.com/document/140341/vlan-configuration-articles-sx200300-series-managed-switches
    If you are looking for only vlan creation then below link will help.
    http://sbkb.cisco.com/CiscoSB/Loginr.aspx?login=1&pid=2&app=search&vw=1&articleid=80
    According to your above description you have connected the router to port 1 of switch and you have configured it as vlan 1...Should this port be trunk???
    Regards
    Najaf

  • HP 3800 switch port-security one mac in two VLAN for Cisco IP Phone

    Hello all!
    I want to use port-security for ports on my HP 3800. But the PC is connected to the network via the PC port on a Cisco IP phone. The phone uses voice VLAN 10, and data uses VLAN 1 (native). The Cisco phone adds its own MAC address in these two VLANs. On a Cisco 2960 switch I resolve this with 4 commands:
    switchport port-security maximum 3
    switchport port-security mac-address pc_mac
    switchport port-security mac-address ip_phone_mac
    switchport port-security mac-address ip_phone_mac vlan voice
    How can I add one MAC in two VLANs on an HP 3800 switch?
    Sorry for my English, please ^_^

    Hi Kuarzo, please reference the following;
    https://supportforums.cisco.com/document/116426/how-configure-dynamic-mac-port-security-sx300
    https://supportforums.cisco.com/document/116256/how-configure-static-mac-port-security-sx300

  • Setting up VLANS for WAPS on 3850 switches

    This may not be the right forum to ask, but I have asked under LAN switching and routing and have not gotten any help, so maybe posting here will help - here is what I need help with:
    Set up two SSID's on four autonomous 1600 series WAPs - one for employees wireless network access and one for customer guest access, both password protected. We have two 3850 switches, stacked.  The WAPS are plugged into ports 41 and 42 on each switch.  I know I need two separate VLANs - one for each SSID, but don't know how to do this on the switches - can someone help me with the syntax of the commands to apply to the switch?
    Here is the configuration of the port now:
    interface GigabitEthernet1/0/41
     switchport trunk allowed vlan 1,10,11,1001-1005
     switchport mode trunk
     switchport voice vlan 11
     trust device cisco-phone
     spanning-tree portfast
     service-policy input AutoQos-4.0-CiscoPhone-Input-Policy
     service-policy output AutoQos-4.0-Output-Policy
    end
    Thank you

    Hi Steve,
    Here is the configs, try this & see. modify <> content as you want. I have shown one AP config. You can assign different IP/hostname to the 2nd AP. Make sure you erase AP current config & apply below.
    conf t
    hostname <AP-01>
    dot11 ssid A4HS
     vlan 10
     authentication open
     authentication key-management wpa version 2
     mbssid guest-mode
     wpa-psk ascii <A4HS_PASSWORD>
    dot11 ssid A4HS-Guest
     vlan 20
     authentication open
     authentication key-management wpa version 2
     mbssid guest-mode
     wpa-psk ascii <A4HS-Guest_PASSWORD>
    interface Dot11Radio0
     encryption vlan 10 mode ciphers aes-ccm
     encryption vlan 20 mode ciphers aes-ccm
     mbssid
     ssid A4HS
     ssid A4HS-Guest
     no shut
    interface Dot11Radio1
     channel width 40-above
     encryption vlan 10 mode ciphers aes-ccm
     encryption vlan 20 mode ciphers aes-ccm
     mbssid
     ssid A4HS
     ssid A4HS-Guest
     no shut
    interface Dot11Radio0.10
     encapsulation dot1Q 10
     bridge-group 10
    interface Dot11Radio0.20
     encapsulation dot1Q 20
     bridge-group 20
    interface Dot11Radio0.1
     encapsulation dot1Q 1 native
     bridge-group 1
    interface Dot11Radio1.10
     encapsulation dot1Q 10
     bridge-group 10
    interface Dot11Radio1.20
     encapsulation dot1Q 20
     bridge-group 20
    interface Dot11Radio1.1
     encapsulation dot1Q 1 native
     bridge-group 1
    interface GigabitEthernet0.10
     encapsulation dot1Q 10
     bridge-group 10
    interface GigabitEthernet0.20
     encapsulation dot1Q 20
     bridge-group 20
    interface GigabitEthernet0.1
     encapsulation dot1Q 1 native
     bridge-group 1
    interface BVI1
     ip address 192.168.0.31 255.255.255.0
    ip default-gateway 192.168.0.2
    end
    write memory
    Here is the switch configs. I hope you have defined DHCP pools for vlan 10/20 on your DHCP server (192.168.0.101).
    interface GigabitEthernet1/0/41
     Description AP-01
     switchport trunk allowed vlan 1,10,20
     switchport mode trunk
     spanning-tree portfast trunk
    interface GigabitEthernet1/0/42
     Description AP-02
     switchport trunk allowed vlan 1,10,20
     switchport mode trunk
     spanning-tree portfast trunk
    interface Vlan10
     ip address <x.x.x.x> 255.255.255.0
     ip helper-address 192.168.0.101
    interface Vlan20
     ip address <x.x.x.x> 255.255.255.0
     ip helper-address 192.168.0.101
    HTH
    Rasika
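
A cross-check of the two sides of this thread's AP uplink, added here as an example and not part of either post: it compares the VLANs the SSIDs and wired subinterfaces use on the AP with the switch port's `switchport trunk allowed vlan` list. The sample strings are condensed from the configs above; the function names and finding keys are this example's own.

```python
import re

# Constructed inputs, condensed from the AP and switch-port configs in this thread.
AP_CONFIG = """\
dot11 ssid A4HS
 vlan 10
dot11 ssid A4HS-Guest
 vlan 20
interface GigabitEthernet0.10
 encapsulation dot1Q 10
interface GigabitEthernet0.20
 encapsulation dot1Q 20
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
"""
PORT_AS_POSTED = "switchport trunk allowed vlan 1,10,11,1001-1005"  # from the question
PORT_AS_ANSWERED = "switchport trunk allowed vlan 1,10,20"          # from the reply


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,10,1001-1005' into a set of ints."""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def trunk_allowed(port_config):
    """VLANs the trunk carries; with no allowed-list an IOS trunk carries 1-4094."""
    m = re.search(r"switchport trunk allowed vlan ([\d,\- ]+)", port_config)
    return expand_vlan_list(m.group(1)) if m else set(range(1, 4095))


def ap_vlans(ap_config):
    """Return ({ssid: vlan}, {VLANs tagged on the AP's wired subinterfaces})."""
    ssid_vlan, wired, ssid, on_wired = {}, set(), None, False
    for line in (raw.strip() for raw in ap_config.splitlines()):
        if m := re.match(r"dot11 ssid (\S+)", line):
            ssid, on_wired = m.group(1), False
        elif line.startswith("interface "):
            ssid = None
            on_wired = bool(re.match(r"interface \w*Ethernet\d+\.\d+", line))
        elif ssid and (m := re.fullmatch(r"vlan (\d+)", line)):
            ssid_vlan[ssid] = int(m.group(1))
        elif on_wired and (m := re.match(r"encapsulation dot1Q (\d+)", line)):
            wired.add(int(m.group(1)))
    return ssid_vlan, wired


def audit(ap_config, port_config):
    ssid_vlan, wired = ap_vlans(ap_config)
    allowed = trunk_allowed(port_config)
    return {
        # SSIDs whose tagged client traffic the switch would drop at the trunk.
        "ssid_not_on_trunk": {s: v for s, v in ssid_vlan.items() if v not in allowed},
        # SSIDs mapped to a VLAN the AP never bridges to its wired side.
        "ssid_not_bridged": {s: v for s, v in ssid_vlan.items() if v not in wired},
        # VLANs the trunk carries that the AP does not use (candidates to prune).
        "trunk_unused": sorted(allowed - wired),
    }


if __name__ == "__main__":
    for label, port in (("posted", PORT_AS_POSTED), ("answered", PORT_AS_ANSWERED)):
        print(label, audit(AP_CONFIG, port))
```

Against the port as originally posted, the guest SSID's VLAN 20 is missing from the trunk while the voice VLAN 11 and 1001-1005 are carried to the AP for no reason; the allowed list in the reply clears all three findings.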

  • Management VLAN -- New to Cisco

    I've been working on configuring VLANs for my network and I came across something that confuses me. Under practical tips in this document http://www.cisco.com/warp/public/473/189.html#tips it states:
    Separate the management VLAN from the user or server VLAN, as in this diagram. The management VLAN is different from the user or server VLAN. With this separation, any broadcast/packet storm that occurs in the user or server VLAN does not affect the management of switches.
    Do not use VLAN 1 for management. All ports in Catalyst switches default to VLAN 1, and any devices that connect to nonconfigured ports are in VLAN 1. The use of VLAN 1 for management can cause potential issues for the management of switches, as the first tip explains.
    I understand the concept, and I've made my management VLAN 10. However, when I connect a computer to the switch it doesn't default to VLAN1, it defaults to VLAN10, which puts the computer by default in the management VLAN.
    What's the point of creating a different VLAN ID for management if the workstations are going to default to it anyhow? I understand once I configure the ports it will take them out of the management VLAN, I'm just wondering why I couldn't use VLAN1 as the management domain.
    Regards,
    David

    To support an inband management VLAN, you'll have to configure trunking (802.1Q) between switch uplinks allowing your management vlan (VLAN 10) traffic to traverse the trunk in addition to the user vlan (let's say vlan 20). To trunk, you must utilize a unique VLAN per subnet. I like to force trunking (switchport encap dot1q, switchport mode trunk, switchport nonnegotiate) so as not to utilize DTP (dynamic trunking protocol).
    For user access, you need to configure the vlan on the switch and enable switchport mode access along with switchport access vlan 20 (user vlan).
    Keep in mind, inband management works well for user access; however, for data center server access trunking is not recommended.
    With all that said, you still may have to use VLAN 1 in certain scenarios. For instance, an IBM Blade center management module required the use of vlan 1 to manage the blade center.

  • VLANs for the WiSM

    Hi Everybody,
    We followed the Cisco layered model in our campus design, where we have a 6500 switch at the core, 4500 at the distribution and 3750 at the access layer.
    The connectivity between the core and the distribution is layer 3, and the connectivity between the distribution and access layer is layer 2. We have all the inter-VLAN routing on the distribution switches. We have recently installed two WiSM controllers in our core and are planning to deploy lightweight access points.
    We want to use the existing VLANs that we created for the wired users on the distribution switch for wireless LAN users. I wanted to know if this is possible, because the dynamic interfaces for the wireless VLANs would be created on the WiSM that is on the core switch, and the dynamic interfaces are like SVIs for the wireless VLANs.
    Secondly, I wanted to know what it means to assign a VLAN to the WiSM.
    Regards,
    Ahmed Zubedi

    I would recommend keeping the wired vlan separate from the wireless vlan.
    You need to assign a vlan for the service port of the controllers. This is local to the 6500 and is not routeable. This is how the controllers talk to the 6500. I normally do like a 192.168.1.x

  • VLANs for multiple customers on the same switch accessing ISP

    I have multiple customers accessing the Internet from the same ISP through the same SRW 2016.  The switch is set completely at default, with all ports on VLAN 1.  I want to separate all the (3) customers' traffic into 3 VLANs for security, but I want them to still access the ISP through port 1.  Can I do that with this switch?  How would I set port 1 so that all VLANs can send and receive packets through port 1 but still be isolated from each other on the LAN?

    Hi,
    I had a similar situation. In the past I didn't have a VLAN-capable modem/router and just connected the modem as a normal device to the layer2 switch (Cisco 3548XL at that time). In my setup, I gave all separated LANs their own multi-VLAN port(s) in their own unique VLAN and the modem a single-VLAN port in its own VLAN. Next I made all the ports that needed internet access members of the modem's VLAN. An nmap scan and testing showed me that the separated LANs couldn't connect to each other.
    So, I don't know if i did something stupid (in security way), but it worked like a charm.
    Sorry for my English ;-)

  • VLAN for Management Traffic

    Hello Everyone,
    I'm still learning cisco and networks in general but I need to separate management traffic from the regular network.  The switch is a cisco catalyst 5406-E.  My question is do I need to create a new subnet for the VLAN and how would I do that? The commands I have to create a VLAN and add the switch ports are
    Switch(config)# vlan 15
    switch(config-vlan)# name Management
    switch(config)# interface GigabitEthernet2/6
    switch(config-if)# switchport access vlan 15
    Now this creates vlan 15 and adds the GE 2/6 interface to vlan 15.  How do I add it to a new subnet?  Am I going in the right direction?

    In general, if you want to use separated VLAN for management, you can create VLAN + SVI (routed interface of the VLAN) with IP address + some access list on SVI and VTY (“SSH/telnet lines”) for better security.
    Example:
    ! ==== C4500 – L3 SWITCH CONFIG ====
    ! create VLAN 15
    vlan 15
     name MGMT
    ! create access list with ip addresses, from which management of all switches with SVI 15 will be accessible
    ! Note: this access list (ACL) does not control access to management of L3 switch/router where the ACL is applied on SVI, only to all other switches in VLAN 15 that have default gateway set to ip address 10.0.15.1 (see next step)
    ip access-list extended MGMT_SWITCH
     remark ====ICMP====
     permit icmp any 10.0.15.0 0.0.0.255
     remark ====ADMIN====
     permit ip 10.0.1.0 0.0.0.255 10.0.15.0 0.0.0.255
     remark ====MONIORING-SERVERS====
     permit ip 10.0.100.0 0.0.0.255 10.0.15.0 0.0.0.255
     remark ====NTB-SERVICE====
     permit ip 10.0.200.0 0.0.0.255 10.0.15.0 0.0.0.255
    ! create SVI/interface of the VLAN 15, add IP address and assign access list
    ! Note: DO NOT assign empty access list to interface, it can make your router inaccessible!
    interface Vlan15
     description MGMT
     ip address 10.0.15.1 255.255.255.0
     ip access-group MGMT_SWITCH out
    ! create ACL for VTY line of L3 switch/router; this ACL controls access only to management of L3 switch, access to all other switches with SVI 15 is controlled by previous ACL
    ip access-list standard VTY
     remark ====ADMIN====
     permit 10.0.1.0 0.0.0.255
     remark ====MONIORING-SERVERS====
     permit 10.0.100.0 0.0.0.255
     remark ====NTB-SERVICE====
     permit 10.0.200.0 0.0.0.255
    ! assign ACL to vty lines
    line vty 0 4
     access-class VTY in
    ! ==== OTHER L2-ONLY SWITCHES CONFIG ====
    ! create VLAN 15
    vlan 15
     name MGMT
    ! create SVI 15
    interface Vlan15
     description MGMT
     ip address 10.0.15.50 255.255.255.0
    ! set default gateway/default route to SVI of c4500
    ip default-gateway 10.0.15.1
    ! some higher-level switches require use of following CLI parameters instead:
    ip routing
    ip route 0.0.0.0 0.0.0.0 10.0.15.1
    This is just one of many ways to do the management separation.
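
The MGMT_SWITCH list from the reply above, run through first-match evaluation with the implicit deny that ends every IOS ACL, as an added example that is not the poster's code. It models only the protocol and wildcard-mask address fields that list uses; the test addresses 10.0.20.7 and 10.0.16.1 are constructed.

```python
import ipaddress

# ACL entries copied from the MGMT_SWITCH list in the reply (remarks omitted).
MGMT_SWITCH = """\
permit icmp any 10.0.15.0 0.0.0.255
permit ip 10.0.1.0 0.0.0.255 10.0.15.0 0.0.0.255
permit ip 10.0.100.0 0.0.0.255 10.0.15.0 0.0.0.255
permit ip 10.0.200.0 0.0.0.255 10.0.15.0 0.0.0.255
"""


def _to_int(address):
    return int(ipaddress.IPv4Address(address))


def _take_address(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' and return (base, wildcard)."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return _to_int(tokens.pop(0)), 0
    return _to_int(head), _to_int(tokens.pop(0))


def parse_acl(text):
    """Parse 'permit|deny PROTO SRC DST' lines, skipping blanks and remarks."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, protocol, rest = tokens[0], tokens[1], tokens[2:]
        source = _take_address(rest)
        destination = _take_address(rest)
        entries.append((action, protocol, source, destination))
    return entries


def _matches(address, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (_to_int(address) & care) == (base & care)


def evaluate(entries, protocol, source, destination):
    """Return the action of the first matching entry, else the implicit deny."""
    for action, acl_protocol, src_spec, dst_spec in entries:
        if (acl_protocol in ("ip", protocol)
                and _matches(source, src_spec)
                and _matches(destination, dst_spec)):
            return action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(MGMT_SWITCH)
    for probe in (("tcp", "10.0.1.25", "10.0.15.50"),    # admin subnet
                  ("tcp", "10.0.20.7", "10.0.15.50"),    # constructed user host
                  ("icmp", "10.0.20.7", "10.0.15.50")):  # same host, ping
        print(probe, "->", evaluate(acl, *probe))
```

The third probe is worth noting when reviewing the list: the `permit icmp any` entry lets any source ping the management subnet even though the same host is denied for TCP.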

  • How to set up a VLAN for a School Network for student ipads/ipods?

    I work at a small private school that is going to implement about 20 ipads for classes. Students bring their ipods and iphones and are connecting to the existing unsecured wireless access points and are taking up the remaining IP addresses in the DHCP scope. I am running out of IP addresses and was wondering if I could set up a VLAN using the Cisco WRVS4400N for all of these wireless devices the students will be using. I plan to pull out all unsecured wireless AP's and replace with what ever solution we come up with. I will need about 6 access points/routers to cover the entire school. There is not a lot of money for technology and the ipods were donated. I have never set up a VLAN before. Is there an inexpensive way to allow the students with their personal ipads/ipods and the 20 ipads owned by the school to connect to a VLAN to keep from using up our DHCP IP addresses from the server. Thanks in advance. 

    Hi pctiger92!
    The WRVS4400N is now being handled by the Cisco Small Business Support Community.
    For discussions about this product, please go here.

  • Setting up a Test Voice VLAN for Lync 2013

    I want to set up a second voice vlan to be a test vlan.
    In the current situation the customer has voice and data running on vlan1. The customer insists on taking incremental steps to improve QoS. I have advocated separate vlans for voice and data. They just want to move everything (phase 1) to a different vlan. They want to see how getting all traffic off vlan 1 will improve their performance. Again, I recommended the best practice, they want to try this approach first.
    I am conducting a pilot test with just one cx600 IP phone and a single switchport. I created a new vlan99 using VTP. I configured the switchports on the Cisco 2960-x switch as follows.
    #switchport mode access
    #switchport access vlan 99
    The phone gets its correct vlan id, and pulls its IP from the correct dhcp scope. However the phone displays "connecting with the lync server" for a long time, then "connecting to download its certificates". This takes a long time then fails.
    If I change the switchport back to vlan1 it works fine. What can be the problem? Does the vlan99 need to be defined on the lync server? How many vlans can be supported by Lync 2013?
    Thank you,
    gigiu

    Did you set the VLAN Configuration for Lync Phone Edition?
    You can check the following links:
    http://blog.schertz.name/2011/01/manual-vlan-configuration-for-lync-phone-edition/
    http://www.bricomp.com/blogs/post.cfm/dedicated-voice-vlan-for-lync-devices
    Lisa Zheng
    TechNet Community Support

  • Is it possible to use management Vlan as FT Vlan for ACE4710?

    Is it allowed to configure ACE4710 management vlan as a FT vlan between two appliances? If allowed, what's the consequence of not using a dedicated FT Vlan?
    Thanks a lot

    You should not have any other traffic on the dedicated FT vlan.
    This is from the docs.
    Note Do not use this dedicated VLAN for any other network traffic, including HSRP and data
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/administration/guide/redundcy.html#wp999787
    Having any other traffic on this vlan could cause a problem with FT heart beats being dropped, and both ACE could become active. Definitely use a dedicated FT Vlan.
    Regards
    Jim
