VLAN & SSID

when using a cisco aironet 1300 or so...

how exactly does the SSID & VLAN work?

when a user checks for wireless networks, do they see lots of them, and
then pick one, which then corresponds to a VLAN?

or can you set one SSID, to correspond to Multiple VLANs, like a VLAN pool
almost?

Smowk

"Smowk" <(E-Mail Removed)> wrote in message
news:Xns961311AC27754SmowkieBandit@216.196.97.131. ..
> when using a cisco aironet 1300 or so...
>
> how exactly does the SSID & VLAN work?
>
> when a user checks for wireless networks, do they see lots of them,
and
> then pick one, which then corresponds to a VLAN?

Yes. If you had 3 ssids assigned to 3 different vlans they would see
all 3 unless
of course you were not broadcasting all 3 SSIDs
Now, if there were no authenication involved for the vlans they could
connect to
any of them but that defeats the purpose of the vlan. Vlan 1 with SSID
1
might require radius authentication , Vlan 2 with SSID 2 might use
WPA-PSK or WEP
for authentication. Vlan 3 with SSID 3 may be open for the public to
use. Each VLAN
has a tag, consider 3 cars with different car tags, specific car tags
can only drive on
certain highways and therefore only have access to the things on that
highway.
You need an AP that supports VLAN tagging and multiple SSIDs or
Virtual APs as
some refer to them. You can have as many VLANs as you can the number
of SSIDs the AP supports
(if the switch supports that many)

>
> or can you set one SSID, to correspond to Multiple VLANs, like a
VLAN pool
> almost?

I dont thinks so, its one VLAN per SSID, not to say that a particular
user or users
could not be defined to use multiple VLANS, but if it was set up this
way for everybody
there would be no reason to have a VLAN









> Smowk

i'm setting this up for a hotel, and for hotel guests. i've already got
all the rooms hardwired and tagged with a VLAN...240 of them. I need to
just separate the wireless traffic so that they can't network neighborhood
browse, or even ping another computer.

is there a way to setup 50 SSIDs, all broadcasting, that allow only 1 user
at a time connected to each? that way we could have 50 SSIDs with no
authentication, and just tell a user to pick one. i'm guessing the only
problem with that, is finding an open SSID. could i set it up someway stop
broadcasting that SSID once a user is connected?

there has to be some kind of hardware that can do this, with all the wifi
coffee shops and wifi hotspots going around. how are they making them
secure?

smowk

Smowk,

If you're using Cisco Aironet access points, then you will want to
turn on the PSFP (Public Secure Packet Forwarding) feature ... this
keeps one wireless client from (directly) accessing another.
http://www.cisco.com/en/US/products/...d.html#1038494

Aaron

---

~ i'm setting this up for a hotel, and for hotel guests. i've already got
~ all the rooms hardwired and tagged with a VLAN...240 of them. I need to
~ just separate the wireless traffic so that they can't network neighborhood
~ browse, or even ping another computer.
~
~ is there a way to setup 50 SSIDs, all broadcasting, that allow only 1 user
~ at a time connected to each? that way we could have 50 SSIDs with no
~ authentication, and just tell a user to pick one. i'm guessing the only
~ problem with that, is finding an open SSID. could i set it up someway stop
~ broadcasting that SSID once a user is connected?
~
~ there has to be some kind of hardware that can do this, with all the wifi
~ coffee shops and wifi hotspots going around. how are they making them
~ secure?
~
~ smowk

"Smowk" <(E-Mail Removed)> wrote in message
news:Xns9613EA125107ASmowkieBandit@216.196.97.131. ..
> i'm setting this up for a hotel, and for hotel guests. i've already
got
> all the rooms hardwired and tagged with a VLAN...240 of them. I
need to
> just separate the wireless traffic so that they can't network
neighborhood
> browse, or even ping another computer.


What are you using to configure 240 Vlans
Most APs that handle VLANS will only handle 16 so 240 vlans is alot of
APs,
also the max SSIDs I have seen are 16 per AP. The only other option
may be an expensive wireless gateway controller.

>
> is there a way to setup 50 SSIDs, all broadcasting, that allow only
1 user
> at a time connected to each? that way we could have 50 SSIDs with
no
> authentication, and just tell a user to pick one. i'm guessing the
only
> problem with that, is finding an open SSID. could i set it up
someway stop
> broadcasting that SSID once a user is connected?

The hardware/firmware is not available to do this
>
> there has to be some kind of hardware that can do this, with all the
wifi
> coffee shops and wifi hotspots going around. how are they making
them
> secure?

If you are looking for client isolation, there are several products
that do this
without Vlan. Client Isolation is the keyword. If you need a list of
products
that support client isolation send me an email. I think you need to
re-think your plan here.......

"Airhead" <(E-Mail Removed)> wrote in news:422fc226$0$22515
$(E-Mail Removed):

> What are you using to configure 240 Vlans

right now we're using a cisco 3600 series router with 240 address pools,
and 240 VLANs provided to that switch via 6 Dell PowerConnect 3348s.


> Most APs that handle VLANS will only handle 16 so 240 vlans is alot of
> APs, also the max SSIDs I have seen are 16 per AP.

We don't need all 240 on the wireless side, we just need to be able to
separate, via PSFP (Public Secure Packet Forwarding) feature, the clients
connected to the wireless AP. the PSFP idea was provided by Aaron in this
thread.

I was first thinking we'd need a bunch of VLANs all mapped to an SSID, but
after ready Aaron's post, i found that some commercial APs will support
this PSFP or Client Isolation as you called it.


> The only other option may be an expensive wireless gateway controller.

We're about to EVALUATE a NA500 from IP3Networks.com. We get it free for
90 days (confirmed with a CC#), and if we dont send it back within the
timeframe, we don't pay a dime.

It's a "Business Gateway" as they referred to it, which provides DHCP (many
many pools capable of supporting 500 VLANs), a web server, mail server, the
list goes on. It also is a wireless gateway controller, but i'm supposed
to find out more about this feature tomorrow. Do you know much about it?
Is this capable of hooking antenna's via Cat5 straight to the gateway,
instead of using APs?


> If you are looking for client isolation, there are several products
> that do this
> without Vlan. Client Isolation is the keyword. If you need a list of
> products
> that support client isolation send me an email. I think you need to
> re-think your plan here.......

I'd like a list of products, but could you post it here, so everyone else
can read also?

Smowk

"Smowk" <(E-Mail Removed)> wrote in message
news:Xns9614ED649A14BSmowkieBandit@216.196.97.131. ..
> "Airhead" <(E-Mail Removed)> wrote in
news:422fc226$0$22515
> $(E-Mail Removed):
>
> > What are you using to configure 240 Vlans
>
> right now we're using a cisco 3600 series router with 240 address
pools,
> and 240 VLANs provided to that switch via 6 Dell PowerConnect 3348s.
>
>
> > Most APs that handle VLANS will only handle 16 so 240 vlans is
alot of
> > APs, also the max SSIDs I have seen are 16 per AP.
>
> We don't need all 240 on the wireless side, we just need to be able
to
> separate, via PSFP (Public Secure Packet Forwarding) feature, the
clients
> connected to the wireless AP. the PSFP idea was provided by Aaron
in this
> thread.
>
> I was first thinking we'd need a bunch of VLANs all mapped to an
SSID, but
> after ready Aaron's post, i found that some commercial APs will
support
> this PSFP or Client Isolation as you called it.
>
>
> > The only other option may be an expensive wireless gateway
controller.
>
> We're about to EVALUATE a NA500 from IP3Networks.com. We get it
free for
> 90 days (confirmed with a CC#), and if we dont send it back within
the
> timeframe, we don't pay a dime.
>
> It's a "Business Gateway" as they referred to it, which provides
DHCP (many
> many pools capable of supporting 500 VLANs), a web server, mail
server, the
> list goes on. It also is a wireless gateway controller, but i'm
supposed
> to find out more about this feature tomorrow. Do you know much
about it?
> Is this capable of hooking antenna's via Cat5 straight to the
gateway,
> instead of using APs?

No, you will need APs, the NA500 looks OK, it is basically an Access
Controller.
One nice feature is the Zero configuration for clients. If their
browsers are using a proxy
or if they are set for a staic IP,, this takes care of it. A couple
more to look at might be
the Colubris and the Nomadix



> > If you are looking for client isolation, there are several
products
> > that do this
> > without Vlan. Client Isolation is the keyword. If you need a list
of
> > products
> > that support client isolation send me an email. I think you need
to
> > re-think your plan here.......
>
> I'd like a list of products, but could you post it here, so everyone
else
> can read also?

The reason I was going to email them is because when I cut and paste
them
out of the database they loose all the formatting versus a report. Not
a big deal just
hard to read.. But just to narrow down the list, are you going to use
multiple SSIDs
to coincide with separate vlans. No reason to use a vlan unless you
are
tring to segment wireless public users from wireless staff on the
wireless side. If
this is not the case then I think I would use one vlan and one ssid
for all hotel guest
and then separate vlans for the wired side. Is this system going to
tie in with their PMS system
or is it just a free service. Using an ap that supports multiple SSIDs
and Vlan tagging and
client isolation cuts down the product selection and ups the price
quite a bit.

"Airhead" <(E-Mail Removed)> wrote in news:42307214$0$22520
$(E-Mail Removed):

> No, you will need APs, the NA500 looks OK, it is basically an Access
> Controller.
> One nice feature is the Zero configuration for clients. If their
> browsers are using a proxy
> or if they are set for a staic IP,, this takes care of it. A couple
> more to look at might be
> the Colubris and the Nomadix

That's exactly why we need it, the zero configuration stuff. 100% of our
problems so far have been related to dhcp and addressing.

> The reason I was going to email them is because when I cut and paste
> them
> out of the database they loose all the formatting versus a report. Not
> a big deal just
> hard to read.. But just to narrow down the list, are you going to use
> multiple SSIDs
> to coincide with separate vlans. No reason to use a vlan unless you
> are
> tring to segment wireless public users from wireless staff on the
> wireless side. If
> this is not the case then I think I would use one vlan and one ssid
> for all hotel guest
> and then separate vlans for the wired side. Is this system going to
> tie in with their PMS system
> or is it just a free service. Using an ap that supports multiple SSIDs
> and Vlan tagging and
> client isolation cuts down the product selection and ups the price
> quite a bit.

The wireless service will most definately be free, and hooking SSIDs to
VLANs is pretty much out of the picture with the PSPF feature / Client
Isolation Feature. The staff and guests are completely separated, so they
won't be together on ANY piece of hardware in the whole building.

It also WILL NOT tie into the PMS system, which makes it even easier.

I think as of now I just have to install the NA500, configure it, and then
connect some Aironet 1300s to it (using client isoaltion), and voila.

I'll look into those other products, but we've already signed up for the
EVAL program on the NA500. Wish me luck...lol

Smowk

"Smowk" <(E-Mail Removed)> wrote in message
news:Xns96159F4BDFDF2SmowkieBandit@216.196.97.131. ..
> "Airhead" <(E-Mail Removed)> wrote in
news:42307214$0$22520
> $(E-Mail Removed):
>
> > No, you will need APs, the NA500 looks OK, it is basically an
Access
> > Controller.
> > One nice feature is the Zero configuration for clients. If their
> > browsers are using a proxy
> > or if they are set for a staic IP,, this takes care of it. A
couple
> > more to look at might be
> > the Colubris and the Nomadix
>
> That's exactly why we need it, the zero configuration stuff. 100%
of our
> problems so far have been related to dhcp and addressing.
>
> > The reason I was going to email them is because when I cut and
paste
> > them
> > out of the database they loose all the formatting versus a report.
Not
> > a big deal just
> > hard to read.. But just to narrow down the list, are you going to
use
> > multiple SSIDs
> > to coincide with separate vlans. No reason to use a vlan unless
you
> > are
> > tring to segment wireless public users from wireless staff on the
> > wireless side. If
> > this is not the case then I think I would use one vlan and one
ssid
> > for all hotel guest
> > and then separate vlans for the wired side. Is this system going
to
> > tie in with their PMS system
> > or is it just a free service. Using an ap that supports multiple
SSIDs
> > and Vlan tagging and
> > client isolation cuts down the product selection and ups the price
> > quite a bit.
>
> The wireless service will most definately be free, and hooking SSIDs
to
> VLANs is pretty much out of the picture with the PSPF feature /
Client
> Isolation Feature. The staff and guests are completely separated,
so they
> won't be together on ANY piece of hardware in the whole building.
>
> It also WILL NOT tie into the PMS system, which makes it even
easier.
>
> I think as of now I just have to install the NA500, configure it,
and then
> connect some Aironet 1300s to it (using client isoaltion), and
voila.
>
> I'll look into those other products, but we've already signed up for
the
> EVAL program on the NA500. Wish me luck...lol
>
> Smowk


Here is a list of the least expensive devices that support client
isolation.
Prices are approx.
Linksys WRT54G $65.00
Linksys WRT54GS $80.00
Buffalo WHR3-G54 $90.00
Buffalo WBR2-G54S $80.00
Buffalo WBR2-G54 $75.00
Buffalo WBR2-B11 $60.00
Zyxel B-3000 $140.00
Zyxel B-1000 $85.00

Good Luck and let us know how it goes.

"Airhead" <(E-Mail Removed)> wrote in news:4230d755$0$22519
$(E-Mail Removed):


> Here is a list of the least expensive devices that support client
> isolation.
> Prices are approx.
> Linksys WRT54G $65.00
> Linksys WRT54GS $80.00
> Buffalo WHR3-G54 $90.00
> Buffalo WBR2-G54S $80.00
> Buffalo WBR2-G54 $75.00
> Buffalo WBR2-B11 $60.00
> Zyxel B-3000 $140.00
> Zyxel B-1000 $85.00
>
> Good Luck and let us know how it goes.
>
>

IRIE...i'm stoked it shouldn't be a problem.

Im thinking commercial though man...this is for 2 holiday and 2 Quality
Inns. I'm going with Cisco Aironet equipment.