VLANs. Application Note

Transcription

1 VLANs Application Note

2 Table of Contents Background... 3 Benefits... 3 Theory of Operation... 4 IEEE 802.1Q Packet... 4 Frame Size... 5 Supported VLAN Modes... 5 Bridged Mode... 5 Static SSID to Static VLAN Mode... 6 Static SSID to Dynamic VLAN Mode... 7 User Groups to VLAN Mode... 8 Management VLANs... 8 Configuration WMI (Web Management Interface) Method Bridged Mode Static SSID to Static VLAN Mode Static SSID to Dynamic VLAN Mode Management VLANs CLI Method Bridged Mode Static SSID to VLAN Mode Static SSID to Dynamic VLAN Mode Management VLAN Rev

3 Background The purpose of this application note is to develop an understanding of the implementation and configuration options for virtual LANs (VLANs) available on the Xirrus Wi-Fi Array. VLAN s are utilized in networks today to control traffic according to the specific requirements of an organization. These requirements may include broadcast domain containment, collision domain containment, end user isolation, segmentation, security and more. In wireless networking, VLAN s are generally implemented to isolate and secure the injection of wireless users onto networks. Network designs may vary widely some users may wish to inject wireless traffic directly into the network onto a specific network address or VLAN, while others might place WLAN users behind a firewall, ACL or limited access network with direct connection to the Internet and no access to the corporate network. Xirrus supports multiple VLAN options to allow users to meet their custom requirements. The Xirrus Wi-Fi Array supports the IEEE standard for 802.1Q tagged VLANs. The Array supports all three modes of operation per the 802.1Q standard: (1) all Tagged, (2) all Untagged and (3) Hybrid links. Hybrid links contain a mixture of tagged and untagged frames running on the same interface. Legacy switches may not have full support for the Hybrid link type. In these situations, management frames will be forced onto a VLAN and the management option will need to be enabled on the VLAN. The Array supports both static and dynamic VLAN assignments. In the dynamic case, the VLAN ID is obtained via RADIUS-based authentication criteria. Dynamic VLANs may be utilized as in Network Access Control (NAC) or Network Access Protection (NAP) implementations. Benefits The Xirrus Wi-Fi Array supports many different types of network designs, with or without the use of VLANs. The Array supports solutions for Layer 2 (L2) and Layer 3 (L3) tunneling mechanisms to get traffic to a targeted destination network. These L2 and L3 tunnels allow the Array to interoperate with other Wi-Fi infrastructure vendors while offering wire rate encryption/decryption at the edge of the network. The Array also support wireless and wired QoS (Quality of Service) mechanisms to ensure sensitive traffic is carried matching network policies. VLANs in general can be used to isolate SSID/VLAN pairs as in separating traffic between a guest access SSID and a corporate SSID. VLANs can easily handle such traffic isolation by assigning unique VLANs to each SSID. Once the VLAN to SSID mappings are complete, the L3 network policy can enforce security policies through ACLs (Access Control Lists). The Array supports 802.1Q VLAN tags together with 802.1p settings, which notify the network port of the QoS setting. This Layer 2 QoS is sometimes called CoS (Class of Service). Rev

4 Theory of Operation IEEE 802.1Q Packet When VLANs are created on the Array, an 802.1Q tag is added to data packets upon egress from the Array. VLAN tags are removed on the ingress when packets reach the Array s Gig1/2 interface. Tags consist of 4 bytes added to the packet header that include several defined fields as described below. Tags are not sent through the network end-to-end but are inserted and stripped on each Layer 2 link in the network path. Figure Q Tag TPID The Tag Protocol Identifier is a 16-bit field generally set to 8100 to indicate 802.1Q-tagged frames. Double tagging is used in some applications to tunnel traffic over L2 networks, in which case the TPID may have other values including 9100, 9200, 9300, or 88a8 (802.3ad). Priority Packet priority is defined by IEEE 802.1p and is a 3-bit field in the 802.1Q header. The field indicates 1 of 8 user priority levels. A value of 0 is the default and 7 is the highest priority. The following chart shows the mapping between 802.1p priority and a Xirrus Array. Figure 2 Array 802.1P Mapping Rev

5 End user stations can set the VLAN equal to zero or Null to enable 802.1P priority packets into the network. These are covered below in the reserved VID values chart. CFI Canonical Format Indicator is a 1-bit field. CFI=1 means that the MAC address will be in noncanonical format and CFI=0 means that the MAC address is canonical format. VID VLAN Identifier is a 12-bit field. The VLAN field allows the network device to determine which VLAN to send the destination frames. Supported VLAN values would fall between 0 and 4095 for a total of 4096 values supported. Note that not all bridges support the entire range to be enabled at a single point in the network. Frame Size Figure 3 VID Field Options 802.1Q packets change the minimum and maximum values for Ethernet frame sizes. Normally frame sizes are between 64 and 1518 bytes. Tagging increases these values by 4 bytes, to increase the range from 68 to 1522 bytes. Supported VLAN Modes The Xirrus Wi-Fi Array supports the following VLAN modes. The first four represent the options available for joining end user traffic coming off the wireless side ingress to the wired side of the Array egress. The modes are described in the subsequent sections. Bridged Mode Static SSID to Static VLAN Mode Static SSID to Dynamic VLAN Mode User Groups to VLAN Mode Management VLANs Bridged Mode Simply creating an SSID without a VLAN sets up bridged Mode on the Array. Traffic will flow natively as shown in the diagram below from the ingress SSID to the egress Gig1/2 interface untagged. When creating multiple SSIDs, it is generally not recommended to use Bridged Mode, as there will be no isolation on the wired network. Utilizing VLANs provides isolation security on the wire. In Bridged Rev

6 Mode, the SSID can be of any security type (Open, WPA-PSK, WPA x, etc.) to ensure security on the wireless connection. An additional issue with simple Bridged Mode is that end user traffic is on the same network as management traffic, thus creating another potential security issue. Figure 4 SSID Bridged Mode Diagram Static SSID to Static VLAN Mode In this mode, the Array has from 1 up to 16 SSID/VLAN pairs configured with a direct one-to-one mapping between each pair. For example SSID Guest configured to egress Array on VLAN 100, SSID Students configured to egress Array on VLAN 200, etc. The Array dynamically inserts tags for the appropriate VLAN onto each packet upon egress from the Gig1/2 port, but it is a static mapping of SSID to VLAN. In the reverse direction, the Array removes the tagged information coming from the switched network then passes the untagged packets onto the appropriate SSID to go out on the wireless network. The traffic between Guest and Students in our example is isolated from each other on the Gig1/2 interface via the VLAN tags. To communicate between VLAN 100 and 200 on the wired network, the traffic would need to pass through a router. The router is where the filters, ACL and policies can be applied to prevent users or types of traffic from passing from one VLAN to another. Rev

7 Figure 5 Static VLAN to SSID assignments Static SSID to Dynamic VLAN Mode This mode enables single SSIDs to be mapped to multiple VLANs dynamically allocated via Radius based on user credentials. As an example, an office with Guest, Secure, and Voice user types could be supported on a single SSID but with isolated and unique policies on the wired network per VLAN to protect certain network resources from Guest users. In the example below, there are 4 VLANs on the trunk port that the Array is directly connected. The Array has 4 VLANs configured, but only has a single SSID. Since each SSID is advertised over the air via wireless management traffic, multiple SSIDs will increase the management traffic overhead, potentially impacting the overall bandwidth available for client traffic. Therefore it is always desirable to keep the number of active SSIDs in a wireless to a minimum. With Dynamic VLANs, the Radius server assigns the egress VLAN ID for traffic based on client authentication. Clients will be mapped dynamically to the appropriate VLAN based on their profile as configured on the Radius server. The destination VLAN is assigned via the Radius server to the Array using RADIUS attributes 64, 65 and 81. The Array supports a mixture of VLAN modes with both Static and Dynamic assignments configured at the same time with the requirement that all traffic is tagged. Rev

8 Figure 6 Dynamic VLAN to SSID assignments User Groups to VLAN Mode The Array supports a User Group mode to ease configuration when multiple user classification types are required. User Groups can be utilized for assigning a number of different profile parameters to each user, including Radius Filter-ID, VLANs, QoS levels, Fast Roaming Type, DHCP Pools, Filter Lists, Station Limit, Traffic Limit, Traffic/Station Limit, Time on, Time Off, Days On, and Web Page Redirect settings. The Radius settings are specific per SSID or globally set. Please refer to the User Group Application Note at for more details on User Groups. Management VLANs The Array supports management traffic (to control and configure the Array) via the Eth0 (out-of-band), Gig1/2 (in-band), and wireless interfaces. Each of these options has specific requirements and some have limitations. The Array is a bridging device and therefore supports a single default gateway for all interfaces. Utilizing the Eth0 interface for management requires overriding the Array s default gateway, which by default is the Gig1/2 interface. If Radius authentication packets are not desired on the management network, it is recommended to use Gig1/2 interface with a management VLAN. The IP address assigned to the Gig1/2 port to use for management is by default untagged. To make it VLAN tagged, a VLAN must first be created, the Gig1/2 IP Address configured to be on the VLAN, and then management enabled for the VLAN. Management over a Gig1/2 VLAN also supports an untagged mode called Native. When this option is enabled, the 4-byte tag is removed and packets are bridged directly to the wire. This is the same way the Array operates on the Gig1/2 interface by default. If the configuration warrants a Native type design, simply assign an IP address to the Gig1/2 interface. Generally the Array would only be configured for management over a VLAN if the tagged option were required to communicate with bridges that do not support Hybrid Links. Rev

9 The Xirrus Array has an optional setting for Default Route. The Default Route option sets the Array to utilize the selected output VLAN as the Default Route for all management traffic (SNMP, Web, Radius, etc.) coming from the Array. The diagrams below demonstrate the concepts discussed. Figure 7 Management-VLAN Native Figure 8 Management-VLAN tagged Rev

10 Figure 9 VLAN Management enabled untagged Configuration WMI (Web Management Interface) Method Bridged Mode 1. Create the SSID using the WMI. Type Guest in the field next to Create and then click the Create button. 2. Once this is done the browser will notify that the SSID was created but that it is still disabled. Acknowledge this message to view the SSID Management area of the WMI. 3. Now enable the Guest by clicking on the check box under the Enabled area of the WMI. Then finally click on the Apply and Save buttons to accept and keep the changes made. You may delete/disable the xirrus SSID. Rev

11 4. Once this is done remember to enable the IAP s. This is done via Configuration path IAPs/Global Settings/IAP Status Enable all IAPs. 5. Clients should now be able to see the Guest being broadcast into the air. Clients should also be obtaining and IP Address on the /24 network similar to that of the Array. 6. Array Ethernet information as seen via the WMI. Rev

12 7. Client information can be viewed within the WMI as well via the path Stations. Static SSID to Static VLAN Mode 1. Create VLANs and then assign to SSIDs. Go to VLAN VLAN Management on the WMI. To do this simply type the VLAN Name and VLAN Identifier then click the Create button. These are done one at a time so repeat this step until complete. 2. Now create the SSIDs and bind the VLANs to the unique SSIDs. This is a two step process in the WMI as the SSID needs to be created first then edited to bind the VLANs. Step 1 Step 2 3. In this example, VLANs are defined as shown below. SSID VLAN Network Mask Gateway Guest / Student / Staff / A client machine should now be able to see all 3 SSIDs being broadcast. Rev

13 5. Client machine_1 associated to Guest should obtain IP Address of /24 on VLAN 100. Client machine_2 associated to Student should obtain IP Address of /24 on VLAN 101. Client machine_3 associated to Staff should obtain IP Address of /24 on VLAN 102. Static SSID to Dynamic VLAN Mode Note: This mode requires use of a Radius Server. Microsoft IAS is used in this example. 1. Configure VLANs 100, 101, 102 and 999 under VLAN section but do not assign these statically to any SSID (except for VLAN 999). The Array will get the VLAN assignments directly from the Radius server to assign the VLAN to the end user specific criteria. Rev

14 2. Configure a new SSID called xirrus from the WMI. Now tie VLAN 999 to the new SSID and click Apply + Save. 3. Configure the Array for External-Radius support. This can be configured on a per-ssid or under Global setting. In the example below, uncheck Global and enter the Radius Server parameters as shown. Rev

15 4. For additional information on installing Active Directory (AD), Internet Authentication Service (IAS) and Certificate Authority (CA) services on Windows 200x Server, refer to the appropriate configuration guide at support.xirrus.com. 5. On the IAS server, configure the Array as a Radius Client. Be sure to note the password as this is case sensitive within Radius-Standard. 6. Create 3 user accounts and configure the following attributes to enable the array to move the user station dynamically from VLAN 999 over to VLAN 100/VLAN 101/VLAN 102. The example shown is only for user account student01. Rev

16 7. Create 3 Groups (Guest, Student, Staff) and configure the following attribute. The example shows creation of Student Group. 8. Right-click on the new Group created and select Properties. Go to Members tab and add members in this Group. 9. On IAS, create access policies for the Groups. Rev

17 10. Click on Edit Profile and add RADIUS attribute 64 (Tunnel-Type), 65 (Tunnel-Medium-Type) and 81 (Tunnel-Pvt-Group-ID). For each Remote Access Policies, ensure that the VLAN-ID is configured to the respective VLAN. Guest Remote Access Policy Student Remote Access Policy Staff Remote Access Policy Rev

18 11. In this example, the VLANs are defined as shown below. Depending on which user is authenticating to the RADIUS server, the VID will be returned via RADIUS attribute 81. SSID User VLAN(VID) Network Mask Gateway xirrus guest / xirrus student / xirrus staff / Management VLANs 1. To change the management interface from Gig1/2 to VLAN 999, follow the steps below. The assumption is that VLAN 999 is already created from previous steps. Once complete, set the Default Route for the Array to exit via VLAN 999 interface. 2. Select Apply + Save when finished. CLI Method Bridged Mode 1. Create an SSID on the Array. 2. Disable the default SSID called xirrus. 3. Enable radios on the Array and the SSID called Guest should now be visible. Client side should now show the Guest beacons being received. Rev

19 4. Once the Array to client association has occurred the client should pickup DHCP on the same network as the Gig1/2 interface which in this case is the /24 network. Remember that this is what was configured earlier. The requirement was to have the client side wireless traffic egress the Array on the same network as the Gig1/2 interfaces. 5. Array address and client address. 6. The client should now show up in the associated-stations table as shown below. Static SSID to VLAN Mode 1. Create several VLANs on the Array and then bind them to unique SSIDs. In the example below there are three VLANs: 100, 101, 102 and they are bound to Guest, Student and Staff. Rev

20 2. The Xirrus SSID has already been disabled from previous steps but if not then please disable/delete it. 3. Now to check for connectivity on each vlan by associating client machines to each SSID/VLAN to ensure proper connectivity. In this example, the VLANs are defined as shown below. SSID VLAN Network Mask Gateway Guest / Student / Staff / Static SSID to Dynamic VLAN Mode 1. Create new VLANs 100,101,102 and 999 but do not assign these statically to any SSID except for VLAN 999. Rev

21 2. Configure SSID called xirrus using WPA2 with unique security settings specific to this SSID. Then assign the SSID or bind it to VLAN 999 as shown below. 3. Please refer to the IAS configuration in the WMI section. End users will be assigned to their respective VLANs upon authentication to the IAS server. Management VLAN Configure VLAN 999 as the management interface. To enable management on a particular VLAN instead of using the Gig1/2 interface, simply set the Management option and then assign either native (untagged) or default (tagged). This will allow all management traffic to now traverse VLAN 999 instead of what was previously configured. Currently the Array is configured to receive management traffic on the Gig1/2 interface as shown below. The original interface for this Array was on /24 network and was untagged. If tagging is required on the management interface, then follow the steps below to enable tagging on management interface. Rev

22 1. To move the management interface, configure VLAN 999 and enable Management. This change will result in all management traffic from the Array going out on VLAN 999 (tagged). Once the Management option has been enabled, assign an IP address to the VLAN 999 to make it an IP reachable interface. This example utilizes /24 with gateway Rev

23 2. Once the IP interface is complete configure the VLAN 999 interface to be the default-route for the Array through VLAN 999 interface. Rev