How can I implement VLANs across WLAN links?
Virtual LANs (VLANs) are used to subdivide one local area network into several logically isolated broadcast domains, independent of physical topology. The LAN being subdivided into logical pieces can be any type of LAN -- including Ethernet or Wi-Fi.
Port-based VLANs rely on switch or AP configuration to enforce VLAN membership. For example, a switch can be configured to put ports 1 through 8 into VLAN #1 and ports 9 through 16 into VLAN #2. Every station in VLAN #1 will hear the same LAN broadcasts, but nobody in VLAN #2 will be able to do so. Similarly, a wireless AP can be configured to relay traffic to and from VLAN #1 onto a named network (SSID) while relaying traffic to and from VLAN #2 onto a different SSID. That technique is commonly used to segregate guest wireless traffic from other (private) wireless traffic on the wired network.
Alternatively, 802.1Q uses tags (VLAN IDs) carried inside LAN frames to segregate traffic and keep it separated. VLAN tags let 802.1Q-capable devices like switches, APs, routers, and firewalls enforce VLAN segregation along the packet's entire path.
As described above, a wireless AP can be configured to apply a specific VLAN tag to each frame from a particular SSID. Or, wireless APs can receive VLAN tag assignments for each station during 802.1X authentication, supplied by a RADIUS server using RFC 3580. This technique can put individual users into the right VLAN, based on authenticated identity instead of the SSID they connect to.
VLANs can be extended all the way across an enterprise network, from branch office, across the WAN, to headquarters. A VLAN tag does not traverse this entire route because VLANs only apply to local area networks. However, routers and firewalls along the way can be configured to map VLAN tags onto network sub-interfaces.
For example, traffic from VLAN #1 might be routed onto VPN tunnel A as it traverses the Internet, while traffic from VLAN #2 would be routed through VPN tunnel B, etc. Traffic through both VPN tunnels would probably be transmitted over the same WAN link in between locations. In other words, VPN tunnels can keep layer 3 traffic segregated over IP networks, just like VLANs keep layer 2 traffic segregated over LANs.
Dig Deeper on Wireless LAN (WLAN)
Related Q&A from Lisa Phifer
As the remote workforce increases, network managers and users might opt to set up two concurrent VPN connections from the same remote device. But ... Continue Reading
Is there a difference between a wireless access point vs. a router? Yes -- while the two wireless devices are related, they meet different needs in a... Continue Reading
Learn the differences between site-to-site VPNs vs. remote-access VPNs and find out about the protocols, benefits and the data security methods used ... Continue Reading