VLANs -- Controlling wired and wireless traffic

Wired VLANs

VLANs break a physical LAN into several logical broadcast domains. Each LAN station hears traffic sent by its own VLAN but receives nothing from stations in other VLANs -- not even from those physically connected to the same Ethernet switch.

VLANs also group stations together, independent of network topology. When stations in a VLAN are cabled to different Ethernet switches, traffic is relayed over inter-switch trunks in order to reach all stations participating in that VLAN.

VLAN membership can be statically configured into Ethernet hosts and switches, based on MAC address or port number, or membership can be determined dynamically by inspecting each Ethernet frame's VLAN Identifier (VID). These IEEE 802.1Q "tags" let upstream network devices apply different policies to each VLAN, from IP address assignment and quality of service to broadcast forwarding and network access control.

For example, Figure 1 illustrates a network composed of four distributed Ethernet edge switches and two logical VLANs: Engineering (VID #3) or Sales (VID #6). Each VLAN has its own IP subnet and can reach associated workgroup servers. Although they share infrastructure and work from different locations, each VLAN operates as though its members were connected to their own independent LAN.

Figure 1. Wired VLAN

Wireless VLANs

Now, suppose that one office decides to upgrade to Wi-Fi. How can we extend these existing VLANs to incorporate wireless stations, giving those workers exactly the same network access rights and limitations previously experienced over Ethernet?

In a small network, we might configure each wireless Access Point (AP) with Extended Service Set Identifiers (SSIDs) that map to each VLAN. Using business APs capable of supporting multiple SSIDs, we would configure two SSIDs, binding each to one existing Ethernet VID, as shown in Figure 2. Now, when Jack associates with the "EngNet" SSID, the AP tags all of his frames with VID #3. Others participating in the Engineering VLAN can now talk to Jack, and he will be able to reach the Engineering servers.

Figure 2. Mapping SSIDs to VLANs

Mapping a few SSIDs can be easy, but this method doesn't scale well. As the number of APs and VLANs grows, so does the administrative chore of maintaining static mappings. The likelihood that a user will end up on the wrong VLANs grows -- and not just as a result of administrator error. Rather, we have done nothing here to prevent Jack from associating to the "SalesNet" SSID, thereby placing himself into the Sales VLAN, where he will have access to the Sales servers.

We can defeat this "VLAN hopping" problem by using 802.1X Port Access Control to control SSID usage. An office concerned about wireless security should be using WPA (or WPA2) Enterprise to encrypt over-the-air traffic. Using WPA-Enterprise, whenever Jack tries to associate with the "SalesNet" SSID, the AP sends a RADIUS Access-Request to an 802.1X Authentication Server. That Server verifies Jack's identity and credentials before deciding whether to permit LAN access. To prevent Jack from hopping onto the Sales VLAN, we could configure the Server to return his authorized SSID ("EngNet") as a RADIUS attribute (see Figure 3). If the requested and permitted SSIDs do not match, the AP will disassociate Jack, denying access to unauthorized VLANs.

Figure 3. Using 802.1X to control SSID usage

So far so good; but what if we had tens or hundreds of VLANs? It would be terribly inefficient -- perhaps even impossible -- to map each VID onto its own unique SSID. In a large network, we need an altogether different approach. Instead of static SSID/VLAN mappings, we could use 802.1X RADIUS attributes to supply dynamic VLAN bindings whenever wireless users authenticate. Now, when Jack associates with the "CorpNet" SSID, the Server returns his authorized VID (#3), which the AP uses to tag all of his traffic. When Jill associates with that same "CorpNet" SSID, the Server returns her authorized VID (#6), which the AP uses to tag her traffic. With this method, authenticated users are mapped onto VLANs, independent of access medium.

Figure 4. Using 802.1X to supply VLAN tags

The bottom line

Using 802.1X to supply VLAN tags is flexible, scalable and secure. Because the wireless network does not need to be segmented to match VLAN topology, SSIDs can be used for other purposes, such as separating wireless voice and data traffic, isolating wireless guests or quarantined hosts, or migrating from legacy devices to next-generation Wi-Fi. Those other SSIDs can be mapped to their own VIDs to keep traffic segregated as it moves through the network -- for stations that don't speak 802.1X, for example.

In fact, the same 802.1X Authentication Server can be used to dynamically supply VLAN tags to wired Ethernet stations, if all Ethernet switches and hosts are 802.1X-capable. Administrators would no longer need to configure every AP and edge Ethernet switch with VLAN mappings. Instead, VLAN tags would be configured into individual or group authorization policies, stored in just one place: the user database consulted by the 802.1X Authentication Server.

About the author: Lisa A. Phifer is vice president of Core Competence Inc. She has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for over 20 years and has advised companies large and small regarding security needs, product assessment, and the use of emerging technologies and best practices.