88 CHAPTER 5: CONFIGURING AND MANAGING PORTS AND VLANS
VLANs are not configured on MAP access ports or wired authentication
ports, because the VLAN membership of these types of ports is
determined dynamically through the authentication and authorization
process. Users who require authentication connect through WX switch
ports that are configured for MAPs or wired authentication access. Users
are assigned to VLANs automatically through authentication and
authorization mechanisms such as 802.1X.

By default, none of a WX switch’s ports are in VLANs. A switch cannot
forward traffic on the network until you configure VLANs and add
network ports to those VLANs.

A wireless client cannot join a VLAN if the physical network ports on the
WX switch in the VLAN are down. However, a wireless client that is
already in a VLAN whose physical network ports go down remains in the
VLAN even though the VLAN is down.

VLANs, IP Subnets, and IP Addressing

Generally, VLANs are equivalent to IP subnets. If a WX switch is
connected to the network by only one IP subnet, the switch must have at
least one VLAN configured. Optionally, each VLAN can have its own IP
address. However, no two IP addresses on the switch can belong to the
same IP subnet.

You must assign the system IP address to one of the VLANs, for
communications between WX switches and for unsolicited
communications such as SNMP traps and RADIUS accounting messages.
Any IP address configured on a WX switch can be used for management
access unless explicitly restricted. (For more information about the system
IP address, see Chapter 6, “Configuring and Managing IP Interfaces and
Services,” on page 103.)
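
The addressing rules above can be checked against a planned configuration before it is applied. The following Python sketch is an added example, not part of the original manual or of the switch software; the plan format, the VLAN names, the IPv4 addresses and the mgmt_restricted parameter (the set of VLANs on which the operator has already restricted management access) are assumptions made for illustration.

```python
import ipaddress

def audit_vlan_plan(vlan_ips, system_ip, mgmt_restricted=()):
    """Check a planned VLAN addressing scheme (IPv4 assumed).

    vlan_ips maps a VLAN name to "address/prefix", or None for a VLAN
    without an IP address. Returns a list of finding strings.
    """
    findings = []
    ifaces = {name: ipaddress.ip_interface(cidr)
              for name, cidr in vlan_ips.items() if cidr}
    names = sorted(ifaces)

    # Rule: no two IP addresses on the switch can belong to the same subnet.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                findings.append(f"overlap: {a} {ifaces[a]} and {b} {ifaces[b]}")

    # Rule: the system IP address must be assigned to one of the VLANs.
    sys_addr = ipaddress.ip_address(system_ip)
    if not any(iface.ip == sys_addr for iface in ifaces.values()):
        findings.append(f"system-ip: {system_ip} is not configured on any VLAN")

    # Exposure: every configured address accepts management access
    # unless it has been explicitly restricted.
    for name in names:
        if name not in mgmt_restricted:
            findings.append(f"mgmt-exposed: {name} {ifaces[name].ip}")
    return findings

# Constructed sample plan (hypothetical names and addresses).
SAMPLE_PLAN = {
    "default": "10.10.10.2/24",
    "guest": "10.10.10.130/25",   # falls inside the "default" subnet
    "voice": "10.10.30.2/24",
    "roaming": None,              # VLAN without an IP address
}

if __name__ == "__main__":
    for finding in audit_vlan_plan(SAMPLE_PLAN, "10.10.20.2", {"guest"}):
        print(finding)
```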

Users and VLANs

When a user successfully authenticates to the network, the user is
assigned to a specific VLAN. A user remains associated with the same
VLAN throughout the user’s session on the network, even when roaming
from one WX switch to another within the Mobility Domain.