Nortel Networks 2300 Switch User Manual


 
104 Configuring and managing ports and VLANs
NN47250-500 (320657-F Version 02.01)
VLANs, IP subnets, and IP addressing
Generally, VLANs are equivalent to IP subnets. If a WSS is connected to the network by only one IP subnet, the switch
must have at least one VLAN configured. Optionally, each VLAN can have its own IP address. However, no two IP
addresses on the switch can belong to the same IP subnet.
You must assign the system IP address to one of the VLANs, for communications between WSSs and for unsolicited
communications such as SNMP traps and RADIUS accounting messages. Any IP address configured on a WSS can be
used for management access unless explicitly restricted. (For more information about the system IP address, see
“Configuring and managing IP interfaces and services” (page 121).)
Users and VLANs
When a user successfully authenticates to the network, the user is assigned to a specific VLAN. A user remains associated
with the same VLAN throughout the user’s session on the network, even when roaming from one WSS to another
within the Mobility Domain.
You assign a user to a VLAN by setting one of the following attributes on the RADIUS servers or in the local user
database:
• Tunnel-Private-Group-ID—This attribute is described in RFC 2868, RADIUS Attributes for Tunnel Protocol Support.
• VLAN-Name—This attribute is a Nortel vendor-specific attribute (VSA).
Specify the VLAN name, not the VLAN number. The examples in this chapter assume the VLAN is assigned on a
RADIUS server with either of the valid attributes. (For more information, see “Configuring AAA for network users”
(page 467).)
VLAN names
To create a VLAN, you must assign a name to it. VLAN names must be globally unique across a Mobility Domain to
ensure the intended user connectivity as determined through authentication and authorization.
Every VLAN on a WSS has both a VLAN name, used for authorization purposes, and a VLAN number. VLAN numbers
can vary uniquely for each WSS and are not related to 802.1Q tag values.
You cannot use a number as the first character in a VLAN name.
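An added example, not part of the Nortel manual: a short Python audit of a planned configuration against the rules stated on this page (VLAN names cannot start with a number, no two IP addresses on a switch can be in the same IP subnet, users are assigned by VLAN name through Tunnel-Private-Group-ID or VLAN-Name, and Tunnel-Private-Group-ID cannot be configured in the local user database). The plan format, switch names, users and addresses are constructed for illustration, and the check for unknown VLAN names assumes the plan lists every switch in the Mobility Domain.

```python
import ipaddress

# Constructed plan: switch names, VLAN names, users and addresses are hypothetical.
PLAN = {
    "switches": {  # switch -> {VLAN name: interface address or None}
        "wss-1": {"red": "10.10.10.2/24", "blue": "10.10.20.2/24",
                  "mgmt": "10.10.10.130/24"},
        "wss-2": {"red": None, "2floor": "10.20.0.2/24"},
    },
    "users": [  # (user, where the attribute is set, attribute, value)
        ("alice", "radius", "Tunnel-Private-Group-ID", "red"),
        ("bob", "local", "Tunnel-Private-Group-ID", "blue"),
        ("carol", "radius", "VLAN-Name", "20"),
        ("dave", "local", "VLAN-Name", "green"),
    ],
}
VLAN_ATTRS = {"Tunnel-Private-Group-ID", "VLAN-Name"}

def audit(plan):
    """Return a list of findings for the rules stated on this manual page."""
    findings, known = [], set()
    for sw, vlans in plan["switches"].items():
        seen = []  # (VLAN name, network) pairs already addressed on this switch
        for vlan, addr in vlans.items():
            known.add(vlan)
            if vlan[:1].isdigit():
                findings.append(f"{sw}: VLAN name '{vlan}' starts with a number")
            if addr is None:  # a VLAN's IP address is optional
                continue
            net = ipaddress.ip_interface(addr).network
            for other, other_net in seen:
                if net.overlaps(other_net):
                    findings.append(f"{sw}: '{other}' and '{vlan}' share an IP subnet")
            seen.append((vlan, net))
    for user, source, attr, value in plan["users"]:
        if attr not in VLAN_ATTRS:
            findings.append(f"{user}: '{attr}' does not assign a VLAN")
        elif source == "local" and attr == "Tunnel-Private-Group-ID":
            findings.append(f"{user}: {attr} cannot be set in the local user database")
        if value.isdigit():
            findings.append(f"{user}: '{value}' is a VLAN number, a name is required")
        elif value not in known:
            # Assumption: the plan lists every switch in the Mobility Domain.
            findings.append(f"{user}: VLAN '{value}' is not configured on any switch")
    return findings

if __name__ == "__main__":
    for line in audit(PLAN):
        print(line)
```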
Roaming and VLANs
WSSs in a Mobility Domain contain a user’s traffic within the VLAN that the user is assigned to. For example, if you
assign a user to VLAN red, the WSSs in the Mobility Domain contain the user’s traffic within VLAN red configured on
the switches.
The WSS through which a user is authenticated is not required to be a member of the VLAN the user is assigned to. You
are not required to configure the VLAN on all WSSs in the Mobility Domain. When a user roams to a switch that is not
a member of the VLAN the user is assigned to, the switch can tunnel traffic for the user through another switch that is a

Note. You cannot configure the Tunnel-Private-Group-ID attribute in the local user database.