
Configuring and Managing Ports and VLANs 89
Nortel WLAN Security Switch 2300 Series Configuration Guide
Understanding VLANs in Nortel WSS Software
A virtual LAN (VLAN) is a Layer 2 broadcast domain that can span multiple wired or wireless LAN segments. Each
VLAN is a separate logical network and, if you configure IP interfaces on the VLANs, WSS Software treats each VLAN
as a separate IP subnet.
Only network ports can be preconfigured to be members of one or more VLANs. You configure VLANs on a WSS’s
network ports by configuring them on the switch itself. You configure a VLAN by assigning a name and network ports
to the VLAN. Optionally, you can assign VLAN tag values on individual network ports. You can configure multiple
VLANs on a WSS’s network ports. Optionally, each VLAN can have an IP address.
VLANs are not configured on AP access ports or wired authentication ports, because the VLAN membership of these
types of ports is determined dynamically through the authentication and authorization process. Users who require
authentication connect through WSS switch ports that are configured for AP access ports or wired authentication access.
Users are assigned to VLANs automatically through authentication and authorization mechanisms such as 802.1X.
By default, none of a WSS switch’s ports are in VLANs. A switch cannot forward traffic on the network until you
configure VLANs and add network ports to those VLANs.
VLANs, IP Subnets, and IP Addressing
Generally, VLANs are equivalent to IP subnets. If a WSS is connected to the network by only one IP subnet, the switch
must have at least one VLAN configured. Optionally, each VLAN can have its own IP address. However, no two IP
addresses on the switch can belong to the same IP subnet.
You must assign the system IP address to one of the VLANs, for communications between WSSs and for unsolicited
communications such as SNMP traps and RADIUS accounting messages. Any IP address configured on a WSS can be
used for management access unless explicitly restricted. (For more information about the system IP address, see
“Configuring and Managing IP Interfaces and Services,” on page 107.)
Users and VLANs
When a user successfully authenticates to the network, the user is assigned to a specific VLAN. A user remains associated
with the same VLAN throughout the user’s session on the network, even when roaming from one WSS to another
within the Mobility Domain.
You assign a user to a VLAN by setting one of the following attributes on the RADIUS servers or in the local user
database:
• Tunnel-Private-Group-ID—This attribute is described in RFC 2868, RADIUS Attributes for Tunnel Protocol
Support.
Note. A wireless client cannot join a VLAN if the physical network ports on the WSS
switch in the VLAN are down. However, a wireless client that is already in a VLAN whose
physical network ports go down remains in the VLAN even though the VLAN is down.
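
The following is an added example, not part of the Nortel guide or of WSS Software: it decodes the Tunnel-Private-Group-ID attribute named above from the attribute section of a RADIUS reply, following the RFC 2868 wire format (attribute type 81, optional one-octet tag). The sample bytes and the group names "red" and "blue" are constructed, and the helper names are assumptions of this example.

```python
TUNNEL_PRIVATE_GROUP_ID = 81  # attribute type assigned in RFC 2868

def iter_attributes(data: bytes):
    """Yield (type, value) for each RADIUS attribute TLV in `data`."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        # Length covers the type and length octets, so it is at least 2.
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        yield attr_type, data[pos + 2:pos + length]
        pos += length

def decode_private_group_id(value: bytes):
    """Return (tag, group_id) from a Tunnel-Private-Group-ID value.

    RFC 2868: a first octet in 0x01..0x1F is a tag; an octet above 0x1F
    is the first byte of the string. This example treats 0x00 as an
    unused tag and drops it.
    """
    if not value:
        raise ValueError("empty Tunnel-Private-Group-ID")
    first = value[0]
    if first <= 0x1F:
        tag, raw = (first or None), value[1:]
    else:
        tag, raw = None, value
    if not raw:
        raise ValueError("Tunnel-Private-Group-ID has no string")
    return tag, raw.decode("ascii")  # non-ASCII names raise ValueError

def vlan_assignments(attributes: bytes):
    """Collect every Tunnel-Private-Group-ID in an attribute list."""
    return [decode_private_group_id(v)
            for t, v in iter_attributes(attributes)
            if t == TUNNEL_PRIVATE_GROUP_ID]

def tlv(attr_type: int, value: bytes) -> bytes:
    """Build one attribute (helper for the constructed sample)."""
    return bytes([attr_type, len(value) + 2]) + value

# Constructed sample: attribute section of a RADIUS reply.
SAMPLE = (tlv(1, b"alice")          # User-Name (type 1)
          + tlv(81, b"\x01red")     # tagged group ID, tag 1
          + tlv(81, b"blue"))       # untagged group ID

if __name__ == "__main__":
    print(vlan_assignments(SAMPLE))
```

A reply that carries more than one Tunnel-Private-Group-ID, as the sample does, is worth flagging when auditing RADIUS policy, because the VLAN the user lands in then depends on which value the receiver honors.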