when using a cisco aironet 1300 or so...

how exactly does the SSID & VLAN work?

when a user checks for wireless networks, do they see lots of them, and then pick one, which then corresponds to a VLAN?

or can you set one SSID, to correspond to Multiple VLANs, like a VLAN pool almost?


Reply to
Loading thread data ...

Yes. If you had 3 ssids assigned to 3 different vlans they would see all 3 unless of course you were not broadcasting all 3 SSIDs Now, if there were no authenication involved for the vlans they could connect to any of them but that defeats the purpose of the vlan. Vlan 1 with SSID

1 might require radius authentication , Vlan 2 with SSID 2 might use WPA-PSK or WEP for authentication. Vlan 3 with SSID 3 may be open for the public to use. Each VLAN has a tag, consider 3 cars with different car tags, specific car tags can only drive on certain highways and therefore only have access to the things on that highway. You need an AP that supports VLAN tagging and multiple SSIDs or Virtual APs as some refer to them. You can have as many VLANs as you can the number of SSIDs the AP supports (if the switch supports that many)

I dont thinks so, its one VLAN per SSID, not to say that a particular user or users could not be defined to use multiple VLANS, but if it was set up this way for everybody there would be no reason to have a VLAN

Reply to

i'm setting this up for a hotel, and for hotel guests. i've already got all the rooms hardwired and tagged with a VLAN...240 of them. I need to just separate the wireless traffic so that they can't network neighborhood browse, or even ping another computer.

is there a way to setup 50 SSIDs, all broadcasting, that allow only 1 user at a time connected to each? that way we could have 50 SSIDs with no authentication, and just tell a user to pick one. i'm guessing the only problem with that, is finding an open SSID. could i set it up someway stop broadcasting that SSID once a user is connected?

there has to be some kind of hardware that can do this, with all the wifi coffee shops and wifi hotspots going around. how are they making them secure?


Reply to


If you're using Cisco Aironet access points, then you will want to turn on the PSFP (Public Secure Packet Forwarding) feature ... this keeps one wireless client from (directly) accessing another.

formatting link

Reply to
Aaron Leonard


What are you using to configure 240 Vlans Most APs that handle VLANS will only handle 16 so 240 vlans is alot of APs, also the max SSIDs I have seen are 16 per AP. The only other option may be an expensive wireless gateway controller.

someway stop

The hardware/firmware is not available to do this

If you are looking for client isolation, there are several products that do this without Vlan. Client Isolation is the keyword. If you need a list of products that support client isolation send me an email. I think you need to re-think your plan here.......

Reply to

"Airhead" wrote in news:422fc226$0$22515 $ snipped-for-privacy@news.cablerocket.com:

right now we're using a cisco 3600 series router with 240 address pools, and 240 VLANs provided to that switch via 6 Dell PowerConnect 3348s.

We don't need all 240 on the wireless side, we just need to be able to separate, via PSFP (Public Secure Packet Forwarding) feature, the clients connected to the wireless AP. the PSFP idea was provided by Aaron in this thread.

I was first thinking we'd need a bunch of VLANs all mapped to an SSID, but after ready Aaron's post, i found that some commercial APs will support this PSFP or Client Isolation as you called it.

We're about to EVALUATE a NA500 from IP3Networks.com. We get it free for

90 days (confirmed with a CC#), and if we dont send it back within the timeframe, we don't pay a dime.

It's a "Business Gateway" as they referred to it, which provides DHCP (many many pools capable of supporting 500 VLANs), a web server, mail server, the list goes on. It also is a wireless gateway controller, but i'm supposed to find out more about this feature tomorrow. Do you know much about it? Is this capable of hooking antenna's via Cat5 straight to the gateway, instead of using APs?

I'd like a list of products, but could you post it here, so everyone else can read also?


Reply to




server, the

about it?


No, you will need APs, the NA500 looks OK, it is basically an Access Controller. One nice feature is the Zero configuration for clients. If their browsers are using a proxy or if they are set for a staic IP,, this takes care of it. A couple more to look at might be the Colubris and the Nomadix


The reason I was going to email them is because when I cut and paste them out of the database they loose all the formatting versus a report. Not a big deal just hard to read.. But just to narrow down the list, are you going to use multiple SSIDs to coincide with separate vlans. No reason to use a vlan unless you are tring to segment wireless public users from wireless staff on the wireless side. If this is not the case then I think I would use one vlan and one ssid for all hotel guest and then separate vlans for the wired side. Is this system going to tie in with their PMS system or is it just a free service. Using an ap that supports multiple SSIDs and Vlan tagging and client isolation cuts down the product selection and ups the price quite a bit.

Reply to

"Airhead" wrote in news:42307214$0$22520 $ snipped-for-privacy@news.cablerocket.com:

That's exactly why we need it, the zero configuration stuff. 100% of our problems so far have been related to dhcp and addressing.

The wireless service will most definately be free, and hooking SSIDs to VLANs is pretty much out of the picture with the PSPF feature / Client Isolation Feature. The staff and guests are completely separated, so they won't be together on ANY piece of hardware in the whole building.

It also WILL NOT tie into the PMS system, which makes it even easier.

I think as of now I just have to install the NA500, configure it, and then connect some Aironet 1300s to it (using client isoaltion), and voila.

I'll look into those other products, but we've already signed up for the EVAL program on the NA500. Wish me luck...lol


Reply to







Here is a list of the least expensive devices that support client isolation. Prices are approx. Linksys WRT54G $65.00 Linksys WRT54GS $80.00 Buffalo WHR3-G54 $90.00 Buffalo WBR2-G54S $80.00 Buffalo WBR2-G54 $75.00 Buffalo WBR2-B11 $60.00 Zyxel B-3000 $140.00 Zyxel B-1000 $85.00

Good Luck and let us know how it goes.

Reply to

"Airhead" wrote in news:4230d755$0$22519 $ snipped-for-privacy@news.cablerocket.com:

IRIE...i'm stoked it shouldn't be a problem.

Im thinking commercial though man...this is for 2 holiday and 2 Quality Inns. I'm going with Cisco Aironet equipment.

Reply to

Smowk wrote in news:Xns9615BCAA7C2F8SmowkieBandit@

by the way...AP isolation is supported on the AP i have now...and it works great....can't even ping a mac address

Reply to



Good choice, cant go wrong there.

Reply to

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.