How to compartmentalize WiFi traffic with a VLAN
Virtual LANs have long been used within enterprise networks to create logical workgroups, independent of physical location or LAN topology. This tip describes how to use these same VLAN capabilities, found in both wired and wireless devices, to tag and compartmentalize Wi-Fi traffic, supporting your company's security and traffic management policies.
Wireless Security Lunchtime Learning
Going virtual
In Ethernet LANs, stations connected to the same physical switch are members of a "broadcast domain." Broadcast packets sent by each station are received by every other station in that domain. But contention and overhead grow along with domain size; eventually, the LAN gets congested and bogged down by collisions.
This can be prevented by decomposing one physical LAN into several smaller logical broadcast domains, or virtual LANs (VLANs). Stations in different VLANs may share the same physical media, but their traffic is segregated into isolated broadcast domains. Stations participating in a given VLAN receive packets sent by all other stations in that VLAN, but not packets sent by stations in other VLANs.
To create a VLAN, an Ethernet switch can be configured to group ports into numbered VLANs. For example, when packets arrive on port #9, a member of VLAN #1, the switch pushes those packets out through all other ports belonging to VLAN #1, and only those ports. This simple, static approach is known as port-based VLAN.
Or the switch can inspect arriving packets for embedded "tags," pushing packets through all ports in the identified VLAN. IEEE 802.1Q describes how to add a VLAN identifier (1-4096) and priority (1-7) to each packet's header. Tagging lets 802.1Q-capable devices like Layer 2 and Layer 3 switches, routers and firewalls enforce VLAN segregation along the packet's entire path.
For example, edge switch A may receive a packet through port #9, apply tag #1, and then push that packet to all ports in VLAN #1 and to core switch B through a VLAN trunk. Switch B inspects the packet's tag before pushing it to all edge switches in VLAN #1, and through its trunk to an upstream router. That router uses the packet's ingress interface, VLAN tag, and source/destination IP/port to apply Access Control Lists (ACLs) that permit/deny further forwarding.
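To make the tag format and the forwarding path just described concrete, here is an added Python model (not code from the original tip or from any vendor) of 802.1Q tag insertion and parsing plus an edge switch with access and trunk ports; the port numbers, VLAN ids and the ARP frame are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value announcing an 802.1Q tag

def insert_tag(frame, vid, pcp=0):
    """Insert an 802.1Q tag after the 12-byte destination/source MAC pair.
    TCI layout: PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    if not (1 <= vid <= 4094 and 0 <= pcp <= 7):
        raise ValueError("VID must be 1-4094 and PCP 0-7")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + frame[12:]

def parse_tag(frame):
    """Return (pcp, vid, untagged_frame), or None if the frame has no tag."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci >> 13, tci & 0x0FFF, frame[:12] + frame[16:]

class Switch:
    """Toy 802.1Q switch: access ports carry one untagged VLAN, trunk ports carry
    tagged frames for an allowed set of VLANs; flooding stays inside the VLAN."""
    def __init__(self, access, trunks):
        self.access = access   # port -> VID the port belongs to
        self.trunks = trunks   # port -> set of VIDs permitted on that trunk

    def forward(self, ingress, frame):
        """Return {egress_port: frame_as_sent}; an empty dict means dropped."""
        tag = parse_tag(frame)
        if ingress in self.access:
            if tag is not None:        # tagged frames on access ports are dropped
                return {}
            pcp, vid, payload = 0, self.access[ingress], frame
        elif ingress in self.trunks:
            if tag is None or tag[1] not in self.trunks[ingress]:
                return {}              # trunk filter: only allowed VLANs pass
            pcp, vid, payload = tag
        else:
            return {}
        out = {}
        for port, member in self.access.items():
            if port != ingress and member == vid:
                out[port] = payload                        # untagged to members
        for port, allowed in self.trunks.items():
            if port != ingress and vid in allowed:
                out[port] = insert_tag(payload, vid, pcp)  # tagged on trunks
        return out

# Constructed topology: ports 9 and 10 in VLAN 1, port 11 in VLAN 2, port 24 trunked
# to the core switch carrying VLANs 1 and 2 only.
EDGE = Switch(access={9: 1, 10: 1, 11: 2}, trunks={24: {1, 2}})
# Constructed broadcast frame (ARP request with a zeroed body) arriving on port 9.
FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0806") + bytes(28)
```

A broadcast entering access port 9 leaves port 10 untagged and port 24 tagged with VID 1, while a frame tagged VID 3 arriving on the trunk is discarded because that VLAN is not permitted on it.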
VLANs let you create LAN workgroups that are independent of physical location. Stations participating in a given VLAN can be distributed across different floors, buildings or even cities. Workgroup members can be added or removed and ACLs can be changed through centrally-managed device configurations. In addition to reducing broadcast overhead, VLAN tags can be used to give one workgroup's traffic priority over another, and to permit members to hear traffic and reach network resources that should be accessible to them but not to others.
Extending VLANs to wireless
Now that we understand how VLANs work in wired Ethernet LANs, let's consider why and how we can extend them to wireless 802.11 LANs.
Many companies can benefit from prioritizing wireless traffic and controlling where that traffic is permitted to flow. Over the air, 802.11 data packets may be prioritized using 802.11e Quality of Service (QoS) -- also known as Wi-Fi Multimedia (WMM). And, although we can't control access to the air, we can permit/deny wireless access point (AP) use with 802.1X port access controls. VLAN tags can tie these wireless security and performance measures to your wired network.
For example, all wireless APs could be grouped into a single VLAN, assigned an identifier not used by any Ethernet workgroup. Edge switches could apply the wireless VLAN's tag to packets received from any AP. Upstream switches could funnel all wireless VLAN traffic towards an Internet access router, and network layer ACLs could prevent wireless VLAN traffic from reaching other destinations inside your company network.
Isolating traffic arriving over wireless this way may be appropriate for networks that only use 802.11 to provide guest Internet access. Wireless traffic might also be assigned lower priority, so that switches and routers service other traffic first. A wireless VLAN can also be used to group APs and stations into one IP subnet, independent of location. That way, when wireless stations roam between APs, they can retain the same IP address, avoiding TCP session and VPN tunnel disruption.
Ultimately, this single VLAN approach suffers the same problem facing physical LANs: as the size of the wireless network grows, the VLAN becomes congested. And, as the wireless network becomes more diverse, breaking that single VLAN apart into separate workgroups (several VLANs) can be helpful.
Wireless VLAN tagging
Fortunately, 802.1Q tagging also gives us the foundation needed to map wireless traffic to multiple VLANs, based on defined criteria.
When traffic from wireless APs is concentrated through an 802.1Q-capable wireless switch or gateway, that device can tag packets before forwarding them. For example, a wireless gateway can sit between APs and a protected network, authenticating stations, and then place them into roles. Roles can define ACLs and VLAN tags to be applied to any packet that is permitted to pass through the gateway. Stations in the "guest" role could receive VLAN tag #1 while stations in the "employee" role could receive VLAN tag #2, etc.
Alternatively, an 802.1Q-capable AP can tag packets arriving over 802.11 before bridging those packets onto a distribution network (e.g., Ethernet). In other words, that AP can behave like an edge switch, tagging packets before pushing them over a VLAN trunk to any upstream switch, gateway or router. Instead of basing those tags on ingress switch port, the AP may base tags on ingress WLAN (e.g., radio interface or service set identifier). For example, all stations connected to SSID "guest" could receive VLAN tag #1 while all stations connected to SSID "employee" could receive VLAN tag #2.
Either method could be used to segregate wireless traffic into as many VLANs as needed to satisfy network objectives. For example, VLANs could be used to isolate wireless voice from data, giving RTP priority over the air (with 802.11e) and over Ethernet (with 802.1p). VLANs can also be used to isolate management traffic from end user traffic, reducing the risk of administrative compromise. Finally, WLANs can use RADIUS to map VLAN tags to traffic streams -- see our companion tip, Combining 802.1X and VLANs for WLAN authorization.
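As an added example (not from the original tip or any vendor product), the following Python models an AP that tags by ingress SSID and an upstream router that applies ACLs keyed on ingress VLAN, destination address and port, as the sections above describe; the SSID names, VLAN numbers, subnets and rules are assumptions made for illustration.

```python
import ipaddress

# Constructed policy: each SSID maps to the VLAN id and 802.1p priority the AP
# applies when bridging a station's frames onto the Ethernet trunk. Voice gets
# PCP 5 so switches service RTP ahead of data; no SSID maps to management.
SSID_POLICY = {"guest": (10, 0), "employee": (20, 0), "voice": (30, 5)}
MGMT_VLAN = 99                                  # AP/switch management only
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed company network
ANY = ipaddress.ip_network("0.0.0.0/0")

# Upstream router ACL: (ingress VLAN or None for any, destination network,
# destination port or None, action). First match wins; unmatched traffic is
# denied, so guests reach only the Internet and voice never leaves the company.
ACL = [
    (10, INTERNAL, None, "deny"),    # guest may not reach the company network ...
    (10, ANY, None, "permit"),       # ... only the Internet
    (30, INTERNAL, None, "permit"),  # voice stays inside (SIP/RTP to PBX, phones)
    (20, INTERNAL, 22, "deny"),      # no SSH into servers from wireless employees
    (20, ANY, None, "permit"),
]

def acl_decision(vid, dst, dport=None):
    """Evaluate the router ACL for one packet; returns 'permit' or 'deny'."""
    if vid == MGMT_VLAN:             # end-user traffic must never land in mgmt VLAN
        return "deny"
    dst_ip = ipaddress.ip_address(dst)
    for rule_vid, net, port, action in ACL:
        if rule_vid is not None and rule_vid != vid:
            continue
        if dst_ip not in net or (port is not None and port != dport):
            continue
        return action
    return "deny"                    # implicit deny at the end of the list

def station_packet(ssid, dst, dport=None):
    """Model the AP tagging a station's packet by ingress SSID, then the router
    applying the ACL. Returns (decision, vid, pcp)."""
    if ssid not in SSID_POLICY:      # unknown SSID: nothing to tag, drop at the AP
        return ("drop", None, None)
    vid, pcp = SSID_POLICY[ssid]
    return (acl_decision(vid, dst, dport), vid, pcp)
```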
VLAN best practices
VLANs can help compartmentalize traffic for any number of reasons in both wired and wireless networks. However, VLANs must be configured with care to avoid mistakes that inhibit correct operation or compromise security. For example, the Certified Wireless Security Professional (CWSP) Study Guide recommends that:
- Traffic pushed over trunks between APs and switches should be filtered to allow only packets belonging to active wireless VLANs.
- To avoid dynamic VLAN reconfiguration, APs should not use the Generic VLAN Registration Protocol (GVRP).
- Broadcast and multicast traffic to the AP should be filtered, for example by using Internet Group Management Protocol (IGMP) snooping.
- ACLs should be used to map wireless security to wired infrastructure.
- ACLs should be used to prevent end user access to the AP's default VLAN.