Overlay network: Separating networks for access points without using VLAN

In many cases, networks in a shared physical infrastructure are separated by using VLANs. However, this method assumes that the switches operated in the network are VLAN-capable and that these are configured for VLAN operations. Consequently, the administrator has to rollout the VLAN configuration for the whole network.

WLAN controllers enable you to separate the networks while minimizing the use of VLANs. The access points use a CAPWAP data tunnel to direct the payload from the WLAN clients straight to the controller, which then assigns the data to the corresponding VLANs. In this situation, VLAN configuration is only required for the controller and a single, central switch. All of the other switches in this example work without a VLAN configuration.

Note: With this configuration, you reduce the VLAN to the core of the network structure (illustrated with a blue background). What's more, only 3 of the switch ports in use require a VLAN configuration.

Example application: Overlay network

The diagram shows a sample application with the following components:

The network consists of two segments, each with its own (not necessarily VLAN-capable) switch.
Each segment contains several access points, each of which is connected to one of the switches.
Each access point provides two SSIDs for the WLAN clients in two different user groups, shown in the diagram in green and orange.
Each user group has access to its own dedicated server that is separated from other user group. The servers can only be accessed via the corresponding VLANs, i.e. through the access ports configured on the switch.
A single WLAN controller manages all of the access points in the network.
A central, VLAN-capable switch connects the switches in each segment, the servers for each group, and the WLAN controller.

The aim of the configuration: A WLAN client that associates with an SSID is to have access to its "own" server, regardless of which access point is being used and regardless of the segment in which the client is located.

Note: The following description assumes a working basic configuration of the WLAN controller. The configuration of the VLAN switch is not part of this description.

Configuring the WLAN settings

For each SSID, create an entry in the list of logical networks. This entry requires a suitable name and the corresponding SSID.Connect the SSID to a WLC tunnel, for example the first SSID to "WLC-TUNNEL-1" and the second to "WLC-TUNNEL-2 '. Set the VLAN mode to 'tagged', set the VLAN ID '10' for the first logical network and the VLAN ID '20' for the second logical network. In LANconfig you find these settings under Configuration > WLAN Controller > Profiles > Logical WLAN networks (SSIDs).

Logical WLAN networks for overlay networks
Create an entry in the list of physical WLAN parameters with the appropriate settings for your access points, such as the country 'Europe' with the channels 1, 6 and 11 in 802.11b/g/n and 802.11a/n in mixed mode. For this profile in the physical WLAN parameters, enable the option to turn on the VLAN module on the access points. Set the operating mode for the management VLAN in the access points to 'Untagged'. In LANconfig you find these settings under Configuration > WLAN Controller > Profiles > Physical WLAN parameters.

Physical WLAN parameters for overlay networks
Create a WLAN profile and give it a suitable name. Then assign the logical WLAN networks and the physical WLAN parameters created previously to this WLAN profile. In LANconfig you find these settings under Configuration > WLAN Controller > Profiles > WLAN profiles.

WLAN profiles for overlay networks
For each managed access point, create an entry in the access point table with a suitable name and the associated MAC address. Assign the WLAN profile created previously to this access point. In LANconfig you find these settings under Configuration > WLAN Controller > AP config. > Access point table.

Access point table for overlay networks

Configuring the interfaces on the WLC

Assign a separate logical LAN interface, e.g. 'LAN-1', to each physical Ethernet port. Make sure that the other Ethernet ports are not assigned to the same LAN interface. In LANconfig you find these settings under Configuration > Interfaces > LAN > Ethernet ports.

Ethernet setting for overlay networks
Assign the logical LAN interface 'LAN-1' and the WLC tunnels 'WLC-tunnel-1' and 'WLC-tunnel-2' to the bridge-group 'BRG-1'. Make sure that the other LAN ports are not assigned to the same bridge group. In LANconfig you find these settings under Configuration > Interfaces > LAN > Port table.

Port settings for overlay networks

Note: By default, the LAN interfaces and WLC tunnels do not belong to a bridge group. By assigning the LAN interface 'LAN-1' and the two WLC tunnels 'WLC-Tunnel-1' and 'WLC-Tunnel-2' to the bridge group 'BRG-1', the device transmits all data packets between LAN-1 and the WLC tunnels via the bridge.
The WLAN controller can optionally act as a DHCP server for the access points. To set this up, activate the DHCP server for the 'INTRANET'. In LANconfig you find these settings under Configuration > TCP/IP > DHCP > DHCP networks.

DHCP settings for overlay networks