CHAPTER 4: SYSTEM CONFIGURATION

VLAN

The access point can employ VLAN tagging support to control access to network resources and increase security. VLANs separate traffic passing between the access point, associated clients, and the wired network. There can be a VLAN assigned to each associated client, a default VLAN for each VAP (Virtual Access Point) interface, and a management VLAN for the access point.

Note the following points about the access point's VLAN support:

- The management VLAN is for managing the access point through remote management tools, such as the web interface, SSH, SNMP, or Telnet. The access point only accepts management traffic that is tagged with the specified management VLAN ID.

- All wireless clients associated to the access point are assigned to a VLAN. If IEEE 802.1X is being used to authenticate wireless clients, specific VLAN IDs can be configured on the RADIUS server to be assigned to each client. If a client is not assigned to a specific VLAN or if 802.1X is not used, the client is assigned to the default VLAN for the VAP interface with which it is associated. The access point only allows traffic tagged with assigned VLAN IDs or default VLAN IDs to access clients associated on each VAP interface.

- When VLAN support is enabled on the access point, traffic passed to the wired network is tagged with the appropriate VLAN ID, either an assigned client VLAN ID, default VLAN ID, or the management VLAN ID. Traffic received from the wired network must also be tagged with one of these known VLAN IDs. Received traffic that has an unknown VLAN ID or no VLAN tag is dropped.

- When VLAN support is disabled, the access point does not tag traffic passed to the wired network and ignores the VLAN tags on any received frames.

Using IEEE 802.1X and a central RADIUS server, up to 64 VLAN IDs can be mapped to specific wireless clients, allowing users to remain within the same VLAN as they move around a campus site. This feature can also be used to control access to network resources from clients, thereby improving security.

NOTE: Before enabling VLAN tagging on the access point, be sure to configure the attached network switch port to support tagged VLAN frames from the access point's management VLAN ID, default VLAN IDs, and other client VLAN IDs. Otherwise, connectivity to the access point will be lost when you enable the VLAN feature.
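The wired-side filtering rule and the switch-port check from the NOTE can be modelled as follows. This is an added example, not code from the manual or the access point's firmware. It assumes standard IEEE 802.1Q tagging (TPID 0x8100, 12-bit VLAN ID); the function names and all VLAN IDs are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q tag


def vlan_id(frame: bytes):
    """Return the 802.1Q VLAN ID of an Ethernet frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits of the tag control field


def known_vlans(mgmt_vlan, vap_defaults, client_vlans):
    """VLAN IDs the access point recognises: management, VAP defaults, assigned."""
    return {mgmt_vlan} | set(vap_defaults.values()) | set(client_vlans.values())


def wired_ingress(frame, known, vlan_enabled):
    """Decide what happens to a frame arriving from the wired network."""
    if not vlan_enabled:
        return "accept"          # tags are ignored when VLAN support is off
    vid = vlan_id(frame)
    if vid is None:
        return "drop: untagged"
    return "accept" if vid in known else "drop: unknown VLAN %d" % vid


def missing_on_trunk(known, trunk_allowed):
    """VLAN IDs the AP will tag that the switch port does not carry."""
    return sorted(known - set(trunk_allowed))


def make_frame(vid=None):
    """Build a constructed test frame (zeroed MACs, IPv4 EtherType)."""
    head = bytes(12)
    tag = struct.pack("!HH", TPID_8021Q, vid) if vid is not None else b""
    return head + tag + struct.pack("!H", 0x0800) + bytes(46)


# Constructed sample configuration (all IDs are illustrative)
KNOWN = known_vlans(10, {"vap0": 20, "vap1": 30}, {"alice": 40})
```

A non-empty result from `missing_on_trunk` before VLAN support is enabled means clients on those VLANs, or management access if the management VLAN ID is listed, will lose connectivity through that switch port.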