In a VLAN environment, the central network administration generally assigns a unique VLAN ID to each virtual network. Which VLAN a client belongs to is mostly decided by the physical connection between the client and the network.
The central instance that manages the network (e.g. a VLAN-capable switch) internally assigns its ports to certain VLAN IDs. A data packet arriving at a port is forwarded internally only to the ports carrying the corresponding VLAN ID. Network nodes connected to ports with a different VLAN ID (or none at all) never receive the packet.
In the case of multiple VLANs that offer various service levels, data communications are channeled through different logical wireless LANs (SSIDs). For example, employees receive access to the corporate network and the Internet via a specific SSID. Guests receive a different SSID that offers access limited to the Internet.
LANCOM access points also maintain VLAN network tables, which control the assignment of wireless LAN clients to individual VLANs. In large network environments, a RADIUS server usually handles the rights management and the assignment of clients to the VLANs. After successful authentication, the RADIUS server returns the client's VLAN assignment to the corresponding access point (on standard RADIUS servers this is carried in the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes of the Access-Accept, as described in RFC 3580). For the duration of the client association, this data is stored in the AP's VLAN network table.
If necessary, different WLAN clients associated with the same access point obtain different VLAN IDs. This is handled by the dynamic VLAN network tables in the access points. Unicast traffic of each client is protected by a per-client session key negotiated when the client logs on to the access point. This ensures that the unicast communications of clients in different VLANs remain isolated from each other even though the various clients use the same logical wireless LAN (SSID) to communicate with the access point.
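The following is an added example, not LANCOM code, of what an access point has to do with a RADIUS Access-Accept before it can fill its VLAN network table: decode the three RFC 2868/3580 tunnel attributes (real attribute numbers and values), respect the optional tag octet, check that the assignment actually describes an 802 VLAN, and fall back to a default VLAN when the attributes are missing, inconsistent or out of range. The `VlanNetworkTable` class, the sample attribute payloads and the fallback-to-default policy are assumptions made for the illustration.

```python
from typing import Dict, Optional

# RADIUS attribute numbers and enumerations from RFC 2868 / RFC 3580 (real values).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def parse_attributes(data: bytes):
    """Yield (type, value) for each RADIUS attribute TLV; reject malformed lengths."""
    i = 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        yield atype, data[i + 2:i + alen]
        i += alen


def vlan_from_access_accept(attrs: bytes) -> Optional[int]:
    """Return the VLAN ID assigned by the RADIUS server, or None when the AP
    should not trust the assignment (missing, inconsistent or invalid)."""
    per_tag: Dict[int, dict] = {}  # tunnel attributes are grouped by their tag octet
    for atype, value in parse_attributes(attrs):
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            # string attribute: the tag is present only if the first octet is 0x01..0x1F
            if value and 0x01 <= value[0] <= 0x1F:
                tag, body = value[0], value[1:]
            else:
                tag, body = 0, value
            per_tag.setdefault(tag, {})["group"] = body
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            # integer tunnel attributes always carry a tag octet (0x00 = unused) + 3 value octets
            if len(value) != 4:
                return None
            per_tag.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
    for entry in per_tag.values():
        if entry.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
            continue
        if entry.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
            continue
        group = entry.get("group", b"")
        if not group.isdigit():
            return None  # a VLAN *name* would need a local name-to-ID mapping; not handled here
        vlan = int(group)
        return vlan if 1 <= vlan <= 4094 else None
    return None


class VlanNetworkTable:
    """Hypothetical per-AP table: client MAC -> VLAN, kept for the lifetime of the association."""

    def __init__(self, default_vlan: int):
        self.default_vlan = default_vlan
        self.entries: Dict[str, int] = {}

    def on_access_accept(self, mac: str, attrs: bytes) -> int:
        vlan = vlan_from_access_accept(attrs)
        # Design choice for this example: fall back to the SSID's default VLAN.
        # A stricter deployment would reject the association instead.
        self.entries[mac] = self.default_vlan if vlan is None else vlan
        return self.entries[mac]

    def on_disassociate(self, mac: str) -> None:
        self.entries.pop(mac, None)


def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value


# Constructed sample payloads (not captured from a real server).
SAMPLE_VLAN_20_TAGGED = (
    _attr(TUNNEL_TYPE, bytes([1, 0, 0, TUNNEL_TYPE_VLAN]))
    + _attr(TUNNEL_MEDIUM_TYPE, bytes([1, 0, 0, TUNNEL_MEDIUM_IEEE_802]))
    + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + b"20")
)
SAMPLE_VLAN_20_UNTAGGED = (
    _attr(TUNNEL_TYPE, bytes([0, 0, 0, TUNNEL_TYPE_VLAN]))
    + _attr(TUNNEL_MEDIUM_TYPE, bytes([0, 0, 0, TUNNEL_MEDIUM_IEEE_802]))
    + _attr(TUNNEL_PRIVATE_GROUP_ID, b"20")
)
SAMPLE_WRONG_MEDIUM = (  # Tunnel-Medium-Type IPv4 (1) is not a VLAN assignment
    _attr(TUNNEL_TYPE, bytes([0, 0, 0, TUNNEL_TYPE_VLAN]))
    + _attr(TUNNEL_MEDIUM_TYPE, bytes([0, 0, 0, 1]))
    + _attr(TUNNEL_PRIVATE_GROUP_ID, b"20")
)
SAMPLE_OUT_OF_RANGE = (
    _attr(TUNNEL_TYPE, bytes([0, 0, 0, TUNNEL_TYPE_VLAN]))
    + _attr(TUNNEL_MEDIUM_TYPE, bytes([0, 0, 0, TUNNEL_MEDIUM_IEEE_802]))
    + _attr(TUNNEL_PRIVATE_GROUP_ID, b"4095")
)
```

The tag handling is the part most often got wrong in home-grown parsers: the integer-valued tunnel attributes always carry the tag octet, while for the string-valued Tunnel-Private-Group-ID the first octet is only a tag if it lies in 0x01..0x1F, so a group ID of "20" (0x32 0x30) is untagged.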
A client associating with an access point in a wireless LAN is also given a group key for receiving broadcast and multicast messages.
Broadcast and multicast frames on the wireless side carry no VLAN tag, and with a single group key per SSID every associated client can decrypt them. Wireless LAN clients located in an isolated VLAN therefore cannot be excluded from receiving these messages. In the ideal case the wireless clients ignore broadcast and multicast messages from outside their VLAN, but this is cooperation by the client, not enforcement by the access point: a client that chooses to listen sees them all.
Since these messages are increasingly being used for network configuration, the following problems arise:
- Network protocols such as "UPnP" and "Bonjour" use these messages to announce new services in the network. Wireless LAN clients could thus discover, and attempt to connect to, servers in VLANs to which they have no access at all.
- The Internet standard IPv6 transmits router information to clients as multicast Router Advertisements. There is a risk that wireless LAN clients outside a VLAN use the Router Advertisements of that VLAN to obtain an address and default route there and so circumvent the VLAN to which they are actually assigned.
The widespread use of IPv6 will make this kind of client problem more frequent.
To avoid these problems, the access point can assign a separate group key to each VLAN, instead of one that applies to all wireless LAN clients. Thus the access point sends its broadcast and multicast transmissions not to all existing wireless clients, but solely to a specific VLAN and the clients registered there. The wireless LAN clients in other VLANs therefore cannot decrypt these broadcasts.
In principle a maximum of 3 separate VLANs can be managed with their own group keys, because the IEEE 802.11 frame format leaves only key IDs 1 to 3 for group keys (key ID 0 is used for the pairwise key). Each group key is either managed automatically by the access point or manually by the network administrator. When the wireless LAN client logs on to the network, the access point sends it the corresponding VLAN group key to decrypt the broadcast and multicast transmissions for that VLAN.
This results in 2 possible scenarios:
- No more than 3 VLANs are set up in the area of an access point: These VLANs are securely separated from each other by the 3 VLAN group keys.
- More than 3 VLANs exist within range of an access point: In this case, at least two VLANs share a group key, and those VLANs are no longer isolated from each other at the broadcast and multicast level. The administrator must choose the distribution of the shared group keys so that only VLANs of comparable trust level share a key (a guest VLAN should not share one with an internal VLAN).
VLAN group keys are managed in 2 tables:
- The configuration table in which the assignment is carried out manually by the administrator.
- The status table in which the automatic group key assignment by the access point can be viewed.
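The following is an added example, not LANCOM code, of an access point model that assigns per-VLAN group keys the way the two tables above describe: a manual configuration table that pins a VLAN to a key ID, automatic assignment for everything else, and a status table showing what is actually in use. The three key ID slots, the toy HMAC-based cipher standing in for CCMP/GCMP, and all class and method names are assumptions made for the illustration. The clients deliberately attempt to decrypt every group-addressed frame, so isolation rests on the key, not on client cooperation; with a fourth VLAN the model shows exactly where that isolation is lost.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

GROUP_KEY_IDS = (1, 2, 3)   # assumption: 802.11 key IDs available for group keys
NONCE_LEN = 8
TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def group_encrypt(key: bytes, key_id: int, payload: bytes) -> bytes:
    """Toy stand-in for 802.11 group encryption: key ID in the clear (like the
    Key ID field), random nonce, keystream XOR, HMAC tag over header+ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, nonce, len(payload))))
    header = bytes([key_id]) + nonce
    tag = hmac.new(key, header + ct, hashlib.sha256).digest()[:TAG_LEN]
    return header + ct + tag


def group_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Return the payload, or None if the frame was not produced under `key`."""
    if len(frame) < 1 + NONCE_LEN + TAG_LEN:
        return None
    header, ct, tag = frame[:1 + NONCE_LEN], frame[1 + NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, header + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, header[1:], len(ct))))


class Client:
    """A client that got one group key on association and tries to decrypt
    every group-addressed frame (i.e. it does not politely ignore other VLANs)."""

    def __init__(self, vlan: int, key_id: int, key: bytes):
        self.vlan, self.key_id, self.key = vlan, key_id, key

    def receive(self, frame: bytes) -> Optional[bytes]:
        return group_decrypt(self.key, frame)


class AccessPoint:
    def __init__(self, config_table: Optional[Dict[int, int]] = None):
        self.keys = {kid: os.urandom(16) for kid in GROUP_KEY_IDS}
        self.config_table = dict(config_table or {})   # VLAN -> key ID, set by the admin
        self.status_table: Dict[int, int] = {}         # VLAN -> key ID actually in use

    def key_id_for_vlan(self, vlan: int) -> int:
        if vlan not in self.status_table:
            if vlan in self.config_table:
                kid = self.config_table[vlan]
                if kid not in self.keys:
                    raise ValueError("invalid group key ID %r for VLAN %d" % (kid, vlan))
            else:
                # automatic: least-used key ID, lowest ID on a tie, so a fourth
                # VLAN ends up sharing a key with the first one
                used = list(self.status_table.values())
                kid = min(GROUP_KEY_IDS, key=lambda k: (used.count(k), k))
            self.status_table[vlan] = kid
        return self.status_table[vlan]

    def associate(self, vlan: int) -> Client:
        kid = self.key_id_for_vlan(vlan)
        return Client(vlan, kid, self.keys[kid])   # group key handed out at logon

    def broadcast(self, vlan: int, payload: bytes) -> bytes:
        kid = self.key_id_for_vlan(vlan)
        return group_encrypt(self.keys[kid], kid, payload)

    def shared_key_vlans(self) -> Dict[int, List[int]]:
        """Key IDs serving more than one VLAN: those VLANs see each other's broadcasts."""
        by_key: Dict[int, List[int]] = {}
        for vlan, kid in self.status_table.items():
            by_key.setdefault(kid, []).append(vlan)
        return {k: v for k, v in by_key.items() if len(v) > 1}
```

With three VLANs every broadcast decrypts only on clients of its own VLAN. Associating a fourth VLAN without a manual entry makes the automatic assignment reuse key ID 1, and `shared_key_vlans()` then reports the pair that is no longer isolated; the configuration table is how the administrator decides which VLANs may share.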