VLAN – Securing VLANs for Wireless AP with Multiple SSIDs

Tags: access-point, private-vlan, vlan, wireless

I'm deploying Wireless Access Points with two SSIDs: employee (VLAN 45) and guests (VLAN 46). I'm confused about how I should configure the Ethernet port on the APs and switch.

My preference would be to configure the switch port as an access port, so that the WiFi endpoints are locked down. That's what I'd do if there was no guest WLAN. However, I don't think that will work: since there will be two VLANs, I believe I need to configure the switch port as trunked. My concern, though, is that making it a trunked switch port opens it up to all VLANs. Even if I restrict the VLANs to 45 and 46 on the switch port, it still means that anyone who, for example, disconnects the AP and plugs in has access to a trunked port.

How can I lock down the Wireless AP switch ports while still supporting two SSIDs and VLANs?

Best Answer

Supporting multiple VLANs on a switch interface means you will have a trunk with tags to separate frames for each VLAN on the trunk, except the native VLAN (if any). On your Cisco 350 switch, you can restrict which VLANs are allowed on a trunk:

switchport trunk allowed vlan {all | none | add vlan-list | remove vlan-list | except vlan-list}

For example, assume the user VLAN is 45, the guest VLAN is 46, and the trunk interface to the WAP is port 48:

interface GigabitEthernet48
 switchport mode trunk
 switchport trunk allowed vlan 45,46
!

Most end-devices do not understand VLAN tags, and they will drop tagged frames as giants. If you are concerned about someone making unauthorized connections to your switch interfaces, then you need to use 802.1X, but that will require some work to set up the infrastructure. That switch model supports 802.1X.
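The answer's point is that the trunk to the AP must be pruned to exactly the SSID VLANs, and that a trunk with no allowed-VLAN list (or `allowed vlan all`) exposes every VLAN on the switch to whoever unplugs the AP. The following audit script is an added example, not code from the original post or from Cisco: it parses a constructed running-config excerpt (the interface names, descriptions and the extra VLANs 1 and 100-110 are made up for illustration) and flags every trunk port whose allowed list is missing, is `all`, or carries anything beyond the expected AP VLANs 45 and 46.

```python
import re

# Constructed sample running-config excerpt (not from the original post).
# Gi48 is the correctly pruned AP trunk from the answer; Gi47 has no
# allowed-VLAN list at all, Gi49 leaks extra VLANs, Gi50 is a plain access port.
SAMPLE_CONFIG = """\
interface GigabitEthernet47
 description AP-lobby
 switchport mode trunk
!
interface GigabitEthernet48
 description AP-office
 switchport mode trunk
 switchport trunk allowed vlan 45,46
!
interface GigabitEthernet49
 description AP-warehouse
 switchport mode trunk
 switchport trunk allowed vlan 1,45,46,100-110
!
interface GigabitEthernet50
 switchport mode access
 switchport access vlan 45
!
"""

# The only VLANs an AP trunk should carry: employee (45) and guest (46).
AP_VLANS = {45, 46}


def expand_vlan_list(spec):
    """Expand a Cisco VLAN list such as '45,46,100-110' into a set of ints.

    Returns None for 'all' (every VLAN) and an empty set for 'none'.
    """
    spec = spec.strip().lower()
    if spec == "all":
        return None
    if spec == "none":
        return set()
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for each stanza."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith("!"):
            current = None  # end of stanza
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def audit_ap_trunks(config, allowed=AP_VLANS):
    """Return {interface: [findings]} for every trunk port not pruned to `allowed`."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue  # access ports carry one VLAN; nothing to prune
        spec = None
        for line in lines:
            m = re.match(r"switchport trunk allowed vlan (.+)", line)
            if m:
                spec = m.group(1)  # last statement wins, as on the switch
        issues = []
        if spec is None:
            issues.append("no 'switchport trunk allowed vlan' -> all VLANs carried")
        else:
            vlans = expand_vlan_list(spec)
            if vlans is None:
                issues.append("allowed vlan all -> all VLANs carried")
            else:
                extra = sorted(vlans - allowed)
                if extra:
                    issues.append(f"extra VLANs allowed: {extra}")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_ap_trunks(SAMPLE_CONFIG).items():
        for issue in issues:
            print(f"{port}: {issue}")
```

Run it against `show running-config` output saved to a file in place of the constructed sample; only the ports the answer would consider unsafe are reported, while a port configured exactly as the answer's GigabitEthernet48 example is silent. The script covers only the allowed-VLAN list; it does not check the native VLAN or 802.1X, which the answer names as the separate control for someone physically plugging into the port.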