Dynamic VLANs are a fairly common feature in large enterprise networks such as hospitals, universities, large corporate offices, and similar. They are fairly unusual in SMB environments, because WPA2 Enterprise is a prerequisite (though using WPA2 Enterprise does not by itself require Dynamic VLANs). Partly as a result, only some access point and switch vendors offer support for Dynamic VLANs. Nonetheless, it is a good option in some circumstances, and is another tool in the toolbox for Wi-Fi and network engineers.
VLAN Description and Background
While VLANs themselves are defined by the IEEE standard 802.1Q, there is no IEEE standard for dynamic VLANs. The RADIUS attributes that carry a VLAN assignment from the authentication server are described in IETF RFC 3580, but what an AP does with them is vendor-defined. It is one of those feature enhancements that one AP vendor (probably Cisco, but I don't know for sure) invented several years ago and many other AP vendors copied.
VLANs, or Virtual Local Area Networks, are a method of segmenting users into different groups that are normally isolated from each other. A VLAN allows one physical set of network infrastructure hardware (i.e. router, switches, APs, cabling) to act as if it were multiple parallel co-located networks, hence the term "virtual". In addition to requiring only one physical set of hardware, VLANs are transparent to client devices. Traffic is "tagged" as it enters the network, either wired or wirelessly, traverses the wired network infrastructure with this identifying tag, and is "untagged" when it leaves the network, either to another client device on the network or to the WAN / internet. I've given a detailed explanation of VLANs in a prior blog post.
Here is a simple analogy to
visualize how VLANs work: You send a
letter in the mail and hand it to a postman, who takes this letter and puts it
into a larger colored envelope to send it through the mail system. The post office routes the envelope through
their extensive network infrastructure based on the color, as different colors
get handled and routed differently. The
postman on the other end removes the original letter from the colored envelope
before delivering it to the intended recipient.
Virtually every enterprise AP vendor implements "static VLANs". With static VLANs, each SSID is mapped to one particular VLAN. If you connect to the SSID "staff", all of your traffic is tagged onto the staff VLAN. Another device next to you connects to the SSID "visitor" on the same AP and is tagged onto the visitor VLAN, and so forth. The traffic to/from these devices behaves as if they were on completely independent networks, even though they are actually on the same physical network. Since most enterprise APs support up to 8 SSIDs per band, up to 8 different groups of users (i.e. VLANs) can be supported wirelessly per band.
Dynamic VLANs
In contrast, Dynamic VLANs assign users to VLANs based on their WPA2 Enterprise credentials. In WPA2 Enterprise (IEEE 802.1X), the client device associates to the access point and then must be authenticated against an external server via RADIUS before the AP will forward any of its traffic. The authentication exchange uses the Extensible Authentication Protocol (EAP); there are several EAP methods, which dictate the types of credentials and the encryption used between the supplicant (i.e. client device) and the authentication server (i.e. the external user database reached via RADIUS). The authenticator (i.e. the access point) acts only as a pass-through during the EAP exchange, so it does not care which EAP method is used. Configuring WPA2 Enterprise on an AP is therefore quite simple: all the AP needs to know is the IP address and UDP port of the RADIUS server, along with a shared secret (i.e. password) that the AP and the authentication server use to authenticate the RADIUS messages they exchange over the wired network. When the authentication server approves a client, it returns an Access-Accept message to the AP carrying, among other things, the key material (the Pairwise Master Key) from which the AP and the client device derive the unique unicast AES encryption key in the 4-way handshake.
It is possible to set up the authentication server to return additional attributes to the AP when a client successfully authenticates. For Dynamic VLANs, the desired VLAN ID for the client device is passed in the Access-Accept message (in the RADIUS Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes). The AP is then responsible for tagging the client's traffic with the VLAN identified by the authentication server. Using this approach, multiple client devices can associate to a single SSID on a single AP, yet each be on a different VLAN, based on the information received from the authentication server. Any number of VLANs could in principle be supported on a single SSID (up to 4094, since 802.1Q defines the VLAN ID as a 12-bit field in the tag inserted into the Ethernet frame header, with the values 0 and 4095 reserved; in practice an AP runs out of client device capacity long before that). If a client device is authenticated but for some reason the server does not return a VLAN for it, the AP uses the hard-coded default VLAN configured for that SSID (i.e. it behaves like a static VLAN).
It must be noted that the switch ports connecting to the APs, along with the backhaul ports interconnecting switches and linking to the router, must all be configured as trunks that allow tagged traffic for every VLAN the authentication server can possibly assign to a client device. A client assigned a VLAN that is not carried on the AP's uplink will authenticate successfully but have no connectivity, which is a confusing failure to troubleshoot after the fact.
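The Access-Accept handling described in the two sections above (the shared secret authenticating AP-to-server traffic, the three VLAN attributes, the fallback to the SSID's default VLAN, and the trunk requirement) as one added, simplified Python model of the exchange; this is example code written for this page, not vendor or FreeRADIUS code. The shared secret, the default VLAN 10 and the trunked set {10, 20, 30} are assumed values for illustration, the 16-byte Request Authenticator is constructed, and the EAP-Message, Message-Authenticator and key attributes a real Access-Accept also carries are left out. The attribute numbers and enumerated values are those of RFC 2868 and RFC 3580, and the Response Authenticator is computed as RFC 2865 specifies.

```python
import hashlib
import hmac

# RADIUS attribute numbers (RFC 2868) and the values RFC 3580 assigns for VLANs
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
ACCESS_ACCEPT = 2                     # RADIUS packet code
VLAN_MIN, VLAN_MAX = 1, 4094          # 802.1Q reserves VID 0 and 4095

# Assumed values for this example only (not from the post)
SHARED_SECRET = b"example-shared-secret"   # AP <-> RADIUS server shared secret
DEFAULT_VLAN = 10                          # the SSID's hard-coded fallback VLAN
TRUNKED_VLANS = {10, 20, 30}               # VLANs allowed on the AP's switch port


def _attr(attr_type, payload):
    """RADIUS attribute = Type(1) Length(1) Value; Length counts the 2 header bytes."""
    return bytes([attr_type, 2 + len(payload)]) + payload


def vlan_attributes(vlan_id, tag=0):
    """Server side: the three reply attributes that assign vlan_id to the client.

    Tunnel-Type and Tunnel-Medium-Type are tag(1) + 3-byte integer; the group ID
    is tag(1) + the VLAN number as ASCII. Tag 0 means "no tag"; tags 1..31 tie the
    three attributes together when one reply carries several tunnel definitions.
    """
    return (_attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))


def build_access_accept(ident, request_auth, attributes, secret=SHARED_SECRET):
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    header = bytes([ACCESS_ACCEPT, ident]) + (20 + len(attributes)).to_bytes(2, "big")
    resp_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_access_accept(packet, request_auth, secret=SHARED_SECRET):
    """AP side: accept only a reply whose authenticator was computed with our secret."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        return False
    if int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(data):
    """Split the attribute region into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def assigned_vlan(attrs, default_vlan=DEFAULT_VLAN):
    """VLAN the server assigned, or default_vlan when no usable assignment is present.

    RFC 3580 needs all three attributes with matching tags; a lone group ID, a
    non-numeric group ID or an out-of-range VID all fall back to the default.
    """
    groups = {}
    for attr_type, value in attrs:
        if not value or attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        if attr_type == TUNNEL_PRIVATE_GROUP_ID and value[0] > 0x1F:
            tag, body = 0, value      # RFC 2868: a first byte above 0x1F is data, not a tag
        else:
            tag, body = value[0], value[1:]
        groups.setdefault(tag, {})[attr_type] = body
    for group in groups.values():
        if (group.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                or group.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
                or TUNNEL_PRIVATE_GROUP_ID not in group):
            continue
        try:
            vid = int(group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
        except ValueError:            # UnicodeDecodeError is a ValueError too
            continue
        if VLAN_MIN <= vid <= VLAN_MAX:
            return vid
    return default_vlan


def ap_handle_access_accept(packet, request_auth, secret=SHARED_SECRET,
                            default_vlan=DEFAULT_VLAN, trunked_vlans=TRUNKED_VLANS):
    """AP side: the VLAN to tag the client's traffic with, or None to refuse the client.

    A VLAN the AP's uplink does not trunk is refused rather than mapped to the
    default, because the default may be a more privileged network than intended.
    """
    if not verify_access_accept(packet, request_auth, secret):
        return None
    vid = assigned_vlan(parse_attributes(packet[20:]), default_vlan)
    if trunked_vlans is not None and vid not in trunked_vlans:
        return None
    return vid
```

On the server side, the same three attributes are what the administrator enters per user; in FreeRADIUS's users file, for instance, the reply items are `Tunnel-Type = VLAN`, `Tunnel-Medium-Type = IEEE-802` and `Tunnel-Private-Group-Id = "20"`. Two checks in the model are worth carrying into a real deployment: the AP must verify the Response Authenticator before acting on any attribute (otherwise anyone who can inject UDP toward the AP can pick a client's VLAN), and a VLAN that is not trunked to the AP should be treated as a configuration error rather than quietly replaced with the default.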
The particular VLAN IDs themselves must be chosen by the IT administrator in advance for each device / user account, and stored as part of the user's entry in the authentication server when the account is created (or derived from the user's group membership, which is how larger deployments keep this manageable).
Since dynamic VLANs require significant administrative overhead from the network operator, they are generally only used on very large corporate networks where the IT department issues the client devices to users, or has an established process to register BYOD clients.