Module 2 - AOS10 Access Points - V5.0


In a Bridged mode WLAN the client traffic is bridged onto the local switch. The switch port the AP connects to must therefore be configured with the VLANs set up in the WLAN.
For Tunneled mode the client traffic is sent down the GRE tunnel to the gateway, so the AP can be connected to a switch access port. The WLANs are set up to use VLANs defined on the Gateway.
A Mixed mode WLAN is a combination of both bridge and tunnel. VLAN rules are used to determine whether a given user is tunneled or bridged.
When you want to create a new WLAN you must first select the Group and then go to Device configuration. Here you can add an SSID. In the first window you enter the name of the SSID. You then select the VLAN options, the authentication type and what access you will allow.
A WLAN wizard is an easy way to configure the SSIDs you need for an IAP cluster. The wizard requires four stages to complete your setup.

| First, you name the SSID. Then you select the type of SSID you want to configure. If you select an Employee or Voice SSID the wizard directs you to 802.1X and PSK authentication. The Guest SSID option leads you to Captive Portal authentication.

| Next, you select which VLAN and IP address your users will receive.

| The security stage depends on your WLAN setting selections. Enterprise gives you 802.1X selections, while Personal includes PSK or WEP selections. If you selected Guest you receive Captive Portal options.

| In the last stage you configure the firewall settings with the user rights.
If you select Client VLAN Assignment-Native VLAN, the corporate network will provide the
client with an IP address on the same subnet as the AP.

In this example, the corporate DHCP server provides the AP the 10.1.10.49 address. The user
associates to the AP and receives the 10.1.10.57 address which is in the same subnet as the
AP.

This option is only available for Bridged mode WLANs.


If you select Client VLAN Assignment-Static, you statically set which VLAN(s) users fall into based on the SSID. The AP is in its own subnet. The administrator configures the SSID with a specific VLAN or VLANs. If the WLAN is in Bridge mode the VLANs are defined on the local switch; if the WLAN is in Tunneled mode the VLANs are defined on the gateway. Static is only available for Bridged and Tunneled mode.

In this example, the AP is in VLAN 10. The users associating to the Teachers SSID have been
configured to fall into VLAN 5 and the users associating to the Student SSID have been
configured to fall into a VLAN POOL of 16,17 or 18. In this case, the clients are randomly
assigned a VLAN from the configured pool. For this to work, you must configure the switch or
gateway with the same VLANs.
If you select Client VLAN Assignment-Dynamic, the VLAN is derived and the AP is in its own
subnet. The administrator will set up the VLAN Derivation Rules on the AP.

In this example, a user associating to the school SSID will fall into a VLAN based on the Rules
the administrator configures on the AP and what the server returns after authentication. You
can set a default VLAN if the server does not return a value.

Dynamic VLAN assignment is available for Bridge and Tunneled mode. For Mixed mode
Dynamic is the only option.
There are three main types of WLAN Access Rules: Unrestricted, Network-based and Role-Based.

| An Unrestricted WLAN is the same as “any any any permit.” All devices associated with this SSID can pass traffic unrestricted by the firewall.

| A Network-based WLAN has rules that are imposed on all devices associated to this specific WLAN. For example, if a rule blocks pings, then all devices on the SSID are denied ping traffic.

| A Role-based WLAN assigns roles to the various devices on the SSID. Roles are derived on a per user/device basis. If no role has been assigned, the AP uses the default role. For example, one user may receive the employee role while another receives the IT role. Both users are in the same subnet, but they have different access rights.
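The dynamic VLAN derivation and the role-based access rules described above, as an added example written for this page (it is not Aruba's code and not part of the course material): a small evaluator that applies derivation rules to a RADIUS reply, falls back to a default VLAN and role when the server returns nothing usable, and then runs first-match firewall rules per role so that two clients in the same subnet get different access. The rule operators, the sample rules, the per-role rule sets and the RADIUS replies are constructed for the example; Filter-Id, Tunnel-Type, Tunnel-Private-Group-ID and Aruba-User-Role are real RADIUS attribute names, but the values are assumptions.

```python
"""Toy model of per-client VLAN/role derivation plus role-based access rules.

Added example, not Aruba's implementation.  Rule operators, sample rules and
the RADIUS replies in __main__ are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class DerivationRule:
    attribute: str               # RADIUS attribute to inspect (e.g. Filter-Id)
    operator: str                # "equals", "contains" or "starts-with"
    value: str
    vlan: Optional[int] = None   # VLAN assigned when the rule matches
    role: Optional[str] = None   # role assigned when the rule matches


def rule_matches(rule: DerivationRule, attrs: Dict[str, str]) -> bool:
    got = attrs.get(rule.attribute)
    if got is None:
        return False
    got = str(got)
    if rule.operator == "equals":
        return got == rule.value
    if rule.operator == "contains":
        return rule.value in got
    if rule.operator == "starts-with":
        return got.startswith(rule.value)
    raise ValueError(f"unknown operator {rule.operator!r}")


def derive(rules: List[DerivationRule], attrs: Dict[str, str],
           default_vlan: int, default_role: str) -> Tuple[int, str]:
    """Rules are evaluated in order: the first rule supplying a VLAN wins for
    the VLAN, the first supplying a role wins for the role.  If no rule set a
    VLAN, an RFC 2868 Tunnel-Private-Group-ID reply is honoured; otherwise the
    configured defaults apply (the server "did not return a value")."""
    vlan: Optional[int] = None
    role: Optional[str] = None
    for rule in rules:
        if not rule_matches(rule, attrs):
            continue
        if vlan is None and rule.vlan is not None:
            vlan = rule.vlan
        if role is None and rule.role is not None:
            role = rule.role
    if vlan is None and str(attrs.get("Tunnel-Type")) in ("VLAN", "13"):
        try:
            vlan = int(attrs.get("Tunnel-Private-Group-ID", ""))
        except ValueError:
            pass  # malformed reply: treat as no value returned
    return (vlan if vlan is not None else default_vlan,
            role if role is not None else default_role)


@dataclass
class AccessRule:
    action: str                  # "permit" or "deny"
    proto: str                   # "any", "tcp", "udp" or "icmp"
    dst: str                     # "any" or a CIDR such as "10.0.0.0/8"
    port: Optional[int] = None   # None = any destination port


UNRESTRICTED = [AccessRule("permit", "any", "any")]   # "any any any permit"

# Constructed per-role rule sets (hypothetical policy, first match wins).
ROLE_RULES: Dict[str, List[AccessRule]] = {
    "employee": [AccessRule("deny", "icmp", "any"), AccessRule("permit", "any", "any")],
    "it":       [AccessRule("permit", "any", "any")],
    "guest":    [AccessRule("deny", "any", "10.0.0.0/8"), AccessRule("permit", "tcp", "any", 443)],
}


def permitted(rules: List[AccessRule], proto: str, dst_ip: str,
              port: Optional[int] = None) -> bool:
    """First-match evaluation with an implicit deny when nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dst != "any" and dst not in ipaddress.ip_network(r.dst):
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action == "permit"
    return False


# Constructed derivation rules for a hypothetical "school" SSID.
SCHOOL_RULES = [
    DerivationRule("Aruba-User-Role", "equals", "it-staff", role="it"),
    DerivationRule("Filter-Id", "starts-with", "teacher", vlan=5, role="employee"),
]


def admit(attrs: Dict[str, str]) -> Tuple[int, str]:
    """Place a client on the school SSID; VLAN 20 / guest are the defaults."""
    return derive(SCHOOL_RULES, attrs, default_vlan=20, default_role="guest")


if __name__ == "__main__":
    teacher = admit({"Filter-Id": "teacher-math"})                       # (5, "employee")
    it = admit({"Aruba-User-Role": "it-staff", "Tunnel-Type": "VLAN",
                "Tunnel-Private-Group-ID": "5"})                          # (5, "it")
    print(teacher, it, admit({}))
    # Same subnet (VLAN 5), different rights: only the IT role may ping.
    print(permitted(ROLE_RULES[teacher[1]], "icmp", "10.1.10.1"),
          permitted(ROLE_RULES[it[1]], "icmp", "10.1.10.1"))
```

The two derived clients land in the same VLAN, yet the employee role's leading deny blocks ICMP while the IT role passes it, which is the point of role-based rules; the implicit deny at the end of `permitted` is why the guest rule set must explicitly permit what guests are meant to reach.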
• No AP clustering, all APs are independent
• The majority of communication happens between the Cloud and the APs
• APs in a roaming domain communicate with each other as peers
• No AP master concept
• The DHCP server function on the AP is only available for the L3 VPN scenario

Telemetry info:
• AP name, MAC, serial number, model, CPU usage, uptime, mesh mode, LED status,
channel, tx power, radio band, radio number, noise floor, SNR, ESSID, dot11h, 11r, 11k
For bridge mode the AP is connected to a port defined as a trunk.
The AP's management VLAN (VLAN 10 in this example) must always be the native VLAN, otherwise ZTP will not work. The AP's management VLAN interface is used to communicate with Central and is also the IPsec tunnel and GRE tunnel endpoint for tunnel and mixed mode SSIDs. All the APs in this example are in VLAN 10.
A WLAN wizard is an easy way to configure the SSIDs. The wizard requires four stages to
complete your setup. A fifth stage is for verification that you are satisfied with your
configuration.

First, you name the SSID. If you select an Employee

For AP only you select the Bridge forwarding mode and then the method that will be used to assign your users a VLAN and IP address. All three VLAN assignment methods are valid for a Bridged SSID.

In the security stage, Enterprise gives you 802.1X selections, Personal includes PSK selections and Captive Portal gives you guest options. Open is no authentication. With any of these authentication types you can select MAC authentication as a precursor to the chosen authentication type.

In the last stage you will configure the firewall settings with the user rights.
The bridged user falls into the VLAN you have selected. Native places the client in the same subnet as the AP. Static allows you to manually specify the VLANs you require. Dynamic assigns VLANs based on rules. These VLANs need to be allowed on the switch ports that are connected to the APs.
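The switch-port requirements that the bridge-mode and management-VLAN notes above state in prose (management VLAN native or ZTP fails, bridged client VLANs allowed on a trunk, tunneled SSIDs needing only the management VLAN, mixed mode requiring dynamic assignment), as an added example written for this page and not Aruba's or the course's code. It computes which VLANs an AP uplink must carry from the SSIDs it serves and reports configuration problems. The SSID names and VLAN numbers are constructed (they follow the Teachers/Students scenario in the notes), and the CLI lines produced by `render_cx` use AOS-CX trunk syntax as an assumption to be checked against your switch documentation.

```python
"""Check an AP uplink port against the VLANs its SSIDs need.

Added example, not Aruba code.  Encodes the rules from the notes:
 - the AP management VLAN must be native on the port (ZTP fails otherwise),
 - bridged client VLANs must be allowed on a trunk,
 - tunneled SSIDs ride the GRE tunnel, so only the management VLAN is needed,
 - mixed mode requires dynamic VLAN assignment, native is bridge-only.
SSID/port values are constructed; render_cx assumes AOS-CX syntax.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class SSID:
    name: str
    forwarding: str          # "bridge", "tunnel" or "mixed"
    vlan_assignment: str     # "native", "static" or "dynamic"
    # VLANs a locally bridged client can land in: the static VLAN or pool, or
    # every VLAN the derivation rules and default can yield.  For mixed mode
    # list only the VLANs that are bridged locally, not those on the gateway.
    vlans: Set[int] = field(default_factory=set)


@dataclass
class SwitchPort:
    mode: str                # "access" or "trunk"
    native_vlan: int         # untagged VLAN (the access VLAN on an access port)
    allowed_vlans: Set[int] = field(default_factory=set)   # tagged VLANs on a trunk


def validate_ssid(s: SSID) -> None:
    if s.forwarding not in ("bridge", "tunnel", "mixed"):
        raise ValueError(f"{s.name}: unknown forwarding mode {s.forwarding!r}")
    if s.forwarding == "mixed" and s.vlan_assignment != "dynamic":
        raise ValueError(f"{s.name}: mixed mode requires dynamic VLAN assignment")
    if s.forwarding == "tunnel" and s.vlan_assignment == "native":
        raise ValueError(f"{s.name}: native assignment is only available in bridge mode")


def bridged_vlans(mgmt_vlan: int, ssids: List[SSID]) -> Set[int]:
    """VLANs that must exist on the local switch because a client can be bridged into them."""
    needed: Set[int] = set()
    for s in ssids:
        validate_ssid(s)
        if s.forwarding == "tunnel":
            continue                      # VLANs live on the gateway, not the switch
        if s.vlan_assignment == "native":
            needed.add(mgmt_vlan)         # client shares the AP's subnet
        else:
            needed |= s.vlans             # static VLAN, pool, or dynamic outcomes
    return needed


def check_port(port: SwitchPort, mgmt_vlan: int, ssids: List[SSID]) -> List[str]:
    """Return a list of problems; an empty list means the port satisfies the SSIDs."""
    problems: List[str] = []
    if port.native_vlan != mgmt_vlan:
        problems.append(f"native VLAN is {port.native_vlan} but the AP management "
                        f"VLAN {mgmt_vlan} must be native or ZTP will not work")
    tagged = bridged_vlans(mgmt_vlan, ssids) - {mgmt_vlan}
    if tagged:
        if port.mode != "trunk":
            problems.append(f"bridged client VLANs {sorted(tagged)} need a trunk port, "
                            f"not an {port.mode} port")
        else:
            missing = tagged - port.allowed_vlans
            if missing:
                problems.append(f"VLANs {sorted(missing)} are not allowed on the trunk")
    return problems


def render_cx(port: SwitchPort, interface: str) -> List[str]:
    """AOS-CX style configuration lines for the port (assumed syntax)."""
    lines = [f"interface {interface}", "    no shutdown"]
    if port.mode == "trunk":
        allowed = sorted(port.allowed_vlans | {port.native_vlan})
        lines.append(f"    vlan trunk native {port.native_vlan}")
        lines.append("    vlan trunk allowed " + ",".join(str(v) for v in allowed))
    else:
        lines.append(f"    vlan access {port.native_vlan}")
    return lines


# Constructed scenario from the notes: AP in VLAN 10, Teachers bridged into
# VLAN 5, Students bridged into a pool of 16-18.
MGMT_VLAN = 10
SCHOOL = [
    SSID("Teachers", "bridge", "static", {5}),
    SSID("Students", "bridge", "static", {16, 17, 18}),
]
GOOD_PORT = SwitchPort("trunk", native_vlan=10, allowed_vlans={5, 16, 17, 18})

if __name__ == "__main__":
    print(check_port(GOOD_PORT, MGMT_VLAN, SCHOOL))                                   # []
    print(check_port(SwitchPort("access", 10), MGMT_VLAN, SCHOOL))                    # needs trunk
    print(check_port(SwitchPort("trunk", 1, {5, 10, 16, 17, 18}), MGMT_VLAN, SCHOOL))  # wrong native
    print("\n".join(render_cx(GOOD_PORT, "1/1/1")))
```

Run it before cutting over an AP to bridge mode: the access-port case shows why a tunnel-only design can use `vlan access`, while any bridged SSID forces a trunk, and the wrong-native case is the one that silently breaks ZTP because the AP never reaches Central on its management VLAN.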
Sites represent physical locations. You can use a site to select the devices you want to monitor or manage.
All sites you create will appear in the Install Manager. Sites will also appear on the Network
Health map.
Labels are tags you can use to filter devices for monitoring, managing, and reporting
purposes. A device can have multiple labels. Labels also help you determine the ownership,
departments, and functions of the devices.
For example, you may have several buildings in a city all with their own devices. Therefore,
you create label BLD-1-FLR-1, and all the devices in building 1, floor 1 associate to that label.
If you select the label, you will only see the devices attached to it, but you can create other
labels for additional devices/locations or types.
| In this example, the BLD-1-FLR-2 label has been created for devices on the second floor and
label BLD-2 for devices in building 2.
| You can create a Building 1 label if you want to only see all the devices there.
| If you want to see all the devices in your city, then create a label that includes all the devices
in the city.
| You can also get more granular. For example, here is a label created to see all the devices in
the conference rooms. If you select this label, then Central will only display these devices.
| The noted AP associates with four labels: conference rooms, city ABC, building 1, and BLD-1-FLR-1
