MSM720, MSM430: dynamic VLAN for wireless users. Sniffing, VLAN hopping, traffic capture

Nilldot
Hi,


Could you please help me find an appropriate way to achieve the following:

Secure corporate traffic when dynamic VLANs are implemented.


I have the following configuration on one of the ports:

description "Wireless AP-01"
spanning-tree portfast
switchport trunk allowed vlan add 150,140
switchport trunk native vlan 20


The problem:

On VLAN140 (Guest VLAN, Tried ), on employee non-business devices (VLAN150) and even on  I can see (using Wireshark) VLAN20 traffic: IP addresses, ARP, DNS queries, etc. The firewall doesn’t allow communication, but that’s an L3 limitation. How can I block this at L2 (they are mainly broadcasts, but STP and CDP information is transmitted as well!!!)?

Currently the MSM720 acts as a DHCP relay, and I get proper addresses (according to the VLAN properties RADIUS passes to it). I have tried using the MSM720 as the DHCP server for the Guest VLAN; I got less VLAN20 traffic, but was still able to see some, like IP addressing, MACs, etc.


APs are discovered using the internet ports of the MSM720, which has the appropriate settings, btw.


In general everything works; I just want to limit the traffic that non-business and guest devices can see.


The best approach I can see so far is to put the APs in a VLAN that is not used for any data (well, that’s what Cisco recommends, right?) and assign VLAN membership via RADIUS: employee business devices tag 20, employee non-business tag 150, etc.


The problem/confusion I’m experiencing is: if I put the APs in a VLAN that is not used/not allowed to traverse, how will the MSM720 manage them? How are IP addresses assigned?


One “crazy” idea is to use dot1x port authentication for the AP itself (management traffic); the question is whether it has an EAP supplicant feature for this.

Or maybe I’m trying to reinvent the wheel here and people already have a solution for this. I’m quite sure I’m not the first who needs to separate guest and business traffic.

P.S.

The topology is a simplified version of the network, but it should give you an overall insight into the corporate network. Dynamic VLANs allow using the same SSID for employee business and employee non-business users. The guest network has a different SSID.
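The core of what the post describes is that the AP-facing trunk uses VLAN 20 (a data VLAN) as its native VLAN, so VLAN 20 frames arrive at the AP untagged, and that the allowed list is built only with "add", which on Cisco IOS leaves the default of all VLANs in effect. The following audit script is an added example and is not the poster's code or HPE's; it parses IOS-style interface blocks and flags trunk ports whose native VLAN is a data VLAN or whose allowed list was never set explicitly. The sample configuration is constructed: the interface names, the "switchport mode trunk" lines and the dedicated unused native VLAN 999 on the hardened port are assumptions, not values from the post.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample: the first block mirrors the port from the post (native VLAN 20 is a
# data VLAN, allowed list built with "add" only); the second is a hardened variant using an
# otherwise-unused native VLAN (999 is an assumed value) and an explicit allowed list.
SAMPLE_CONFIG = """
interface GigabitEthernet1/0/1
 description "Wireless AP-01"
 spanning-tree portfast
 switchport mode trunk
 switchport trunk allowed vlan add 150,140
 switchport trunk native vlan 20
!
interface GigabitEthernet1/0/2
 description "Wireless AP-02 (hardened)"
 spanning-tree portfast trunk
 switchport mode trunk
 switchport trunk allowed vlan 20,140,150,999
 switchport trunk native vlan 999
!
"""


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '20,140-150' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config: str) -> Dict[str, Dict]:
    """Return {interface: {'native': int, 'allowed': set | None, 'trunk': bool}}.

    'allowed' is None while the IOS default (every VLAN permitted) is still in effect;
    an "allowed vlan add" line on top of that default does not narrow it.
    """
    interfaces: Dict[str, Dict] = {}
    current: Optional[Dict] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            current = None
            continue
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = {"native": 1, "allowed": None, "trunk": False}  # IOS default native VLAN is 1
            interfaces[m.group(1)] = current
            continue
        if current is None:
            continue
        if line.startswith("switchport trunk") or line == "switchport mode trunk":
            current["trunk"] = True
        m = re.match(r"^switchport trunk native vlan (\d+)$", line)
        if m:
            current["native"] = int(m.group(1))
            continue
        m = re.match(r"^switchport trunk allowed vlan add ([\d,\-]+)$", line)
        if m:
            if current["allowed"] is not None:
                current["allowed"] |= expand_vlan_list(m.group(1))
            continue
        m = re.match(r"^switchport trunk allowed vlan ([\d,\-]+)$", line)
        if m:
            current["allowed"] = expand_vlan_list(m.group(1))
    return interfaces


def audit_trunks(config: str, data_vlans: Set[int]) -> List[str]:
    """Flag trunk ports whose untagged (native) VLAN carries user data, or which still
    trunk every VLAN because the allowed list was never set explicitly."""
    findings: List[str] = []
    for name, intf in parse_interfaces(config).items():
        if not intf["trunk"]:
            continue
        if intf["native"] in data_vlans:
            findings.append(f"{name}: native VLAN {intf['native']} is a data VLAN; "
                            "its frames reach the AP untagged")
        if intf["allowed"] is None:
            findings.append(f"{name}: allowed list never set explicitly ('add' only), "
                            "so the default of all VLANs is trunked")
    return findings


if __name__ == "__main__":
    for finding in audit_trunks(SAMPLE_CONFIG, {20, 140, 150}):
        print(finding)
```

Run against the sample, only GigabitEthernet1/0/1 produces findings; the hardened port passes because its native VLAN carries no user data and every trunked VLAN is listed explicitly. The data VLAN set is supplied by the caller, since which VLANs carry user traffic is a property of the design, not something recoverable from the port configuration alone.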