I have been reading some of the posts regarding the VLAN feature that is new to the 6.1 firmware. I have noticed that many of you, including the specs in the 6.1 PDF, say that most VLAN implementations using the Canopy system will require a separate VLAN-capable switch.
I have general background knowledge of what a VLAN is, as well as its benefits. I guess my question is specific to the Canopy equipment that we use, and whether or not a VLAN enabled switch would be required for this hypothetical setup.
In an all non-advantage network with all modules running 6.1, is it possible to add customers to the network who want LAN capability only, along with existing internet-only customers, without the need for a VLAN-capable switch?
Perhaps an example would clear things up.
Customer 1 wants to link two or three buildings together for LAN extensions only (I am assuming they would get their own VLAN ID?)
Customer 2 wants to do the same as Customer 1 (another VLAN ID?)
The rest of the customers are existing internet-only customers and will remain the same.
I am thinking more along the lines of the configurations of the APs and SMs for a situation like this. If Customer 1 has three locations, and all three of those locations connect to different APs, how would you set up the VLAN configs so those customers can communicate between locations, as well as have the existing internet-only customers connected to those APs do their normal everyday browsing?
The purpose of all of this is to prevent layer-2 broadcast traffic generated by one customer from being seen by another customer.
This sounds easy enough. You should be able to set the SMs at each customer location to tag incoming, non-tagged ports with their respective VIDs. Then all you have to do is add the VIDs to the APs' “members” list, unless you leave dynamic learning turned on, and then the APs will add the VIDs as they “see” them.
The problem comes when the LAN extension guys want internet access through you too. This is where the VLAN-aware switch comes in. I haven’t played with it enough (yet; in the next few days) to see if the AP will distinguish between the destination addresses and do multiple VID tagging (tag this packet going here with this VID and that packet going there with that VID).
I could be wrong.
Aaron
Thanks for the response. Since my last post I have set up a bench test using some 5.2 stuff running 6.1 firmware to try to get a better feel for the functionality of VLANs. I have also sent some questions to Canopy tech support via e-mail. I would like to post what I think would be a potential setup and see if anyone has any further comments or suggestions.
To refresh, all units on the network are 5.7 and running 6.1 firmware and non-advantage. There are 6 APs, and one backhaul link back to the NOC. The NOC consists of a Layer-2 D-Link managed switch, two Linux boxes, and a Cisco router. The switch is a VLAN-capable switch, but is currently set to factory defaults. According to the documentation of the switch, the default settings place all 24 ports onto a default VLAN with a VID of 1. So, this means that the ports in use are on VID 1. These ports have the following units terminated in them: the backhaul slave, the two Linux boxes, and a CAT5 which goes to an FE interface on the Cisco.
Assume my previous hypothetical setup, where I have a mix of internet-only customers, and some customers who use our system simply for LAN connectivity and extensions only. I want to place the internet-only customers on their own VLAN, and each LAN-only customer on their own VLAN.
We will put the internet-only customers on VLAN 1, one corporate customer on VLAN 2 for LAN extensions, and another corporate customer on VLAN 3 for LAN extensions.
I understand how to configure the SMs to tag packets generated/arriving at the Ethernet interfaces with their respective VLAN IDs. This makes perfect sense to me in terms of the LAN-only customers. SMs on VID-2 will only be able to communicate with other SMs on VID-2. Same goes for VID-3. I also understand that the only way to get to the web interfaces of these VLANs would be through AP LUIDs when leaving the Management ID on the SMs defaulted to 1, unless I temporarily terminate the SM into a VLAN-capable Ethernet card on a laptop, and configure that Ethernet card to the VID of the SM.
What confuses me is setting up the internet-only customers. From research, one of the theoretical characteristics of VLANs is that when a node sends out a broadcast packet, this broadcast is only seen by other nodes on the VLAN in which it was generated.
So let's suppose that an internet-only customer on VID-1 with a static routable IP address has a router which needs to send a Layer-2 broadcast to discover the MAC address of the edge router feeding the network. Since this SM is on VID-1, this broadcast should only be seen by all other nodes on VID-1, which in my proposed setup would be the internet-only customers. Since the edge router resides on the slave side of the backhaul link, and backhauls aren’t on VID-1, will this broadcast packet be forwarded down the backhaul to the NOC? Canopy tech support says it WILL, since the backhaul is simply a Layer-2 bridge like the rest of the Canopy infrastructure. Is this indeed true?
Assuming that it is true, when the broadcast gets down the backhaul link to the NOC, I am guessing that the broadcast will continue to go out on VID-1 at the switch level, which is what all ports on the managed switch are defaulted to. This is what I want, since after all this, the ultimate destination of the broadcast is the MAC of the edge router.
After this long description, I guess the ultimate question I am asking is the following:
With all the ports on the switch being a default member of VID-1, and all the internet-only SMs being on VID-1, will the internet customers be able to get to the internet, or will further VLAN configuration at the Canopy level or the switch be needed?
Hey, it sounds a lot like you are doing the same thing I am. What you described is exactly how it works. You seem to have a good grasp on your project.
What are the Linux boxes you are using? Routers? I am using a FreeBSD box running m0n0wall; it’s fantastic, and open source too (it does VLAN tagging by itself without the need for an 802.1q-aware NIC). Multiple VIDs on one interface too!! I love it!!!
Also, bandwidth management, and you can set up rules to allow only the IPs you specify to access the internet. Who needs BAM?!
(Except for managing SMs connecting to APs; so what if they can connect, if you set up your network right, they won’t be able to do anything after that.) I just can’t tell you how much I love m0n0wall!!
I feel like I’m selling it, but it’s free!! http://m0n0.ch/wall/index.php
Anyway…
What D-Link switch are you using? I am using a lot of DES-3625s around my network. They are great as well. If you need help configuring yours, let me know; I have played around with mine a lot.
So far it sounds like you know what you’re doing.
Aaron
DES-3226 is the switch model number. The Linux boxes are running Red Hat 9.
So if I leave the switch defaulted to having all its ports on VID-1, and I place the internet customers on VID-1, then they should be able to get to the net? I know I should probably try it, but I didn’t want to run into a case like I did when I learned that the only way to access the web interfaces was with a node with the same management ID as the module. I think Moto should have placed that in the specs somewhere.
That is correct. It should work no problem for you.
Aaron
Thanks Aaron, you’ve been a great help.
We also have a more or less similar type of requirement. We just want to keep some customers in VLAN 1 and one of our customers in VLAN 2. Following are the details of the benchtop test we conducted.
A 5.2 GHz Canopy AP (version 6.1) is connected to port 5 of a Cisco 2900 switch. Port 5 is a member of VLAN 2, created in the Cisco switch. We have also created VLAN 1 and VLAN 2 in the Canopy AP, keeping the management VID as 1.
A Cisco router is connected to port 9 of the Cisco 2900. Port 9 is a member of VLAN 1 with trunking enabled. In the Cisco router connected to the same switch we have created 2 subinterfaces on the Ethernet interface, keeping eth0/0.1 in VLAN 1 and eth0/0.2 in VLAN 2. The native VLAN is VLAN 1. The IP address assigned to VLAN 1 is 192.168.254.231 and for VLAN 2 it is 192.168.252.1.
A Canopy SM is connected to a PC with IP address 192.168.252.2. The Canopy SM has VLAN management ID 2. We can ping 192.168.252.1 from the PC (192.168.252.2) when trunking is not enabled on port 5 (the switch port the AP is connected to). When we enabled trunking on port 5 we are not able to ping. It means that when PCs (as well as SMs) with different VLANs are connected to the AP we are not able to ping the respective VLAN IPs on the Cisco router.
The encapsulation used for both router and switch is dot1q.
Does anybody have any idea how we can use different VLANs for different customers?
Thanks in advance
mos
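A small Python model of the tagging and flooding behaviour the two posts above hinge on (the VID-1 broadcast question and the trunk bench test), added here as an illustration; it is not code from the thread, from Canopy firmware or from any switch vendor. Port names, MAC addresses and the simplified rule that an access port drops tagged frames are assumptions, so real switches may behave differently in that corner; the part that holds generally is that a broadcast tagged with one VID is flooded only to ports carrying that VID, and leaves a trunk untagged only when it belongs to the native VLAN.

```python
# Toy 802.1Q model of a Canopy SM tagging frames toward a VLAN-aware switch. Constructed
# illustration: port names, MACs and the "access ports drop tagged frames" rule are assumptions.
from collections import namedtuple
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
Frame = namedtuple("Frame", "src dst vid", defaults=[None])  # vid None = untagged on the wire

@dataclass
class Port:
    name: str
    mode: str                          # "access" or "trunk"
    vlan: int = 1                      # access VLAN, or native VLAN of a trunk
    allowed: set = field(default_factory=set)  # trunk only: VIDs carried tagged

def sm_ingress(frame, sm_vid):
    """An SM set to tag untagged customer frames with its VID (the LAN-only customer setup)."""
    return Frame(frame.src, frame.dst, sm_vid) if frame.vid is None else frame

def classify(port, frame):
    """VLAN a received frame is placed in, or None if the port drops it."""
    if frame.vid is None:
        return port.vlan               # untagged -> access VLAN / trunk native VLAN
    if port.mode == "trunk" and frame.vid in port.allowed:
        return frame.vid
    return None                        # tagged on an access port, or VID not allowed on the trunk

def egress(port, frame, vlan):
    if vlan == port.vlan:              # access VLAN or native VLAN leaves untagged
        return Frame(frame.src, frame.dst, None)
    if port.mode == "trunk" and vlan in port.allowed:
        return Frame(frame.src, frame.dst, vlan)  # other VLANs leave a trunk tagged
    return None                        # this port does not carry that VLAN

def flood(ports, in_port, frame):
    """A broadcast stays inside its VLAN: it is flooded only to other ports carrying that VLAN."""
    vlan = classify(in_port, frame)
    out = {p.name: egress(p, frame, vlan) for p in ports if p is not in_port and vlan is not None}
    return {n: f for n, f in out.items() if f is not None}

def demo():
    """Constructed scenario from the thread: internet-only customers on VID 1, a LAN-only customer on VID 2."""
    ap = Port("p5_ap", "trunk", vlan=1, allowed={2})          # AP uplink, like the trunked port 5
    router = Port("p9_router", "trunk", vlan=1, allowed={2})  # router-on-a-stick with eth0/0.1 and .2
    linux = Port("p3_linux", "access", vlan=1)                # an untagged NOC host on VID 1
    ports = [ap, router, linux]
    arp_vid2 = sm_ingress(Frame("00:00:00:00:00:02", BROADCAST), sm_vid=2)  # LAN-only SM tags VID 2
    arp_vid1 = Frame("00:00:00:00:00:01", BROADCAST)                        # internet-only SM, untagged
    return {"vid2": {n: f.vid for n, f in flood(ports, ap, arp_vid2).items()},
            "vid1": {n: f.vid for n, f in flood(ports, ap, arp_vid1).items()}}
```

`demo()` shows the VID-2 ARP reaching only the router trunk (tagged 2) while the VID-1 ARP reaches every VID-1 port untagged, which is the isolation the original poster wanted.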
I have read the manual about VLANs, which is very vague. Whoever wrote the manual is obviously an RF person, because the RF sections are very detailed. Anyway, enough of my ranting.
I am still confused about how to implement VLANs with Canopy. Reading the other posts, it sounds like people are plugging the APs directly into their switches and are not using a CMM. Am I correct with this statement?
Has anyone implemented VLANs using a CMM? Reading the manual, I do not see how.
I have a 6-sector cluster connected to a CMM Micro. The CMM is connected to a Cisco 3550. I would like to have each sector on its own VLAN. Something like the layout below.
Mgt CMM - 10.10.0.0/16
VLAN 1 - 10.1.0.0/16
VLAN 2 - 10.2.0.0/16
VLAN 3 - 10.3.0.0/16
VLAN 4 - 10.4.0.0/16
VLAN 5 - 10.5.0.0/16
VLAN 6 - 10.6.0.0/16
I have set up the VLANs on my switch; that was the easy part. But how do I get the switch to route traffic to the CMM?
Alan
We are running parallel routers, one serving DHCP 10.20's and another using static private IPs 192.168… We have several customers using different subnets of private IPs. I thought this was a VLAN. We are doing this without (and before) 6.1. What is the advantage of using the VLAN feature?