Cannot delete vlan1 in AP group settings

Hi all,
I have a problem with configuration of network settings.
By default, when creating a new AP group, it is set to get an IP address via DHCP on vlan1.
When I add new vlan, I cannot delete vlan1, I can add new vlans and delete those, but I cannot remove vlan1. This started to happen since we upgraded cnMaestro on-premise to version 5.
If I clone existing AP group where I don’t have vlan1, then it takes whatever vlan is configured there and I cannot delete that vlan, I also can just add and delete new vlans.
Does anyone know how I can remove vlan1? I know that I can not allow it on the trunk port, but I still want to remove it from network settings.
Thanks


Same problem. I wonder why they don’t allow admins to delete that unnecessary VLAN in the first place.

  • All other VLANs except VLAN 1 Layer 3 interface can be created and deleted.

  • To overcome any security issue, please do not allow VLAN1 in ethernet.

This is Untrue…

I am trying to figure out how, but our client’s controller has only the Management vlan (for argument’s sake let’s say vlan 500) under VLANs in AP Groups. It is unchangeable, like vlan1 normally is. There is NO vlan1.

Our controller, I have to add the Management vlan separately, and cannot disable ip addressing on vlan1. For me, I could give two shits if vlan1 has to be listed, but the fact I cannot exclude it from ip addressing is a disgrace (there appears to only be dhcp and static as options).

If you could kindly answer OP’s original question - that’d be grand (as it can be done, I can see it)

OK, I have yet to confirm with the customer that has this in their controller - But I have found 2 ways to do this.

NEITHER WAY IS RECOMMENDED - BOTH ARE HACKS - I DO NOT accept any responsibility for you duffing your config/APs if you do any of this.

OBVIOUSLY - Take Backups before attempting any of this - AP Groups, APs, etc.

Method 1

Is NOT recommended for a live network as changes will be pushed and if you remove something that needs to be there - you may lose access to your APs.

Before you attempt - 2 things

  1. ENSURE that you have set your uplink port to “Trunk Multiple Vlans” and have allowed the vlan you are moving to (or all vlans) on the ethernet ports - just common sense (but will likely brick access if you have not).
  2. ENSURE YOU HAVE 2 VLANs under your AP Group, Network, Vlans. Should be vlan1 and your management vlan. Management vlan should be 2nd in the list.

From here - use your web browser inspection tool to inspect the box that surrounds the edit button of the vlan1 network (will highlight the whole box from the ipv6 Section).

If you “edit as HTML” in this section, you should see an “ng-hide” in the last “class” that if you remove and click to another section, will then show the remove button. IF it has not, you are likely in the wrong section - re-load your page and ensure it’s the whole box at the end highlighted when inspecting.

If you delete with this method - it will delete vlan1 and promote the 2nd vlan to “un-editable”.

Once you hit save - this will push the settings as they show to ALL adopted APs. IF IT IS INCORRECT YOU WILL LOSE YOUR APS.

If you mess up and remove the wrong vlans - it’s on you. If you forget to add vlans to the ethernet ports before pushing the config and get vlan blocked - IT’S ON YOU.

Despite all my warnings, this worked for me first try and I had no issues, but I do not recommend this - I am just informing those who want to know how this can be done.

The second option is easier, but likely more involved as it means building an AP Group and I presume then migrating the APs into it - I have yet to test the entire sequence.

I HAVE NOT MIGRATED ANYTHING MYSELF AT THIS TIME - but the presented AP group does appear to be correctly configured.

Also, this option does seem like a “legitimate” way of doing this, as it uses the Import/Export function.

Unfortunately, I have not tried all the options and possible outcomes for this way - just on a Base AP Group - But it appears to have worked well. AGAIN, I have yet to import an AP for testing.

First - have your desired AP group made - but DO NOT add your management vlan.

Export this Group to the .json file

Open the .json file and find this section…


"src":{"vlan":{"interface_vlan":[{"id":"1","nat":"disable","ip_addr":"${VLAN_1_IP=}","ip_mode":"${VLAN_1_MODE=dhcp}","ip6_addr":"${VLAN_1_IP6=0::0}","ip6_mode":"${VLAN_1_MODE6=disabled}","remote-id":"no","zero_conf":"enable","circuit-id":"no","prefix_len6":"${VLAN_1_PREFIX6=/0}","subnet_mask":"${VLAN_1_MASK=}",

From there change all the “1”s to your management [vlan-id] and you are gold.

Import the edit as a new AP Group and you’ll have an AP group with your management vlan, and NO vlan1 - except on the “Native VLAN” of the ethernet port (presuming you left it there). Again, TBC - but this should mean that if you have a network on “vlan1 Wi-Fi”, it should continue to function as normal (I will do a couple of tests soon, as I have a site build coming up).

From there - presuming your configs are correct, you should be able to pull in APs and have them come up with the new AP Group’s settings.

AGAIN, ENSURE that you have set your uplink port to “Trunk Multiple Vlans” and have allowed the vlan you are moving to (or all vlans) on the ethernet ports - just common sense (but will likely brick access if you have not) - otherwise when you move APs/Adopt APs, you’ll likely lose them very quickly.

AGAIN - I TAKE NO RESPONSIBILITY FOR ANYTHING THAT YOU ATTEMPT AND YOU FOLLOW THESE GUIDES AT YOUR OWN RISK

I also will not be updating methods if Cambium somehow blocks them… With the inspect hack - that is possible, but with the Import hack - is unlikely (again, this way feels legit).

Hopefully you now have a little more insight as to how these things are… makes no sense as to why it’s this hard - but hey… it is what it is.
I’ll try to put a note in when I have tested my imports and confirmed whether they are working or not, and go from there.

Good Luck to all.
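
The export/edit/import edit described in the post above, scripted so that only the VLAN 1 interface entry is touched instead of hand-replacing every "1" in the file. This is an added example, not part of the original post and not Cambium code. It assumes that "all the 1s" means the entry's "id" plus its `${VLAN_1_...}` template variable names, and that the entry may sit at any depth in the export; the sample is constructed from the fragment quoted above.

```python
import json

# Constructed sample: the fragment quoted in the post, closed off so it parses.
SAMPLE_EXPORT = json.dumps({"src": {"vlan": {"interface_vlan": [{
    "id": "1", "nat": "disable",
    "ip_addr": "${VLAN_1_IP=}", "ip_mode": "${VLAN_1_MODE=dhcp}",
    "ip6_addr": "${VLAN_1_IP6=0::0}", "ip6_mode": "${VLAN_1_MODE6=disabled}",
    "prefix_len6": "${VLAN_1_PREFIX6=/0}", "subnet_mask": "${VLAN_1_MASK=}",
}]}}})

def _interface_lists(node):
    """Yield every list stored under an "interface_vlan" key, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "interface_vlan" and isinstance(value, list):
                yield value
            else:
                yield from _interface_lists(value)
    elif isinstance(node, list):
        for item in node:
            yield from _interface_lists(item)

def renumber_vlan1(export_text, mgmt_vlan):
    """Return (new_json_text, entries_changed) with VLAN 1 renumbered."""
    if not 2 <= mgmt_vlan <= 4094:
        raise ValueError("management VLAN must be in 2..4094")
    doc = json.loads(export_text)
    target, changed = str(mgmt_vlan), 0
    for entries in _interface_lists(doc):
        ids = {str(e.get("id")) for e in entries if isinstance(e, dict)}
        if target in ids:
            # The post says to export the group WITHOUT the management VLAN.
            raise ValueError("management VLAN already has an interface entry")
        for entry in entries:
            if not isinstance(entry, dict) or str(entry.get("id")) != "1":
                continue
            entry["id"] = target
            for field, value in list(entry.items()):
                if isinstance(value, str):  # rename ${VLAN_1_*} placeholders
                    entry[field] = value.replace("${VLAN_1_", "${VLAN_%s_" % target)
            changed += 1
    return json.dumps(doc), changed

def has_vlan1_interface(export_text):
    """True if any interface_vlan entry still has id 1 (check before import)."""
    return any(isinstance(e, dict) and str(e.get("id")) == "1"
               for entries in _interface_lists(json.loads(export_text))
               for e in entries)
```

Running `has_vlan1_interface` on the edited file before importing it as a new AP group confirms that no Layer 3 interface is left on VLAN 1.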

Hi Zac,

Thank you so much for the time and effort you put into this reply. I have tried the second method that you shared and can confirm that it is working.

Just as you described, I have created a new AP group, have not configured the management vlan, exported, changed and imported the .json file and vlan1 is no more.

Again thank you very much for your help and hopefully Cambium will change that in one of the next updates.

Cheers