Practical VLAN implementation

Thought I’d share this little tidbit that I discovered. Perhaps it will be useful to anyone deploying VLANs with these things.

In Canopy-land we're used to configuring radios with a management VLAN and an untagged VLAN for the subscriber ethernet port. Since the VLAN setting was pushed by BAM at link time, this wasn't really an issue. If an SM was linked, techs could use a VPN or the office could change settings. If it was not linked, there was no VLAN set up, and the tech could just access the SM directly.

Apparently the management VLAN is in some sort of separate universe from both the ethernet port AND the WiMAX link in the PMP320 SM. This is NOT clearly documented in the manual.

Assuming a management VID of 10 and data VLAN of 20, I tried the following combinations:

Network switchport to AP: tag VIDs 10 and 20
SM Management VID: 10
Data VID: 10
Result: Over-the-air management works. Tech PPPoE works untagged. Tech must set 802.1q VLAN on laptop to 10 to get to the SM interface. Other radios would tag packets from the ethernet port as VID 10, which would be able to get to SM management. Setting VID 10 on the laptop, the tech was able to ping other APs and SMs, which presents a security risk.

Network switchport to AP: tag VIDs 10 and 20
SM Management VID: untagged
Data VID: 10
Result: Over-the-air management does NOT work. Tech PPPoE works untagged. Tech can get to the SM interface untagged. Thought that PVID was applied as frames were hitting the WiMAX interface and that management was actually connected to the ethernet port… nope, not true.

Network switchport to AP: tag VID 20, use VID 10 as PVID and send untagged
SM Management VID: untagged
Data VID: 20
Result: Over-the-air management works, tech PPPoE works, tech can access the SM untagged, tech CANNOT access the AP, other APs, or other SMs. Tech's laptop does not appear on any VLANs on the switch aside from the data VLAN.

This behavior is quite odd and I've never seen any other product act quite like this. I'm used to a management interface being analogous to an SVI, and the relationship between wireless and wired ethernet interfaces looking like a normal switch.

In this setup, the tech can always get to the SM without having to use proper drivers or a managed switch. Security is maintained and actually seems superior to the approach of using tagged VLANs for everything.

When operating the SM's management interface in DHCP I've noted that it will return to after a power cycle. Web UI-initiated resets and reboots seem to let it remember the old DHCP IP. Something to be aware of if you have techs going out to troubleshoot these radios.

Hope this helps someone…
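The "security risk" in the first combination comes down to one question: plugged into the subscriber port of an SM, can a laptop that tags VID 10 reach the management plane? The script below is an added example (not part of the original post, not a Cambium tool) of that check for a Linux laptop with iproute2, run as root. The interface name, management VID and the management addresses are placeholders; the addresses are constructed for illustration and should be replaced with your AP and neighbouring radios. Run it with RUN_PROBE=1 after deploying each switchport/SM combination above; the expected result for the third combination is that nothing answers.

```shell
#!/bin/sh
# Added example, not from the original thread: probe the management VLAN
# from the customer side of a PMP320 SM. Creates an 802.1q sub-interface
# on the management VID, pings a list of management addresses through it,
# then removes the sub-interface again. Needs root and iproute2 (Linux).

IFACE="${IFACE:-eth0}"            # placeholder: laptop port cabled to the SM
MGMT_VID="${MGMT_VID:-10}"        # management VID from the post
# Constructed placeholder addresses: the AP plus two other radios' management IPs
MGMT_HOSTS="${MGMT_HOSTS:-192.0.2.1 192.0.2.2 192.0.2.3}"
# Unused address in the management subnet for the probe interface (placeholder)
PROBE_IP="${PROBE_IP:-192.0.2.250/24}"

# vlan_up <iface> <vid> <cidr>: raise <iface>.<vid> tagged with <vid>
vlan_up() {
    ip link add link "$1" name "$1.$2" type vlan id "$2"
    ip addr add "$3" dev "$1.$2"
    ip link set "$1.$2" up
}

# vlan_down <iface> <vid>: remove the probe sub-interface
vlan_down() {
    ip link del "$1.$2" 2>/dev/null
}

# probe <dev> <host...>: one line per host, "<host> ok" or "<host> no"
probe() {
    dev="$1"; shift
    for h in "$@"; do
        if ping -c 1 -W 1 -I "$dev" "$h" >/dev/null 2>&1; then
            echo "$h ok"
        else
            echo "$h no"
        fi
    done
}

# verdict: reads "<host> ok|no" lines on stdin. Returns 1 (and says LEAK)
# if any management host answered through the tagged sub-interface,
# 0 if none did. Kept separate so the decision logic is testable offline.
verdict() {
    hits=0
    while read -r host state; do
        [ "$state" = "ok" ] && hits=$((hits + 1))
    done
    if [ "$hits" -gt 0 ]; then
        echo "LEAK: $hits management host(s) reachable via VID $MGMT_VID from the subscriber port"
        return 1
    fi
    echo "OK: no management host reachable via VID $MGMT_VID from the subscriber port"
    return 0
}

main() {
    vlan_up "$IFACE" "$MGMT_VID" "$PROBE_IP"
    trap 'vlan_down "$IFACE" "$MGMT_VID"' EXIT
    # shellcheck disable=SC2086  # MGMT_HOSTS is intentionally word-split
    probe "$IFACE.$MGMT_VID" $MGMT_HOSTS | verdict
}

# Live probe only when explicitly requested (it needs root and a real link).
if [ "${RUN_PROBE:-0}" = "1" ]; then
    main
fi
```

A single reply from any management address means frames tagged with the management VID are crossing the SM's ethernet port, which is the condition under which a customer with a laptop could reach every radio on the sector. Repeat the same probe with the data VID to confirm that only subscriber traffic is reachable there.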

Wow, thanks. I have been looking for a solution to this for months, and it seems that the last option works great. It bricked an SM with older firmware, but it seems to work great with v8. Finally I won't have to deal with the pile of SMs that the installers have piled up because they can't get back into them after they take them off the network.

Glad this helped someone. Incidentally, it looks like the latest firmware has something in it that deals with the management VLAN on the SMs. Don't know if it will correct the behaviour I saw; probably won't fix your bricked SMs lol

BTW this also applies if you’re trying to use the CPE reset tool