SM isolation (vlans?)

Hello, I’m managing a small ISP, and currently we have a Canopy Advantage AP with three SMs.
We want to isolate the traffic of two SMs (so they can see each other and nothing else), because they are used to interconnect two private offices. Those offices don't need to access any resources at the AP's network.

I tried to configure a dedicated VLAN between the two SMs, but they don't seem to take the configuration.
Here is what I did:

AP:

VLAN : Enabled
Dynamic Learning : Enabled
Allow Frame Types : All
VLAN Aging Timeout : 25
Management VID : 1
SM Management VID Pass-through : Enable
VLAN Membership:
1 Permanent 0
100 Static 0

SM:

Dynamic Learning : Disabled
Allow Frame Types : All
VLAN Aging Timeout : 25
Untagged Ingress VID : 100
Management VID : 1
SM Management VID Pass-through : Enable
VLAN Membership:
1 Permanent 0
100 Static 0

The problem is that the SMs don't use VLAN100. In the VLAN active configuration info, I get:

Untagged Ingress VID : 1
Management VID : 1
SM Management VID Passthrough : Enabled
Dynamic Ageing Timeout : 5
Allow Learning : No
Allow Frame Type : All Frame Types

Current VID Member Set:
VID Number   Type     Age
--------------------------
1            Static   0
100          Static   0

I did search in this forum, and someone suggested disabling "SM Management VID Pass-through" in the SM. I tried that with the same results.
I'm using Software version 8.2.2.

Is there a way to activate VLANs in this scenario? Is there another solution to this problem?

Thanks!

If all you are doing is connecting 2 SMs on an isolated L2 circuit, you will find that it is easier to set the untagged ingress VID. The difference is that statically adding a VLAN allows the SM to know about that VLAN, whereas setting the ingress VID tells it to put any traffic incoming from the Ethernet into a specific VLAN.

Set up the 2 SMs with the following info:

SMs

Dynamic Learning : Disabled
Allow Frame Types : All
VLAN Aging Timeout : 500
Untagged Ingress VID : 100
Management VID : 1
SM Management VID Pass-through : Enable
VLAN Membership : 10

AP

VLAN : Enabled
Dynamic Learning : Disabled
Allow Frame Types : All
VLAN Aging Timeout : 500
Management VID : 1
SM Management VID Pass-through : Enable
VLAN Membership: 10

Once the two SMs share the same untagged ingress VID, they will only communicate with each other. From my tests and experience, the untagged ingress VID is the primary setting that affects VLANs when implementing VLANs using Canopy gear.

Hmm, that’s what I did (or I think I did).
If you check the SM’s configuration, I set the Ingress VID to 100, but in the VLAN status it shows that it is using VLAN 1. Why??

Ahh yes, you're right, I missed that. In that case it should work. I have a number of similar setups, and the procedure is always: add the VLAN into the network (AP/switches), add the untagged ingress VID on the SMs, and reboot as required, which you seem to have covered already.

Out of interest, are the 2 offices using VLANs of their own? If they have a switch that is tagging the frames to something other than 100, that may be causing the issue… If it was me, I would test just straight with a laptop into each Canopy unit and go from there, just to be 100% sure whether it's a problem with the Canopy settings or something with their network… That may have already been mentioned, but it's late here, so I'm possibly less awake than I could be.

The offices connected via SMs have unmanaged switches, so they are not tagging frames.
I only want to isolate the traffic of those offices.
My AP is connected to an unmanaged switch also, because I don’t need to receive frames from VLAN 100.
Is it mandatory to use an 802.1Q switch so as to be able to configure VLANs between SMs?

arigatox wrote:
Is it mandatory to use an 802.1Q switch so as to be able to configure VLANs between SMs?


I think so.
As far as I know, if the switch is not VLAN-aware, it will possibly strip the tags.

http://cisco.com/en/US/docs/ios/12_1t/12_1t3/feature/guide/dtbridge.html


But I don't want to interconnect VLAN 100 with my core network!
The point (I think) is that my SMs do not take the VLAN configuration.

I have set the Untagged Ingress VID to 100, but in the status it shows Untagged Ingress VID : 1.

You’re right.
You don't have any switch on the path SM - AP - SM, so it should work.
Sorry, I don’t know why it doesn’t :?

Here is a simple schema of my topology:

PC1 — SM1~~~~~'
PC2 — SM2~~~~~ AP ---- switch (unmanaged) — Router
PC3 — SM3~~~~~/


References:
— ethernet cable
~~ wireless link

I want PC1 and PC2 to be isolated from the rest of the network. PC3 has to access the router.

How can this be accomplished?

VLANs didn't work for me… Maybe I have misconfigured something, or is it a common problem?

What AP are you using, and which version? 8.xx?

Use version 8.2.7

In the AP:
Configuration --> VLAN
- VLAN: Enabled
- Dynamic Learning: Enabled
- Allow Frame Types: All Frames
- VLAN Aging Timeout: 500 (doesn’t really matter)
- Management VID: 1
- SM Management VID Pass-through: Enable

Configuration --> Bridge Configuration
- SM Isolation: Disable SM Isolation

In the SM:
Configuration --> VLAN
- Dynamic Learning: Disabled
- Allow Frame Types: All Frames
- VLAN Aging Timeout: 500 (doesn’t really matter)
- Untagged Ingress VID: 100
- Management VID: 1
- SM Management VID Pass-through: Enable

This should work.

The only other potential issue is that you may need to replace your unmanaged switch with a VLAN aware switch that can provide an upstream bridge table entry for VLAN100 (this may be the problem).

Cisco 2924’s can be had for dirt cheap and they are as reliable as it gets. I think there is a new HP ProCurve 8 port switch for under $100.

There are SO many reasons to have a managed switch:
- Remote ARP clearing
- Viewable Bridge Tables
- Remote Reboot
- VLAN tagging - allows many options for additional services.
- More memory
- Typically more PPS
- Application of QoS rules including storm control
- Per-port monitoring of traffic, PPS, errors.
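To make the isolation logic discussed in this thread concrete, here is a small model of the forwarding decisions, added as an illustration (it is not Canopy firmware code). It assumes a simplified rule set: each SM tags untagged frames from its Ethernet port with its Untagged Ingress VID, the AP bridges only VIDs in its membership list, SM Isolation blocks SM-to-SM traffic, and the wired side of the AP (router) lives untagged in VID 1; the topology names (SM1, SM2, SM3, router) are the poster's.

```python
"""Simplified model of Canopy-style VLAN isolation (constructed illustration).

Assumed rules, not a reproduction of the firmware:
  * an SM tags untagged frames from its Ethernet port with its Untagged Ingress VID
  * the AP bridges a frame only if its VID is in the AP's VLAN membership list
  * 'SM Isolation' on the AP drops any frame going from one SM to another SM
  * a frame is handed to a wired host only if that host's port is in the same VID
  * the AP's wired side (router, unmanaged switch) is untagged in VID 1
"""
from dataclasses import dataclass, field

MANAGEMENT_VID = 1


@dataclass
class SM:
    name: str
    untagged_ingress_vid: int = MANAGEMENT_VID  # VID stamped on untagged Ethernet ingress


@dataclass
class AP:
    membership: set[int]                 # VIDs the AP will bridge
    sm_isolation: bool = False           # Configuration -> Bridge Configuration
    sms: dict[str, SM] = field(default_factory=dict)

    def add_sm(self, sm: SM) -> None:
        self.sms[sm.name] = sm

    def can_reach(self, src: str, dst: str) -> bool:
        """True if an untagged frame entering at src is delivered to dst.

        src and dst are SM names or "router" (the AP's wired side, VID 1)."""
        src_vid = MANAGEMENT_VID if src == "router" else self.sms[src].untagged_ingress_vid
        dst_vid = MANAGEMENT_VID if dst == "router" else self.sms[dst].untagged_ingress_vid
        if src_vid not in self.membership:          # AP has no entry for this VLAN: drop
            return False
        if src in self.sms and dst in self.sms and self.sm_isolation:
            return False                             # SM Isolation drops SM-to-SM frames
        return src_vid == dst_vid                    # tag only stripped into the same VLAN


def thread_topology(isolation: bool = False) -> AP:
    """The poster's setup: SM1/SM2 on VID 100, SM3 on VID 1, AP member of {1, 100}."""
    ap = AP(membership={1, 100}, sm_isolation=isolation)
    for sm in (SM("SM1", 100), SM("SM2", 100), SM("SM3")):
        ap.add_sm(sm)
    return ap


if __name__ == "__main__":
    ap = thread_topology()
    for a, b in [("SM1", "SM2"), ("SM1", "SM3"), ("SM1", "router"), ("SM3", "router")]:
        print(f"{a} -> {b}: {'delivered' if ap.can_reach(a, b) else 'dropped'}")
```

Building the same AP with an SM whose ingress VID is still 1 (as in the poster's "active configuration" output) shows the failure mode: that office leaks into VID 1 and reaches the router while losing contact with its partner SM.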

I clearly understand the reasons to acquire a managed switch, but it is not my decision.
It seems that I have managed to convince my boss and we are going to buy one.
In the meantime, I unplugged SM3 and replaced it with another piece of equipment.
As soon as I receive the switch, I'll be back to the VLANs.

Thanks.

EDIT: BTW, I’m using version 8.2.2

FWIW 8.2.2 is pretty buggy.

8.2.7 is the stable version.

Tomorrow I will update to the latest version and try without the switch.
If it works, I'm not going to tell my boss, or I won't have the switch :lol:

Jerry Richardson wrote:
The only other potential issue is that you may need to replace your unmanaged switch with a VLAN aware switch that can provide an upstream bridge table entry for VLAN100 (this may be the problem).


Jerry,
how can this be a problem? The switch is completely external to the communication between the two SMs on VLANs, isn't it?
You could even disconnect it; it shouldn't affect the VLAN, right?

The only reason I thought it might be an issue is if the AP forwards VLAN packets to the Ethernet interface.

If that is the case, then without a VLAN-aware switch there would be nothing for the AP to forward to, and the packet would be dropped.

Would the packet truly be dropped, or would it simply “not be forwarded” because there is no VLAN mapping table?

I would think if the AP passed on a VLAN-tagged packet out its Ethernet interface, that Ethernet frame would still be tagged with a VID of 100.

Do you have SM isolation turned on? If it is enabled and the destination MAC and source MAC are on the same AP, it will certainly drop it. If it’s turned off, the AP should never send that frame down the Ethernet port anyway and will switch it to the other SM internally.

Sorry if you already answered this question - couldn’t find any mention of this in your post.

No, I don’t have isolation enabled. I still didn’t update the version.
I have to make a short trip to update the equipment, I’m at 50 km now and don’t want to do it remotely.