THE PROVIDER VID vs THE DEFAULT PORT VID?

I’ve been through various sites and haven’t found much explaining these in great detail… which is why I’m on here. Hoping someone a bit more experienced with Canopy than I am can either point me in the right direction and/or explain the difference between the provider VID and the default port VID.

I would like to set up the network as follows… send untagged traffic from PC/Router to SM Ethernet Interface, then tag the traffic as VLAN 100 and send it to the AP, CMM and BH pass everything else through to the trunk on my 4506 which has the allowed list of VLANs assigned and sends them out to my 7200VXR for routing to the uplink, management, etc. Basic scenario but will be implemented on a much larger scale using about 20 VLANs total.

PC/Router (untagged) --> Ethernet Int SM (untagged /w mngmnt ID 1000 passthrough) --> RF Int SM (tagged vlan 100) --><-- AP (vlan dynamic learning and forwarded SM iso) --> CMM (port iso) --> BH (trunk vlan 100, 1000) --> 4506 switch (trunk vlan 100, 1000) --> 7200VXR

There will be two types of SMs - with NAT and Bridged. I would like them to perform the same if possible. Each VLAN contains 1 subnet of /24 (/30 or /29 would be cleaner but not on the current project scope… I actually have plans to do the above when I finally upgrade all the SMs to 11.x ver and get RADIUS but that’s the next project).

95% of all SMs are running 10.5 and the VLAN tab shows as below; bold are the example settings to see if I’m off target or not.

SM Configuration:
VLAN Port Type : QinQ, or Q (assuming Q is the 802.1Q standard and QinQ is the new standard for multitagging?)
Accept QinQ Frames : Enabled/Disabled
Allow Frame Types : All, tagged, untagged
Dynamic Learning : Enabled/Disabled
VLAN Aging Timeout : 25 Minutes (Range : 5 — 1440 Minutes)
Management VID : 1000 (Range : 1 — 4094 - I understand what this is)
SM Management VID Pass-through : Disable/Enable (Mngmt VID passthru so techs with good NICs can manage the SM on site)
Default Port VID : 100? (Range : 1 — 4094) (need this explained, heard of this mentioned as the untagged ingress in another article and leads me to believe this is what I’m looking for but really need confirmation)
Provider VID : 1? (Range : 1 — 4094) (need this explained I found very little on it)

AP Configuration:
VLAN : Enabled/Disabled
Always use Local VLAN Config : Enabled/Disabled
Allow Frame Types : All, Tagged, Untagged
Dynamic Learning : Enabled/Disabled
VLAN Aging Timeout : 25 Minutes (Range : 5 — 1440 Minutes)
Management VID : 1000 (Range : 1 — 4094)
SM Management VID Pass-through : Disable/Enable
QinQ EtherType : 0x88a8, 0x8100, 0x9100, 0x9200, 0x9300 (assuming I need 0x8100 for 802.1Q vs 0x88a8 for 802.1ad???)

You are correct - the Default VID is like the native VLAN on your 4506, and the Provider VID is the “outer” tag for 802.1ad. When Q-in-Q is enabled then the Default VID gets used as the Subscriber VLAN, or the “inner” tag. The SM will convert between untagged/tagged (and vice-versa) to whatever VLAN you specify between the wired and wireless interfaces, so all of your untagged subscribers’ broadcast viruses will get punted to VLAN 100.

NAT SMs can behave the same way. I remember when this came out, but these days there is definitely support for management on VID 1000, NAT on VID 100, and an untagged subscriber port. You do end up with two route tables in the unit so make sure you have your IPs in order. Been a while since I played with this :wink:

Also might want to disable dynamic learning on the AP. It’s sure convenient, but if there’s a misconfiguration somewhere you can either end up sending bad VLANs out the AP which could cause congestion or let some undesirable stuff hit the SM and possibly all the way out to the subscriber.

Sounds like you’re good to go!
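The tagging described in the reply above, shown at the byte level as an added example that is not part of the original posts. It is a simplified model, not Canopy firmware behaviour; the function names and the sample frame are assumptions, and the VIDs (Default Port VID 100, Provider VID 1) are the example settings from the question.

```python
import struct

TPID_8021Q = 0x8100    # 802.1Q customer tag (inner tag)
TPID_8021AD = 0x88A8   # 802.1ad provider/service tag (outer tag)
# The QinQ EtherType choices listed on the AP's VLAN tab.
KNOWN_TPIDS = {0x8100, 0x88A8, 0x9100, 0x9200, 0x9300}

def push_tag(frame: bytes, vid: int, tpid: int = TPID_8021Q, pcp: int = 0) -> bytes:
    """Insert a 4-byte VLAN tag directly after the destination and source MACs."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in the range 1-4094")
    tci = (pcp << 13) | vid  # PCP (3 bits), DEI (1 bit, left 0), VID (12 bits)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]

def parse_tags(frame: bytes):
    """Return ([(tpid, vid), ...] outermost first, EtherType of the payload)."""
    tags, off = [], 12
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in KNOWN_TPIDS:
            return tags, etype
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci & 0x0FFF))
        off += 4

def sm_uplink(frame: bytes, default_vid: int, provider_vid=None,
              outer_tpid: int = TPID_8021AD) -> bytes:
    """Hypothetical model of the SM's wired-to-RF direction."""
    tags, _ = parse_tags(frame)
    if not tags:
        # Untagged subscriber traffic is placed in the Default Port VID.
        frame = push_tag(frame, default_vid)
    if provider_vid is not None:
        # Q-in-Q: the Provider VID is pushed as the outer tag.
        frame = push_tag(frame, provider_vid, outer_tpid)
    return frame

# Constructed sample: an untagged IPv4 broadcast frame from the subscriber PC.
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"\x45" + bytes(45)

q_frame = sm_uplink(UNTAGGED, default_vid=100)                     # port type Q
qinq_frame = sm_uplink(UNTAGGED, default_vid=100, provider_vid=1)  # port type QinQ

if __name__ == "__main__":
    for name, f in (("Q", q_frame), ("QinQ", qinq_frame)):
        tags, etype = parse_tags(f)
        print(name, [(hex(t), v) for t, v in tags], hex(etype))
```

Each tag adds 4 bytes to the frame, so every hop between the SM and the 4506 trunk has to carry the larger frame size when Q-in-Q is in use.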

Actually something just occurred to me - I’m not familiar with the 4500 switches but on other Catalyst gear VLANs 1000-1005 are reserved for FDDI/DECnet/etc. With internal VLANs allocated by switches for other uses I generally block off VLAN 1000 to 1050.

Thanks for confirming this for me Salad. I love merging with other WISPs - great opportunity for personal growth …and a lot of network clean-up :wink:

fddi, fdnet, etc start 1002-1005 so I usually mark out VLAN 1001-1025 on our network so I should be ok (been working thus far…lol).

last snippet from sh vlan on 4506
-------------------------------------------------------------------
1000 enet 101000 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0

last snippet from sh vlan on 3750
-------------------------------------------------------------------
1000 enet 101000 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 0 0
1003 tr 101003 1500 - - - - - 0 0
1004 fdnet 101004 1500 - - - ieee - 0 0
1005 trnet 101005 1500 - - - ibm - 0 0

ehh I knew it was somewhere up there. Yes absorbing other WISPs is good times. Map drawn on the back of a radio box helps a lot. Lots of fun tricks one learns on how to track down MAC addresses and how to break weird equipment you’ve never heard of! Also I am an expert at typing in IP addresses :slight_smile: Someone will probably say “use a script” but that’s not really possible when merging in a new network when there’s next to no documentation and you have to touch all the radios anyway… I think I’ve manually configured 500 or 600ish SMs of different brands lol