VLAN Config - Yay!

See my next post

What happens if you trunk port 24? Also set the SM to accept all frame types.

OK it works. Trunked Port 23, removed filters from the SM.

So here is the working configuration:

AP Active Configuration:
Untagged Ingress VID : 1
Management VID : 1
SM Management VID Passthrough : Enabled
Dynamic Ageing Timeout : 500
Allow Learning : Yes
Allow Frame Type : All Frame Types

Current VID Member Set:
VID Number   Type        Age
1            Permanent   0
100          Static      0

SM Active Configuration:
Untagged Ingress VID : 100
Management VID : 1
SM Management VID Passthrough : Enabled
Dynamic Ageing Timeout : 500
Allow Learning : No
Allow Frame Type : All Frame Types

Current VID Member Set:
VID Number   Type        Age
1            Permanent   0
100          Permanent   0

Root Switch Configuration at head end
Port 23 - Trunk Port (Backhaul)
Port 18 - VLAN 100 (AAA Gateway Subscriber)
Port 17 - VLAN1 (AAA Gateway WAN)
Port 1 - VLAN1 (Router)

Connected the laptop to the SM directly, and it pulled an IP. Opened the browser and hit the login page. Logged in and got the redirect to our Webpage. Browsing just fine.

Next is to figure out the framed browser and/or advertising solution.

Why is your backhaul on a trunk port while the router is on an access port?

That doesn’t really make sense unless you actually want to transport all your VLAN access (outside of the tagged port) to a different router.

(The advantage of using the local router to terminate vlan traffic being the ability to use a dynamic IP routing protocol on top of your radio links for redundancy with quick convergence times)

Not sure I understand what you mean. You have a tendency to talk over people’s heads.

All I need is for VLAN100 to be redirected to the AAA Gateway Subscriber port. This worked. If there is a better way that does not involve configuring the router or buying a Layer 3 Switch, I’d love to hear it.

After reading your post, I realized that if you could answer my questions, you would have been able to answer your own questions. I think explaining this stuff in detail would be quite a large post for this forum. So I’ll try to summarize some key points. Also, if you want to talk on the phone, I’d be happy to try and explain in more detail anything that you don’t quite grok yet.

First, it sounds like you want to make VLAN 100 appear at an SM’s Ethernet port and also at switch port 18? Setting the untagged ingress VID to 100 and the switch port to VLAN 100 should work. If not, make sure Canopy SM/AP/BH/etc. equipment along the way is set to pass/learn new VLANs. Also make sure that any Cisco or other managed switches in between are told to pass VLAN 100. Most managed switches will drop traffic for unidentified VLANs.

Second, and more generally, in an Internet/IP based environment, VLANs are typically used with separate IP subnets on each VLAN. vlan 100 gets, vlan 101 gets, etc… Each VLAN looks like a separate interface to a router or server that is connected to a trunk port on a managed switch. So, to talk between VLANs, you have to talk through a router. (You could bridge two VLANs together but of course that defeats the point of using VLANs to begin with.) I use OpenBSD and a few Cisco routers, typically on hardware that can handle 50,000 or 100,000 packets per second with no sweat. OpenBSD comes with a really robust BGP and OSPF and firewall/NAT implementation, with a lot of great features, it’s very stable, and it’s free.

So my cisco switches look like this:

int f0/24
switchport mode trunk

and then the router has:

interface vlan0
vlan 44 bge0
interface vlan1
vlan 45 bge0

And I can put a separate customer on each VLAN or whatever I like. It gets around using motorola NAT, at least. And the OpenBSD router has OSPF links to multiple other routers that ride over multiple RF links. So there’s redundancy on the RF point to point links with quick “convergence” time, or time for OSPF to fix routing across the network when links die. Convergence could also be the time to add a new route across the network.

The routing and networking can get a lot more complicated from here, but generally a well set up network is only complicated to design, and becomes easy and much less cumbersome to run. Seriously.

That’s good info, thanks. In this case, I don’t need the router to even know about the VLAN.

The only requirement was for WiFi Authentication to be separated from our Fixed-Point users.

So the process is such:
WiFi HotSpot --> SM [VLAN100] --> AP [VLAN1, 100] --> CMM --> BH --> 2924 Port23 [Trunked] --> 2924 Port 18 [VLAN100] --> WiFi Gateway (Subscriber)+WiFi Gateway (WAN) --> 2924 Port 17 [VLAN1] --> 2924 Port 1 [VLAN1] --> Edge Router --> Internet

I tried making Port 23 a Multi-VLAN 1, 100 however that would not work. I had to make port 23 a trunk before VLAN100 would get directed to Port 18 on the switch. Seems to me Multi-VLAN should work.

However, now it works flawlessly. The process is:
The WiFi user connects and is directed to the WiFi Gateway. The Gateway gives them a private IP range or masquerades an IP. The user authenticates and then is passed through the Gateway WAN to the router.

Our non-WiFi users are all assigned static IP addresses and run across VLAN1 directly to the edge router.

The APs we will be using for the Muni WiFi will have VLAN tagging per SSID. This will allow us to have two gateways, one for “Free” WiFi with a private IP, and one for “Paid” WiFi with a public IP.

Nah, multi-VLAN is a useless setting that Cisco dropped in newer software and hardware versions. The basic problem is this: how does the switch know which VLAN ID to tag the packet with?

Anyways, by setting it to a trunk port, you get vlan 1 traffic passed untagged and vlan 100 traffic passed with a tag. So you have to untag the traffic at the SM or whatever.

If the APs are going to tag and untag based on SSID then they need to be plugged into trunk ports. And the authentication server that needs to listen to requests from both VLANs needs to either talk to the router as a default gateway, with the router having interfaces on BOTH VLANs, or you need to plug the authentication server into a trunk port, and setup two virtual 802.1Q VLAN interfaces on the authentication server itself so it will tag and untag packets properly.

If the authentication server is expected to be on the SAME LAN as the subscribers then it needs to talk as a trunk port. IIRC, you have the authentication server plugged into an SM? So, set the SM to untagged ingress VID 1, and pass through all VLANs instead of filtering. Then set up a tagged interface on your authentication server with VID 100 and set up the IP address on the untagged (main Ethernet) interface to the IP for the range on VLAN 1 (the untagged or native “VLAN” that the rest of your switches are handling untagged).

I think we are not communicating. Maybe I’m missing something important so let me try to clarify:

The Router, and the Gateway LAN/WAN, and Backhaul are on the same switch.
Port 23 Trunked - Backhaul to our Canopy Network
Port 18 VLAN100 - Gateway LAN port
Port 17 - VLAN1 - Gateway WAN Port with IP from our block

The WiFi hotspot is on the other side of an SM, say at a coffee shop or other public location. The SM tags all incoming packets with VLAN100. That VLAN100 traffic arrives at the switch port 23.

VLAN100 is directed to port 18, which is the subscriber gateway (LAN port). Once authenticated, the traffic is passed out the WAN port of the gateway (which has a public IP from our IP block) into switch port 17 as VLAN1 traffic and on to the router.

What is not correct? It’s working.

I see. So the switch does all the tagging/untagging, and the authentication gateway just acts as a router between two switch ports that are effectively different networks. That sounds decent enough! You could use only one switch port and only one ethernet port on the gateway if you wanted, but this seems fine as well.

Learned a little something about ISL and dot1q encapsulation tonight.

We have several customers whose networks connect to ours through Cisco and other switches. When enabling the trunk on our root switch one of these customers would lose connectivity.

Turns out this particular customer’s Cisco 2924 switches do not have enterprise IOS and as such do not support dot1q. After A LOT of Googling (and head banging), I figured it out and swapped out the switch. Bingo!

So just a heads up that if you are implementing VLANs make sure your switches support dot1q encapsulation. More here: http://www.ciscopress.com/articles/arti … 3&seqNum=3

Hi all,
let me explain my problem …
I’ve read the whole post but understood very little.
I’m trying to get a hotspot controller working.
I’ve installed it in our NOC on the same switch that our customers use to get online …
Installing a wireless AP (2.4) behind a Canopy, everything works fine with NAT disabled, because if I enable NAT the access controller authenticates the Canopy’s MAC address just once and then everyone browses freely without authentication …
So I disabled NAT and receive a DHCP address from the access controller, and everything works fine (apparently), but the problem is that if I change my IP address to another class (customer class 10.1.x.x) I can browse freely …
The question is:
how can I isolate the AP controller’s traffic from the customer class with a VLAN …
In our NOC we have two managed switches (inside and DMZ), ProCurve 2626.
The network diagram is like this:

switch inside
PIX firewall and Internet for Canopy users ---- port 11
access controller (LAN port) ---- port 1
switch DMZ
access controller (WAN port) ---- port 1
PIX firewall (DMZ) and Internet ---- port 2
RADIUS and other servers ---- other ports

I’ve tried creating VLAN ID 100 and putting port 1 of the inside switch in it, and making port 23 trunked on our ProCurve 2626, but after configuring VLAN 100 on the Canopy (without NAT) nothing changes and I can still reach the Cisco PIX inside interface …

Can anyone help me?
Thank you a thousand times, and excuse me for the confusion and my poor English!
Attached is the VLAN config for the SM test.

Switch Config:
Port1 Router - VLAN1
Port10 Access Controller WAN - VLAN1
Port11 Access Controller LAN - VLAN100
BH to your network - Trunk 802.1q

AP Config:
VLAN Enable
Dynamic Learning Enable
Allow Frame Types: All Frames
VLAN Ageing Timeout: Any
All Local SM Management: Enable

SM Config:
Dynamic Learning: Disable
VLAN Ageing Timeout: Any
Untagged Ingress VID: 100
Management VID: 1
Local SM Management: Enable

When untagged traffic enters the SM it will be tagged VLAN100 and will traverse your network to your root switch Trunk Port (assuming you do not have any VLAN-aware switches between the SM and the root switch - CMMmicro is not VLAN aware).

The switch will put that traffic on Port 11 where it can enter your AAA controller.

I recommend testing the configuration at the switch by configuring port 12 for VLAN100 and connecting a laptop to it. When the switch is configured correctly you will see the login screen for the access controller, authenticate, and access the Internet.
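A small model of the forwarding decisions described in this thread, added here as an illustration (it is not Canopy firmware or switch code): the SM tags untagged ingress with VID 100, the AP passes all frame types, and the root switch forwards by port membership as in the working configuration above (ports 23/18/17/1). It shows the point behind Jerry’s answer to spokke: the VLAN a hotspot client lands in is decided by the SM’s ingress configuration, not by the client’s IP address, so changing the address to the customer range still reaches only the access controller port, whereas with VLAN disabled on the SM the same client lands in VLAN 1 next to the router. IP addresses are constructed and MAC learning is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass(frozen=True)
class Frame:
    src_ip: str                 # payload detail, never consulted for a VLAN decision
    vid: Optional[int] = None   # 802.1Q VID on the wire, None = untagged

def sm_ingress(frame: Frame, untagged_ingress_vid: Optional[int]) -> Frame:
    """Canopy SM Ethernet ingress: untagged frames receive the configured VID.
    None models an SM with VLAN disabled (the hotspot before any tagging)."""
    if frame.vid is None and untagged_ingress_vid is not None:
        return Frame(frame.src_ip, untagged_ingress_vid)
    return frame

def ap_forward(frame: Frame, member_set: Set[int], allow_learning: bool) -> Optional[Frame]:
    """AP set to 'Allow Frame Type: All Frame Types'. A VID outside the member
    set is accepted only when dynamic learning is on (it is then learned)."""
    if frame.vid is None or frame.vid in member_set or allow_learning:
        return frame
    return None   # dropped

# Root switch from the working configuration: port -> (mode, allowed VIDs, native/access VID)
SWITCH_PORTS = {
    23: ("trunk", {1, 100}, 1),    # backhaul from the Canopy network
    18: ("access", {100}, 100),    # AAA gateway, subscriber (LAN) side
    17: ("access", {1}, 1),        # AAA gateway, WAN side
    1:  ("access", {1}, 1),        # edge router
}

def switch_flood(ingress_port: int, frame: Frame) -> Dict[int, Optional[int]]:
    """Flood a frame to every other port in its VLAN (MAC learning not modelled).
    Returns {egress_port: vid_on_wire}; a value of None means sent untagged."""
    _mode, allowed, native = SWITCH_PORTS[ingress_port]
    vid = native if frame.vid is None else frame.vid
    if vid not in allowed:
        return {}                  # not a member: dropped, as on a plain access port
    out = {}
    for port, (m, pv, pn) in SWITCH_PORTS.items():
        if port != ingress_port and vid in pv:
            # access ports and the trunk's native VLAN egress untagged; other trunk VLANs tagged
            out[port] = vid if (m == "trunk" and vid != pn) else None
    return out

def hotspot_reach(src_ip: str, sm_untagged_vid: Optional[int]) -> Set[int]:
    """Switch ports a hotspot client's frame can reach via SM -> AP -> CMM/BH -> port 23."""
    f = sm_ingress(Frame(src_ip), sm_untagged_vid)
    f = ap_forward(f, member_set={1, 100}, allow_learning=True)
    return set() if f is None else set(switch_flood(23, f))
```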

Thank you, I will try tomorrow and I will post the results …
Right now I have no VLANs in my network … once I make this config, must I change all my SM configurations (the ones with NAT, not the one for the hotspot)? …
Thank you again

seem's to work very well now ...
thank you jerry ! :P
thank you all.