VLAN configuration on cnPilot: where and why

There are three different places where VLANs are configured on cnPilot access points. This post explains their function in each of the locations (& why they are all in different places)

1. VLAN in WLAN Configuration

When configuring an SSID there is an option to specify a VLAN. This indicates the VLAN where all the traffic from this SSID is bridged to.

When a packet is received from the wireless client on the air, it is marked/tagged with this VLAN and sent to the bridge for forwarding. Based on the configuration this VLAN could be bridged out of the AP as-is, or routed or NATed by the AP. That configuration is a secondary step and setup independently. At this point in the config all we are saying is every packet on this SSID is mapped to this VLAN.

Note that an AP is NOT required to have an IP address on the VLAN where it is bridging traffic. So there could be 16 different VLANs, each mapped to its own SSID, but the AP could be having only one IP address on one of the VLANs.

2. VLAN in Network Interface Configuration

VLANs can also be created as network interfaces on the AP. These are interfaces for VLANs where you would like the AP to have an IP address. It need not be on every VLAN that the AP is bridging frames for. In fact the only reasons for the AP to have an IP address on a VLAN (hence to have a correpsonding network interface) are:

  • the AP will be managed on that IP address
  • the AP will use that IP address to talk to an external server (AAA, Syslog, cnMaestro)
  • the AP will carry out captive portal page redirection for guest access
  • the AP is setup as a DHCP server and will serve out IP addresses from that interface

this configuration in the GUI is in the network section:

3. VLAN in Switchport configuration of the Ethernet Port

A third location where VLAN configuration shows up is when configuring the Ethernet port. By default the port is in access mode with a single vlan (1), but it can also be configured to trunk mode when multiple VLANs are supported and packets with 802.1q VLAN tags are to be bridged out by the AP.

In trunk mode all these VLANs that are to be bridged can be configured. Note that this configuration MUST match the corresponding port config on the switch where the AP is plugged into for packets to be bridged properly.

Since all this configuration specifies is which VLANs are valid for that port to be bridge (in or out of the AP) this config resides in the ethernet port section. A VLAN will typically correspond to the VLAN in a SSID config, but it need not (Eg: if the AP is using NAT for wireless traffic).

To summarize:

  • The vlans in WLAN config map an SSID to a VLAN within the AP. This packet could then either be bridged out if the VLAN is part of the switchport config of an ethernet port, or it could be NATed within the AP and be sent out as a packet on a different VLAN on the wired side.
  • Network Interface VLANs are to be defined only if the AP is required to have an IP address on that VLAN, otherwise they are optional. Every SSID VLAN need not (& typically wont) have a corresponding network interface VLAN.

2 posts were split to a new topic: Help configuring VLANs on R195