VLAN Design


Newcomer to Canopy equipment here… after reading some posts regarding VLANs and the Canopy Manual, I think I have an understanding of VLANs on Canopy gear, but I wanted to run it by the experts. Here is my proposed configuration:

Cisco 3560G
Switchport connected to backhaul: a trunk carrying a management VLAN (100), and several other VLAN’s that may be used by the radio side of an SM.

VLAN: Enabled
Managament VID: 100

It is my understanding that the backhauls do not have a VLAN membership table and that they will transparently pass all traffic that is tagged.

VLAN: Enabled
Dynamic Learning: enabled
Management VID: 100

It is my understanding that with “Dynamic Learning” enabled that if the AP receives a packet that contains a VLAN tag, the VLAN will automatically be added to the membership table, and the AP will continue to pass the packet with it’s VLAN tag in tact.

VLAN: Enabled
Dynamic Learning: enabled
Management VID: 100

Same thing for dynamic learning goes for the SM here… if it receives a tagged frame, it will add the VLAN to the membership table. The wireless side of the SM may be on any of the VLAN’s that is carried across the trunk.

Does this make sense to everyone?


That’s correct - from what you’ve said it seems the only point of control you have is at the uplink to your 3560. You should consider enforcing VLAN membership tables on SMs so that random tags cannot infiltrate your network. (Of particular significance because if you disabled SM isolation for the purpose of a wireless LAN extension a rogue layer 2 domain between SMs could be set up. But I might just be paranoid :slight_smile: ) As well pay special attention to the “allowed frame types” and “untagged ingress” settings on the SMs if you’re doing bulk access where the ethernet drops off into customer-owned equipment like a router or computer.

Hrm, not sure I quite understand the Untagged Ingress VID setting. Are you saying that I should limit the type of frames on the SM?

Yes, very much so! If you are up on your Cisco-ese check out my post in viewtopic.php?f=1&t=6772 which converts SM VLAN settings into their rough IOS equivalents.


Quick question regarding the Management VID. The Management VID will be set to ‘100’ on all of the Canopy equipment. VLAN 100 will be traveling over a trunk port that the backhauls are connected to. I should be able to access the management interface of these devices from a device plugged into my 3560 core on an access port on VLAN 100, correct?

Quick example:

interface GigabitEthernet1/1
description Backhaul connection
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2,100

interface GigabitEthernet1/2
description Management Computer used to Manage Canopy Devices
switchport access vlan 100


Yep, that will be fine

Hi Salad,

Another VLAN related question if you are still listening… a little routing here as well.

I have one customer who I will be providing bulk bandwidth and a /29 to. I need to route this to the customer over our existing radio network:

Core 3560 <–> BH <–> AP <—> SM <–> Router managed by me

I carved out a /30 to use as an uplink - VLAN 20. One end of the /30 will be the gateway/VLAN interface on my core, and the other IP of the /30 will be assigned to the router on the customer’s premise. The BH/AP/SM will all be configured to pass VLAN 20.

To give the user the /29, I will just route the /29 over the /30 uplink on my core which should in turn give the CPE router access to use these /29’s.

Does this sound like a feasible configuration? Is there any special configuration I need on the Canopy equipment which be will be carrying VLAN 20 (the /30) to the customer’s router? I’m guessing the SM in this type of configuration would just act like a Layer 2 bridge? Is there a better way to do this?


Sounds fine - all you’d need to do is make sure you’ve got the 802.1q trunking working fine through the Canopy network. The SM would then need to have set an untagged ingress VID of 20:

|--------tagged VLAN 20-----------|–untagged–|
Core 3560 <–> BH <–> AP <—> SM <–> Router

For security dynamic learning should be turned off so that VLAN 20 is not in the membership table of any other SMs.

Thanks for the reply. Does the “Untagged Ingress VID” of each SM always need to be set to the VLAN that the SM is in? Is simply having that VLAN in the SM’s VLAN Membership Table not enough?

Membership table is fine if you have trunk facing the SM from “customer router”. However if you’re using a lower end unit or don’t have the applicable software load (IP Base instead of IP Plus on a 2600, which requires 32 MB flash) you wouldn’t be able to spit out 802.1q frames.


So, now I’m trying to figure out how to best “flip” a flat non-VLAN’ed Canopy network to my new design.

Right now, there are no VLANs in use at all throughout the Canopy Network. The project will involve re-ipin’g the management interface of each Canopy device, as well as provisioning a new Radio IP address and enabling NAT on my SM’s. I’m trying to figure out the easiest way to start pushing 802.1q out to the network without bringing it all down.

I’d really like to prevent rolling a truck out to each customer (there are almost 1000 of them). So, I need to make sure that I can at least retain connectivity to the management interface throughout the entire process. I’m not sure how to do this, because once the I start tagging packets at my core (where the BH is plugged into), the Canopy equipment will start dropping the packets if the VLAN’s aren’t configured. So, do I re-IP the Canopy Equipment, set the management VID, then start sending tags out and just hope that everything works?

I know this is a confusing question… but hopefully you understand at least some of it :slight_smile: Any advice you can give is greatly appreciated.