VLAN Inquiry

Having never configured VLANs on the Canopy system before, and after reading the many knowledge-filled posts about VLAN configs on the Canopy system, I believe I have come to a basic conclusion and understanding that I was hoping someone could clarify or correct.

Assuming the following:

1. I terminate a Canopy AP or SM to a port on an 802.1q-capable Ethernet switch

2. I have the Canopy unit configured such that “Dynamic Learning” is enabled

Isn’t the Canopy module more-or-less acting as if it is the equivalent to Cisco’s “switchport mode trunk”, and by having “Dynamic Learning” enabled, “switchport trunk allowed VLAN all”? I am thinking in terms of a Cisco config where both ports that encompass a dot1q trunk need to have matching configurations.

Or, what happens if the Canopy AP or SM is connected to an access port on an Ethernet switch?

Also, after referencing the Canopy manual and reading about the “Untagged Ingress VID” feature of the Canopy SM, the manual states that whatever value is entered in the “Untagged Ingress VID” text field is the numeric value that will be added to all frames that the Canopy SM sees that arrive at the Canopy SM in an untagged state. My confusion is with the term “arrive”. Does that mean any frames that enter the Canopy SM from the radio interface will be tagged, does it mean that any frames that enter the Canopy SM via the Ethernet port will be tagged, or does it mean both?

Thanks,

Matt

msmith wrote:
Isn't the Canopy module more-or-less acting as if it is the equivalent to Cisco's "switchport mode trunk", and by having "Dynamic Learning" enabled, "switchport trunk allowed VLAN all"?


Yep. If you disable Dynamic Learning you must specify the VLAN memberships manually. Note that the management and untagged VIDs are automatically added.

msmith wrote:
Or, what happens if the Canopy AP or SM is connected to an access port on an Ethernet switch?


Never tried this, but I expect all tagged frames would be dropped or reported as oversized and throw errors.

msmith wrote:
Does that mean any frames that enter the Canopy SM from the radio interface will be tagged, does it mean that any frames that enter the Canopy SM via the Ethernet port will be tagged, or does it mean both?


I agree that it's a bit disorienting - the setting is the functional equivalent to "switchport trunk native vlan X". In a VLAN-enabled SM assume that anything going out the uplink is tagged, though I am not entirely certain how the Canopy stuff handles VLAN1 traffic. On my deployments I set Tagged Frames Only on the APs to combat crap like STP, CDP, VTP etc being blasted about.

Here's a rough conversion guide that may help:

SM with no VLANs:

interface vlan 1
ip address 169.254.1.1 255.255.0.0
interface wireless 0
switchport mode access
switchport access vlan 1
interface ethernet 0
switchport mode access
switchport access vlan 1


SM with split management/data VLANs, dynamic learning

interface vlan 40
ip address 10.192.168.1 255.255.255.0
interface wireless 0
switchport mode trunk
switchport trunk allowed vlan all
interface ethernet 0
switchport mode trunk
switchport trunk native vlan 101
switchport trunk allowed vlan all


SM with split management/data VLANs, no dynamic learning

interface vlan 40
ip address 10.192.168.1 255.255.255.0
interface wireless 0
switchport mode trunk
switchport trunk allowed vlan 40,101
interface ethernet 0
switchport mode trunk
switchport trunk native vlan 101
switchport trunk allowed vlan 40,101


SM with split management/data VLANs, no dynamic learning, do not accept MVID from ethernet

interface vlan 40
ip address 10.192.168.1 255.255.255.0
interface wireless 0
switchport mode trunk
switchport trunk allowed vlan 40,101
interface ethernet 0
switchport mode trunk
switchport trunk native vlan 101
switchport trunk allowed vlan 101


SM with split management/data VLANs, no dynamic learning, no MVID from ethernet, extra VLAN 123 added to membership

interface vlan 40
ip address 10.192.168.1 255.255.255.0
interface wireless 0
switchport mode trunk
switchport trunk allowed vlan 40,101,123
interface ethernet 0
switchport mode trunk
switchport trunk native vlan 101
switchport trunk allowed vlan 101,123



Hope that helps somewhat

Cheers

Thank you. Yes, that does help.

I agree that it’s a bit disorienting - the setting is the functional equivalent to “switchport trunk native vlan X”. In a VLAN-enabled SM assume that anything going out the uplink is tagged, though I am not entirely certain how the Canopy stuff handles VLAN1 traffic. On my deployments I set Tagged Frames Only on the APs to combat crap like STP, CDP, VTP etc being blasted about.


I thought that the “switchport trunk native vlan X” command makes sure that whatever parameter is specified for “X” remains “untagged” as it passes through a port? If that is indeed the case, I am still a little foggy as to how the “Untagged Ingress VID” is synonymous with “switchport trunk native vlan X”.

Perhaps my understanding of “switchport trunk native vlan X” is backwards…

Thanks,

Matt

“switchport trunk native vlan X” is basically the same as setting a port up as an access port. In fact on earlier CatOS the way to set the native VLAN on a trunked port was the same command as setting an access port.

In Cisco world it is important to remember that all packets are tagged internally and port configuration determines how that VLAN traverses that port. So in our case the SM will always tag anything with “untagged ingress VID” for transmission out the wireless side - otherwise the setting would be irrelevant :)

Got it, many thanks for the help.

Matt
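
The tagging behaviour discussed in this thread, as an added Python example (not part of the original posts and not Canopy firmware code): it models a frame entering an SM's Ethernet port on its way to the radio side, following the thread's description of Untagged Ingress VID, Dynamic Learning, manual membership and the "no MVID from ethernet" case. The function and parameter names and the sample frame are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Constructed sample frame: broadcast dst, locally administered src, IPv4 EtherType, dummy payload
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"\x00" * 46

def vlan_of(frame: bytes):
    """Return the VID of an 802.1Q-tagged Ethernet frame, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID

def add_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag (priority 0) directly after the source MAC."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]

def sm_ethernet_ingress(frame, untagged_vid, mgmt_vid, members=None,
                        allow_mvid_from_eth=True):
    """Model (assumption, per the thread) of a frame entering the SM's Ethernet port.

    members=None models Dynamic Learning (like 'allowed vlan all'); otherwise it
    is the manually configured membership set. The untagged and management VIDs
    are treated as members automatically. Returns the frame to send out the
    radio side, or None when the frame is dropped.
    """
    vid = vlan_of(frame)
    if vid is None:
        # Untagged on arrival: gets the Untagged Ingress VID (the "native VLAN")
        return add_tag(frame, untagged_vid)
    if vid == mgmt_vid:
        return frame if allow_mvid_from_eth else None
    if vid == untagged_vid or members is None or vid in members:
        return frame
    return None  # tagged with a VID outside the membership list
```
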