VLAN on SMs and APs

Hi guys,

I need some clarifications on how VLAN works on APs and SMs. We are an ISP in West Africa. Some of our clients require WAN connections between their offices; in such a case, we imagined using the VLAN feature on the AP and SM would let us achieve this.

We did some VLAN tests on the AP and SMs. We put 2 SMs registering to one AP in the same VLAN, i.e. VLAN 3, and another SM registering to another AP in VLAN 5. Ideally, the 3rd SM should not be able to communicate with the other two SMs. However, all SMs could communicate together.

What I noticed was that once you enable VLAN on the AP and SM they automatically have a permanent VLAN ID of 1 which can’t be removed. So, what is the use of VLAN on the AP and SM if I can’t logically separate my network? Perhaps I am doing something wrong; I will appreciate any help. Thanks.

It’s not just a matter of enabling VLANs on the SM and the AP. You also need to enable VLANs in your router and switches. I would also suggest not testing VLANs on a live network, but rather setting it up in a lab.

VLAN1 is the management VLAN. This should be changed to another VLAN# if you want to make your network more secure.

Jerry,

Our WAN clients don’t reach our switch or router, hence we need the VLAN feature on the AP and SM to work. VLAN ID 1 is permanent once you enable VLAN on either the SM or AP and can’t be removed.

VLAN ID 1 has a permanent status even if you don’t add it under the ‘VLAN Membership’ tag. So, adding 2 SMs to one VLAN and one SM to another VLAN won’t help because all of them have a default permanent VLAN ID of 1 that can’t be removed.

Search for posts on VLANs. I think you will find that your question will be answered.

Search for posts where, on this forum?

I sent an email to moto and I am awaiting their reply. If I don’t get any - I will call them.

Yes, this forum.

Moto said that I can’t achieve the VLAN settings I want unless I put in a 3rd party switch. This is what they said:

"First you have to have a third party equipment (Switch) to put you in
whatever VLAN you want to be and then you will configure the AP and the SMs
according to the "Canopy Release 8 User Guide"
Thank you"

I thought the whole canopy network was one big switch, hmmmm.

What you want can be done.

On the SMs that you want on the same VLAN:

VLAN Config > Dynamic Learning OFF. Untagged Ingress VID: put the VLAN number that you want. All SMs pertaining to the client that needs this WAN must have the same VLAN number.

On the APs just make sure that VLANs are enabled.

That will allow your client to establish a WAN over your network. His own IP addressing scheme will work and will be transparent to your other users.

If this client also needs to have internet access then you will need a VLAN capable switch and a sub interface on your router. Or else, just give him another SM with your normal VLAN.

vanilla,

Should dynamic learning be turned off only at the SM, or at both the SM and AP?

Secondly, do I need to assign a VLAN membership ID for the SMs, or should I just use the same Untagged Ingress VID for all SMs I want in the WAN service?

Another good question is how are your APs connected? Are they at the same physical location or different sites?

To answer your last questions, it is a good idea to disable dynamic learning on both the APs and the SMs.


Aaron

acherman,

My APs are on different sites. Will that pose a problem?

Nope, it can still be done quite easily. How are they connected? Can you provide a detailed description of what devices are used? (i.e. AP -> CMM -> BHM - - - - BHS -> CMM -> AP, or if there are any other switches in place, etc.)


Aaron

My devices are connected this way:

SM -> AP -> CMM -> BHM -> BHS -> CMM -> AP -> SM (for clients not using the Internet, i.e. WAN clients)

SM -> AP -> CMM -> BHM -> BHS -> CMM -> Switch -> Bandwidth Manager -> Firewall -> Router -> Internet (for Internet clients)

I want to be able to put WAN clients in different VLANs for security purposes without using my switch. Secondly, we have a wireless DHCP server connected to the switch that gives IPs to clients in bridged mode. All our other clients are NATted. We would like to place those wireless clients in separate VLANs as well.

Okay, that looks good. Since your WAN clients are only going through the Canopy gear and not your other switch this is easy.

As others said, you need to configure the Untagged Ingress VID on the SMs to whatever you want their private VLAN to be. For the Management VID you have a choice - you can set it the same as the Untagged Ingress to give you local config abilities, or you can set it to a management VID for remote config needs.

Once you get the VIDs in the SMs, you will need to add those VIDs to the VLAN Membership list in the APs. As long as the VLAN config in your CMMs is default you shouldn’t have to do anything there, or in your backhauls (both CMMs and BHs will pass all VIDs).


Aaron

What about the Dynamic learning, should I turn it off when doing this?

Sorry, I mentioned that a few posts up.

For security reasons I would leave Dynamic Learning off. That way if someone is bored and decides to connect a switch/device that is VLAN aware they will still only be able to reach the single VID configured in the SM.


Aaron
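A small model of the forwarding rules described in the two posts above (Untagged Ingress VID on the SM, VLAN Membership on the AP, Dynamic Learning off), added here as an example; it is not code from the thread or from Motorola's Canopy firmware. It assumes only what the posts state: untagged customer frames receive the SM's Untagged Ingress VID, the AP forwards only VIDs in its membership list plus the permanent VID 1, and CMMs and backhauls pass every VID. MAC addresses and frames are constructed; management VID handling is not modelled. parse_vlan also works on raw frame bytes exported from a capture, which is how you would confirm which VID an SM is really tagging before trusting the separation.

```python
import struct

VLAN_ETHERTYPE = 0x8100
IPV4_ETHERTYPE = 0x0800
# The thread reports that VID 1 stays in the membership list and cannot be
# removed, so the model always admits it (assumption taken from the posts).
PERMANENT_VIDS = {1}

# Constructed sample MAC addresses (not from the thread).
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")


def build_frame(dst, src, ethertype, payload, vid=None):
    """Build an Ethernet II frame, optionally with one 802.1Q tag (PCP/DEI = 0)."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", VLAN_ETHERTYPE, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_vlan(frame):
    """Return (vid or None, inner EtherType) for raw frame bytes, e.g. from a capture."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != VLAN_ETHERTYPE:
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner


def strip_tag(frame):
    """Remove the 4-byte 802.1Q tag that sits after the two MAC addresses."""
    return frame[:12] + frame[16:]


def sm_customer_ingress(frame, untagged_ingress_vid, dynamic_learning=False):
    """Model of the SM's customer port: untagged frames get the Untagged Ingress
    VID; tagged frames pass only if dynamic learning is on or the tag already
    matches the SM's VID. Returns the frame to forward, or None to drop it."""
    vid, _ = parse_vlan(frame)
    if vid is None:
        tag = struct.pack("!HH", VLAN_ETHERTYPE, untagged_ingress_vid & 0x0FFF)
        return frame[:12] + tag + frame[12:]
    if dynamic_learning or vid == untagged_ingress_vid:
        return frame
    return None


def ap_forwards(frame, membership):
    """Model of the AP: forward only VIDs in its VLAN Membership list (plus VID 1)."""
    vid, _ = parse_vlan(frame)
    return vid is not None and vid in (set(membership) | PERMANENT_VIDS)


def sm_customer_egress(frame, untagged_ingress_vid):
    """Model of the destination SM: only its own VID reaches the customer, untagged."""
    vid, _ = parse_vlan(frame)
    if vid != untagged_ingress_vid:
        return None
    return strip_tag(frame)


def reachable(src_vid, dst_vid, ap_membership, dynamic_learning=False, customer_tag=None):
    """Can a customer behind an SM with Untagged Ingress VID src_vid reach a
    customer behind an SM with dst_vid, across APs that share ap_membership?
    CMMs and backhauls pass all VIDs per the thread, so they are not modelled."""
    payload = b"\x45" + b"\x00" * 19  # constructed stand-in for an IPv4 header
    frame = build_frame(DST_MAC, SRC_MAC, IPV4_ETHERTYPE, payload, vid=customer_tag)
    tagged = sm_customer_ingress(frame, src_vid, dynamic_learning)
    if tagged is None or not ap_forwards(tagged, ap_membership):
        return False
    return sm_customer_egress(tagged, dst_vid) is not None


if __name__ == "__main__":
    # The original test: SMs left on the permanent VID 1, so every SM talks to every other.
    print("all on VID 1:", reachable(1, 1, {3, 5}))
    # The fix from the thread: two SMs on VID 3, one on VID 5, AP membership {3, 5}.
    print("3 -> 3:", reachable(3, 3, {3, 5}), "| 3 -> 5:", reachable(3, 5, {3, 5}))
    # A customer plugs a VLAN-aware switch behind a VID-3 SM and tags frames with 5.
    print("tagged 5 behind VID 3, learning off:", reachable(3, 5, {3, 5}, customer_tag=5))
    print("tagged 5 behind VID 3, learning on: ",
          reachable(3, 5, {3, 5}, dynamic_learning=True, customer_tag=5))
```

The last two calls are the reason for leaving Dynamic Learning off: with it on, a customer who tags his own frames can land in another client's VLAN even though his SM's Untagged Ingress VID says otherwise, because the tag he supplies is accepted as-is.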

Let me try this in a lab, I will give you guys the result.

acherman wrote:
Okay, that looks good. Since your WAN clients are only going through the Canopy gear and not your other switch this is easy.

As others said, you need to configure the Untagged Ingress VID on the SMs to whatever you want their private VLAN to be. For the Management VID you have a choice - you can set it the same as the Untagged Ingress to give you local config abilities, or you can set it to a management VID for remote config needs.

Once you get the VIDs in the SMs, you will need to add those VIDs to the VLAN Membership list in the APs. As long as the VLAN config in your CMMs is default you shouldn't have to do anything there, or in your backhauls (both CMMs and BHs will pass all VIDs).


Aaron


All of this is correct; I have been running a multi-VLAN configuration for over a year now. A key point to remember when configuring switchports for 802.1Q trunking to the AP or SM is that the switchport native VLAN will always be 1 regardless.

In my configuration, I use a management VLAN ID of 400, and on the AP have passthru enabled to get to all the remote SMs. Under VLAN Membership I have added all the VLANs I want to propagate downstream, and on all the remote SMs I have the management VID configured to 400 as well, and untagged ingress on whatever VLAN that end user should be on.

Everything currently running 8.1.5.1.

VLAN is good for separating networks, but test before implementing it over wireless since you might come across overhead and problems.

If you have a managed switch, e.g. Cisco, you can do VLANs so that all your wireless traffic is not broadcasting and talking to each other.
Instead it will talk to a group of preferred radios, which helps in reducing overall congestion.

Try connecting your laptop with the Ethereal software to your radio switch and monitor the traffic first.

alexdehaini wrote:
My devices are connected this way:
SM -> AP -> CMM -> BHM -> BHS -> CMM -> AP -> SM (for clients not using the Internet, i.e. WAN clients)


I have another question.
What if, instead of using a CMM and Moto backhauls, I used other brands of switches and backhauls? Do they have to be VLAN aware in order to work?
In other words, could I connect the AP to common switches, or will they have to support VLAN trunking?

Thanks
Massimo