Vlan Tagging..

Steph · October 26, 2015, 12:59pm

Hi There,

I'm having a little difficulty in getting my Vlans to work propperly.... very likely a lack of understanding :)

Anyway , I've split my network in two Vlans ... or that's the idea at least.

Vlan : 20 is used for magement , setting a seperate Vlan to Manage Acces points , Subscriber Modules , CMM , backhauls etc etc. . This was rather simple to configure and also the only thing I've managed to get working :)

Vlan 120: I'm planning on moving all my Data from the default Vlan 1, to 120 and the only way I can see this working is if I'm able to "re-tag" the data between the router and the SM units and if possible to only tag frames from a specific MAC address ?

The idea is if a customer plugs his Canopy into a switch with a few other devices that the Canopy only re-tags traffic from a specific mac and that everything else will be ignored to prevent default Vlan traffic from leaking into my network.

Now looking at the Vlan config I'm presuming one would set the Default Port VID to 120 , configure the MAC address under "Port VID Mac address mapping" , add Vlan 120 under the membership table and then use Vlan Remarking changing source Vlan 1 to Vlan 120 ?

Anyway , some help would be greatly appreciated.

-steph

DTL · October 26, 2015, 2:32pm

First. I assume that your question is related to PMP 100-450 series.

ePMP VLANs settings are different.

Second, I assume that you have turned on VLANs in the AP. There is only a global "On" setting per AP. Also, that you are using the default settings on the AP and SM's (Dynamic learning and Allow all VLAN types)

Third. VLAN 1 is always on and can't be disabled. It's automatically in the membership table.

It's used during registration etc so general rule, don't use VLAN 1 for any of your management, user data etc.

Settings

Again, if you are using the default settings, you don't need to do anything with the Membership Table as "Dynamic Learning" does that for you. If you turn this off, then you will need to add VLAN 20 & 120 on any device where you have turned if off.

You have used VLAN 20 for management and that is pretty straight forward. Just set the management VLAN in each device. Seems that you already have that up and running.

Data VLAN

The "Default Port VID" on an SM is for all un-tagged data that is entering the ethernet port on the SM.

If you need specific tagging, then you use the Port VID MAC address" to tag specific machines. You can also use a MAC address Mask to tag all Vendors devices to a VID. ie. 64-16-7F-FF-FF-FF would tag all Polycom phones.

If the customer below the SM is already tagging with their own switch etc, then thats where retagging comes into play. For example, if customer data comes into the SM with VLAN 200 and you want to change it to 120, then you would put in a rule. Going out of the SM, the rule is applied in reverse.

As to your question about remarking VLAN 1, I don't think that is possible as it is used by the AP and SM. I will let others comment on that.

Hope that helps

Martin

Steph · October 26, 2015, 3:28pm

Yes , PMP100 and PMP430 and PMP450. Al l the Access points and Clusters and switches downstream is configured correctly to accept the Vlan tags. I guess if these were wrong I won't be able to access my management Vlans on the Access points and SM modules

Ok , this is most likely where my understanding of Vlans end :) .. I assumed default / untagged traffic will always use Vlan 1.. So what I meant by re-tagging Vlan 1 , I was talking about when a customer has no Vlan capable devices on his end and I want to remark traffic from a certain device on his network to my Data Vlan which is 120.

So in short , any traffic leaving the customers router should be tagged as Vlan 120 , but only when it matches the MAC address configured

DTL · October 26, 2015, 4:34pm

If you set the "Default Port VID" to anything other then 1, then all un-tagged data from the customer will get tagged to that VLAN.

So in your case, if you left the Default Port VID as 1 and set a specific MAC address rule for a device to 120, then only that device would go out as 120.

Steph · October 27, 2015, 5:25am

What should Vlan Port type be configured as ? Leave it on "Q" or change it to "QinQ" and set Accept QinQ Frames to enable ?

Steph · October 27, 2015, 11:56am

I finally figured out where I went wrong. The major issue was that I forgot to configure my CMM4 to include Vlan 120 on the correct ports. Everything started to work the moment I added the tag.

Thanks for all the help , without your pointers I would have still figured that my configurations on the SM are wrong.

Much appreciated.

-steph

Steph · October 27, 2015, 12:06pm

Now for the tricky part , is it possible to set the Port VID address mapping with snmpset or pass it through Radius when the SM authenticates with the AP ?

I wrote a pearl script to harvest the MAC address from the Canopy SM bridge table and then compare it with what's in my stock room so I'm like 98% sure that I'll be able to match the correct router with it's Canopy... It's just to pass it back now to configure the VID mapping correctly. I have over 4K subscribers so doing each manually won't be a workable option :)

Thanks again for all the help.

-steph

salad · November 26, 2015, 5:06pm

Are you still working on this? I am curious as to why you'd want to roll out so many static MAC-to-VLAN mappings with only a single data VLAN.

Steph · December 21, 2015, 12:28pm

Hi There,

Got it working but haven't fully deployed it on the network yet. The main reason is to ensure that the Canopy will only pass / remark traffic for known devices ... especially for customerthat plugs the Canopy into a switch. I had an insidant not to long ago where a customer had a second connection from us and decided to plug both links into his local network switch ... :)

-steph