VLANs - Again

From what I can tell, there are two ways to go with this:

PLAN A
AP:
VLAN = Enabled
Dynamic Learning = Enabled
Allow Frame Types = Tagged Only
VLAN Aging Timeout = 500 Minutes
Management VID = 1 (Leave Default)
All Local SM Management = Enabled

SM:
Dynamic Learning = Disable
Allow Frame Types = UnTagged Frames Only
VLAN Ageing Timeout = 500 Minutes
Untagged Ingress VID = Same as Parent AP
Management VID = 1
Local SM Management = Enable

Root Switch:
Root Switch Router Port is configured as the Trunk Port
Q: Do I need to do anything to the switch port that the BH is connected to?
Q: I have servers on the same switch. I assume the traffic hits the router and then goes back to the switch and then to the requested server?

BHs:
BHs get no configuration, they just trunk the traffic to the root switch

CMMmicro:
CMMs need no configuration, they just trunk traffic to the BHs

Router:
Router does not need to be VLAN aware. The root switch takes care of removing VLAN tags and forwarding untagged frames to the router.

Advantages of PLAN A:
Allows SM to SM VLAN membership allowing traffic to flow within the network without having to go to the router.

SMs can move from one AP to another and still be accessible as the AP is set for Dynamic Learning. So if a tech moves a radio, a Network Manager can still get to it and change its VLAN membership.


PLAN B
Disable SM to SM communication
Enable Port Based VLANs in the CMMmicro

Advantages of PLAN B:
No configuration of the SM necessary
No Management of VLANs necessary
Eliminates broadcast storms as any broadcast packets are forwarded to the router and killed.

Disadvantages of PLAN B:
Drives all traffic to the router
SM to SM communication needs to be via VPN


Anything I am missing?

SM Isolation,
For SM to SM communication you can also put a static route into the client PC/router.

Example:

Client A: 127.222.0.2
Client B: 127.222.0.3
Router: 127.222.0.1

On client B router add a route like this:
ip route 127.222.0.2 255.255.255.255 127.222.0.1

On client A router add a route like this:
ip route 127.222.0.3 255.255.255.255 127.222.0.1

This will force the traffic to be redirected to your router!

You need to have a VLAN-aware router if you want your VLANs to be routed.
The switch won’t remove the VLAN tag; the router does.
Every VLAN needs to have its own subnet; your router will have as many sub-interfaces as you have VLANs.

On a Cisco router it would look like this:
interface FastEthernet0/1.150
description VLAN 150
encapsulation dot1Q 150
ip address 45.45.45.1 255.255.255.240

If you’re using a Cisco switch like the Catalyst 29xx, don’t forget to add your VLAN to the switch database.

#vlan database
(vlan)#vlan xxx
(vlan)#apply
(vlan)#exit
#write mem

For the AP, BH and SM, the switch port must be in trunk mode.
! set the encapsulation before 'mode trunk' on switches that also support ISL (e.g. 3550); the 2950 is 802.1Q-only and has no encapsulation command
#switchport trunk encapsulation dot1q
#switchport mode trunk

I suggest using this setting on your BH and AP.
Allow Frame Types = All Frames

Is there any advantage to using 500 minutes for the VLAN aging timeout?

Voila.

Jerry,

On the back end, there are a lot more configurations necessary to implement VLANs, as the previous post indicated. The routed choice, as mentioned, requires a bit of subnetting, possibly some static routes, and most likely will require customer re-addressing unless taken care of through static DHCP.

The part of VLANs with respect to Canopy that always confused me was “what to do with the traffic as it comes BACK into your router from the Internet, and needs to get to your customer”. Those packets will have destination IP addresses. If your Canopy equipment is set to forward frames based on the VLAN ID in the Layer-2 Frame, where is it going to get that VLAN from as it comes back into your network?

That’s where the sub-interfaces and subnetting on the Cisco come into play. Your edge router will check the IP header at Layer-3 of the packet to extract the destination IP address. It will then query its routing table to determine what to do with the packet. If you have no VLAN configuration done on your router or switch, the Canopy devices will not bridge the frames, as they have no VLAN IDs in them. If, as mentioned previously, you set up sub-interfaces associated with particular IP subnets, for each subnet you can make sure the router inserts the VLAN ID into the frame BEFORE it routes it to your FastEthernet Interface. You must assign an IP address to each sub-interface, and this new IP address becomes the default gateway address for your customers’ CPE routers.

The other question that I always had was almost exactly like one that you posed. You have servers connected directly to your edge switch. The ports that these servers are on MUST be configured so that each VLAN on your network can speak to them. My question always was, if I implement 50 VLANs, how do I make those ports members of ALL 50, so they can fulfill service requests?

I am no VLAN expert by far, as I have never implemented them on a Canopy network. I have only done them in a controlled lab environment with Cisco routers and switches. The forum member who posted previous to this seems to know what they are talking about, in detail, with regards to configuration. If I made any errors that anyone noticed here, please correct them.

FYI - another forum member with a lot of VLAN experience on his Canopy network is acherman.
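The return-path question above (where does the VID come from when a packet comes back from the Internet) and the SM settings in the first post, as an added toy model that is not code from the thread or from any Canopy or Cisco product. Everything here (`RouterOnAStick`, `sm_ingress`, the VID 150 / 45.45.45.0/28 pairing taken from the earlier Cisco snippet) is an illustration, not a real API.

```python
# Added example, not from the thread: toy model of where the 802.1Q VID comes
# from on each leg of the path described above. Names are invented.
import ipaddress
import struct

TPID = 0x8100  # 802.1Q Tag Protocol Identifier

def tag_frame(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag after the two 6-byte MAC addresses (PCP/DEI = 0)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]

def vid_of(frame: bytes):
    """Return the VID of a tagged frame, or None if the frame is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None

def untag_frame(frame: bytes) -> bytes:
    """What an untagged (access) switch port does on egress: strip the tag."""
    return frame if vid_of(frame) is None else frame[:12] + frame[16:]

def sm_ingress(frame: bytes, untagged_ingress_vid: int) -> bytes:
    """SM on 'Untagged Frames Only' with an Untagged Ingress VID: customer
    frames arrive untagged and leave tagged with that VID; tagged are dropped."""
    if vid_of(frame) is not None:
        raise ValueError("tagged frame dropped at SM ingress")
    return tag_frame(frame, untagged_ingress_vid)

class RouterOnAStick:
    """Cisco-style sub-interfaces: one IP subnet per VID, as in the
    'encapsulation dot1Q 150' snippet earlier in the thread."""

    def __init__(self):
        self.subifs = []  # (network, vid, gateway address)

    def add_subif(self, vid: int, gateway_cidr: str):
        iface = ipaddress.ip_interface(gateway_cidr)
        self.subifs.append((iface.network, vid, iface.ip))

    def vid_for(self, dst_ip: str):
        """Longest-prefix match on the destination IP picks the sub-interface,
        and therefore the VID stamped on the frame before it hits the trunk."""
        ip = ipaddress.ip_address(dst_ip)
        hits = [(n.prefixlen, vid) for n, vid, _ in self.subifs if ip in n]
        return max(hits)[1] if hits else None

    def egress(self, frame: bytes, dst_ip: str) -> bytes:
        vid = self.vid_for(dst_ip)
        if vid is None:
            raise LookupError("no sub-interface routes to " + dst_ip)
        return tag_frame(frame, vid)
```

A destination with no matching sub-interface gets no VID and is not forwarded, which is exactly why a customer on VID 151 cannot receive a frame the router tagged for VID 150.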

I am very much interested in this topic especially the SM Isolation :), as I am also planning the same.

[quote]On the back end, there is a lot more configurations necessary to implement VLANs as the previous post indicated. The routed choice, as mentioned, requires a bit of subnetting, possibly some static routes, and most likely will require customer re-addressing unless taken care of through static DHCP.[/quote]


We have over 1200 SMs in a single L2 network and, due to the exact same reason mentioned above, I left out the idea of VLANs. If someone is planning to implement it in a small or fresh new network then it can be deployed without any hassles. Also, correct me if I am wrong: once you enable VLAN you cannot even access the SM interface locally unless your PC is sending VLAN tagged frames… I am confused… :)

[quote]The other question that I always had was almost exactly like one that you posed. You have servers connected directly to your edge switch. The ports that these servers are on MUST be configured so that each VLAN on your network can speak to them. My question always was, if I implement 50 VLANs, how do I make those ports members of ALL 50, so they can fulfill service requests?[/quote]


Older Catalysts like the 2900XL have a feature and concept called Multi-VLAN. But it’s useless if you have trunk ports in the same switch, which means ultimately it can be used only in a single switch. But I have been deploying multi-VLAN in our metro Ethernet backhauled over SM :)

Regarding pointing a /32 specific route towards the gateway, which Charles mentioned: it works only if you have routers that can take specific customized routes. You can’t if your customers are using cheap broadband routers like Linksys, D-Link, SMC etc. where you can specify only a default gateway.

But if someone is running a Canopy network or a separate cluster like we do, where you allow only PPPoE connections, then you can easily deploy either VLAN or SM to SM isolation. On the server you need to run a separate instance of the PPPoE daemon for every VLAN interface. So far I have been successful in our metro Ethernet backhauled over fiber for the last 2 years.
Now planning to deploy the same in the Canopy network.

Does SM isolation work on a single AP only, or across multiple APs as well?

Jerry, please keep posting and keep the list updated… :)

Is there another thread before this, I can’t figure out what you are trying to do…

However, if you are planning to do VLAN stuff and then need gateways to be sitting on that VLAN (hence the post talks about a router), you are better off using an L3 switch. We use a 3550 with the enhanced image; that way you don’t need a router, unless you want to do VRF as sameat stated in a different post.

The 3550 will only support 1000 VLANs; they don’t like 1006-4096, although I believe the 3700 series does. Also the 3750 can do VRF as they are MPLS switches (VRF is MPLS-lite).

Going back, what is it that you are trying to do? I may be able to advise. We have 2000+ customers on a single L2; we run VLANs, multisite WANs, VoIP, public IP, DMZ, internal services, etc…

Sameat, at 1200 (depending on how quick you are growing and how many WAN or NAT-disabled customers you have) you may soon start maxing out the bridge tables and hence will have to go routed like us; the best way to do this will be MPLS, but that’s another topic.

My original question was more of a “will this work”.

We are not having problems with broadcast storms as we block multicast packets at the SM either by turning on the filters or using NAT.

The reason we are looking at adding VLANs is for security. For customers requiring additional security for HIPAA compliance, etc., we give them a radio link with DES, and also their own VLAN. They would also implement whatever type of strong encryption they need at each end of their connection.

We are also likely to get our first city wireless network, and they use it for public safety. They have VLANs running now so we will need to be able to support them. As we grow, we will add more cities, meaning more VLANs, so I am trying to get prepared now.

I am not very knowledgeable when it comes to VLANs so I am starting to figure this out. I know how to configure the radios; it’s the root switch and/or router I need help with.

What I am looking to do is assign VLANs on a case by case basis. VLAN IDs would be put into the SM or VLAN capable CPE router, and then removed at the (layer 3) root switch or router. If I have a customer that just wants to connect three locations, they would be assigned a VLAN at each SM. SMs on that VLAN would be able to communicate, but other customers on the network would not be able to intercept the traffic.

I was also thinking about implementing SM to SM isolation at the AP, and port based VLAN at the CMM. The only problem I see is that ALL traffic has to go through the layer 2 switch or router. This may not be a big deal as we have plenty of BH capacity now.

Thoughts? Comments?

How about, instead of using the built-in switch of the CMM, using a Cisco switch and configuring every port on which you terminate an AP as a Protected Port rather than putting it on a different VLAN.

Thanks for the reply.

The CMMs are on top of a mountain. I really don’t want to put a Cisco switch up there in those conditions. The switch in the CMM is pretty hardened.

I am exploring if I can remove the switch inside CMM and fit this one inside the CMM box.

http://www.cisco.com/en/US/products/hw/ … 3a436.html

I like it!

OK… now I understand, you are in a similar predicament to us… VLANs operate at L2 and the VLAN technology was never designed to operate on a mass scale across cities like you and I are using it. Hence it is not scalable; bridge tables and the number of VLANs will limit your scalability and also will compromise your design.

Now once you stick in a router and strip away VLANs, then you lose the VLAN simplicity we are accustomed to.

We are also looking at wifi mesh and the MEA product. However, to design a scalable network and retain the L2 functionality you need to look into MPLS. MPLS has been designed to give L2 VLAN scalability. As service providers you will be required to offer MPLS capability in the very near future, especially as the multiuse of broadband takes off and people start requesting QoS.

MPLS is a big and complex topic but you should look into it. It could save you a lot of time in the future. I have spoken to Moto senior engineers regarding our plans and engineering and they agree that MPLS is the way to go to support say 20,000 customers and provide additional services.

Also Sameat’s suggestion of putting in a router is a very good idea; if you don’t want to put it on top of the mountain, the second best solution would be to put it at the BH that is at the other end connecting to the mountain.

vj,

When you say maxing out bridge tables, in your network in which device did it max out: SM, AP, BH or switch?

I maxed out the MAC table in my border switch, a Catalyst 2900XL, 6 months back, which is quite obvious… therefore I replaced all my switches with 2950s with EI.

But I doubt the AP’s and BH’s bridge tables will both max out, unless you have a bogus MAC DoS kind of thing or an Ethernet loop.

Canopy kit… you are allowed 4096 MAC entries in the bridge tables…

The problem comes when we create a WAN for a customer, in which case the relevant RF kit ends up learning the MAC addresses of the customer’s internal network…

Aaha… this means you allow your customers’ internal LAN/L2 networks to bridge through your Canopy network, doing VLAN…

In our network we don’t do that… we don’t allow any of our customers to connect the Ethernet of the SM directly into their LAN switch unless the SM is doing NAT. For private data communications we compulsorily use VPN.

But this scenario might change once I start VLAN or SM isolation. But ultimately you are right, VLAN will not scale… that is why I am looking for alternatives like combinations of SM isolation, VLAN, Protected Ports etc…

We do enough to protect our network so that if a customer messes up on their side, it will not affect our network or any other customer.

Security we leave to the customer… if they want to encrypt that’s up to them… most don’t bother…

Putting in a device at the end of the SM doesn’t really give me any benefit, as the customer can always unplug the SM out of the device and jack it into anything they want.

We lock down the SM through VLAN (both IVID and MVID); this ensures us security/protection. Using BAM/PRISM we can ensure that even if the customer decides to default the SM, as soon as they register we would reconfigure it.

If a customer is running their own network inside, which they want propagated across the WAN, we work with them and allocate them reserved VLANs for that purpose and add them in on their SMs.

On a business model, putting in a VPN device would increase our investment and thus increase the ROI period.

[quote]Putting in a device at the end of the SM doesn't really give me any benefit, as the customer can always unplug the SM out of the device and jack it into anything they want.[/quote]

Before we give connectivity to any of our customers we clearly tell them about our policy and dos and don’ts. If any customer unplugs the SM from the installed router and plugs it into any other device, we instantly get a notification and shut the SM Ethernet port automatically.

[quote]If a customer is running inside their own network which they want propergated across the WAN we work with them and allocated them reserved vlans for that purpose and add them in on their SM's.[/quote]

I am not comfortable with this… had we done this I am sure we would have run out of bridge table years back. But we took a different approach and didn’t deploy VLANs; rather we make our customers purchase a VPN router and it costs around $50 only. :)

But it all depends upon own business policy.


Hi guys,

It’s scary how little people on here know about how to use VLANs.

First of all, there’s no reason, as Jerry writes in the first post on this thread…There’s no reason to keep the management VID as 1 unless you don’t actually have a VLAN capable router. If you do, you can enable MPLS, setup a private network on VID 2 or some other VID that you can only access from your work network that you naturally couple into your MPLS network. Linux based routers are starting to get MPLS-like features (well, separate routing tables is a start, anyways). But in a large network, the management VID is very nice because it allows you to separate out “control” and go virtually “out of band” with your management. Virtual out-of-band is as good as it gets, these days.

Second, there’s no reason, as again Jerry first suggests, to use the same VLAN ID for all your local egress ports. This is completely retarded, and defeats the whole point of using the untagged VLAN feature at all, unless all you were trying to do was move all your customers from one big broadcast network to another.

The right way to use VLANs is to set up your filtering as Jerry suggests for the AP and SM, but to use a real Management VID that’s separate from any customer traffic, and use real VLANs for your customers who need more traditional networks (business customers, home static IP customers who don’t need to share someone else’s broadcast crap, etc).

Now I’m also a fan of putting home users on one broadcast subnet with SM isolation turned on. That’s not a bad feature at all… But it does break customer<->customer communication unless you also trick customers into somehow sending all their traffic, even traffic destined for the local LAN, to the mac address of the router. (Perhaps by assigning each machine its own subnet with DHCP? But that sucks if you are using real IPs) So it’s really only a decent option for residential customers.

Pretty much any free/open source and any commercial router out there outside of the Linksys class of crap will do 802.1Q VLANs. Even Linksys-class crap with OpenWRT flashed on it can support VLAN tagging/untagging. You need a router that can do this to use VLANs, otherwise you should leave VLANs alone.

If you try a nice Cisco catalyst 2950 switch with 802.1Q tagging and a vlan-capable router, you can set up a separate subnet on each port, just like you can on each SM’s ethernet port.

Lots of manageable switches support 802.1Q VLANs, but Ciscos do it rather nicely, and the 2950 has much better ethernet capability than the 2900. (Not all 10/100 PHYs are created equal.)

Wow! Your VLAN and networking skills are excellent. Time to start working on your Diplomacy skills…

Thanks for pointing out my mistake regarding tagged only, that was supposed to be untagged only.

I would like to add my 2 cents to this thread,

We use vlans extensively over our network,

We are migrating all our POPs to a Cisco 2950T + Mikrotik Router Appliance combo; this provides us the ability to have SM - SM isolation on the APs, AP - AP isolation on the switch, and routable VLANs on the Mikrotik.

We used to provide L2 VLAN services to corporate clients using end-to-end L2 VLAN configurations across all our network, but we are migrating those to EoIP+VLAN tunnels because we are migrating our network to L3.

So far so good.