veloc1ty · ʎʇƖɔolǝʌ

Links:

Each icon is taken from the providers trademark page.

Content licensed under CC BY-SA 4.0 - Powered by Hugo and a customized Hyde-X template

UniFi access point, Cisco switch and native VLAN

Sunday, November 11 2018 · Lesezeit: 4 Minuten · 725 Wörter · Tags: Unifi Achtung! Dieser Artikel ist älter als ein Jahr. Der Inhalt ist möglicherweise nicht mehr aktuell!

Today I’ve thrown out my Dlink managed switch and replaced it with a Cisco SG350 I’ve bought “cheap” on Amazon. I’m now able to properly configure VLANs. Thankfully my UniFi AP AC Lite can map each WLAN to a VLAN. However I struggled a bit with traffic not flowing as I wanted.
The setup I wanted:

For using VLANs within an UniFi access point requiress the switchport to be in trunk mode. But not every frame on this access point is tagged automatically. For example the traffic from the access point (management, etc) is always untagged. The Cisco switch has to assign a tag to every untagged frame coming in on the trunk port. This is done by the native vlan.

Setup

I’ve configured the WLAN Networks in UniFi like this:

And the switchport traffic is:

interface GigabitEthernet5
 description "-- Link to access point"
 switchport mode trunk
 switchport trunk native vlan 3
 switchport trunk allowed vlan add 3,5,6

To tag untagged frames from the access point itself I’ve set the native VLAN to 3.

Observations:

The frames were lost either by the switch or access point. I read article over article what the native VLAN should and should not do but was not able to find a problem. It hasn’t made any sense to me. And - no joke - while showering thinking about frames and VLANS it hit me hard.

Solution

The solution is pretty simple: The switch config is fine. To be honest it’s also very simple: When a switch attaches something to a frame on ingress then it’s very likely removed on egress. This also applies to the native VLAN. When a frame matching the native VLAN is going out on that trunk it’s removed.
Applied to my setup the DHCP OFFER is sent to the access point and the VLAN tag 3 is removed. Now the access point doesn’t now what to do with it since the VLAN tag is not present. The OFFER is moved to /dev/zero.

The solution is to remove the VLAN association from the WLAN “Wu-Tang Lan”. Since the IP space of the WLAN and the device managent address overlaps on the Layer 2 and 3 the traffic should be treated untagged by the access point itself. So I configured my wireless LANs like this:

Proper setup

In a proper setup the IP and VLAN space would not be shared. There should be a dedicated IP and VLAN for management traffic which is by default untagged. Then I would assign a different IP + VLAN space to the wireless lans. My problem is that I shared tagged and untagged traffic on two different “interfaces”.

Example:

IP Space VLAN Used for
192.168.10.0/24 10 Access point management traffic
10.20.0.0/16 20 WLAN 1
10.21.0.0/16 21 WLAN 2
10.22.0.0/16 22 WLAN 3

The switch config for every port connected to an access point should then look like this:

interface GigabitEthernetX
 description "-- Link to access point X"
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan add 20,21,22

Ingress untagged frames are tagged with vlan 10. This should only be the case for traffic originated from the access point itself.
Tagged ingress frames are untouched forwarded.


Du hast einen Kommentar, einen Wunsch oder eine Verbesserung? Schreib mir doch eine E-Mail! Die Infos dazu stehen hier.

🖇️ = Link zu anderer Webseite
🔐 = Webseite nutzt HTTPS (verschlüsselter Transportweg) Zurück