    Questions about VLANs and Cisco Hardware

    Does anyone have any experience with Cisco hardware, specifically WLCs, Wireless APs, and VLANs?

    I took the CCNA courses, but it was a very long time ago. We didn't go over wireless technologies in the course because back then, I believe wireless was fairly new in the business sector.

    To start with, I'm having some trouble understanding VLANs. I realize on Cisco hardware at least that a VLAN ID is layer 2, a VLAN interface is layer 3. I am a bit confused with VLAN tagging though.

    I have a setup like this:
    Code:
    Cisco Router
    --------------
    Interface GigabitEthernet 0/0/1 <-- access port, Public Static IPv4 address
    
    Interface Wlan-GigabitEthernet0/1/8
     Description: Internal switch interface connecting to the embedded AP
     switchport trunk native vlan 999
     switchport trunk allowed vlan 10,20,40
     switchport mode trunk
    end
    
    VLAN ID 10
    VLAN ID 20
    VLAN ID 40
    
    Interface VLAN 10 <-- Network Address 10.0.0.0 / 24, IP address 10.0.0.1
    Interface VLAN 20 <-- Network Address 10.0.20.0 / 24, IP address 10.0.20.1
    Interface VLAN 40 <-- Network Address 10.0.40.0 / 24, IP address 10.0.40.1
    
    WLC
    -----
    Interface management <-- Untagged, IP address 10.0.0.2
    Interface vlan_employees <-- Tagged VLAN 20, IP address 10.0.20.2
    From the built-in WLC, I have trouble pinging the router. I read the management interface needs to be left untagged. But if it's left untagged, how does it work? The packet leaves the WLC, untagged, enters the Wlan-GigabitEthernet0/1/8 interface, and then gets tagged with VLAN 10? Or does the packet reach the Wlan-GigabitEthernet0/1/8 interface, which sees that it doesn't belong to a VLAN, and the interface drops the packet?

    My understanding about the native VLAN is: if the packet coming into the interface is tagged with the same VLAN that is set as the native VLAN, the interface will remove the tag and forward the packet to its destination, untagged. Is that correct?

    Thanks!
    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

    #2
    Re: Questions about VLANs and Cisco Hardware

    I'm not sure... but have you tried encapsulation dot1q on the router interface?



      #3
      Re: Questions about VLANs and Cisco Hardware

      I have tried, but I do not think I have done it right. I need a better understanding of VLANs and how the packets look when traveling from various networks to other networks.

      For example, what happens, and what does it look like, if a packet is coming from interface 1 on a wireless LAN controller, with an IP of 10.0.0.3, untagged, passing through interface 1 on the router (just as an example) which has an IP address of 10.0.0.2? What happens to the packet if it's untagged when it leaves the wireless LAN controller? What happens if, on the router, it's a VLAN interface? What happens if it's tagged when it leaves the wireless LAN controller?

      I see many tutorials that show how to set up dot1q on the router's interface, but that command just isn't there for my router. It's a little bit different.
      -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full



        #4
        Re: Questions about VLANs and Cisco Hardware

        Originally posted by Spork Schivago (the full opening post, quoted above)
        You should set the WLC to tagged, VLAN 10 and then 10.0.0.1 and 10.0.0.2 should be able to ping each other.

        From the WLC command line:
        config interface vlan management 10



          #5
          Re: Questions about VLANs and Cisco Hardware

          So, when you mark an interface as untagged as a member of a vlan, it means that the vlan tags themselves (headers that say, "this data is for vlan 25!") won't be passed by that interface, but that the port will just act like any normal switch port. It would just be a switch port on that vlan. So say you have management on vlan 30 and you set interface 0/0/1 as untagged on vlan 30, then it would make port 0/0/1 only pass data for vlan 10 and would strip all the vlan tags from being passed. The vlan tag encapsulates the data, so when it is stripped you are left with the 'normal' network data observed by computers most of the time. This is not the same thing as a port having no membership to a vlan.

          Take this example below.

          Company X has two switches for two floors in their building. They want the phones to be on a separate vlan from the data. They do not want the devices that are getting plugged into the network to have to read vlan tags and place themselves on a specific vlan. Instead, they just want it to look like two completely separate networks. (There should be no vlan tags presented to the devices, just the data.)

          vlan 10 = Data Network.
          vlan 20 = Phone Network.
          vlan 30 = management

          Both switches will be configured like this.
          Ports -- vlan -- tagged/untagged/neither -- Notes
          0 -- 10,20 -- tagged -- This is a trunk port. It is tagged because it needs to pass the vlan data AND the tags to the next switch so the switches can keep things separate.
          1 -- 10 -- untagged -- This port is a part of vlan 10 but doesn't pass any tags, just the data on vlan 10.
          2 -- 10 -- untagged -- This is like port 1. Devices on this port and port 1 can talk fine, like the other vlans don't exist. It can also talk to things on the other switch that are on vlan 10.
          3 -- 20 -- untagged -- This port is like port 2, except that it only sees the data on vlan 20 instead of 10. It doesn't see any tags.
          4 -- 20 -- untagged -- This port is just like port 3.
          5 -- 30 -- untagged -- This port is the only port on the switch that is a member of vlan 30. The management interface has been assigned to this vlan and, as such, no other interfaces have access to this management interface. Since the Trunk Port doesn't have vlan 30 tagged, it won't pass this vlan over to the other switch. Each switch would need to be plugged into individually to access the management network.

          This can be useful in more high-security installations or in small installations where there are only a few switches. There is no reason why you can't have "vlan 30" tagged at the trunk ports so that you can manage all your switches from a single switch port. The important thing is just keeping management interfaces away from the normal user network.

          I hope that explains the difference between tagged and untagged. A note is that a machine that is on a port that has been tagged on a vlan may look pretty much like one with an untagged port. That is only because the vlan tag is getting discarded, though. The tag is actually getting sent to the machine, but the machine isn't doing anything with it unless it is told to use it. It is generally cleaner to mark things like workstations as untagged on their designated network so that they don't have to deal with tags for no reason. Some devices don't like dealing with tags. If a machine is getting a tag, it kind of should have a reason for it, such as with ESXi hosts where you want to tag multiple vlans for use on that host. Ports tagged on multiple vlans should have that machine's NIC configured to handle the vlans/act as two distinct networks.
          Last edited by Retro-Hipster; 05-10-2019, 03:03 PM.


          “Men always seem to think about their
          past before they die, as though they were
          frantically searching for proof that they
          truly lived.”
          – Jet (Cowboy Bebop) -
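          The opening post asks what a trunk port does with an untagged frame (native VLAN 999, allowed VLANs 10, 20 and 40), and post #5 explains tagged versus untagged membership with the Company X table. The following is an added toy model, not code from the thread or from Cisco: it parses and builds 802.1Q tags at the byte level and applies the ingress/egress rules of access and trunk ports. The sample ARP frame, MAC address and the port objects are constructed here; one assumption (noted in the code) is that the allowed list is enforced for the native VLAN too, which is a simplification of what real hardware does.

```python
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

TPID_8021Q = 0x8100  # EtherType that announces an 802.1Q tag


def parse_frame(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Split an Ethernet frame into (vlan_id, frame_without_tag).

    vlan_id is None when no 802.1Q tag is present. The VID is the low 12 bits
    of the Tag Control Information word that follows the 0x8100 TPID.
    """
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


def add_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag (priority 0, VID=vid) right after the two MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                              # "access" (untagged member) or "trunk" (tagged)
    vlan: int                              # access VLAN, or the native VLAN on a trunk
    allowed: FrozenSet[int] = frozenset()  # trunk only: "switchport trunk allowed vlan"


def ingress(port: Port, frame: bytes) -> Optional[Tuple[int, bytes]]:
    """Classify an arriving frame into a VLAN. Returns (vid, untagged frame) or None if dropped."""
    vid, untagged = parse_frame(frame)
    if port.mode == "access":
        # An access port belongs to exactly one VLAN and expects untagged frames only.
        return None if vid is not None else (port.vlan, untagged)
    # Trunk: untagged frames, and frames tagged with the native VID, land in the native VLAN.
    if vid is None or vid == port.vlan:
        vid = port.vlan
    # Model assumption: the allowed list is enforced for every VLAN, the native one included.
    return (vid, untagged) if vid in port.allowed else None


def egress(port: Port, vid: int, untagged: bytes) -> Optional[bytes]:
    """Build the frame a port would send for VLAN vid, or None if the port doesn't carry it."""
    if port.mode == "access":
        return untagged if vid == port.vlan else None      # tag stripped for access members
    if vid not in port.allowed:
        return None                                          # e.g. vlan 30 kept off the trunk
    return untagged if vid == port.vlan else add_tag(untagged, vid)  # native leaves untagged


def reaches_svi(port: Port, frame: bytes, svi_vlans: FrozenSet[int]) -> Optional[int]:
    """Which router SVI ("interface VLAN n") sees this frame, if any."""
    classified = ingress(port, frame)
    if classified is None:
        return None
    vid, _ = classified
    return vid if vid in svi_vlans else None


# Constructed sample: a broadcast ARP request (EtherType 0x0806) from a made-up WLC MAC.
WLC_MAC = bytes.fromhex("0200000000a2")
BCAST = b"\xff" * 6
ARP_REQ = BCAST + WLC_MAC + struct.pack("!H", 0x0806) + b"\x00" * 28

# The opening post's trunk and router SVIs.
WLAN_TRUNK = Port("Wlan-GigabitEthernet0/1/8", "trunk", vlan=999, allowed=frozenset({10, 20, 40}))
ROUTER_SVIS = frozenset({10, 20, 40})

# Post #5's Company X switch: port 0 trunk (tagged 10,20), port 1 untagged on vlan 10.
COMPANY_X_TRUNK_0 = Port("0", "trunk", vlan=1, allowed=frozenset({1, 10, 20}))
COMPANY_X_PORT_1 = Port("1", "access", vlan=10)


def op_scenario() -> Tuple[Optional[int], Optional[int]]:
    """Untagged WLC management traffic vs. the fix from post #4 (management tagged VLAN 10)."""
    before = reaches_svi(WLAN_TRUNK, ARP_REQ, ROUTER_SVIS)               # untagged -> native 999
    after = reaches_svi(WLAN_TRUNK, add_tag(ARP_REQ, 10), ROUTER_SVIS)   # tagged 10 -> SVI 10
    return before, after


if __name__ == "__main__":
    print("SVI reached before/after tagging management:", op_scenario())
    print("vlan 30 on Company X trunk:", egress(COMPANY_X_TRUNK_0, 30, ARP_REQ))
```

          Running it shows the untagged management frame never reaches interface VLAN 10: the trunk files it under its native VLAN 999, so tagging the WLC management interface with VLAN 10 (post #4) is what makes 10.0.0.1 and 10.0.0.2 see each other. The Company X objects reproduce post #5's table: the access port hands vlan 10 data over with the tag stripped, and the trunk refuses vlan 30 because it was never allowed there.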



            #6
            Re: Questions about VLANs and Cisco Hardware

            Quoting my own post above: "... as untagged on vlan 30, then it would make port 0/0/1 only pass data for vlan 10 and would strip all the vlan tags from being passed"

            AH! I'm sorry, I meant to say "vlan 30" in both cases there. I wrote the first part, then came up with the example after. Then, when I went back to change vlan 10 to vlan 30 so that it matched all the examples, I forgot to fix that sentence. ^^;;

