Thursday, 8 December 2011

Cisco Mesh - Ethernet VLAN tagging

The following documents the steps required to get Ethernet VLAN tagging working in a Cisco mesh deployment. This allows you to hang either a single wired client or a switch off of a MAP and allow it to communicate with the rest of the network, via the mesh. This is essentially the mesh-based equivalent of a work-group bridge. The configuration documented below is for connection of a switch to the MAP.

The Cisco documentation for this configuration is ridiculously confusing, contradictory and contains numerous mistakes so much of the following was determined by nutting it out. As such, there may be modifications to the configuration below that also work, depending on requirements but the following has been tested and deployed. There is a BugID for the poor state of the documentation - 'nuff said!

Assumptions
  • You have a working knowledge of Cisco mesh deployments
  • Having read through the Cisco documentation on Ethernet VLAN tagging and banged your head against the wall may also help
  • The following configuration is based on this example topology
    • [ACCESS-LAYER SWITCH] --> [MAP] --> [MAP] --> [RAP] --> [CORE SWITCH]

    Configuration

    VLAN Transparent
    • Disable the global parameter VLAN Transparent
      • WLC GUI --> WIRELESS --> Mesh --> Un-tick 'VLAN Transparent'

    Ethernet Bridging
    • Enable Ethernet Bridging on ALL RAPs and MAPs in the mesh network
      • If Ethernet Bridging is not enabled on all MAPs and RAPs and the MAP changes its backhaul path through the network, the MAPs and RAPs in the new path may not be able to dynamically create the required VLANs / sub-interfaces on their radio interfaces
    • WLC GUI --> WIRELESS --> Access Points --> All APs --> <ap-hostname> --> Mesh -> Tick 'Ethernet Bridging'
    • Depending on the number of APs, a quicker way may be to use the WLC CLI command:
      • config ap bridging enable <ap-hostname>

     RAP Wired Ethernet Interface (Configured on the WLC)
    • If not already set, configure ALL RAPs wired Ethernet interfaces (usually GigabitEthernet0 or GigabitEthernet3) to Normal Mode. This is the default so they probably won't need to be changed
    • Contradictions exist in Cisco documentation as to whether Trunk or Normal mode is required. Both work but changing from Normal to Trunk produces a warning that indicates the change hasn't taken place so in effect, the port is still set to Normal, despite being set to Trunk
    • The RAP does actually trunk traffic to the switch but the VLANs / sub-interfaces on the GigabitEthernetX wired Ethernet interface are created automatically using a VLAN registration mechanism.
    • WLC GUI --> WIRELESS --> Access Points --> All APs --> <rap-hostname> --> Mesh --> <GigabitEthernetX> --> Mode --> Normal

    RAP Wired Switchport Interface (Configured on the switch)
    • The switchport(s) on the [CORE SWITCH] that the RAP(s) wired Ethernet interface connects to must be configured as a trunkport.
    • In the switchport configuration example below:
      • VLAN 100 is the Native VLAN and the VLAN that the RAPs and MAPs management IP resides in
      • VLAN 200 is the Management VLAN used by the [ACCESS-LAYER SWITCH](es) attached to the MAPs
      • VLAN 300 is the User-access VLAN used by wired clients that connect to the [ACCESS-LAYER SWITCH]. Multiple User-access VLANs may be used, if required
    • Example switchport configuration:
      • interface GigabitEthernet0/1
      •  description *** Connection to RAP01 ***
      •  switchport trunk encapsulation dot1q
      •  switchport trunk native vlan 100
      •  switchport trunk allowed vlan 100,200,300
      •  switchport mode trunk
    • Assuming the [CORE SWITCH] is the appropriate layer 3 point in the network, SVIs for all three VLANs should be created

    MAP Wired Ethernet Interface (Configured on the WLC)
    • Only the MAP(s) that have an [ACCESS-LAYER SWITCH] connected to them require VLANs configured. All of the other MAPs that act as backhauls for the MAP(s) connected to the [ACCESS-LAYER SWITCH] will automatically pass the VLAN-tagged packets through their radio interfaces.
    • Configure the MAP(s) that have an [ACCESS-LAYER SWITCH] connected, by configuring the wired Ethernet interface (usually GigabitEthernet0).
    • Configure the same native VLAN and additional VLAN IDs as that configured in the RAP Wired Switchport Interface section above
    • These additional VLANs are:
      • Management VLAN used by the [ACCESS-LAYER SWITCH] that attaches to the MAPs
      • User-access VLAN used by wired clients that connect to the [ACCESS-LAYER SWITCH]
    • WLC GUI --> WIRELESS --> Access Points --> All APs --> <map-hostname> --> Mesh --> <GigabitEthernetX> --> Mode --> Trunk
    • WLC GUI --> WIRELESS --> Access Points --> All APs --> <map-hostname> --> Mesh --> <GigabitEthernetX> --> Mode --> Native VLAN Id --> <VLAN100>
    • WLC GUI --> WIRELESS --> Access Points --> All APs --> <map-hostname> --> Mesh --> <GigabitEthernetX> --> Mode --> Trunk VLAN Id --> <VLAN200>
    • WLC GUI --> WIRELESS --> Access Points --> All APs --> <map-hostname> --> Mesh --> <GigabitEthernetX> --> Mode --> Trunk VLAN Id --> <VLAN300>

      MAP Wired Switchport Interface (Configured on the switch)
      • The switchport(s) on the [ACCESS-LAYER SWITCH] that the MAP(s) wired Ethernet interface connects to must be configured as a trunkport.
      • In the switchport configuration example below:
        • VLAN 100 is the native VLAN and the VLAN that the RAPs and MAPs management IP resides in
        • VLAN 200 is the Management VLAN used by the [ACCESS-LAYER SWITCH] currently being configured
        • VLAN 300 is the VLAN used by wired clients that connect to the [ACCESS-LAYER SWITCH] currently being configured
      • Example switchport configuration:
        • interface GigabitEthernet0/48
        •  description *** Connection to MAP01 ***
        •  switchport trunk native vlan 100
        •  switchport trunk allowed vlan 100,200,300
        •  switchport mode trunk
      • An SVI & default gateway for management of the [ACCESS-LAYER SWITCH] should also be configured:
        • interface Vlan200
        •  description ***** [ACCESS-LAYER SWITCH] Management *****
        •  ip address 192.168.1.10 255.255.255.0
        • ip default-gateway 192.168.1.1
      • It is recommended that VTP is set to transparent on this switch

      EOF... almost
      Cisco Mesh Ethernet VLAN Tagging configuration - what could be simpler? :|

        7 comments:

        1. Hi. Thanks for posting this. How do you make the AP interface actually change to "trunk"? I'm assuming that "normal" won't work if the desired native vlan isn't 1.

          ReplyDelete
        2. Hi Bill,

          You can change the AP interface to trunk under the AP --> Mesh tab. Take a look here.. there is a screenshot a few pages down that shows it set to trunk --> http://www.cisco.com/en/US/docs/wireless/technology/mesh/7.0/design/guide/MeshAP_70.html#wp1385965

          It's been quite a while since I did this so I'm not sure regarding setting it to normal... I didn't have the native VLAN as 1 when set as trunk though but from memory, that VLAN was still being passed.

          ReplyDelete
        3. Scott,

          Is the Native VLAN on the link required to be the management VLAN of the RAPs and MAPs? In our case, the MAPs and RAPs share a management VLAN with the switches, and we would like to use a different VLAN as native.

          ReplyDelete
          Replies
          1. James,

            It was that long ago I can't recall. I do remember that I had an issue which I believe was the RAP/MAPs and access switches all using the same VLAN - that is, I couldn't get it working when they were all in the same VLAN; I assume because the communication between RAPs and MAPs uses the native VLAN and not a tagged VLAN. From memory, I had to configure it per the post for it to work.

            I would suggest labbing it up per the post, getting it up and running and then making modifications from there.

            Delete
        4. Scott: amazing doc. I could do it and try it practically but beside being very busy I have no lab and I have to build the devices and connect them from scratch. switches and Mesh APs are distributed among many places :-|
          Thanks for the nice doc. and really the wall is happy now because I'll stop banging my head against it!! Cisco Doc sends you nowhere (it also says 802.11a 'Ethernet' interface!!!!).
          Thanks again :)

          ReplyDelete
        5. This comment has been removed by the author.

          ReplyDelete
        6. Excellent post SCOTT.

          My banck costumer wants the switchports in access Mode ( security rules ). My doubt is if the swtichports in both sides are in ACCESS MODE, Can i forward 2 or more vlans?? Or necessarily in trunk mode??

          Thanks you!!!

          ReplyDelete