VLAN Deployment Guide for WLAN

Introduction

When using Huawei WLAN devices, users generally keep the default settings to simplify configuration. For example, the default service and management VLAN IDs of an AP may both be 1. In this case, various problems may occur.

This document describes the impact of AP service VLAN and management VLAN configurations on services in tunnel and direct forwarding modes, recommended configurations, and common VLAN configuration errors. It aims to guide users in deploying services and reducing such errors.

Understanding VLANs

Management VLAN

A management VLAN transmits packets that are forwarded through CAPWAP tunnels, including management packets and service data packets forwarded through CAPWAP tunnels.

Typically, a management VLAN is the VLAN configured using the capwap source interface command on an AC.

  • Configuration command in V200R005C00 and earlier versions:
    [AC6605] wlan
    [AC6605-wlan-view] wlan ac source interface Vlanif 100
  • Configuration command in V200R005C10 and later versions:
    [AC6605] capwap source interface Vlanif 100

By default, management packets of APs are untagged, and an access switch directly connected to the APs adds VLAN tags to the management packets. In practice, the PVID of the access switch interface to which an AP directly connects needs to be configured as the management VLAN ID.

[Switch] interface GigabitEthernet 0/0/1
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100

If no PVID is configured for the access switch to which an AP directly connects, the access switch adds the tag of VLAN 1 to the management packets by default. In this case, VLAN 1 is the management VLAN of the AP.

management-vlan

The management-vlan command configures a management VLAN. In practice, the management VLAN is configured on the access switch directly connected to an AP. If the access switch interface directly connected to the AP is already in use or already has a different PVID configured, run the management-vlan command instead. Then you only need to configure the access switch connected to the AP to allow packets from the management VLAN to pass through, without configuring a PVID on the access switch.

The configuration method is as follows:

[AC6605] wlan 
[AC6605-wlan-view] ap-system-profile name ap-system1
[AC6605-wlan-ap-system-prof-ap-system1] management-vlan 100
Warning: The incorrect management VLAN configuration will cause the AP to go out of management. This operation will make the AP reset. Continue? [Y/N]:y
NOTE:

After the configuration, restart the AP to make the management VLAN take effect.

Service VLAN

A service VLAN transmits service data packets. The default service VLAN is VLAN 1.

VLAN 1

VLAN 1 is a special VLAN and should be used with caution. Interfaces on a standard Layer 3 switch are added to VLAN 1 by default so that the switch can run with zero configuration.

If a switch with zero configuration is used, the broadcast domain of VLAN 1 may be large, which may easily cause broadcast flooding. Therefore, it is not recommended that VLAN 1 be used as the management VLAN or service VLAN during WLAN planning.

Analyzing Service VLAN and Management VLAN Configurations

This chapter analyzes the impact of different combinations of service and management VLANs in direct and tunnel forwarding modes and provides configuration recommendations.

Direct Forwarding

Each entry below gives the combination of service and management VLANs, the impact analysis, the recommended configuration, and the workaround.

Combination: The service and management VLANs are different, and the service VLAN ID is 1 (for example, service VLAN 1 and management VLAN 100).

Impact analysis: In direct forwarding mode, the service VLAN ID is 1. The AP tags user packets with service VLAN ID 1. Because VLAN 1 is special, VLAN ID 1 is removed from packets by default when they are sent out from an AP, an AC, or a switch.

As a result, service packets sent out from the AP carry no service VLAN ID. When the packets reach the access switch, the access switch adds the management VLAN ID 100 to them. Service packets are therefore tagged with the management VLAN ID, which does not conform to the VLAN plan and may cause problems such as the following:

  • STAs obtain IP addresses from the management VLAN address pool, causing user service disorder, for example, user ACLs do not take effect.
  • Portal authentication pages fail to be pushed after Portal authentication is configured.

Recommended configuration: Not recommended. If such a configuration is needed, analyze the networking and services first.

Workaround: No workaround

Combination: The service and management VLANs are different, and the management VLAN ID is 1 (for example, service VLAN 100 and management VLAN 1).

Impact analysis: Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience.

Recommended configuration: Not recommended

Workaround: No workaround

Combination: The service and management VLANs are different, and neither of them is 1 (for example, service VLAN 100 and management VLAN 50).

Impact analysis: Optimal standard configuration.

Recommended configuration: Recommended

Workaround: NA

Combination: The service and management VLANs are both VLAN 1.

Impact analysis: Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience.

Recommended configuration: Not recommended

Workaround: No workaround

Combination: The service and management VLANs are the same but not 1 (for example, service VLAN 100 and management VLAN 100).

Impact analysis: Management packets sent out from APs carry no VLAN ID, while service packets carry the service VLAN ID 100. When management packets reach the access switch, the access switch adds the PVID 100 to them. The access switch transparently transmits service packets without processing their VLAN IDs. Downlink service packets of users carry VLAN ID 100. When these packets are sent out from switch interfaces, the service VLAN ID is treated as the management VLAN ID and removed. When the service packets reach an AP, the AP treats them as management packets and discards them. As a result, services are interrupted.

Recommended configuration: Prohibited.

Workaround: No workaround
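The tag handling described in the entries above, modelled in Python as an added example that is not part of the Huawei guide: the AP, switch and VLAN 1 behaviour follow the guide's description, while the function names are mine and the trunk port is assumed to send PVID frames untagged, as the guide's last entry describes.

```python
# Added example (not from the Huawei guide): a small model of the VLAN tag
# handling the guide describes for direct forwarding, used to check each
# service/management VLAN combination. UNTAGGED models a frame with no 802.1Q tag.
UNTAGGED = None


def ap_egress(service_vlan):
    """The AP tags a STA frame with the service VLAN; VLAN 1 leaves the AP untagged."""
    return UNTAGGED if service_vlan == 1 else service_vlan


def switch_ingress(tag, pvid):
    """Trunk port with 'port trunk pvid vlan <mgmt>': untagged frames get the PVID."""
    return pvid if tag is UNTAGGED else tag


def switch_egress(tag, pvid):
    """Frames in the PVID (and in VLAN 1) leave the trunk port untagged (assumption)."""
    return UNTAGGED if tag in (pvid, 1) else tag


def ap_ingress(tag, service_vlan):
    """The AP maps an untagged frame to VLAN 1; only service VLAN frames reach the STA."""
    vlan = 1 if tag is UNTAGGED else tag
    return "delivered" if vlan == service_vlan else "treated as management, discarded"


def analyze(service_vlan, mgmt_vlan):
    """Return (VLAN the uplink service frame carries on the wire, downlink result, verdict)."""
    uplink = switch_ingress(ap_egress(service_vlan), pvid=mgmt_vlan)
    # The reply comes back in whatever VLAN the request was seen in.
    downlink = ap_ingress(switch_egress(uplink, pvid=mgmt_vlan), service_vlan)
    if downlink != "delivered":
        verdict = "prohibited: services interrupted"
    elif uplink != service_vlan:
        verdict = "not recommended: service traffic tagged with management VLAN %d" % uplink
    elif 1 in (service_vlan, mgmt_vlan):
        verdict = "not recommended: VLAN 1 broadcast domain"
    else:
        verdict = "recommended"
    return uplink, downlink, verdict


if __name__ == "__main__":
    for svc, mgmt in [(1, 100), (100, 1), (100, 50), (1, 1), (100, 100)]:
        print(f"service {svc:>3} / management {mgmt:>3}: {analyze(svc, mgmt)}")
```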

Tunnel Forwarding

Each entry below gives the combination of service and management VLANs, the impact analysis, the recommended configuration, and the workaround.

Combination: The service and management VLANs are different, and the service VLAN ID is 1 (for example, service VLAN 1 and management VLAN 100).

Impact analysis: Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience.

Recommended configuration: Not recommended

Workaround: No workaround

Combination: The service and management VLANs are different, and the management VLAN ID is 1 (for example, service VLAN 100 and management VLAN 1).

Impact analysis: Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience.

Recommended configuration: Not recommended

Workaround: No workaround

Combination: The service and management VLANs are different, and neither of them is 1 (for example, service VLAN 100 and management VLAN 50).

Impact analysis: Optimal standard configuration.

Recommended configuration: Recommended

Workaround: NA

Combination: The service and management VLANs are both VLAN 1.

Impact analysis: Uplink direction: STA -> AP -> AC -> upper-layer network. Assume that a STA sends a broadcast packet in VLAN 1. The AP encapsulates this packet with a CAPWAP header, and it reaches the AC carrying the management VLAN ID 1. After decapsulating the CAPWAP packet, the AC finds that it is a broadcast packet (carrying service VLAN ID 1) sent by the STA, and broadcasts it. One copy of the packet is sent back to the AC and then to the AP. This forms a loop, which may interrupt user services.

For this reason, in tunnel forwarding mode the access interface on an AC does not allow packets from service VLANs to pass through.

Recommended configuration: Not recommended

Workaround: No workaround

Combination: The service and management VLANs are the same but not 1 (for example, service VLAN 100 and management VLAN 100).

Impact analysis: In a simple network consisting of a STA, an AP, and an AC, the AC (IP address 10.1.1.1, MAC address AAAA-BBBB-CCCC) serves as the user gateway. The AP's IP address is 10.1.1.2, and its management VLAN is VLAN 100. The STA's IP address is 10.1.1.254, and its service VLAN is VLAN 100.

A service packet is forwarded from the upper-layer network to the STA as follows: upper-layer network -> AC -> access switch -> AP -> STA. The inner Layer 2 header of the packet is as follows:

Layer 2 header: Source MAC address: AAAA-BBBB-CCCC(VLAN100) //This VLAN is the service VLAN.

In tunnel forwarding mode, the AC encapsulates a packet sent to the STA with an outer CAPWAP header. The outer CAPWAP header is as follows:

Layer 2 header: Source MAC address: AAAA-BBBB-CCCC(VLAN100) //This VLAN is the management VLAN.

When this packet reaches the AP through the wired interface, the inner Layer 2 header is invisible to the AP. The AP can only see the outer CAPWAP header, so a physical interface on the AP learns the AC's MAC address AAAA-BBBB-CCCC. The MAC address table is as follows:

-------------------------------------------------------
MAC Address    VLAN/VSI        Learned-From    Type
-------------------------------------------------------
AAAA-BBBB-CCCC  100/-          GE0/0/0           dynamic
-------------------------------------------------------

For a packet carrying the CAPWAP header sent to the STA, the AP decapsulates the packet to expose the inner Layer 2 header. The CAPWAP tunnel interface on the AP then learns the AC's MAC address AAAA-BBBB-CCCC again. The MAC address table is as follows:

-------------------------------------------------------
MAC Address    VLAN/VSI        Learned-From    Type
-------------------------------------------------------
AAAA-BBBB-CCCC  100/-          CAPWAP            dynamic
-------------------------------------------------------

In this way, the same MAC address in the same VLAN maps to two outbound interfaces: GE0/0/0 and CAPWAP. The MAC address flaps frequently between the two outbound interfaces, causing packet forwarding disorder and service exceptions.

NOTE:

No exception occurs when the AC does not serve as the user gateway.

Recommended configuration: Prohibited. MAC address flapping and user service exceptions occur.

Workaround: No workaround
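The MAC learning sequence from the last entry above, modelled in Python as an added example that is not part of the Huawei guide: the AC MAC address, the VLAN values and the two learning interfaces (GE0/0/0, CAPWAP) are the guide's, while the class and function names are mine and the non-gateway MAC address is a constructed placeholder.

```python
# Added example (not from the Huawei guide): a model of the MAC learning the
# guide describes on an AP in tunnel forwarding mode, used to show when the
# AC's MAC address flaps between the wired port and the CAPWAP interface.
AC_MAC = "AAAA-BBBB-CCCC"  # AC MAC address from the guide; the AC is the user gateway


def downlink_packet(mgmt_vlan, service_vlan, inner_src_mac=AC_MAC):
    """One CAPWAP-encapsulated frame from AC to STA: outer header in the
    management VLAN plus inner Layer 2 header in the service VLAN."""
    return {"outer": (AC_MAC, mgmt_vlan), "inner": (inner_src_mac, service_vlan)}


class ApMacTable:
    def __init__(self):
        self.entries = {}  # (mac, vlan) -> learned-from interface
        self.flaps = []    # (mac, vlan, old_interface, new_interface)

    def learn(self, mac, vlan, interface):
        key = (mac, vlan)
        old = self.entries.get(key)
        if old is not None and old != interface:
            self.flaps.append((mac, vlan, old, interface))  # MAC moved: a flap
        self.entries[key] = interface

    def receive(self, pkt):
        # The wired port sees only the outer CAPWAP header ...
        self.learn(*pkt["outer"], interface="GE0/0/0")
        # ... then decapsulation exposes the inner header on the CAPWAP interface.
        self.learn(*pkt["inner"], interface="CAPWAP")


def flap_count(mgmt_vlan, service_vlan, packets=4, inner_src_mac=AC_MAC):
    """Number of MAC moves after `packets` downlink frames under the given VLAN plan."""
    table = ApMacTable()
    for _ in range(packets):
        table.receive(downlink_packet(mgmt_vlan, service_vlan, inner_src_mac))
    return len(table.flaps)


if __name__ == "__main__":
    print("mgmt 100 / service 100:", flap_count(100, 100), "flaps")  # same key, two ports
    print("mgmt 50  / service 100:", flap_count(50, 100), "flaps")   # two distinct keys
    # Constructed placeholder MAC: the AC is not the gateway, so the inner source differs.
    print("AC not the gateway:    ", flap_count(100, 100, inner_src_mac="1111-2222-3333"), "flaps")
```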

Impact Analysis

The following table summarizes the configuration impact and recommendations.

NOTE:

For easy description, the VLANs in the table are only examples.

Each row gives the service VLAN and management VLAN, the configuration impact, and the recommended configuration.

Direct forwarding:

  • Service VLAN 1, management VLAN 100: Management VLAN tags are added to user service packets, causing service disorder. Not recommended.
  • Service VLAN 100, management VLAN 1: Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience. Not recommended.
  • Service VLAN 1, management VLAN 1: Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience. Not recommended.
  • Service VLAN 100, management VLAN 100: Data is incorrectly forwarded. Not recommended.
  • Service VLAN 100, management VLAN 50: Recommended standard configuration. Recommended.

Tunnel forwarding:

  • Service VLAN 1, management VLAN 100: Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience. Not recommended.
  • Service VLAN 100, management VLAN 1: Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience. Not recommended.
  • Service VLAN 1, management VLAN 1: MAC address flapping occurs, causing incorrect data forwarding. Not recommended.
  • Service VLAN 100, management VLAN 100: MAC address flapping occurs, causing incorrect data forwarding. Not recommended.
  • Service VLAN 100, management VLAN 50: Recommended standard configuration. Recommended.

Configuring a VLAN for an AP's Wired Interface

Networking Requirements

Figure 1-1 Networking diagram

The wired interface GE1 on the AP is directly connected to a PC. The PC obtains an IP address through VLAN 200.

When planning VLANs, you are advised to distinguish the VLAN on the wired side from that on the wireless side.

Configuration Introduction

  1. Create two AP wired port profiles: one for GE1 on the AP, which is directly connected to the PC, and one for GE0, which is directly connected to the switch.

    # Configure an AP wired port profile for GE1.

    [AC6605-wlan-view] wired-port-profile name ge1 
    [AC6605-wlan-wired-port-ge1] display this 
    # 
      mode endpoint 
      vlan pvid 200 
      vlan untagged 200 
    # 
    return

    # Configure an AP wired port profile for GE0.

    [AC6605-wlan-view] wired-port-profile name ge0 
    [AC6605-wlan-wired-port-ge0] display this 
    # 
      vlan tagged 200 
    # 
    return

  2. Bind the two AP wired port profiles to GE0 and GE1 on the AP, respectively.

    NOTE:

    When binding the AP wired port profiles, do not bind the profile whose wired interfaces are configured to work in endpoint mode to the AP's uplink interface, that is, the interface directly connected to the switch.

    [AC6605-wlan-view] ap-id 1 
    [AC6605-wlan-ap-1] display this 
    # 
      wired-port-profile ge0 gigabitethernet 0 
      wired-port-profile ge1 gigabitethernet 1 
    # 
    return

  3. On the path between the AP interface connected to the access switch and the DHCP server for service VLAN 200, allow packets from service VLAN 200 to pass through.
  4. Restart the AP. The PC directly connected to GE1 on the AP in wired mode obtains an IP address.

Common VLAN Configuration Errors

The following table lists common VLAN configuration errors.

Each entry gives the common configuration error and its impact.

  • Error: The access switch allows packets from a management VLAN to pass through, but the management VLAN is not created.
    Impact: APs fail to go online.
  • Error: No service VLAN is created on the AC or intermediate access switch, or a service VLAN is created but packets from this VLAN are not allowed to pass through.
    Impact: STAs fail to connect to the network after Layer 3 roaming; STAs fail to obtain IP addresses.
  • Error: A dynamic VLAN is configured on the authentication server but not on the AC.
    Impact: Authentication fails.
  • Error: The management-vlan command is incorrectly configured.
    Impact: APs fail to go online.

FAQ: Do I Need to Create a Service VLAN on an AC When the AC Is Deployed in Bypass Mode and Service Data Is Forwarded in Direct Mode?

When an AC is deployed in bypass mode, service data is forwarded in direct mode, and the AC functions as the gateway for STAs, service VLANs must be created on the AC.

When an AC is deployed in bypass mode, service data is forwarded in direct mode, and the AC does not function as the gateway for STAs, service data does not pass through the AC. Therefore, you do not need to create service VLANs locally on the AC. However, if 802.1X authentication is used, you need to create service VLANs on the AC because authentication packets are forwarded through CAPWAP tunnels.

Operations on the CLI and web platform are as follows:

  • On the CLI:

    Create service VLANs on the AC in any version.

  • On the web platform:

    For versions earlier than V200R008, create service VLANs on the AC. For V200R008 and later versions, the system automatically creates a service VLAN when you perform service VLAN configurations.

Updated: 2019-05-06

Document ID: EDOC1100081214
