VLAN Deployment Guide for WLAN
Introduction
When using Huawei WLAN devices, users generally retain the default settings to simplify configuration. For example, the default service VLAN ID and management VLAN ID of an AP may both be 1. In this case, various problems may occur.
This document describes the impact of APs' service VLAN and management VLAN configurations on services in tunnel and direct forwarding modes, the recommended configurations, and common VLAN configuration errors. It aims to guide users in deploying services and to reduce such errors.
What Are the Management VLAN and Service VLAN?
Management VLAN
A management VLAN transmits packets that are forwarded through CAPWAP tunnels, including management packets and service data packets forwarded through CAPWAP tunnels.
Typically, a management VLAN is the VLAN configured using the capwap source interface command on an AC.
- Configuration command in V200R005C00 and earlier versions:
[AC6605] wlan
[AC6605-wlan-view] wlan ac source interface Vlanif 100
- Configuration command in V200R005C10 and later versions:
[AC6605] capwap source interface Vlanif 100
By default, management packets of APs are untagged, and an access switch directly connected to the APs adds VLAN tags to the management packets. In practice, the PVID of the access switch interface to which an AP directly connects needs to be configured as the management VLAN ID.
[Switch] interface GigabitEthernet 0/0/1
[Switch-GigabitEthernet0/0/1] port trunk pvid vlan 100
If no PVID is configured for the access switch to which an AP directly connects, the access switch adds the tag of VLAN 1 to the management packets by default. In this case, VLAN 1 is the management VLAN of the AP.
management-vlan
The management-vlan command is used to configure a management VLAN. In practice, the management VLAN is configured on an access switch directly connected to an AP. If the interface on the access switch directly connected to an AP is in use or has another PVID configured, run the management-vlan command to configure the management VLAN. You only need to configure the access switch connected to the AP to allow packets from the management VLAN to pass through, without the need to configure a PVID on the access switch.
The configuration method is as follows:
[AC6605] wlan
[AC6605-wlan-view] ap-system-profile name ap-system1
[AC6605-wlan-ap-system-prof-ap-system1] management-vlan 100
Warning: The incorrect management VLAN configuration will cause the AP to go out of management. This operation will make the AP reset. Continue? [Y/N]:y
After the configuration, restart the AP to make the management VLAN take effect.
Service VLAN
A service VLAN transmits service data packets. The default service VLAN is VLAN 1.
VLAN 1
VLAN 1 is a special VLAN. Use it with caution. Interfaces on a standard Layer 3 switch are added to VLAN 1 by default to run with zero configuration.
If a switch with zero configuration is used, the broadcast domain of VLAN 1 may be large, which may easily cause broadcast flooding. Therefore, it is not recommended that VLAN 1 be used as the management VLAN or service VLAN during WLAN planning.
Management VLAN and Service VLAN Recommendations
This chapter analyzes the impact of different combinations of service and management VLANs in direct and tunnel forwarding modes, and provides configuration recommendations.
Recommended Configuration
The following table summarizes the configuration impact and recommendations.
For easy description, the VLANs in the table are only examples.
Forwarding Mode | Service VLAN | Management VLAN | Configuration Impact | Recommended or Not
---|---|---|---|---
Direct forwarding | 100 | 50 | Recommended standard configuration. | Yes
Direct forwarding | 1 | 100 | Management VLAN tags are added to user service packets, causing service disorder. | No
Direct forwarding | 100 | 1 | Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience. | No
Direct forwarding | 1 | 1 | Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience. | No
Direct forwarding | 100 | 100 | Data is incorrectly forwarded. | Prohibited
Tunnel forwarding | 100 | 50 | Recommended standard configuration. | Yes
Tunnel forwarding | 1 | 100 | Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience. | No
Tunnel forwarding | 100 | 1 | Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience. | No
Tunnel forwarding | 1 | 1 | Broadcast and multicast packets of wireless services are still forwarded to the wired interfaces on APs, which may affect AP performance. | Prohibited
Tunnel forwarding | 100 | 100 | Broadcast and multicast packets of wireless services are still forwarded to the wired interfaces on APs, which may affect AP performance. | Prohibited
Impact of the Service VLAN and Management VLAN Configurations in Direct Forwarding Scenarios
Combination of Service and Management VLANs | Impact Analysis | Recommended Configuration
---|---|---
The service and management VLANs are different, and neither of them is 1. | Optimal standard configuration. | Recommended
The service and management VLANs are different, and the service VLAN ID is 1. | In direct forwarding mode, the AP tags user packets with the service VLAN ID 1. Because of the special nature of VLAN 1, VLAN ID 1 is removed from the packets by default when they are sent out from an AP, an AC, or a switch, so service packets leaving the AP carry no service VLAN ID. When the packets reach the access switch, the access switch adds the management VLAN ID 100 to them. Service packets are therefore tagged with the management VLAN ID, which does not conform to the VLAN planning. As a result, some problems may be caused, for example: | Not recommended. To perform such configuration, analyze the networking and services.
The service and management VLANs are different, and the management VLAN ID is 1. | Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience. | Not recommended
The service and management VLANs are both VLAN 1. | Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience. | Not recommended
The service and management VLANs are the same but not 1. | For example, service VLAN 100 and management VLAN 100. Management packets sent out from APs do not carry VLAN IDs, while service packets carry the service VLAN ID 100. When management packets reach the access switch, the access switch adds the PVID 100 to them; service packets are transparently transmitted without their VLAN IDs being processed. Downlink service packets for users carry the VLAN ID 100. When these packets are sent out from the switch interface, the service VLAN ID is treated as the management VLAN ID (the PVID) and removed. When the now-untagged service packets reach the AP, the AP treats them as management packets and discards them. As a result, services are interrupted. | Prohibited.
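The tag handling in the two problem rows above (service VLAN 1 with management VLAN 100, and service VLAN 100 with management VLAN 100) can be traced with a small simulation. The following Python code is an added example, not part of this guide or of Huawei's software; the `Frame`, `switch_egress_to_ap` and `ap_classify_downlink` names are constructed for the illustration, and the behaviour it encodes is only what the guide states: the AP sends VLAN 1 and management traffic untagged, the access switch strips the PVID tag (and VLAN 1) on egress toward the AP and adds the PVID on untagged ingress, and the AP treats an untagged frame on its wired uplink as a management-VLAN packet.

```python
"""Added illustration (not Huawei code) of 802.1Q tag handling between the
access switch and an AP in direct forwarding mode, following the guide's
description of the two failure rows in the table above."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Frame:
    vlan: Optional[int]   # None means the frame carries no 802.1Q tag
    payload: str


def switch_egress_to_ap(frame: Frame, pvid: int) -> Frame:
    """Trunk port toward the AP: the PVID tag is stripped on egress, and VLAN 1
    is stripped by default as well (the special handling of VLAN 1)."""
    if frame.vlan in (pvid, 1):
        return Frame(None, frame.payload)
    return frame


def switch_ingress_from_ap(frame: Frame, pvid: int) -> Frame:
    """Trunk port from the AP: an untagged frame receives the PVID tag."""
    if frame.vlan is None:
        return Frame(pvid, frame.payload)
    return frame


def ap_classify_downlink(frame: Frame, mgmt_vlan: int, service_vlan: int) -> str:
    """What the AP does with a frame arriving on its wired uplink.

    An untagged frame belongs to the management VLAN.  In the management VLAN
    the AP expects CAPWAP; plain user data there is treated as a management
    packet and discarded.  A service-VLAN frame is forwarded to the STA."""
    vlan = mgmt_vlan if frame.vlan is None else frame.vlan
    if vlan == mgmt_vlan:
        if frame.payload.startswith("CAPWAP"):
            return "processed as CAPWAP"
        return "dropped as management packet"
    if vlan == service_vlan:
        return "forwarded to STA"
    return "dropped: VLAN not configured on AP"


def downlink_result(service_vlan: int, mgmt_vlan: int) -> str:
    """Fate of a downlink user data frame: switch trunk port -> AP -> STA.
    The switch port's PVID equals the management VLAN, as the guide requires."""
    frame = Frame(service_vlan, "user data to STA")
    frame = switch_egress_to_ap(frame, pvid=mgmt_vlan)
    return ap_classify_downlink(frame, mgmt_vlan, service_vlan)


def uplink_vlan(service_vlan: int, mgmt_vlan: int) -> Optional[int]:
    """VLAN tag a STA's upstream data frame carries once it has passed the
    access switch.  The AP tags user traffic with the service VLAN, except that
    VLAN 1 leaves the AP untagged."""
    frame = Frame(None if service_vlan == 1 else service_vlan, "user data from STA")
    frame = switch_ingress_from_ap(frame, pvid=mgmt_vlan)
    return frame.vlan


if __name__ == "__main__":
    # Constructed combinations: the recommended one and the two problem rows.
    for service_vlan, mgmt_vlan in [(100, 50), (1, 100), (100, 100)]:
        print(f"service {service_vlan:>3} / mgmt {mgmt_vlan:>3}: "
              f"uplink tag={uplink_vlan(service_vlan, mgmt_vlan)}, "
              f"downlink={downlink_result(service_vlan, mgmt_vlan)}")
```

With service VLAN 100 and management VLAN 50 the downlink frame keeps its tag and reaches the STA; with both set to 100 the PVID strip removes the only tag, and the AP discards the frame as a management packet, which is the service interruption the table describes. With service VLAN 1 the uplink frame leaves the AP untagged and is re-tagged with the management VLAN 100 by the switch, which is the "management VLAN tags are added to user service packets" case.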
Impact of the Service VLAN and Management VLAN Configurations in Tunnel Forwarding Scenarios
Combination of Service and Management VLANs | Impact Analysis | Recommended or Not
---|---|---
The service and management VLANs are different, and neither of them is 1. | Optimal standard configuration. | Yes
The service and management VLANs are different, and the service VLAN ID is 1. | Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience. | No
The service and management VLANs are different, and the management VLAN ID is 1. | Network congestion may occur due to the large broadcast domain of VLAN 1 and broadcast flooding, affecting user experience. | No
The service and management VLANs are both VLAN 1. | Uplink direction: STA -> AP -> AC -> upper-layer network. Assume that a STA sends a broadcast packet in VLAN 1. The AP encapsulates this packet with a CAPWAP header, and it reaches the AC carrying the management VLAN ID 1. After decapsulating the CAPWAP packet, the AC finds that it is a broadcast packet (carrying service VLAN ID 1) sent by the STA, and broadcasts it. One copy of the packet is sent back toward the AC's AP-facing side and then to the AP, so the packet loops back to the AP, which may cause user service interruption. | Prohibited
The service and management VLANs are the same but not 1. | For example, service VLAN 100 and management VLAN 100. The AP learns the AC's MAC address AAAA-BBBB-CCCC once from the outer CAPWAP header on its wired interface GE0/0/0 and again from the inner header on its CAPWAP tunnel interface, both in VLAN 100, so the MAC address maps to two outbound interfaces, causing packet forwarding disorder and service exceptions. See the detailed analysis below the table. | Prohibited

Detailed analysis for service VLAN 100 and management VLAN 100 in tunnel forwarding mode:

In a simple network with a STA, an AP, and an AC, the AC (IP address 10.1.1.1, MAC address AAAA-BBBB-CCCC) serves as the user gateway. The AP's IP address is 10.1.1.2 and its management VLAN is VLAN 100. The STA's IP address is 10.1.1.254 and its service VLAN is VLAN 100. A service packet is forwarded from the upper-layer network to the STA along the path upper-layer network -> AC -> access switch -> AP -> STA.

The inner Layer 2 header of the packet is as follows:
Layer 2 header: Source MAC address: AAAA-BBBB-CCCC (VLAN 100) //This VLAN is the service VLAN.

In tunnel forwarding mode, a packet sent to the STA is encapsulated with an outer CAPWAP header on the AC. The outer CAPWAP header is as follows:
Layer 2 header: Source MAC address: AAAA-BBBB-CCCC (VLAN 100) //This VLAN is the management VLAN.

When this packet reaches the AP through the wired interface, the inner Layer 2 header is invisible to the AP. The AP can see only the outer CAPWAP header, so a physical interface on the AP learns the AC's MAC address AAAA-BBBB-CCCC. The MAC address table is as follows:

-------------------------------------------------------
MAC Address      VLAN/VSI   Learned-From   Type
-------------------------------------------------------
AAAA-BBBB-CCCC   100/-      GE0/0/0        dynamic
-------------------------------------------------------

The AP then decapsulates the CAPWAP packet sent to the STA, exposing the inner Layer 2 header, and the CAPWAP tunnel interface on the AP learns the AC's MAC address AAAA-BBBB-CCCC again. The MAC address table is as follows:

-------------------------------------------------------
MAC Address      VLAN/VSI   Learned-From   Type
-------------------------------------------------------
AAAA-BBBB-CCCC   100/-      CAPWAP         dynamic
-------------------------------------------------------

In this way, the AC's MAC address learned by the AP maps to two outbound interfaces, GE0/0/0 and CAPWAP, causing packet forwarding disorder and service exceptions.
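The duplicate MAC learning in the detailed analysis above can be reproduced with a small model of the AP's MAC table. The following Python code is an added example, not part of this guide or of Huawei's software. It keys the table by (MAC address, VLAN) as the guide's table output suggests, uses the guide's values (AC MAC AAAA-BBBB-CCCC, wired interface GE0/0/0, tunnel interface CAPWAP), and the `ApMacTable` and `receive_downlink_capwap` names are constructed for the illustration.

```python
"""Added illustration (not Huawei code) of MAC learning on an AP in tunnel
forwarding mode, for one downlink user packet that arrives inside a CAPWAP
tunnel.  The AC is the user gateway, so its MAC is the source MAC of both the
outer (management VLAN) and the inner (service VLAN) Ethernet header."""
from collections import defaultdict
from typing import Dict, List, Tuple

AC_MAC = "AAAA-BBBB-CCCC"   # value from the guide's worked case


class ApMacTable:
    """MAC table keyed by (MAC, VLAN).  A key normally maps to one interface;
    the model records every interface a key was learned on so that a conflict
    between the wired uplink and the tunnel interface is visible."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, int], List[str]] = defaultdict(list)

    def learn(self, mac: str, vlan: int, interface: str) -> None:
        interfaces = self.entries[(mac, vlan)]
        if interface not in interfaces:
            interfaces.append(interface)

    def conflicts(self) -> Dict[Tuple[str, int], List[str]]:
        """Keys learned on more than one outbound interface."""
        return {key: ifs for key, ifs in self.entries.items() if len(ifs) > 1}

    def render(self) -> str:
        """Layout resembling the table shown in the guide."""
        lines = ["MAC Address      VLAN/VSI   Learned-From   Type"]
        for (mac, vlan), interfaces in sorted(self.entries.items()):
            for interface in interfaces:
                lines.append(f"{mac:<16} {str(vlan) + '/-':<10} {interface:<14} dynamic")
        return "\n".join(lines)


def receive_downlink_capwap(table: ApMacTable, mgmt_vlan: int, service_vlan: int) -> None:
    """One packet AC -> access switch -> AP -> STA, as seen by the AP.

    Outer header: src = AC MAC, tag = management VLAN, received on GE0/0/0.
    Inner header (visible only after decapsulation): src = AC MAC (gateway),
    tag = service VLAN, received on the CAPWAP tunnel interface."""
    outer = {"src": AC_MAC, "vlan": mgmt_vlan, "iface": "GE0/0/0"}
    table.learn(outer["src"], outer["vlan"], outer["iface"])
    inner = {"src": AC_MAC, "vlan": service_vlan, "iface": "CAPWAP"}
    table.learn(inner["src"], inner["vlan"], inner["iface"])


def learned_interfaces(mgmt_vlan: int, service_vlan: int) -> List[str]:
    """Outbound interfaces the AP associates with the AC's MAC in the service VLAN."""
    table = ApMacTable()
    receive_downlink_capwap(table, mgmt_vlan, service_vlan)
    return list(table.entries[(AC_MAC, service_vlan)])


def is_forwarding_ambiguous(mgmt_vlan: int, service_vlan: int) -> bool:
    """True when one (MAC, VLAN) key points at both GE0/0/0 and CAPWAP."""
    table = ApMacTable()
    receive_downlink_capwap(table, mgmt_vlan, service_vlan)
    return bool(table.conflicts())


if __name__ == "__main__":
    for mgmt_vlan, service_vlan in [(50, 100), (100, 100)]:
        table = ApMacTable()
        receive_downlink_capwap(table, mgmt_vlan, service_vlan)
        print(f"management VLAN {mgmt_vlan}, service VLAN {service_vlan}:")
        print(table.render())
        print("conflict:", bool(table.conflicts()), "\n")
```

With management VLAN 50 and service VLAN 100 the two learning events produce two distinct keys, (AC MAC, 50) on GE0/0/0 and (AC MAC, 100) on CAPWAP, and forwarding toward the AC is unambiguous. With both VLANs set to 100 the same key is learned on both interfaces, which is the two-outbound-interface state the table above shows.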
Recommendations for Creating and Allowing Management VLANs and Service VLANs in Different Forwarding Modes
In direct forwarding mode
- If the AC is deployed in inline mode, create a management VLAN and a service VLAN on the AC. Configure the network devices between the AC and APs to allow packets from the management VLAN to pass through, and configure the network devices between the AP and upper-layer network to allow packets from the service VLAN to pass through.
- If the AC is deployed in bypass mode, create a management VLAN on the AC, and determine whether to create a service VLAN based on the site requirements. Configure the network devices between the AC and APs to allow packets from the management VLAN to pass through, and configure the network devices between the AP and upper-layer network to allow packets from the service VLAN to pass through.
If the AC serves as the user gateway, create the service VLAN on the AC.
If the AC does not serve as the user gateway, service data does not pass through the AC, so the service VLAN usually does not need to be created on the AC. However, if 802.1X authentication is used, authentication packets are forwarded through a CAPWAP tunnel, and in this case you must create the service VLAN on the AC.
Operations on the CLI and web platform are as follows:
- On the CLI: create service VLANs on the AC in any version.
- On the web platform: for versions earlier than V200R008, create service VLANs on the AC. For V200R008 and later versions, the system automatically creates a service VLAN when you perform service VLAN configurations.
In tunnel forwarding mode
In tunnel forwarding mode, the management VLAN and service VLAN must be created on the AC regardless of whether the AC is deployed in inline or bypass mode. Configure the network devices between the AC and APs to allow packets from the management VLAN to pass through, and configure the network devices between the AC and upper-layer network to allow packets from the service VLAN to pass through.
Example for the VLAN Configurations on an AP's Wired Interfaces
An AP can have wired users connected through its downlink wired interfaces. This example describes the VLAN configuration on an AP's wired interfaces.
Networking Requirements
The wired interface GE1 on the AP is directly connected to a PC. The PC obtains an IP address through VLAN 200.
When planning VLANs, you are advised to distinguish the VLAN on the wired side from that on the wireless side.
Configuration Introduction
- Create two AP wired port profiles for configuring GE1 on the AP directly connected to the PC and GE0 directly connected to the switch.
# Configure an AP wired port profile for GE1.
[AC-wlan-view] wired-port-profile name ge1
[AC-wlan-wired-port-ge1] mode endpoint
[AC-wlan-wired-port-ge1] vlan untagged 200
[AC-wlan-wired-port-ge1] vlan pvid 200
[AC-wlan-wired-port-ge1] quit
# Configure an AP wired port profile for GE0.
[AC-wlan-view] wired-port-profile name ge0
[AC-wlan-wired-port-ge0] vlan tagged 200
[AC-wlan-wired-port-ge0] quit
- Bind the two AP wired port profiles to GE0 and GE1 on the AP, respectively.
When binding the AP wired port profiles, do not bind the AP wired port profile in which the wired interfaces are configured to work in endpoint mode to the uplink interface on the AP directly connected to the switch.
[AC-wlan-view] ap-id 1
[AC-wlan-ap-1] wired-port-profile ge0 gigabitethernet 0
[AC-wlan-ap-1] wired-port-profile ge1 gigabitethernet 1
- Perform configurations to allow packets from service VLAN 200 to transmit between the interface on the AP connected to the access switch and the DHCP server corresponding to service VLAN 200.
- Restart the AP. The PC directly connected to GE1 on the AP in wired mode obtains an IP address.
Common VLAN Configuration Error Cases and Handling Suggestions
APs Cannot Go Online After a Management VLAN Is Configured
Fault Symptom
The management VLAN is incorrectly configured, causing APs to fail to go online.
Procedure
By default, management packets of APs are untagged, and the access switch directly connected to the APs adds VLAN tags to the management packets. After the management-vlan vlan-id command is executed, the management and control packets sent from APs to the AC carry the management VLAN tag. Use this command as the networking requires. The configuration takes effect only after the AP is restarted.
Error-prone configuration: A management VLAN is incorrectly configured, causing disconnection of intermediate networks.
- Check whether the management VLAN is configured and whether the AP restart reason can be found in the log (Reboot for AP management VLAN change).
WLAN/3/AP_NORMAL_TO_FAULT(l)[5415014]:AP changed from normal to fault. (MAC=[d0.d0.4b.ac.f7.e0 (hex)], ApID=18, Sysname=XXX-2-AP-x, Reason=Reboot for AP management VLAN change)
- Check whether access switches can learn the MAC address of the AP.
- Create the VLAN on the access switches and add the VLAN to the allowed list on the specified interfaces, so that the switches can learn the MAC address of the AP.
Suggestion:
- Modify the management VLAN and add the VLAN to the allowed list on the AC and access switches. In this manner, APs can communicate with the AC through the modified management VLAN.
- Configure VLAN mapping on the access switches to replace the original management VLAN with the correct VLAN.
- Delete the management VLAN configured on the AC.
- Create the correct management VLAN and configure VLAN mapping on the interface of the access switch. (If multiple interfaces are involved, run the interface range command and then configure the VLAN and VLAN mapping.)
#
interface GigabitEthernet0/0/1
 qinq vlan-translation enable
 port vlan-mapping vlan 400 map-vlan 1100
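The first check in this procedure, finding APs whose fault event carries the reason "Reboot for AP management VLAN change", can be run over a batch of AC log lines. The following Python code is an added example, not part of this guide or of Huawei's software. The first sample line copies the log format quoted above; the other two lines and their values are constructed for contrast (the "Heartbeat lost" reason text is a placeholder, not a real log string), and the `parse_ap_fault_events` and `aps_rebooted_for_mgmt_vlan_change` names are constructed for the illustration.

```python
"""Added illustration (not Huawei code): extract AP_NORMAL_TO_FAULT events
from AC log text and list the APs whose reboot is attributed to a management
VLAN change."""
import re
from typing import List

# Constructed sample log.  Line 1 follows the format quoted in the guide;
# lines 2 and 3 are invented for contrast.
SAMPLE_LOG = """\
WLAN/3/AP_NORMAL_TO_FAULT(l)[5415014]:AP changed from normal to fault. (MAC=[d0.d0.4b.ac.f7.e0 (hex)], ApID=18, Sysname=XXX-2-AP-x, Reason=Reboot for AP management VLAN change)
WLAN/3/AP_NORMAL_TO_FAULT(l)[5415015]:AP changed from normal to fault. (MAC=[d0.d0.4b.ac.f7.e1 (hex)], ApID=19, Sysname=XXX-2-AP-y, Reason=Reboot for AP management VLAN change)
WLAN/3/AP_NORMAL_TO_FAULT(l)[5415016]:AP changed from normal to fault. (MAC=[d0.d0.4b.ac.f7.e2 (hex)], ApID=20, Sysname=XXX-2-AP-z, Reason=Heartbeat lost)
"""

# Field layout taken from the log line quoted in the guide.
AP_FAULT_RE = re.compile(
    r"AP_NORMAL_TO_FAULT.*?"
    r"MAC=\[(?P<mac>[0-9a-fA-F.]+) \(hex\)\], "
    r"ApID=(?P<apid>\d+), "
    r"Sysname=(?P<sysname>[^,]+), "
    r"Reason=(?P<reason>[^)]+)\)"
)

MGMT_VLAN_REASON = "Reboot for AP management VLAN change"


def normalize_mac(dotted: str) -> str:
    """'d0.d0.4b.ac.f7.e0' (log form) -> 'd0d0-4bac-f7e0' (xxxx-xxxx-xxxx form)."""
    digits = dotted.replace(".", "").lower()
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def parse_ap_fault_events(log_text: str) -> List[dict]:
    """One dict per AP_NORMAL_TO_FAULT line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        match = AP_FAULT_RE.search(line)
        if match:
            events.append({
                "mac": normalize_mac(match.group("mac")),
                "apid": int(match.group("apid")),
                "sysname": match.group("sysname"),
                "reason": match.group("reason"),
            })
    return events


def aps_rebooted_for_mgmt_vlan_change(log_text: str) -> List[int]:
    """AP IDs whose fault reason is the management VLAN change reboot."""
    return [event["apid"] for event in parse_ap_fault_events(log_text)
            if event["reason"] == MGMT_VLAN_REASON]


if __name__ == "__main__":
    for event in parse_ap_fault_events(SAMPLE_LOG):
        print(event)
    print("APs rebooted for a management VLAN change:",
          aps_rebooted_for_mgmt_vlan_change(SAMPLE_LOG))
```

The AP IDs this returns are the ones to check next on the access switches (whether the AP's MAC address is learned, and whether the new management VLAN exists and is allowed on the AP-facing interface), as the remaining steps of the procedure describe.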
The Network Is Disconnected After STAs Roam at Layer 3
Fault Symptom
The network is disconnected after STAs roam at Layer 3.
Procedure
- Check the service VLAN configuration on the AC.
Error-prone configuration: Service VLANs are not created or not added to the allowed list, causing network disconnection after STAs roam at Layer 3.
Suggestion: Create the service VLANs and add them to the allowed list on the AC and intermediate switches.
All STAs Associated with an AP Cannot Obtain IP Addresses Automatically in DHCP Mode
Fault Symptom
All STAs associated with an AP cannot obtain IP addresses automatically in DHCP mode.
Procedure
- Check whether the undo dhcp trust port command is configured.
Error-prone configuration: The undo dhcp trust port command is configured in the AP wired port profile, causing STAs to fail to obtain IP addresses.
[AC6605-wlan-view] wired-port-profile name p1
[AC6605-wlan-wired-port-p1] undo dhcp trust port
Suggestion: Configure the dhcp trust port command.
- Check whether VLANs are created and added to the allowed list on intermediate networks.
  - Direct forwarding: check whether service VLANs are created on the AC and intermediate devices, and whether the VLANs are in the allowed list of the AC and intermediate devices.
  - Tunnel forwarding: check whether service VLANs are created and added to the allowed list on the AC.
Error-prone configuration: Service VLANs are not created or not added to the allowed list on the AC, causing disconnection of intermediate networks.
Suggestion: Create service VLANs and add them to the allowed list on the AC.
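Two of the wired-port mistakes this guide describes, binding an endpoint-mode profile to the AP's uplink (from the wired-interface example earlier) and leaving undo dhcp trust port in a profile (from the procedure above), can be caught by linting the AC's wlan-view configuration before APs are restarted. The following Python code is an added example, not part of this guide or of Huawei's software. It assumes, as in the guide's example, that gigabitethernet 0 is the AP's uplink to the access switch; the sample configuration is constructed (ap-id 1 copies the guide's example, while ap-id 2 and profile p1 contain the two mistakes), and the `parse_wlan_config` and `lint_wired_port_config` names are constructed for the illustration.

```python
"""Added illustration (not Huawei code): lint AP wired port profiles and their
bindings in a saved wlan-view configuration for the two error-prone settings
described in the guide."""
from typing import Dict, List, Tuple

# Assumption for this example: GE0 is the AP's uplink to the access switch,
# as in the guide's wired-interface example.
UPLINK_PORT = "gigabitethernet 0"

# Constructed configuration in the command style used by the guide.
SAMPLE_CONFIG = """\
wired-port-profile name ge1
 mode endpoint
 vlan untagged 200
 vlan pvid 200
 quit
wired-port-profile name ge0
 vlan tagged 200
 quit
wired-port-profile name p1
 undo dhcp trust port
 quit
ap-id 1
 wired-port-profile ge0 gigabitethernet 0
 wired-port-profile ge1 gigabitethernet 1
 quit
ap-id 2
 wired-port-profile ge1 gigabitethernet 0
 wired-port-profile p1 gigabitethernet 1
 quit
"""


def parse_wlan_config(text: str) -> Tuple[Dict[str, List[str]], List[Tuple[int, str, str]]]:
    """Return (profiles, bindings): profile name -> commands in that profile,
    and (ap-id, profile name, AP port) for each wired-port-profile binding."""
    profiles: Dict[str, List[str]] = {}
    bindings: List[Tuple[int, str, str]] = []
    current_profile = None
    current_ap = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "quit":                       # leave the current view
            current_profile = current_ap = None
        elif line.startswith("wired-port-profile name "):
            current_profile = line.split()[-1]
            profiles.setdefault(current_profile, [])
        elif line.startswith("ap-id "):
            current_ap = int(line.split()[1])
        elif current_ap is not None and line.startswith("wired-port-profile "):
            _, name, port_type, port_num = line.split()
            bindings.append((current_ap, name, f"{port_type} {port_num}"))
        elif current_profile is not None:
            profiles[current_profile].append(line)
    return profiles, bindings


def lint_wired_port_config(text: str) -> List[str]:
    """One finding per error-prone setting from the guide."""
    profiles, bindings = parse_wlan_config(text)
    findings: List[str] = []
    for name, commands in profiles.items():
        if "undo dhcp trust port" in commands:
            findings.append(f"profile {name}: 'undo dhcp trust port' is configured; "
                            "STAs behind this port cannot obtain IP addresses via DHCP")
    for ap_id, name, port in bindings:
        if name not in profiles:
            findings.append(f"ap-id {ap_id}: binds undefined profile {name}")
        elif "mode endpoint" in profiles[name] and port == UPLINK_PORT:
            findings.append(f"ap-id {ap_id}: endpoint-mode profile {name} is bound to "
                            f"the uplink {port}, which the guide says must not be done")
    return findings


if __name__ == "__main__":
    for finding in lint_wired_port_config(SAMPLE_CONFIG):
        print(finding)
```

On the sample configuration the lint reports profile p1 and the ap-id 2 uplink binding, and reports nothing for ap-id 1, which matches the guide's example. The parser understands only the commands shown on this page; other commands in a profile are kept as opaque lines.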
Authentication Fails When the AC Does Not Have a Dynamic VLAN Created
Fault Symptom
A dynamic VLAN is created on the authentication server, but the same VLAN is not created on the AC. As a result, authentication fails.
Procedure
- Check whether the dynamic VLAN is created on the AC.
Error-prone configuration: The AC does not have a dynamic VLAN created.
Suggestion: Create the corresponding VLAN on the AC.
Continue Reading About VLAN
- For the basics of VLAN, see What Is a VLAN?
- For VLAN deployment recommendations, see VLAN Deployment Recommendations.
- For the VLAN configuration for an AP's wired interface, see Configuring the Working Mode and VLAN for an AP's Wired Interface.
- For WLAN data forwarding modes, see WLAN Data Forwarding Modes.