BBSM 5.3 Multiple Guest VLANs Support

sushilk
Level 1

Can BBSM be configured to support more than 1 guest VLAN?

The following are brief requirements:

1) VLANs 2, 3, 4 (Office VLANs) = Bypass BBSM (no billing is required) and go to Firewall directly (Trunk port to PIX firewall)

2) VLANs 100, 101, 102, 103, etc. (Guest VLANs) - Requires multiple VLANs for security reasons.

The 3rd requirement is that I have a separate mgmt VLAN for switches & access points.

e.g. VLAN 50 - Mgmt VLAN for Switches

vlan 51 - mgmt vlan for APs.

Is this supported by BBSM?


smahbub
Level 6

amowat
Level 1

The BBSM can handle two VLANs. The idea behind this is to have one for devices and one for customers.

There are some issues that you should be able to find, and a couple bugs you may not be able to find (don't use vlan 255).

A question is, are you using multiple VLANs for a type of port to port security? Can the same security be attained by using Port Protected (switches) and PSPF (APs)? If so, then you don't need the superfluous VLANs and the BBSM is right for you. If not, and you need the multiple VLANs, you'll need a Unix based gateway that supports more than 2 VLANs.

JOHN BERGLUND
Level 1

You can do this with the BBSM. You would use the layer 3 approach and each VLAN would be considered a site.

I have a configuration in which I am trying to do this and am unsuccessful. I will attach the PPT of what I have, but I can not get the sites to work. If my host uses the BBSM for its DG it works fine. If I put a user in VLAN 2 or 3 I get the network problem page from the BBSM. I can't find any docs on how this should work. I think the problem is that the BBSM only looks at the VLAN 4 that is configured for clients. Any and all help would be appreciated.

When searching for clients BBSM uses SNMP to poll the BRIDGE-MIB on all switches. However you can define only one SNMP community string per switch and since the community string looks like community@ (eg public@100) BBSM will only be able to locate clients in the VLAN you specify with the community string (eg community string without "@" will actually poll VLAN 1).

You can have more than 2 vlans defined, BBSM will only talk to the ones it knows about. The others need to be handled by other devices.

In order to solve this problem in a Bridged environment you should either put all clients on each switch/AP in one VLAN per switch/AP.

Another possible solution is to find an aggregation point where all clients will be in the same VLAN - for example a port on the router. Please note this scenario would require use of a Routed design and not Switched/Bridged.

On a side note:

If you have BBSM configured for dual VLAN and you are using VLAN 1 for management, you are going to have issues. By default, VLAN 1 is untagged. When BBSM is configured for 1Q trunking, it expects to see all packets tagged. If you are using a 3550 as the connecting switch, you can use the IOS command: DOT1Q NATIVE VLAN TAGGING to force the tagging of all packets. Some switches do not support this command. For those that don't, you can work around this by issuing the SWITCHPORT TRUNK NATIVE VLAN where is a VLAN that is NOT defined on BBSM. In fact, make it a VLAN that is not defined anywhere.

Also, in order to make the AP communication work correctly, on the switchport that the AP is attached to, you will need the SWITCHPORT TRUNK NATIVE VLAN where is the VLAN that is used for management. This should match the same command on the AP.

We never use VLAN one for anything for security purposes. If I am using in my case VLAN 8 for management and 2-4 for machines, then I am OK if I use a separate switch for each VLAN then?


As long as you get the traffic from the other VLANs into the VLAN that BBSM is aware of for client traffic it should work for you. If BBSM has connectivity to the switches the clients connect to and the clients' traffic can get to the VLAN that BBSM is aware of you should be fine.
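
An added example, not written by any poster in this thread and not BBSM's own code, of the per-VLAN BRIDGE-MIB polling described in the reply about community strings: it parses constructed numeric snmpwalk output of the forwarding table for each VLAN context and reports which clients a poller limited to a single community@VLAN string would never see. The MAC addresses, port numbers and function names are assumptions made for the illustration.

```python
import re

# dot1dTpFdbPort in BRIDGE-MIB: the index is the learned MAC as six decimal
# sub-identifiers, the value is the bridge port it was learned on.
FDB_PORT_OID = ".1.3.6.1.2.1.17.4.3.1.2"
ROW = re.compile(re.escape(FDB_PORT_OID) + r"\.(\d+(?:\.\d+){5}) = INTEGER: (\d+)$")

# Constructed sample: numeric snmpwalk output, one walk per VLAN context.
WALKS = {
    100: ".1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 3\n",
    101: ".1.3.6.1.2.1.17.4.3.1.2.0.170.187.204.221.238 = INTEGER: 7\n"
         ".1.3.6.1.2.1.17.4.3.1.1.0.170.187.204.221.238 = Hex-STRING: 00 AA BB CC DD EE\n",
    102: ".1.3.6.1.2.1.17.4.3.1.2.2.0.94.16.0.1 = INTEGER: 9\n",
}

def vlan_community(base, vlan):
    """Community string in the community@VLAN form quoted in the thread."""
    return f"{base}@{vlan}"

def parse_fdb(walk_text):
    """Return {mac: bridge_port} from one walk; rows of other columns are skipped."""
    table = {}
    for line in walk_text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        octets = [int(p) for p in m.group(1).split(".")]
        if max(octets) > 255:  # not a valid MAC index
            continue
        table[":".join(f"{o:02x}" for o in octets)] = int(m.group(2))
    return table

def locate(mac, walks):
    """Return [(vlan, bridge_port)] for every VLAN context that has learned mac."""
    mac = mac.lower()
    tables = {vlan: parse_fdb(text) for vlan, text in walks.items()}
    return [(vlan, tables[vlan][mac]) for vlan in sorted(tables) if mac in tables[vlan]]

def unseen_by(polled_vlan, walks):
    """MACs (mapped to their VLAN) that a poller using only polled_vlan misses."""
    seen = parse_fdb(walks.get(polled_vlan, ""))
    return {mac: vlan for vlan, text in walks.items() if vlan != polled_vlan
            for mac in parse_fdb(text) if mac not in seen}

if __name__ == "__main__":
    for vlan in sorted(WALKS):
        print(vlan_community("public", vlan), parse_fdb(WALKS[vlan]))
    print("missed when polling only VLAN 100:", unseen_by(100, WALKS))
```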
