09-17-2011 05:39 AM
Is PVID the same thing as "native vlan"? Can the native VLAN be changed on a SA520? Currently I believe it to be 1, I'd like to change the native VLAN to 10.
I have a scenario where I have a preexisting production LAN of 192.168.1.0/24. It's a small organization (a church), but they purchased 3 Aironet 1130ag units. They want to have a "private" WLAN that is part of 192.168.1.0/24, and a guest WLAN of a different subnet (I chose 192.168.20.0/24). The two should never meet. There will likely never be a guest computer connected via ethernet. Guest computers would always have to connect wirelessly.
I accomplished this to a point.
I left VLAN 1 on the SA520 192.168.75.0/24 subnet as default. I created a VLAN 10, 192.168.1.0/24 subnet, and I created a VLAN 20, 192.168.20.0/24 subnet.
VLAN Recap:
VLAN 1 , 192.168.75.0/24
VLAN 10, 192.168.1.0/24
VLAN 20, 192.168.20.0/24
Ports 1-3 of the SA520 are members of VLAN 1, 10, and 20 (cannot remove membership of VLAN1, which is pretty annoying).
The Aironets have been configured correctly.
SSID: Priv is part of VLAN 10
SSID: Pub is part of VLAN 20
Both are secured by WPA, and when I connect, the proper DHCP subnet passes from the firewall through to the wireless client, for each respective SSID.
Ultimately, I'd like the SBS 2003 server to handle DHCP for VLAN 10, and have the SA520 handle DHCP for VLAN 20, but I'll take what I can get.
Here's my challenge:
The original production LAN is connected via an unmanaged switch.
I'd like to trunk the unmanaged switch to Port 4 on the SA520. However, since the PVID (native VLAN?) of the SA520 is 1, and I cannot make Port 4 on the SA520 only a member of VLAN 10, then any traffic coming from the unmanaged switch will automatically be tagged with VLAN 1, correct? Thus causing the already existing production network to start receiving DHCP from the firewall in the 192.168.75.0/24 range.
Any ideas or help on the above?
What I would do if I had a managed switch on the production LAN:
If I had a managed switch on the production LAN, what I think I would do is make one port a trunk port, connect that port to Port 4 on the SA520, then make all the rest of the ports on the managed switch access ports, and members of VLAN 10. Am I on the right track there?
Hiccups when setting up the WAP:
I would have changed the VLAN 1 on the SA520 to the 192.168.1.0/24 subnet, and only created a second subnet, but there was a challenge with that and the WAPs.
Cannot change the VLAN the dot11radio0 is a part of. There's no encapsulation command.
Could not broadcast the SSIDs successfully and secure via WPA unless the SSIDs were on VLANs other than 1. The dot11radio0 would go into a "reset" state.
Could change the VLAN the subinterfaces of dot11radio0 were on, for example dot11radio0.10 is a member of VLAN 10. Dot11radio0.20 is a member of VLAN 20.
In any event, it's working, but the rest of the infrastructure is the challenge.
Here's one of my WAP configs as an example:
Building configuration...
Current configuration : 2737 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname WAP2
!
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx
!
no aaa new-model
no ip domain lookup
!
!
dot11 syslog
!
dot11 ssid CASPRIV
   vlan 10
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 107E1B101345425A5D4769
!
dot11 ssid CASPUB
   vlan 20
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 132616013B19066968
!
!
!
username Cisco password 7 0802455D0A16
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 20 mode ciphers aes-ccm
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 ssid CASPUB
 !
 mbssid
 channel 6
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 ip address 192.168.1.5 255.255.255.0
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
 bridge-group 10 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 ip address 192.168.20.3 255.255.255.0
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers aes-ccm
 !
 ssid CASPRIV
 !
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 no bridge-group 10 source-learning
 bridge-group 10 spanning-disabled
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
interface BVI1
 no ip address
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
09-17-2011 01:03 PM
Hello Paul,
You have a lot going on here so forgive me if I miss something.
PVID is for Primary/Port VLAN ID. It is used to identify the VLAN on a port and can be used to change the native VLAN of a port. You can change the PVID on port 4 of the SA520 to be VLAN 10 if you need to.
The simplest setup would be for you to have your private network all be on the native vlan 1 and set your guest to be on another vlan. All of this would be possible without any problem on the SA520. Unfortunately I do not have much experience with the Aironet APs but they should allow you to continue this configuration onto the wireless network. For assistance with the Aironet APs I would have to refer you to someone more familiar.
I do hope this helps with setting up your network.
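Added example, not from either post in this thread and not SA520 or Aironet code: a small Python model of the 802.1Q ingress and egress rules behind the PVID question above and the reply's answer to it. It uses the port layout Paul describes (port 1 trunked to an AP carrying VLANs 1/10/20, port 4 to the unmanaged switch) with constructed port names, MAC addresses and payloads, and shows why untagged wired traffic lands in VLAN 1 while port 4's PVID is 1, why it lands in VLAN 10 once the PVID is 10, and why VLAN 20 membership on port 4 is what decides whether guest frames are ever sent toward the wired LAN.

```python
"""Toy 802.1Q port model: how PVID classifies untagged ingress and strips tags on egress.
Added example; port names, MACs and payloads are constructed, not taken from the thread."""
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int                # port/native VLAN: untagged ingress lands here; this VLAN leaves untagged
    members: FrozenSet[int]  # VLANs the port carries at all (PVID untagged, the rest tagged)


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vid: Optional[int] = None, ethertype: int = 0x0800) -> bytes:
    """Build an Ethernet frame; if vid is given, insert an 802.1Q tag (PCP=0, DEI=0)."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # TCI with only the VID bits set
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int], int, bytes]:
    """Return (dst, src, vid-or-None, ethertype, payload); the VID is the low 12 bits of the TCI."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == TPID_8021Q:
        tci, etype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, etype, frame[18:]
    return dst, src, None, etype, frame[14:]


def classify_ingress(port: Port, frame: bytes) -> Optional[int]:
    """Ingress rule: untagged frames get the PVID; tagged frames keep their VID only if the
    port carries that VLAN, otherwise they are dropped (None)."""
    _, _, vid, _, _ = parse_frame(frame)
    if vid is None:
        return port.pvid
    return vid if vid in port.members else None


def egress(port: Port, vid: int, frame: bytes) -> Optional[bytes]:
    """Egress rule: non-members get nothing; the PVID leaves untagged; other VLANs leave tagged."""
    if vid not in port.members:
        return None
    dst, src, _, etype, payload = parse_frame(frame)
    return build_frame(dst, src, payload, None if vid == port.pvid else vid, etype)


def forward(ports: Dict[str, Port], ingress_name: str, frame: bytes):
    """Flood a frame to every other port in its VLAN (no MAC learning, to keep the model small)."""
    vid = classify_ingress(ports[ingress_name], frame)
    out: Dict[str, bytes] = {}
    if vid is not None:
        for name, port in ports.items():
            if name != ingress_name:
                egr = egress(port, vid, frame)
                if egr is not None:
                    out[name] = egr
    return vid, out


def sa520_ports(port4_pvid: int, port4_members) -> Dict[str, Port]:
    """Constructed layout: port 1 trunks to an Aironet (VLANs 1/10/20), port 4 faces the unmanaged switch."""
    return {
        "port1_ap": Port("port1_ap", 1, frozenset({1, 10, 20})),
        "port4_lan": Port("port4_lan", port4_pvid, frozenset(port4_members)),
    }


# Constructed sample traffic: an untagged broadcast from a wired host, and a VLAN 20 frame from the AP.
WIRED_UNTAGGED = build_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", b"DHCPDISCOVER")
GUEST_TAGGED = build_frame(b"\xff" * 6, b"\x00\xaa\xbb\xcc\xdd\xee", b"guest-traffic", vid=20)


def wired_lands_in(port4_pvid: int) -> int:
    """VLAN the unmanaged switch's untagged traffic is classified into on port 4."""
    vid, _ = forward(sa520_ports(port4_pvid, {1, 10, 20}), "port4_lan", WIRED_UNTAGGED)
    return vid


def wired_reaches_ap_as(port4_pvid: int) -> Optional[int]:
    """Tag the AP trunk sees on that traffic (None means untagged, i.e. the AP's native VLAN 1)."""
    _, out = forward(sa520_ports(port4_pvid, {1, 10, 20}), "port4_lan", WIRED_UNTAGGED)
    return parse_frame(out["port1_ap"])[2]


def guest_leaks_to_wired(port4_members) -> bool:
    """Whether a VLAN 20 (guest) frame from the AP is sent out port 4 toward the unmanaged switch."""
    _, out = forward(sa520_ports(10, port4_members), "port1_ap", GUEST_TAGGED)
    return "port4_lan" in out


if __name__ == "__main__":
    print("port 4 PVID 1  -> wired traffic classified into VLAN", wired_lands_in(1))
    print("port 4 PVID 10 -> wired traffic classified into VLAN", wired_lands_in(10))
    print("guest VLAN 20 sent out port 4 with members {1,10,20}:", guest_leaks_to_wired({1, 10, 20}))
    print("guest VLAN 20 sent out port 4 with members {1,10}:   ", guest_leaks_to_wired({1, 10}))
```

The model is the generic 802.1Q behaviour, not a statement about what the SA520 firmware allows; the thread says VLAN 1 membership cannot be removed from a port, and the model leaves that as a parameter. The second check is the one worth keeping in mind for the guest/private split: an unmanaged switch typically forwards tagged frames unchanged, so as long as port 4 still carries VLAN 20, guest frames reach the wired segment even though the wired hosts are in VLAN 10; pruning VLAN 20 from port 4, where the device permits it, is what keeps the two apart.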