cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Get the latest Cisco news in this February issue of the Cisco Small Business Monthly Newsletter

3240
Views
0
Helpful
1
Replies
Highlighted

Quesiton about PVID , SA520, Native VLAN

Is PVID the same thing as "native vlan"? Can the native VLAN be changed on a SA520? Currently I believe it to be 1, I'd like to change the native VLAN to 10.

I have a scenario where I have a prexisting production LAN of  192.168.1.0/24 . It's a small organization (a church), but they purchased 3 Aironet 1130ag units. They want to have a "private" WLAN that is part of 192.168.1.0/24 , and a guest WLAN of a different subnet (I chose 192.168.20.0/24) . The two should never meet. There will likely never be a guest computer connected via ethernet. Guest computers would always have to connect wirelessly.

I accomplished this to a point.

I left VLAN 1 on the SA520 192.168.75.0/24 subnet as default.I created a VLAN 10 , 192.168.1.0/24 subnet, and I created a VLAN 20, 192.168.20.0/24 subnet.

VLAN Recap:

VLAN 1 , 192.168.75.0/24

VLAN 10, 192.168.1.0/24

VLLAN 20, 192.168.20.0/34

Ports 1-3 of the SA520 are members of VLAN 1, 10, and 20 (cannot remove membership of VLAN1, which is pretty annoying).

The Aironets have been configured correctly.

SSID: Priv is part of VLAN 10

SSID: Pub is part of VLAN 20

Both are secured by WPA, and when I connect, the proper DHCP subnet passes from the firewall through to the wireless client, for each respective SSID.

Ultimately, I'd like the SBS 2003 server to handle DHCP for VLAN 10, and have the SA520 handle DHCP for VLAN 20, but i'll take what I can get.

Here's my challenge:

The original production LAN is connected via an unmanged switch.

I'd like to trunk the unmanaged switch to Port 4 on the SA520. However, since the PVID (native vlan?) of SA520 is 1, and I cannot make Port 4 on the SA520 ony a member of VLAN 10, then anything traffic coming from the unanaged switch will automatically be tagged with VLAN1, correct? Thus causing the already existing production network to start receiving DHCP from the firewall in the 192.168.75.0/24 range.

Any ideas or help on the above?

What I would do if I had a managed switch on the production LAN:

If I had a managed switch on the production LAN, what I think I would do is make one port a trunk port, connect that port to Port 4 on the SA520, then make all the rest of the ports on the managed switch access ports, and members of VLAN 10. Am I on the right track there?

Hiccups when setting up the WAP:

I would have changed the VLAN 1 on SA520 to 192.168.1.0/24  subnet, and only created a second subnet, but there was a challenge  with that and the WAP's.

Cannot change the VLAN the dot11radio0 is a part of. There's not encapsulation command.

Could  not broadcast the SSID's successfully and secure via WPA unless the  SSID's were on VLAN's other than 1. The dot11radio0 would go into a  "reset" state.

Could change the VLAN subinterfaces  of dot11radio0 were on, for example dot11radio0.10 is a member of VLAN  10.  Dot11radio0.20 is a member of VLAN2.

In any event, it's working, but the rest of the infrastructure is the challenge.

Here's one of my  WAP configs as an example:

Building configuration...

Current configuration : 2737 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname WAP2

!

enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx

!

no aaa new-model

no ip domain lookup

!

!

dot11 syslog

!

dot11 ssid CASPRIV

   vlan 10

   authentication open

   authentication key-management wpa

   mbssid guest-mode

   wpa-psk ascii 7 107E1B101345425A5D4769

!

dot11 ssid CASPUB

   vlan 20

   authentication open

   authentication key-management wpa

   mbssid guest-mode

   wpa-psk ascii 7 132616013B19066968

!

!

!

username Cisco password 7 0802455D0A16

!

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption vlan 20 mode ciphers aes-ccm

!

encryption vlan 10 mode ciphers aes-ccm

!

ssid CASPRIV

!

ssid CASPUB

!

mbssid

channel 6

station-role root

bridge-group 1

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface Dot11Radio0.10

encapsulation dot1Q 10

ip address 192.168.1.5 255.255.255.0

no ip route-cache

bridge-group 10

bridge-group 10 subscriber-loop-control

bridge-group 10 block-unknown-source

no bridge-group 10 source-learning

no bridge-group 10 unicast-flooding

bridge-group 10 spanning-disabled

!

interface Dot11Radio0.20

encapsulation dot1Q 20

ip address 192.168.20.3 255.255.255.0

no ip route-cache

bridge-group 20

bridge-group 20 subscriber-loop-control

bridge-group 20 block-unknown-source

no bridge-group 20 source-learning

no bridge-group 20 unicast-flooding

bridge-group 20 spanning-disabled

!

interface Dot11Radio1

no ip address

no ip route-cache

shutdown

!

encryption mode ciphers aes-ccm

!

ssid CASPRIV

!

dfs band 3 block

channel dfs

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface FastEthernet0.10

encapsulation dot1Q 10

no ip route-cache

bridge-group 10

no bridge-group 10 source-learning

bridge-group 10 spanning-disabled

!

interface FastEthernet0.20

encapsulation dot1Q 20

no ip route-cache

bridge-group 20

no bridge-group 20 source-learning

bridge-group 20 spanning-disabled

!

interface BVI1

no ip address

no ip route-cache

!

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

bridge 1 route ip

!

!

!

line con 0

line vty 0 4

login local

!

Everyone's tags (4)
1 REPLY 1
Participant

Quesiton about PVID , SA520, Native VLAN

Hello Paul,

You have a lot going on here so forgive me if I miss something.

PVID is for Primary/Port Vlan ID. It is used to identify the vlan on a port and can be used to change the native vlan of a port. You can change the PVID on port 4 of the SA520 to be vlan 10 if you need to.

The simplest setup would be for you to have your private network all be on the native vlan 1 and set your guest to be on another vlan. All of this would be possible without any problem on the SA520. Unfortunately I do not have much experience with the Aironet APs but they should allow you to continue this configuration onto the wireless network. For assistance with the Aironet APs I would have to refer you to someone more familiar.

I do hope this helps with setting your network.