08-11-2015 06:04 AM - edited 03-08-2019 01:19 AM
A little background: I've taken the first two of a four part Cisco CCNA course through my local community college and have a pretty decent grasp on VLANs and how to set them up with Cisco equipment.
The problem I'm looking for a solution to here is 3rd-party VLAN tagging (HP & Netgear) and how that operates with a Cisco switch. I've been researching this topic on the interwebs, but there's so much information out there, in bits and pieces here and there, that I'm having trouble putting it all together.
The first setup does not have a Cisco switch. It's a Netgear switch, a Sonicwall, an HP switch, 8 Sonicpoints on the Netgear switch and 1 Sonicpoint to be installed on the HP switch. The Sonicpoints are set to run on a 172.16.50.0 network. They pull IPs via DHCP. There are two VLANs set up for the Sonicpoints as 172.16.60.0 and 172.16.70.0 for guests and employees respectively. They're assigned VLAN IDs of 50, 60, and 70. The Sonicpoints themselves are untagged on each switch at the ports they plug into, on VLAN 50. Is this because that's the VLAN that contains the actual physical device address? The other two VLANs are tagged. Then on the port that crosses from Netgear to HP all three are tagged. I'm assuming this is like a basic trunk port that transfers all VLANs across the cable between switches. The setup on the HP is similar. So are my assumptions here correct as to why they're set up this way?
Now, what if I replaced the Netgear with a Cisco switch and had the Sonicpoints plugged in? What I've learned so far (and I'm sure I've forgotten as much) is that if you set up the VLAN on the port, it's either access or trunk, and that's that. If I set up the Sonicpoint ports as pure trunk, will they have an issue, or is there a way to do similar tagging in the Cisco switches? Is it even needed?
Now, the last part I probably should have asked first. Are these Sonicpoints basically switches? Is that why all the VLANs have to be "trunked" to them? Until I started working where I'm at now, I hadn't had any exposure to APs with multiple networks on them, so it was one port for one AP. If I look at them as a switch that has wireless connections, and that's more or less correct, that makes a lot more sense to me. I just need to figure out tagged vs. untagged and how that translates to Cisco gear.
08-11-2015 07:48 AM
Hello
From what you wrote I understand that you have a NetGear switch connecting 8 Sonicpoint wireless APs and those APs are managed through VLAN 50 (their management IPs are part of this VLAN). I also understand that the APs are connected to trunk ports on the NetGear where you are tagging frames belonging to VLANs 60 and 70 and not tagging frames belonging to VLAN 50. So in this scenario, all untagged frames are considered to be part of VLAN 50. This VLAN 50 is therefore the native VLAN and that's what is usually used for network management traffic (to separate it from user traffic). If on the trunk between your NetGear switch and your HP switch you are tagging VLAN 50 - that's absolutely fine if it fits your needs and doesn't change anything. It's still a trunk and frames from VLANs 50, 60 and 70 will be tagged when sent over it.
To be able to replace the NetGear switch with a Cisco Catalyst switch, make sure that the VLAN tagging protocol you use in your network is IEEE 802.1Q, which is standard and most likely the one you already have.
A wireless AP is basically a bridge (or switch if you will) in the sense that it bridges Ethernet frames to 802.11 frames and vice-versa. Usually when you have multiple SSIDs (like you have for guests and employees), you bridge frames from one VLAN (e.g. 60) to SSID guest and from the other VLAN (70) to SSID employees. That way you have different user traffic separated in the wireless space and also in the wired network because it's part of different VLANs. So there's one-to-one mapping between wireless SSIDs and wired VLAN IDs. In most scenarios, wireless APs are connected via a trunk port to a switch and the trunk carries traffic from various SSIDs tagged with a corresponding VLAN ID.
On a Cisco Catalyst switch the configuration of a trunk port (connecting to your wireless AP) would look something like this:
interface GigabitEthernet1/2
 description Trunk to Wireless AP 1
 ! not necessary on newer versions; where it is required, it must come before "switchport mode trunk"
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 50
 switchport mode trunk
!
interface GigabitEthernet1/3
 description Trunk to HP switch
 switchport mode trunk
Note: in the above example I'm not tagging frames belonging to VLAN 50 on port Gig1/2 facing a wireless AP and I'm tagging all frames (except the native VLAN - by default VLAN 1) on port Gig1/3 in direction to the HP switch. When configuring the new Cisco Catalyst ensure that you configure STP correctly so as not to mess up your network ;)
Best regards,
Martin
08-11-2015 12:11 PM
*From what you wrote I understand that you have a NetGear switch connecting 8 Sonicpoint wireless APs and those APs are managed through VLAN 50 (their management IPs are part of this VLAN). I also understand that the APs are connected to trunk ports on the NetGear where you are tagging frames belonging to VLANs 60 and 70 and not tagging frames belonging to VLAN 50. So in this scenario, all untagged frames are considered to be part of VLAN 50. This VLAN 50 is therefore the native VLAN and that's what is usually used for network management traffic (to separate it from user traffic). If on the trunk between your NetGear switch and your HP switch you are tagging VLAN 50 - that's absolutely fine if it fits your needs and doesn't change anything. It's still a trunk and frames from VLANs 50, 60 and 70 will be tagged when sent over it.*
Each AP is assigned an IP. I'm assuming this would just be considered a management IP? So if the IP of the basic LAN that all the desktops are plugged into is 192.168.1.0 /24 and the IPs to manage the APs are 172.16.50.0 /24, would the APs be untagged on the Netgear because they're physically plugged into those ports? The Sonicwall, which receives the IP from the APs for management, guest, and employee, is also on that switch, so they would not be tagged going into that device? But all three would have to be tagged going from switch to switch because they're on separate VLANs and traveling across switches, where on the second HP switch with one AP hooked up they're going out fa0/24 with the management VLAN untagged (where the AP is physically plugged in) and the other two VLANs tagged?
At that point, I just read in a big CCNA training book a line that said you do not want to change the native VLAN from 1. If the native VLAN is switched to 50 for the management VLAN of the switches, would it essentially be the same as sending that VLAN out of the port untagged on the Netgear and HP switches? Was that line from the book rubbish?
08-11-2015 11:07 PM
Hello
Yes, correct! The AP forwards L2 frames; it has no need to make decisions based on IP addresses, so the only IP address that you assign to it is for management purposes. Tagging always relates to a trunk. If on a trunk the native VLAN is configured as VLAN ID 50, then the switch will not tag frames belonging to this VLAN when sending over this trunk. Similarly, in the opposite direction, all frames received untagged on this trunk are considered to be part of VLAN 50. On other trunks it can be different.
You are correct in your observation of tagging between NetGear and HP and how trunking would work for the new AP connected to the HP switch.
I agree that in most scenarios it is not a good idea to have different native VLANs in your network. You should keep this consistent, because otherwise you are risking possible leaking of frames from one VLAN to another (e.g. if two switches interconnected by a trunk have an inconsistently configured native VLAN on this trunk).
Best regards,
Martin
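The tagging rules from Martin's two replies (native VLAN leaves a trunk untagged and untagged frames arriving on a trunk are filed under the receiving port's native VLAN), modelled as an added example; this is not code from the thread or from any vendor, and the MAC addresses and payload are constructed. `hop()` shows what happens to a VLAN 50 management frame when the Catalyst side of a trunk is left at its default native VLAN 1 instead of 50.

```python
import struct

ETHERTYPE_8021Q = 0x8100  # TPID that marks an IEEE 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample MAC addresses (locally administered, not from the thread).
AP_MAC = bytes.fromhex("020000000050")
FW_MAC = bytes.fromhex("020000000001")


def trunk_send(vlan_id, native_vlan, dst=AP_MAC, src=FW_MAC, payload=b""):
    """Frame a trunk port emits for traffic belonging to vlan_id.

    Frames in the port's native VLAN leave untagged; every other VLAN gets a
    4-byte 802.1Q tag: TPID 0x8100 followed by the TCI (PCP=0, DEI=0, 12-bit VID).
    """
    tag = b""
    if vlan_id != native_vlan:
        tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + payload


def trunk_receive(frame, native_vlan):
    """VLAN a trunk port assigns to an incoming frame.

    Tagged frame: the VID carried in the TCI. Untagged frame: the port's native VLAN.
    """
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return tci & 0x0FFF
    return native_vlan


def hop(vlan_id, native_a, native_b):
    """VLAN a frame ends up in after crossing a trunk from switch A to switch B."""
    return trunk_receive(trunk_send(vlan_id, native_a), native_b)


if __name__ == "__main__":
    # Both ends use native VLAN 50: management traffic stays in VLAN 50.
    print(hop(50, 50, 50))  # 50
    # Mismatch: A sends VLAN 50 untagged, B (Catalyst default native VLAN 1) files it under VLAN 1.
    print(hop(50, 50, 1))  # 1
    # Tagged user VLANs carry their VID in the tag and are unaffected by the native VLAN setting.
    print(hop(60, 50, 1))  # 60
```

The middle case is the leak Martin warns about: nothing on the wire distinguishes "untagged because it is VLAN 50 here" from "untagged because it is VLAN 1 there", so the two trunk ends must agree on the native VLAN.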