Multiple VLANs on one SSID: how does this actually work?

Unanswered Question
May 17th, 2007

I'm familiar with the procedure for bridging multiple VLANs between two Aironet bridges (e.g. 1300 series) over a single SSID, but I have no idea how it works, and that really bugs me.

Since frame tagging a la 802.1q isn't part of the WiFi protocols (at least I don't think it is), how do the bridges differentiate traffic in the 802.11 packets? Is there some Cisco-proprietary extension of the standards to support 802.1q tags in the 802.11 headers? Or is it something else?

b.julin Fri, 05/18/2007 - 11:39

As far as I know, the controller simply differentiates each client and places them on the configured VLAN. I don't think the LWAPs have any idea what VLANs are even in use. Could be wrong there, but my bet is it is all done on the controller.

gglynn Fri, 05/18/2007 - 11:43

This particular question doesn't involve LWAPP controllers, it's about Aironet bridges, which run IOS.

bcolvin Fri, 02/22/2008 - 11:40

George

In addition to the Native VLAN for the AP IP subnet, you will need to create an SSID/VLAN pair for each VLAN you want to bridge; the .1q trunking on the switch should do the rest.

I strongly suggest that you use the WEB interface to configure the VLANs, as doing it with the CLI is both cumbersome and prone to error.

This link explains it

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml

Good Luck

Bill

gglynn Fri, 02/22/2008 - 12:28

Hi, Bill,

Thanks for the reply, but I'm familiar with how to set it up, and have done so a number of times. My question boils down to, "How does it actually work?"

-George

bcolvin Fri, 02/22/2008 - 13:08

George

The AP in autonomous mode is basically a layer two device and does not know about IP and VLANs. This is a good question.

To answer your original question "Multiple VLANs on one SSID: how does this actually work?" the answer from Cisco is "Failure to recognize that multiple VLANs and SSIDs indicate multiple OSI Model Layer 3 subnets

Deprecated versions of Cisco Aironet software permit binding multiple SSIDs to one VLAN. Current versions do not"

The Packet headers have a VLAN tag field that the Switch or AP decodes/inserts depending on direction to determine the correct routing,

that is the short version

Bill

gglynn Fri, 02/22/2008 - 13:16

I'm afraid that I'm confused by your answer, Bill. Which "packet headers" have a "VLAN tag"? The wireless (802.11) packets? Which header field is it in? And why would a layer 2 device necessarily not understand VLANs? 802.1q is a layer 2 VLAN tagging protocol.

Keep in mind I'm specifically asking about *bridging* VLANs across a point-to-point wireless link using a single SSID, not about associating VLANs with SSIDs on a one-to-one basis (as for wireless client devices), and not about "binding multiple SSIDs to one VLAN" (from your post).

bcolvin Fri, 02/22/2008 - 13:26

George

Multiple VLANs on a single SSID are not supported by the current software; you must assign each VLAN to its own SSID.

The VLAN tags are in the packet headers between the Switch and the AP. Between the APs or AP and client the SSID/VLAN pair determines the logical routing.

I hope this helps

Bill

gglynn Fri, 02/22/2008 - 13:38

"Multiple VLANS on a single SSID are not supported by the current software."

This is true for APs and SSIDs used to serve client devices. However, this is not true for bridge links. According to the same configuration guide you quoted earlier, "When you bridge, there is no need to associate a separate SSID with each VLAN." Cisco explicitly instructs you to use only a single SSID when *bridging* multiple VLANs.

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#vlanbr

Again, I already know that this *does* work, I've got it in production on several customer networks. I want to know *how* it works. There's no concept of VLAN tagging in 802.11 as far as I know, so I want to know how one bridge device tells the other bridge device what VLAN a packet belongs to. If you don't know, that's okay, but that's the piece of information that I want to know.

bcolvin Fri, 02/22/2008 - 22:05

My best guess is that as you have configured your APs they are operating as a pure Layer 2 device for the bridge and as such do not examine the wired packets, just encapsulate them into a wireless packet for the bridge, and the AP on the other side removes the wireless encapsulation and forwards the packet to the wired network.

VLANs are then handled by the switches on either side of the bridge.

Hope this explanation holds water because it goes back to basic MAC layer bridging which appears to be what you are implementing.

this has been fun

Bill

scottmac Sat, 02/23/2008 - 06:55

I believe Bill has it pretty much nailed.

Keep in mind that "wireless bridging" is *not* part of the 802.11 standard and a manufacturer can make it work with elves and bunnies, if that's their chosen technology.

Because the devices also happen to be 802.11 APs, it just makes it easier to mutilate the existing protocols to gain that functionality.

(and probably a Good Thing, because the elves unions have tightened up their contract, and PETA is pitching a fit about servile bunnies for technological purposes).

That's why it is "difficult" (i.e., damn near impossible) to get wireless bridges (specifically bridges) from different vendors to inter-operate.

Straight-up L2 bridging (with adjustments for the dot1q) over proprietary link protocol sounds like a winner to me.

FWIW

Scott

Rob Huffman Sat, 02/23/2008 - 10:43

Hey Scott,

Perfect! 5 points for making my day with this wonderful answer :)

Take care my friend!

Rob

gglynn Sat, 02/23/2008 - 20:43

I want to know specifically how Cisco bridges multiple VLANs on a single SSID on the 1300 series outdoor wireless bridges (at least). In fact, this is precisely what I asked in the post that started this thread. If they fully encapsulate 802.1q-tagged 802.3 packets inside 802.11 packets, then that's what I want to know. If they add a proprietary field to the 802.11 header, then that's what I want to know. It's not "elves and bunnies."

scottmac Sat, 02/23/2008 - 23:37

The thing that makes the bridging proprietary is not the frame or headers, it's (usually) the timing.

If you really have to see it with your own eyeballs, load up a copy of WireShark (www.wireshark.org) with WinPcap (http://www.mirrorservice.org/sites/ftp.wiretapped.net/pub/security/packet-capture/winpcap) - both are free - and capture a stream; you'll see every byte of detail for all levels communicated.

And, for future reference, nobody here gets paid to answer your questions; if you get snippy and start demanding, I can pretty much guarantee crickets back atcha.

Your question was answered.

"Have a nice day"

Scott
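What to look for in such a capture, as an added example that is not part of any post in this thread: the sketch below takes the body of an 802.11 data frame (MAC header removed, already decrypted) and reports whether the LLC/SNAP header carries an 802.1Q tag (EtherType 0x8100) ahead of the real EtherType. The function names and sample bytes are constructed for illustration; whether Aironet bridges actually use this encoding is an assumption the thread never confirms.

```python
import struct

LLC_SNAP = bytes.fromhex("aaaa03")  # DSAP, SSAP, control field for SNAP
TPID_8021Q = 0x8100                 # EtherType value that marks an 802.1Q tag


def classify_frame_body(body: bytes) -> dict:
    """Classify one 802.11 data frame body as tagged, untagged, or other."""
    if len(body) < 8 or body[:3] != LLC_SNAP:
        return {"encap": "not LLC/SNAP", "vlan": None}
    (ethertype,) = struct.unpack("!H", body[6:8])
    info = {"encap": "LLC/SNAP", "oui": body[3:6].hex(),
            "vlan": None, "pcp": None, "ethertype": ethertype}
    if ethertype == TPID_8021Q:
        if len(body) < 12:
            return {"encap": "truncated 802.1Q tag", "vlan": None}
        # TCI: 3 bits priority, 1 bit DEI, 12 bits VLAN ID, then inner EtherType
        tci, inner = struct.unpack("!HH", body[8:12])
        info.update(vlan=tci & 0x0FFF, pcp=tci >> 13, ethertype=inner)
    return info


def vlans_seen(bodies) -> list:
    """Sorted VLAN IDs found across a set of frame bodies."""
    return sorted({v for v in (classify_frame_body(b)["vlan"] for b in bodies)
                   if v is not None})


# Constructed sample frame bodies (not taken from a real capture).
UNTAGGED_IPV4 = bytes.fromhex("aaaa03000000" "0800") + b"\x45\x00"
TAGGED_VLAN20 = bytes.fromhex("aaaa03000000" "8100" "0014" "0800") + b"\x45\x00"
TAGGED_VLAN30 = bytes.fromhex("aaaa03000000" "8100" "a01e" "0806") + b"\x00\x01"

if __name__ == "__main__":
    for name, body in [("untagged", UNTAGGED_IPV4),
                       ("vlan20", TAGGED_VLAN20),
                       ("vlan30", TAGGED_VLAN30)]:
        print(name, classify_frame_body(body))
    print("VLANs seen:", vlans_seen([UNTAGGED_IPV4, TAGGED_VLAN20, TAGGED_VLAN30]))
```

If every frame on the bridge link classifies as untagged while the wired trunks on both sides carry several VLANs, the VLAN information is being conveyed some other way than an in-band 802.1Q tag.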

Rob Huffman Sun, 02/24/2008 - 06:42

Hi Bill,

I just realised that I didn't also rate your great work with trying to explain this. 5 points for going the extra mile here :)

Take care,

Rob

gglynn Sat, 03/01/2008 - 12:27

He didn't answer the question, though. Can someone else answer the question I actually asked? Here it is again, reworked slightly to make it clearer:

Since VLAN tagging a la 802.1q isn't part of the WiFi protocols, how do Aironet 1300 series bridges differentiate traffic from different VLANs (tagged by 802.1q on the wire) when they're bridged over a single SSID? Is there some Cisco-proprietary extension of the standards to support 802.1q tags in the 802.11 headers, or are the 802.1q packets encapsulated completely within 802.11 packets, perhaps?
