VLAN Tags and Management


#1

I am testing the Mimosa Gear for a PtMP and am having some issues getting it to work like I want it to. What I want to do is have a management VLAN where I can manage the A5 and any C5s, and then data VLANs that are untagged on the LAN side of the C5s for customer use.

I am running the beta software 2.0.1.2 because of its extra VLAN support.

Below is my test setup…

The A5 is connected to my switch. The switch is programmed with 3 VLANs, 3, 20, and 30. 3 is the management VLAN, 20 is a data VLAN and 30 is a second data VLAN.

The A5 has the management VLAN enabled at 3 (this is working). I have set up 2 SSIDs, 1 for VLAN 20 and 1 for VLAN 30.

The C5 connects, but I cannot manage it remotely through VLAN 3. If I enable VLAN management on the C5, the VLAN seems to only be on the LAN and not on the WAN. If I do not have VLAN management enabled on the C5, it gets a lease from the Data VLAN.

Does anyone have any suggestions on how I can get my scenario to work?

Thank you in advance,
Gilbert


#2

Hi Gilbert,

The Management VLAN (at least for C5), per-SSID VLAN, and VLAN Passthrough features are mutually exclusive in 2.0.1.x. We are working on a method to enable the C5 Management VLAN in these cases, and will follow up once we have scoped this. There are many VLAN feature permutations and edge cases to work through.


#3

Any updates on this? Need the ability to tag a VLAN on the C5 Ethernet port, or to do VLAN passthrough and per-SSID tagging for C5 clients.


#4

Hi Carl,

Firmware version 2.0.2 (releasing this week) supports Management VLAN on C5 with or without VLAN Passthrough. C5 Management VLAN is not compatible with Per-SSID VLANs because we do not support 802.1ad (QinQ).


#5

Thanks, Chris,

Not sure why this would require QinQ. It's the same as a native VLAN on a trunk port, i.e.

switchport mode trunk
switchport trunk native vlan 100 (This would be the native VLAN for untagged (VL1) traffic on the SSID)
switchport trunk allowed vlan add 10, 20, 30 etc. (Or allow everything)


#6

The other way to support this would be allowing us to set the VLAN on the C5 Ethernet port. Using VLAN passthrough on the AP, this would work fine and would work the same way most fixed wireless gear works, i.e. Cambium 450.

Ideally, the CPE would default to a fallback IP without a VLAN when not connected to an AP, and then revert to the payload VLAN once connected to an AP.


#7

Hi Carl,

We understand the ask and logic behind it. We have shared your comments with our development team and are working toward providing options that accomplish this in future firmware versions.

We do not currently support native VLAN and trunk on the same SSID. With Per-SSID VLANs enabled, all traffic is tagged on Ethernet. With VLAN Passthrough, all traffic is treated as-is (tagged or untagged).


#8

As someone currently looking at and evaluating Mimosa to replace a large legacy WISP network, this is a major stumbling block and a show stopper for me.

There is NO way to restrict the management network from the Ethernet port on the C5 currently. Nothing thus stops any of our clients from simply ‘plugging in’ to our management network. The management network also cannot be firewalled further up, due to the diagnostics and cloud connectivity required for Mimosa.

Even with VLAN tagging the management LAN, the client can simply sniff the packets and tag their own traffic into the existing VLAN.

So, just how are we supposed to deploy secure networks, with Mimosa? It’s a year and a half later, and there’s still no resolution to this. Doesn’t sit too well with a new, prospective client, TBH.


#9

A separate Management VLAN can be configured on a device running pre-2.4.0 firmware. However, there are significant enhancements to the VLAN capabilities in version 2.4.0.

VLAN
In addition to a management VLAN, the A5, running 2.4.0, now supports several VLAN configuration options:

* VLAN per C5, including a default VLAN for un-provisioned subscribers. VLANs can be manually configured in the A5 GUI or automatically provisioned using RADIUS. When utilizing the default VLAN, an unassigned C5 can be placed into an onboarding or unsecured VLAN with access to a billing or setup portal.

* VLAN per SSID provides the same VLAN for all C5 clients connected to an SSID. The VLAN tag will be added to tagged and untagged uplink traffic.

* Trunk Mode. This mode was previously called Pass-through and simply passes through any tagged or untagged packets coming upstream from the C5.

VLAN Double Tagging (QinQ)
* Working in conjunction with the VLAN per C5 feature, double tagging permits a configurable TPID and will add an outer VLAN tag for enhanced core switching. This enables packets from a customer VLAN (C-VLAN) to be routed to a service provider’s or data center VLAN (S-VLAN) by adding an 802.1Q tag with a specified TPID for customized routing.
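Added example, not part of this thread or of Mimosa's firmware: a small Python audit for the concern raised in #8 (a subscriber tagging their own frames into the management VLAN) that also handles the QinQ tag stacks described in #9. It parses 802.1Q/802.1ad tag stacks on raw Ethernet frames and flags any frame captured on a subscriber-facing port that carries the management VLAN (VID 3, from the test setup in #1) at any tag depth. The frames are constructed sample data; the MAC addresses and the 0x9100 legacy TPID are assumptions.

```python
"""Inspect 802.1Q / 802.1ad (QinQ) tag stacks on raw Ethernet frames and flag
frames seen on a subscriber-facing port that carry the management VLAN."""
import struct

MGMT_VID = 3                       # management VLAN from the thread's test setup
# TPIDs that introduce a VLAN tag: 802.1Q C-tag, 802.1ad S-tag, legacy 0x9100 (assumed)
TAG_TPIDS = {0x8100, 0x88A8, 0x9100}

def parse_tags(frame: bytes):
    """Return (tags, payload_ethertype) where tags is a list of
    (tpid, pcp, dei, vid) tuples in outer-to-inner order."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset = 12                    # skip destination and source MAC
    tags = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if ethertype not in TAG_TPIDS:
            return tags, ethertype  # reached the real payload EtherType
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        # TCI layout: 3 bits PCP, 1 bit DEI, 12 bits VID
        tags.append((ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))

def audit_subscriber_frames(frames, mgmt_vid=MGMT_VID):
    """Return the indexes of frames whose tag stack contains the management
    VLAN at any depth; such frames should never originate on a subscriber port."""
    hits = []
    for i, frame in enumerate(frames):
        tags, _ = parse_tags(frame)
        if any(vid == mgmt_vid for _, _, _, vid in tags):
            hits.append(i)
    return hits

def _frame(*tags, ethertype=0x0800):
    """Build a constructed sample frame with the given (tpid, vid) tags."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("0242c5000001")  # assumed MACs
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)   # PCP=0, DEI=0
    return hdr + struct.pack("!H", ethertype) + b"\x00" * 46

SAMPLE_FRAMES = [                          # constructed capture from a C5 LAN port
    _frame(),                              # untagged customer traffic: fine
    _frame((0x8100, 20)),                  # tagged into data VLAN 20: fine
    _frame((0x8100, 3)),                   # customer-tagged into mgmt VLAN 3
    _frame((0x88A8, 20), (0x8100, 3)),     # QinQ with mgmt VLAN as inner C-tag
]
```

Running audit_subscriber_frames(SAMPLE_FRAMES) returns [2, 3], the two frames that would need to be dropped or alerted on at the subscriber port.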


#10