Ethernet Bridging
Ethernet bridging allows you to connect remote wired networks to each other using the Ethernet port of the MAPs. A common use for Ethernet bridging is installing video cameras or street poles with the mesh APs. For bridging to work, every MAP and RAP in the path must have Ethernet bridging enabled.
Prior to code Release 5.2, Ethernet bridging only allowed the extension of the Layer 2 network in which the MAPs resided. So if the APs had IP addresses in VLAN 5, for example, you could only extend VLAN 5 to the remote wired network. The 5.2 release allows you to bridge multiple VLANs. Like the earlier feature, every AP in the mesh path back to the RAP and including the RAP must support bridging the same VLANs as the MAP with the wired connection. Figure 15-10 illustrates this concept.
)
Figure 15-10 VLAN Tagging Support Example Within a Mesh Network
If you do not allow the desired VLANs on all the MAPs, then in the event of a failure within the mesh network it is possible to break the bridging feature if a MAP in the new path to the RAP does not support a particular VLAN. In Figure 15-10, if MAP1 were to go down and MAP3 changed its parent to MAP2, the Ethernet bridging on MAP3 would fail for VLAN 2 because MAP2 does not support bridging VLAN 2.
After you have enabled Ethernet bridging support on your mesh APs you need to configure the VLAN tagging. Figure 15-11 shows the Ethernet configuration of an indoor RAP, and Figure 15-12 shows the same configuration on the indoor MAP.
)
Figure 15-11 RAP VLAN Tagging Configuration
)
Figure 15-12 MAP VLAN Tagging Configuration
The RAP Ethernet port is configured as a trunk port with VLAN 20 set to Native and allowing VLAN 12. You can add more VLANs by entering the VLAN into the Trunk VLAN ID box and clicking Add. With the Ethernet port set to Trunk, the AP accepts both tagged and untagged packets. Any tagged packets for a VLAN that is not in the allowed list are dropped.
Because the MAP is only bridging VLAN 12 in this case, the Ethernet port mode is Access. The AP tags the incoming untagged packet and forwards it to the RAP. Any tagged packets are dropped.
Mesh APs use VLAN transparency to perform Ethernet bridging when extending the Layer 2 network. To allow multiple VLAN bridging/tagging, you must disable VLAN transparency (see Figure 15-13) under the Wireless>Mesh>Ethernet Bridging section on the controller. When VLAN transparency is enabled, VLAN processing does not occur. This assumes that all traffic is destined to and from the same VLAN with no 802.1 tagging.
After you have disabled VLAN transparency, reboot the mesh APs for that setting to take effect.
)
Figure 15-13 VLAN Transparency
It is important to understand the traffic flow when using Ethernet bridging. Figure 15-14 shows the traffic flow for both wired and wireless clients within the mesh network with Ethernet bridging enabled.
)
Figure 15-14 Ethernet Bridging Traffic Flow
As you can see, with Ethernet bridging enabled, the traffic flow for wireless clients is unchanged. The wireless client packets are sent using LWAPP/CAPWAP data, which is sent through the encrypted backhaul to the controller. The controller then bridges that traffic to the wired network. The bridged wired client traffic, however, is bridged directly into the backhaul toward the RAP. The RAP then bridges the traffic directly onto the wired network. The wired bridged traffic is not sent back to the controller.
Several guidelines exist in addition to disabling VLAN transparency that allow the correct VLANs on the APs when you use the Ethernet bridging and VLAN tagging feature in 5.2 code:
- For security reasons, the Ethernet port on a mesh AP (RAP and MAP) is disabled by default. It is enabled by configuring Ethernet bridging on the MAP port.
- Ethernet bridging must be enabled on all the APs in the mesh network to allow Ethernet VLAN tagging to operate.
-
VLAN mode must be set as non-VLAN transparent (global mesh parameter).
VLAN transparent is enabled by default. To set as non-VLAN transparent, you must uncheck the VLAN transparent option in the global mesh parameters window.
- VLAN configuration on a mesh AP is applied only if all the uplink MAPs are able to support that VLAN.
- If uplink APs are not able to support the VLAN, the configuration is stored rather than applied.
-
VLAN tagging can be configured only on Ethernet interfaces.
On 152x mesh APs, three of the four ports can be used as secondary Ethernet interfaces: port 0-PoE in, port 1-PoE out, and port 3- fiber. Port 2 - cable cannot be configured as a secondary Ethernet interface.
In Ethernet VLAN tagging, port 0-PoE in on the RAP connects to the trunk port of the switch of the wired network. Port 1-PoE out on the MAP connects to external devices such as video cameras.
-
Backhaul interfaces (802.11a radios) act as primary Ethernet interfaces.
Backhauls function as trunks in the network and carry all VLAN traffic between the wireless and wired network. No configuration of primary Ethernet interfaces is required.
- The switch port in the wired network that is attached to the RAP (port 0-PoE in) must be configured to accept tagged packets on its trunk port. The RAP forwards all tagged packets received from the mesh network to the wired network.
- No configuration is required to support VLAN tagging on an 802.11a backhaul Ethernet interface within the mesh network. This includes the RAP uplink Ethernet port. The required configuration happens automatically using a registration mechanism. Any configuration changes to an 802.11a Ethernet link acting as a backhaul are ignored and a warning results. When the Ethernet link no longer functions as a back-haul, the modified configuration is applied.
- VLAN configuration is not allowed on a port-02-cable modem port of an 152x AP. VLANs can be configured on ports 0 (PoE-in), 1 (PoE-out), and 3 (fiber).
- If you are bridging between two MAPs, enter the distance (mesh range) between the two APs that are bridging. (This is not applicable to applications in which you are forwarding traffic connected to the MAP or to the RAP access mode.)
- Up to 16 VLANs are supported on each sector. Therefore, the cumulative number of VLANs supported by RAP's children (MAPs) cannot exceed 16.
- Ethernet ports on APs function as either access or trunk ports within an Ethernet tagging deployment.
- In Access mode, only untagged packets are accepted. All packets are tagged with a user-configured VLAN called access VLAN. For this mode to take effect, the global VLAN mode should be non-VLAN transparent. This option is used for applications in which information is collected from devices connected to the MAP, such as cameras or PCs, and then forwarded to the RAP. The RAP then applies tags and forwards traffic to a switch on the wired network.
- Trunk mode requires the user to configure a native VLAN and an allowed VLAN list (no defaults). In this mode, both tagged and untagged packets are accepted. Untagged packets are always accepted and are tagged with the user-specified native VLAN. Tagged packets are accepted if they are tagged with a VLAN in the allowed VLAN list. For this mode to take effect, the global VLAN mode should be non-VLAN transparent. This option is used for bridging applications such as forwarding traffic between two MAPs residing in separate buildings within a campus.
-
The switch port connected to the RAP must be a trunk.
The trunk port configuration on the switch and the RAP trunk port must match.
- A configured VLAN on a MAP Ethernet port cannot function as a management VLAN.
-
The RAP must always connect to the native VLAN (ID 1) on a switch.
The RAP's primary Ethernet interface is by default the native VLAN of 1.