Make Netgate XG-7100 and Cisco Mobility Express work together on 2nd WLAN
-
Hello folks,
I have an XG-7100 and six Cisco APs (1830) controlled by Cisco Mobility Express (ME) which is a virtual controller built into the APs. I am able to make the Netgate XG and the Ciscos work together.
What I am having trouble with is making a second WLAN in a separate VLAN work with the XG. My config for the second WLAN:
on XG-7100:
Created interface: OfficeGuest with VLAN ID 3003; DHCP segment is at 10.10.30.x/24 (OfficeLAN is 10.10.0.0/21)
on Mobility Express:
Created 2nd WLAN: OfficeGuest; Native VLAN ID: 4000; VLAN ID: 3003; DHCP is handled by pfSense on the XG-7100
My wtf moments:
- There's a "Native VLAN ID" and a separate VLAN ID on the Mobility Express?? I cannot find their differences on the internet
- When I connect to the OfficeGuest wifi I still get an IP address from the OfficeLAN pool
Does anyone have any idea how to make the second WLAN work with the XG?
-
How are the access points connected to the XG-7100? If they are all connected to the Eth switch ports, did you create the VLAN in the switch config there?
Do you have VLAN 4000 configured anywhere?
I assume the OfficeLAN is using untagged coming from the XG-7100. If devices on guest are pulling an IP in that subnet, traffic from it must be arriving untagged somehow.
Steve
-
Hi Stephen,
The XG-7100 is connected to UnmanagedSwitch1, the access points are connected to a PoE switch and that PoE switch is connected to UnmanagedSwitch1. No VLANs configured in the switches. VLAN4000 is not configured anywhere. I have:
VLAN4080 on lagg0 for WAN1
VLAN4081 on lagg0 for LAN
VLAN4082 on lagg0 for WAN2
VLAN4083 on lagg0 for WAN3
VLAN3003 on lagg0 for OfficeGuest
I assume the OfficeLAN is using untagged coming from the XG-7100
I assume this also but looking at the above I am not exactly sure.
-
@noel-alanguilan how do you want to achieve your task with an unmanageable switch that doesn't work with VLANs at all?
If your PoE switch supports VLAN management you can disconnect it from the unmanageable switch and connect it directly to the XG-7100. Then configure tagged VLANs on the ports used on the XG-7100 and on the PoE switch too! The management VLAN for your Cisco will be LAN since you have all the network on the unmanaged switch.
In case your PoE switch does not support VLANs either: congratulations - buy new equipment that supports common needs or forget about VLANs.
-
@dragoangel said in Make Netgate XG-7100 and Cisco Mobility Express work together on 2nd WLAN:
how do you want to achieve your task with an unmanageable switch that doesn't work with VLANs at all?
Where does this nonsense come from? An unmanaged switch will pass VLANs. It just can't do anything else with them, such as assign to ports etc. In this situation, there should be no difference between having an unmanaged switch in the path and an Ethernet cable.
The only difference between a VLAN frame and any other is the contents of the Ethertype field. Here is a list of the various Ethertypes. Any switch that can't pass every one of them is defective.
-
@noel-alanguilan
How is the switch in the XG-7100 configured? Did you tag through VLAN 3003 to whichever port it's connected to?
The output of etherswitchcfg will show that.
@JKnott said in Make Netgate XG-7100 and Cisco Mobility Express work together on 2nd WLAN:
Where does this nonsense come from?
From the fact that some seemingly unmanaged switches do not pass VLANs as you might expect them to. You can say that they should and I won't disagree but I wouldn't rely on it without testing.
Steve
-
@stephenw10 said in Make Netgate XG-7100 and Cisco Mobility Express work together on 2nd WLAN:
From the fact that some seemingly unmanaged switches do not pass VLANs as you might expect them to. You can say that they should and I won't disagree but I wouldn't rely on it without testing.
I'd really like to know why any unmanaged switch would do that. In order to block VLANs, the switch would have to read the Ethertype and then block on it. That seems a bit strange, given that a switch is supposed to pass all frames, regardless of the Ethertype/length field.
-
I agree. My own theory is that it's actually cheaper now to use a switch chip that supports VLANs even if you don't expose the option to do so. That, probably, works fine as long as it's actively set in port vlan mode or defaults to that mode.
The most times I've run into it are people using the switch built into some SOHO router. Those are almost always VLAN capable and many times are in fact configured for VLANs to separate the ports as WAN/LAN. But they usually don't expose any of the VLAN options to the user.
Steve
-
@stephenw10 said in Make Netgate XG-7100 and Cisco Mobility Express work together on 2nd WLAN:
My own theory is that it's actually cheaper now to use a switch chip that supports VLANs even if you don't expose the option to do so.
Given the frame expansion to support VLANs has been around for 20 years, any device compliant with the current spec will allow them. The only significant difference with a VLAN frame is the contents of the Ethertype field and the 4 extra bytes to hold the tag. Older gear, that supports only 1500 bytes, would fail, as the VLAN frame would be too big. In that case, just reduce the MTU on the network to 1496 and problem solved.
-
Here's some info about the Ethernet specs. Frame expansion to support VLANs came in with 802.3ac in 1999 and was incorporated into the base spec with 802.3-2002 in 2002. So, any gear compliant with 802.3-2002 or later must be able to pass VLANs, regardless of whether it's capable of being configured for VLANs.
-
Yup, that's all true. But if you set a 5 port switch chip in 802.1q mode and just put all the ports in VLAN1 it will appear as an unmanaged switch but won't pass VLANs. That's what you get in a SOHO device with a built in switch.
Steve
-
@stephenw10 said in Make Netgate XG-7100 and Cisco Mobility Express work together on 2nd WLAN:
Yup, that's all true. But if you set a 5 port switch chip in 802.1q mode and just put all the ports in VLAN1 it will appear as an unmanaged switch but won't pass VLANs. That's what you get in a SOHO device with a built in switch.
Steve
That would be QinQ, which became part of the VLAN spec with 802.1ad in 1998. Try an experiment with that 5 port switch you mentioned (Why does the number of ports have anything to do with this?). Ping with a VLAN tag and then try a file transfer spanning multiple frames. If the ping passes, but the full-MTU frames of the file transfer fail, then you're hitting a hard limit. If the switch complied with 802.3-2002, but not later, then you might run into that problem. However, later specs, providing for larger frames, would not have that issue. 802.3as, which supports up to 2K bytes, appeared in 2003. Since then supported frame sizes have increased significantly. 9K jumbo frames are commonly used now and some SOHO level switches support up to 16K.
-
The number of ports obviously has nothing to do with it. I only chose that because they are commonly built into SOHO routers, which is where I have hit this most often.
It has nothing to do with frame size. If that is a problem it's something else I'm not referring to here.
If the switch chip is configured for .1q mode it will drop packets tagged for any VLAN it's not configured with.
Anyway this is not helping the OP so that's all from me.
Steve
-
I apologize guys. We had to scramble a bit because of a 2-drive crash on a NAS, incident reports, UGH.
etherswitchcfg output is:
etherswitch0: VLAN mode: DOT1Q
port1:
pvid: 4080
state=8<FORWARDING>
flags=0<>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
port2:
pvid: 4081
state=8<FORWARDING>
flags=0<>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
port3:
pvid: 4082
state=8<FORWARDING>
flags=0<>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
port4:
pvid: 4083
state=8<FORWARDING>
flags=0<>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
port5:
pvid: 3001
state=8<FORWARDING>
flags=0<>
media: Ethernet autoselect (none)
status: no carrier
port6:
pvid: 3001
state=8<FORWARDING>
flags=0<>
media: Ethernet autoselect (none)
status: no carrier
port7:
pvid: 3001
state=8<FORWARDING>
flags=0<>
media: Ethernet autoselect (none)
status: no carrier
port8:
pvid: 3001
state=8<FORWARDING>
flags=0<>
media: Ethernet autoselect (none)
status: no carrier
port9:
pvid: 1
state=8<FORWARDING>
flags=1<CPUPORT>
media: Ethernet 2500Base-KX <full-duplex>
status: active
port10:
pvid: 1
state=8<FORWARDING>
flags=1<CPUPORT>
media: Ethernet 2500Base-KX <full-duplex>
status: active
laggroup0:
members 9,10
vlangroup0:
vlan: 1
members none
vlangroup1:
vlan: 4080
members 1,9t,10t
vlangroup2:
vlan: 4081
members 2,9t,10t
vlangroup3:
vlan: 4082
members 3,9t,10t
vlangroup4:
vlan: 4083
members 4,9t,10t
vlangroup5:
vlan: 3001
members 5,6,7,8
vlangroup6:
vlan: 3003
members 9t,10t
-
I read that the ports in an unmanaged switch will just forward anything that is thrown at them, which includes tagged and untagged traffic, so this challenge I'm having is in the interaction between the virtual wireless controller and the XG-7100.
Guys, FYI, this thread has been very informative for me and made me "read more to learn more". Thanks, I appreciate this.
-
@noel-alanguilan said in Make Netgate XG-7100 and Cisco Mobility Express work together on 2nd WLAN:
I read that the ports in an unmanaged switch will just forward anything that is thrown at them which includes tagged and untagged traffic
Yep. That's the point I often have to make. You'd be surprised at the number of people who don't understand that. They seem to think there's something magic about VLANs that causes an unmanaged switch to choke on them.
Incidentally, my experience with Ethernet goes back almost 35 years, to the days of DECNet over 10Base5. My LAN experience goes back to 1978, with a proprietary Rockwell Collins system that used time slots, rather than packets. As I came up as a tech, working hands on with the hardware, I tend to get fussy with the details. Also, I'm probably the only one here who has actually hand wired an Ethernet controller, built on a prototyping board with discrete logic ICs.
-
Ok there are several problems there.
Which port on the XG-7100 is connected to Unmanagedswitch1? It looks like it's probably on LAN so that would be port 2 only.
That is the port you need VLAN3003 to be tagged out on.
The switch config for VLAN 3003 should read:
vlangroup6:
vlan: 3003
members 2t,9t,10t
The actual VLAN group number there is not relevant. VLAN 3001 appears to be something else there.
EDIT: Moved out of wireless, this isn't a wifi issue.
Steve
-
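To make Steve's diagnosis checkable, here is an added example (not from the thread or from Netgate) that parses the vlangroup section of the etherswitchcfg output posted above and shows why a VLAN 3003 frame can never reach port 2 with the posted config: the switch is in 802.1Q mode, so a VLAN with no member port on the egress side is simply dropped, exactly Steve's earlier point. The output sample is copied from the thread; the function names and the `fix_vlangroup` helper are my own.

```python
import re

# Constructed sample: the relevant vlangroup entries from the etherswitchcfg
# output posted in the thread (untagged members are bare port numbers,
# tagged members carry a "t" suffix).
ETHERSWITCHCFG = """\
vlangroup2:
vlan: 4081
members 2,9t,10t
vlangroup6:
vlan: 3003
members 9t,10t
"""

def parse_vlangroups(text):
    """Return {vid: {port: tagged}} from etherswitchcfg vlangroup output."""
    groups, vid = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"vlan:\s*(\d+)$", line)
        if m:
            vid = int(m.group(1))
            groups[vid] = {}
        elif line.startswith("members") and vid is not None:
            for member in line.split(None, 1)[1].split(","):
                member = member.strip()
                if member and member != "none":
                    groups[vid][int(member.rstrip("t"))] = member.endswith("t")
    return groups

def egress_ports(groups, vid, ingress_port):
    """Ports a frame tagged with `vid` may leave on, mapped to whether it
    leaves tagged. In DOT1Q mode a VLAN without member ports is dropped."""
    members = groups.get(vid, {})
    return {p: t for p, t in members.items() if p != ingress_port}

def fix_vlangroup(groups, vid, port, tagged=True):
    """Add a port to a VLAN's member set (Steve's 'members 2t,9t,10t' fix)."""
    groups.setdefault(vid, {})[port] = tagged
    return groups

def format_members(groups, vid):
    """Render a VLAN's members in etherswitchcfg notation, e.g. '2t,9t,10t'."""
    return ",".join(f"{p}{'t' if t else ''}" for p, t in sorted(groups[vid].items()))

if __name__ == "__main__":
    g = parse_vlangroups(ETHERSWITCHCFG)
    print("VLAN 3003 from CPU port 9 reaches:", egress_ports(g, 3003, 9))
    fix_vlangroup(g, 3003, 2)
    print("after fix, vlangroup6 members:", format_members(g, 3003))
```
-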
I must apologize to everyone who replied to this thread for being absent. The XG-7100 just stopped responding via web on all interfaces one Sunday and I just had to take care of that issue first before proceeding to this thread. FYI, the XG-7100 was throwing filesystem full messages via console and everything slowed down to a crawl. I was able to do a reset to factory, restore from backup and all is well again but under observation. This is for another thread.
Yes, the XG-7100 is connected to UnmanagedSwitch1 via LAN (port2). Okay, I'll try that switch config in a bit and report back.
Thanks for moving this to the proper area, Steve.