Does the AP or the BSC's managed interface have to be on a trunk port allowing the appropriate VLANs? This may be referred to as tagging VLANs on some switches.

Version 2

    Q: Does the AP or the BSC's managed interface have to be on a trunk port allowing the appropriate VLANs? This may be referred to as tagging VLANs on some switches.

     

    A: Bluesocket Access Points

    By default, BSAPs tunnel traffic back to the BSC in EtherIP (IP protocol 97). The 802.1Q VLAN tagging is performed inside the tunnel and is not exposed to the switch. If you are using BlueSecure access points, you are not required to put the BSAPs or the BSC's managed interface on trunk ports; they can be placed on access ports, which some switches call untagged ports. The exception is the BSAP-1600, which does not support EtherIP tunneling.

     

    3rd Party Access Points

    If you are using 3rd party access points and want to deploy multiple SSIDs assigned to multiple managed-side VLANs, both the 3rd party access points and the BSC's managed interface must be placed on trunk ports. This may be referred to as tagging VLANs on some switches. Here is an example VLAN setup with the BSC, a 3rd party AP, and Cisco switches.

     

    - BSC's protected physical interface on VLAN 5. This could be the existing wired network or a DMZ.

    - BSC's managed physical interface on VLAN 10. VLAN 10 is used for 3rd party AP management in this example.

    - Employee SSID assigned to managed VLAN 15

    - Guest SSID assigned to managed VLAN 20

     

    BSC's Protected Interface Switchport Configuration

    switchport mode access

    switchport access vlan 5

     

    BSC's Managed Interface Switchport Configuration

    switchport trunk encapsulation dot1q

    switchport mode trunk

    switchport trunk allowed vlan 10,15,20

    switchport trunk native vlan 10

     

    3rd Party AP's Switchport Configuration

    switchport trunk encapsulation dot1q

    switchport mode trunk

    switchport trunk allowed vlan 10,15,20

    switchport trunk native vlan 10

     

    ***The physical interfaces of the BSC cannot send or receive dot1q tags; only the VLAN interfaces can. Notice that in the configuration above, the protected physical interface is on an access port (untagged) and the managed physical interface is on the native VLAN of the trunk (untagged).

     

    Here is the same example VLAN setup with HP switches.

     

    vlan 5 untagged e10
    vlan 10 untagged e11,e12
    vlan 15 tagged e11,e12
    vlan 20 tagged e11,e12

     

    This example assumes the BSC's protected interface is plugged into switchport e10, the managed interface into e11, and the 3rd party AP into e12.

     

    ***Notice that the protected physical and managed physical interfaces are untagged and the managed VLAN interfaces are tagged. The physical interfaces of the BSC cannot send or receive dot1q tags; only the VLAN interfaces can.
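
    Added example (not part of the original article and not Bluesocket tooling): a Python script that maps the Cisco trunk settings above onto HP tagged/untagged membership and checks the rule that the BSC's physical interface is untagged while the SSID VLANs are tagged. The Cisco interface names e10/e11/e12 are assumed so the result lines up with the HP example; VLAN ranges and trunks without an allowed list are not handled.

```python
import re
from collections import defaultdict

# Constructed input: the page's Cisco example, with hypothetical interface names
# matching HP ports e10 (protected), e11 (managed) and e12 (3rd party AP).
CISCO = """\
interface e10
 switchport mode access
 switchport access vlan 5
interface e11
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,15,20
 switchport trunk native vlan 10
interface e12
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,15,20
 switchport trunk native vlan 10
"""

def parse_ports(text):
    """Return {port: {"untagged": vlan, "tagged": set of vlans}}."""
    ports, cur = {}, None
    for line in text.splitlines():
        line = line.strip().lower()
        if m := re.fullmatch(r"interface (\S+)", line):
            cur = ports[m[1]] = {"untagged": 1, "allowed": set()}  # Cisco default VLAN 1
        elif cur and (m := re.fullmatch(r"switchport (?:access|trunk native) vlan (\d+)", line)):
            cur["untagged"] = int(m[1])
        elif cur and (m := re.fullmatch(r"switchport trunk allowed vlan ([\d,]+)", line)):
            cur["allowed"] = {int(v) for v in m[1].split(",")}
    for p in ports.values():
        p["tagged"] = p.pop("allowed") - {p["untagged"]}  # native VLAN is sent untagged
    return ports

def to_hp(ports):
    """Render per-VLAN membership lines in the HP form used on the page."""
    untagged, tagged = defaultdict(list), defaultdict(list)
    for name, p in ports.items():
        untagged[p["untagged"]].append(name)
        for v in p["tagged"]:
            tagged[v].append(name)
    return [f"vlan {v} {kind} {','.join(m[v])}"
            for v in sorted(set(untagged) | set(tagged))
            for kind, m in (("untagged", untagged), ("tagged", tagged)) if v in m]

def check_trunk(port, physical_vlan, ssid_vlans):
    """Page rule: BSC physical interface untagged, SSID VLAN interfaces tagged."""
    bad = [] if port["untagged"] == physical_vlan else [f"VLAN {physical_vlan} must be untagged"]
    return bad + [f"VLAN {v} must be tagged" for v in sorted(set(ssid_vlans) - port["tagged"])]
```

    Calling to_hp(parse_ports(CISCO)) yields the four HP membership lines shown above, and check_trunk returns an empty list for e11 and e12.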

     

    Wired Support
    If you are required to support wired users on the BSC, you may also be required to put the BSC's managed interface on a trunk port. For example, you may have a conference room where you assign switchports to the guest VLAN 15 so that visitors get the BSC's login page and are policed by the BSC's role-based authorization. If the wired users were placed on the managed physical network, trunking/tagging would not be required.

     

    Edge-to-Edge
    The Edge-to-Edge feature essentially disables the EtherIP tunnel from the BSAP to the BSC on a per-SSID basis. Therefore, you may be required to put the BSAP and the managed physical interface on trunk ports if you are using the Edge-to-Edge feature. If the Edge-to-Edge SSID is assigned to the managed physical network (VLAN 0), then trunking/tagging would not be required.