Is it possible to perform vlan tagging on a Branch Router without assigning subnets to the vlans?

Question, updated 5 years ago (answered)
I just deployed a BR in our corporate office to provide routing for our guest subnet via a guest SSID to an autonomous ISP...Mission accomplished.

I have these nice radios and I'd like to utilize them as much as possible, so I'm wondering if I can also use the router as an AP for our corporate SSIDs and VLANs. I'd like to be able to set up VLAN trunking on a LAN port and assign corporate VLANs to SSIDs without linking them to a subnet, but it appears I am unable to configure VLAN tagging for the SSIDs without doing so.

Additionally, I am concerned that if I try to assign subnets to VLANs, OSPF will advertise those routes to the rest of my network, creating routing loops or, at best, less than optimal routing through the BR.
BJ, Champ

Posted 5 years ago
Juha Lindström
As far as I've understood, you can do this, but only when running the BR in AP mode. If you're running it in BR mode, then it'll want to do routing.

As for assigning IPs to the VLANs, that shouldn't really present a problem. You can still use access lists, policy routing, etc. to make sure the guests have no means to be routed to your corporate networks.

As for OSPF, that shouldn't be a problem either. If there's no OSPF running on the BR, then it won't have any effect on your current OSPF setup. Rather, you should have separate subnets for the clients behind the BR, and then on the default gateways of each respective corporate network you'd point a static route towards the said VLAN's interface on the BR. After this you make sure to add those static routes to your internal OSPF, and then your network should work.

Alternatively, if you don't want the separate subnets, you can have the BR do NAT for the traffic destined to your corporate network.

For guest networks, there's also one cool option: place a BR in a DMZ of your firewall and then GRE-tunnel the guest network traffic from the access points to that BR in the DMZ. This way you can tunnel guest traffic through your corporate network without worrying about them accessing it AND use the BRs in AP mode to provide bridged access to corporate networks via the respective SSIDs.

I know all this can be achieved, but don't ask me for specifics. I haven't set these up yet, as my time with Aerohive has been pretty brief. But based on what I've learned and understood so far, all of this should actually be fairly trivial to accomplish.

//Juha
BJ, Champ
Thanks for the reply, Juha. I guess what I'm asking for is either a hybrid or dual mode for the BRs in order to subvert all the additional configuration of route maps, ACLs, etc.

Since I am using the BR for routing, it would be nice to allow it to simply VLAN-tag traffic on a particular SSID and send it out a trunk port, as it would if it were in AP mode, rather than forcing it out the WAN port.

Perhaps this is more accurately designated as a feature request.
Anupam Upadhyaya
Hello tsn007,

In the case that you describe, who is providing the IP addresses for the clients associated to the BR?
BJ, Champ
A third-party (M$) DHCP server. I recently found out I may be able to use an AP330 in AP mode to perform what I am attempting. I'll update the post after configuring and testing.
Anupam Upadhyaya
The way you are describing the use case, you really want AP mode.