VLAN implementation into established non-vlan network

[sai.barker]

Hi,

I have a small wisp with around 100 customers.

Our current setup:
We have a core router with our two ISP fibre feeds. We branch out to other sites with wireless bridges. these sites have customer AP's. Their ubnt airmax CPE radio is also bridge mode.

The problem we are facing is:
We are piratically giving our customers layer 2 access to our whole network if they plug a laptop directly into the CPE poe injector.
We want to configure the CPE radio's in router mode and PPPOE client. I have tested this and it works great. But I want a separate management IP assigned statically to the CPE because the PPPOE address is dynamic.

The problem is, we cannot assign a different management address to the same interface as the pppoe client / WAN. The only way to do this says ubnt is to create a VLAN and set the management interface as vlan.xxx. This still leaves normal traffic as non-vlan traffic.

I cannot for the life of me get non-vlan traffic and management traffic working simultaneously on the bench

All our sites have netonix DC switches which vary in size. On the test bench I try changing the management vlan to 200 on all devices including the wisp switch. I then tag the port with the AP that CPE's connect to. I can the access the management IP of the CPE BUT customers loose connection to our core router.
Im not sure if what im trying to do is even possible as i am fairly new to the concept of vlans.


I could set a management vlan AND a vlan for normal traffic BUT I have to change ALL CPE's at once, then change ALL the backhauls then change ALL the switches manually which would take days. During that time all customers would be offline which we just cannot have.

Has anyone else out there overcome this problem? or know of an alternate / workaround solution.

Thanks in advanced,

TL;DR
CPE is ubnt powerbeam > Bridge mode to core router via bridged sites.
Change CPE to router mode / PPPOE (dynamic wan address).
Cannot set Management IP to same interface. Must create vlan.
Struggling to pass management / vlan traffic through same switch port. (wisp switch)

[mike99]

First, I think that you should hire a consultant.

If you want some help, schema and desired configuration would help. What do you plan to use as BRAS, Mikrotik ? What are your Ubnt radio and netonix config ?

[sai.barker]

Hi Mike99,

Thanks for your response.

Yes we use mikrotik for BRAS and routing.

All of our ubnt radios are all configured as bridge mode. (CPE, AP's and backhauls).
Our Netonix switches are providing POE to the radios (Back haul and AP's) with no vlan config other than default. We use RSTP for our failover / alternate paths on backhauls.

Customers routers have a static IP and their gateway points to our core router (CCR1036), From there we create a simple queue targeting the static IP assigned to the WAN interface of their router to limit their speeds.

On the upstream side we have two providers advertising our public /23 assignment via BGP.

We then split that up into /30's to assign to customers who require a static public IP.

I have attached some screenshots of various device configs.


What i'm hoping to achieve is to use the CPE radios as a pppoe client and mikrotik as pppoe server. But I still require a static management IP for on the CPE radio.

For customers who require a public static IP, I want to use the CPE radio in router mode/ static IP. The WAN settings will be their public /30. On the local side I will serve one DHCP address and DMZ all traffic to that address. The customers router will then use dhcp client on their WAN which will take on that single DHCP address that we are DMZing to. Obviously if we are DMZing all traffic coming into the radio, Ill need an additional IP address for management.


Hopefully this helps, your assistance is appreciated!

Screenshots: https://imgur.com/a/w5gk2g1

[mike99]

You have a single tower on your network ?

Else, 1 VLAN by tower for every services ,that will allow you to have a scalable network.

Exemple,

tower 1:
management vid 11
data vid 12
tower 2:
management vid 21
data vlan vid 22

space left between tower are for additional futur out of band service like voice, IPTV, alarm system, etc.

On netonix, VLAN tab should look like this (port 1 and 2 are backhaul while other port are port facing customer)

tower 1
11 management TTTTTTTTTTTT
12 internet TTUUUUUUUUU

Ubnt radio managment vlan 11, no need to set internet vlan since it's already untag

On mikrotik, create 2 vlan interface, 11 and 12 and bound those to the interface facing the netonix at the core. Set ip address on those created vlan interface.

P.S. I wouldn't use radio as router (I've done it this way and regret it). Instead, I would use radio at layer 2, block dhcp on radio (port 67 and 68), block any broadcast except dhcp and arp, allow disovery only on management and disable WDS to nat the MAC adresse of customer router to the one of the antenna. This way, you always know from which antenna data is coming from.

If you want radius accounting, you can still use 802.1x (WPA-EAP).

[sai.barker]

Hi Mike99,

Thanks for that.

We have about 16 towers / sites on our network but I just included one to simplify the example. Some sites triangulate backhauls for redundancy and path diversity.

So I understand that the radio management vlan will be 11 which comes into a tagged port. But I don't understand how non-vlan data traffic flows when the switch port is tagging?

Also why did you regret using the cpe radio as router?

Thanks,