Traffic Separation
Overview
This README documents important aspects of applying the Traffic Separation feature in a Multi-AP system. When Traffic Separation is in effect, traffic from different VLANs is isolated; multiple SSIDs may belong to the same VLAN. The functionality is specified in Multi-AP Specification 2.0, chapter 19, on which this implementation is based. Separation at layer 2 relies on the kernel's bridge VLAN filtering feature, which must be compiled into the kernel.
Configuration
The configuration governing Traffic Separation (VLAN tag numbering) comes from the map-controller.
The Primary VLAN ID and the default PCP value are set in the controller's global section; primary_vid '0' means the Traffic Separation feature is disabled.
config controller 'controller'
	option enabled '1'
	option registrar '5 2'
	option primary_vid '1'
	option primary_pcp '2'
Each ap section specifies the VLAN ID it belongs to via the vid option:
config ap
	option band '5'
	option ssid 'MAP-EC6C9A79FC4E-5GHz'
	option encryption 'sae-mixed'
	option vid '1'	# Primary VID
	option type 'fronthaul'
	option key 'FPaY-7teN-hTHa-pgdT'

config ap
	option band '2'
	option ssid 'MAP-EC6C9A79FC4E-2.4GHz'
	option encryption 'sae-mixed'
	option vid '1'	# Primary VID
	option type 'fronthaul'
	option key 'FPaY-7teN-hTHa-pgdT'

config ap
	option band '5'
	option ssid 'My-Guest-Network'
	option encryption 'sae-mixed'
	option vid '50'	# Example guest VID 50
	option type 'fronthaul'
	option key 'FPaY-7teN-hTHa-pgdT'

config ap
	option band '5'
	option ssid 'Another-Guest-Network'
	option encryption 'sae-mixed'
	option vid '20'	# Example guest VID 20
	option type 'fronthaul'
	option key 'FPaY-7teN-hTHa-pgdT'
Implementation
In order for map-agent to apply VLAN tagging on the Primary Network, it must receive a Default 802.1Q Settings TLV containing the Primary VLAN ID. This can be received in any of three ways:
- in an AP-Autoconfiguration WSC message from the map-controller
- in a Multi-AP Policy Config Request message from the map-controller
- as a Multi-AP IE subelement in (Re-)Association Response frames
To apply tagging on Secondary Networks, it must receive a Traffic Separation Policy TLV containing at least one SSID to VLAN ID mapping. This can be received in either of the following CMDUs from the map-controller:
- an AP-Autoconfiguration WSC message
- a Multi-AP Policy Config Request message
When map-agent receives a valid Traffic Separation policy, it reconfigures /etc/config/network to enable VLAN filtering on the al_bridge (by default br-lan), configures VLANs for the Ethernet ports that were already bridged to the al_bridge, and creates sink veth interfaces that give layer 3 (IP, IPv6, DHCP, etc.) access to the VLAN networks.
config device 'br_lan'
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'
	option macaddr '44:D4:37:71:BE:32'
	option vlan_filtering '1'
Individual VLAN IDs for ports are configured using bridge-vlan network config entries. Ports with :t appended keep the VLAN tag on ingress and egress traffic (802.1Q frames are sent and received on the port). Port entries without :t add the tag on ingress and strip it on egress, which is appropriate for sink interfaces and for Ethernet ports on the primary network.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'eth2'
	list ports 'eth3'
	list ports 'eth4'
	list ports 'sink_peer1'

config bridge-vlan
	option device 'br-lan'
	option vlan '50'
	list ports 'eth2:t'
	list ports 'eth3:t'
	list ports 'eth4:t'
	list ports 'sink_peer50'
By convention, the network for VLAN vid is the 192.168.vid.0/24 IP network.
config interface 'vlan50'
	option device 'sink50'
	option is_lan '1'
	option proto 'static'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'
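The reconfiguration map-agent performs (VLAN filtering on the bridge, one bridge-vlan entry per VID with Ethernet ports tagged for secondary VIDs, a sink veth pair per VID, and a 192.168.vid.1/24 interface on the sink end) can be written out as a uci batch script. The following is an added example, not map-agent's own code: it assumes the bridge device section is named br_lan as above, that netifd's veth device type (type 'veth' with name and peer_name) is available, and that the sink_peer side needs to be listed in the bridge's ports as well (an assumption; netifd may already add bridge-vlan ports to the bridge).

```shell
#!/bin/sh
# Added example: emit a `uci batch` script that builds the traffic-separation
# network layout described in this README. Not part of map-agent.
#
# gen_ts_batch PRIMARY_VID "SECONDARY_VIDS" "ETH_PORTS"
#   PRIMARY_VID     the primary VID (untagged on every Ethernet port)
#   SECONDARY_VIDS  space-separated guest VIDs (tagged on Ethernet ports)
#   ETH_PORTS       space-separated Ethernet ports already bridged to br-lan
gen_ts_batch() {
    primary=$1; secondaries=$2; eth_ports=$3

    # Turn on bridge VLAN filtering on the al_bridge (section name assumed: br_lan).
    printf "set network.br_lan.vlan_filtering='1'\n"

    for vid in $primary $secondaries; do
        # Primary VID is untagged on Ethernet ports; guest VIDs keep their tag (:t).
        if [ "$vid" = "$primary" ]; then suffix=""; else suffix=":t"; fi

        # veth pair: sinkN carries the routed interface, sink_peerN is a bridge port.
        # (netifd veth device type: assumed available on the target build.)
        printf "set network.sink%s=device\n" "$vid"
        printf "set network.sink%s.type='veth'\n" "$vid"
        printf "set network.sink%s.name='sink%s'\n" "$vid" "$vid"
        printf "set network.sink%s.peer_name='sink_peer%s'\n" "$vid" "$vid"
        # Assumption: the peer must be a member of the bridge to take part in VLAN filtering.
        printf "add_list network.br_lan.ports='sink_peer%s'\n" "$vid"

        # One bridge-vlan section per VID, matching the config shown in the README.
        printf "add network bridge-vlan\n"
        printf "set network.@bridge-vlan[-1].device='br-lan'\n"
        printf "set network.@bridge-vlan[-1].vlan='%s'\n" "$vid"
        for p in $eth_ports; do
            printf "add_list network.@bridge-vlan[-1].ports='%s%s'\n" "$p" "$suffix"
        done
        # The sink peer is always untagged (PVID) so the routed side sees plain frames.
        printf "add_list network.@bridge-vlan[-1].ports='sink_peer%s'\n" "$vid"

        # Layer 3 access by convention: 192.168.<vid>.1/24 on the sink end.
        printf "set network.vlan%s=interface\n" "$vid"
        printf "set network.vlan%s.device='sink%s'\n" "$vid" "$vid"
        printf "set network.vlan%s.is_lan='1'\n" "$vid"
        printf "set network.vlan%s.proto='static'\n" "$vid"
        printf "set network.vlan%s.ipaddr='192.168.%s.1'\n" "$vid" "$vid"
        printf "set network.vlan%s.netmask='255.255.255.0'\n" "$vid"
    done
}

# Usage: review the generated script, then apply it with
#   gen_ts_batch 1 "50 20" "eth2 eth3 eth4" | uci batch && uci commit network
gen_ts_batch 1 "50 20" "eth2 eth3 eth4"
```

Reviewing the emitted script before piping it into uci batch is the point of generating text rather than calling uci directly: a wrong VID list here silently merges a guest network into the primary one.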
The resulting VLAN configuration can be inspected with the bridge vlan command; example output looks like this:
root@iopsys:~# bridge vlan
port              vlan-id
eth2              1 PVID Egress Untagged
                  20
                  50
eth3              1 PVID Egress Untagged
                  20
                  50
eth4              1 PVID Egress Untagged
                  20
                  50
wl0               1 PVID Egress Untagged
wl1               1 PVID Egress Untagged
sink_peer1        1 PVID Egress Untagged
br-lan            1
                  20
                  50
wl1.1             1 PVID Egress Untagged
wl1.2             20 PVID Egress Untagged
wl0.1             1 PVID Egress Untagged
wl0.2             50 PVID Egress Untagged
sink_peer50       50 PVID Egress Untagged
sink_peer20       20 PVID Egress Untagged
Entries marked PVID Egress Untagged add the VLAN tag on incoming frames and remove it on outgoing frames on that port. A VLAN ID listed without PVID Egress Untagged means that tag is accepted on the port; VLAN tags not listed are dropped. In the example above, eth2 will:
- accept 802.1Q frames with VIDs 20 and 50
- tag untagged incoming Ethernet frames with VID 1
- strip the VID 1 tag from outgoing frames
For wireless port wl0.2:
- untagged traffic is placed in VID 50
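The reading of the bridge vlan table given above can be turned into an automated check that the separation actually holds on a device: a guest SSID port must carry exactly one VID and that VID must be its PVID, while an Ethernet port must have the primary VID as PVID and carry guest VIDs tagged only. The script below is an added example, not part of map-agent; the table it parses is constructed to match the output format shown above (on a device, replace it with the output of bridge vlan), and the port names, VIDs and function names are illustrative.

```shell
#!/bin/sh
# Added example: audit a `bridge vlan` table for traffic-separation violations.
# SAMPLE is constructed from the layout shown in this README; on a real device use
# SAMPLE=$(bridge vlan) instead.
SAMPLE='port vlan-id
eth2 1 PVID Egress Untagged
20
50
eth3 1 PVID Egress Untagged
20
50
wl0 1 PVID Egress Untagged
sink_peer1 1 PVID Egress Untagged
br-lan 1
20
50
wl1.1 1 PVID Egress Untagged
wl1.2 20 PVID Egress Untagged
wl0.2 50 PVID Egress Untagged
sink_peer50 50 PVID Egress Untagged
sink_peer20 20 PVID Egress Untagged'

# Normalise the table into one "port vid mode" line per entry. Continuation
# lines (only a VID, no port name) belong to the most recent port. mode is
# "pvid" for PVID Egress Untagged entries and "tagged" for accepted-tagged VIDs.
flatten() {
    printf '%s\n' "$1" | awk '
        NF == 0 { next }
        NR == 1 && $1 == "port" { next }
        $1 ~ /^[0-9]+$/ { vid = $1 }
        $1 !~ /^[0-9]+$/ { port = $1; vid = $2 }
        { mode = ($0 ~ /PVID/) ? "pvid" : "tagged"; print port, vid, mode }'
}

# port_vids TABLE PORT: every VID the port may carry, one per line.
port_vids() { flatten "$1" | awk -v p="$2" '$1 == p { print $2 }'; }

# port_pvid TABLE PORT: the port's PVID, or empty if it has none.
port_pvid() { flatten "$1" | awk -v p="$2" '$1 == p && $3 == "pvid" { print $2 }'; }

# check_guest_port TABLE PORT VID: a secondary-network port (guest SSID interface
# or its sink peer) must carry only VID, and VID must be its PVID. Any extra VID
# on such a port is a path into another network.
check_guest_port() {
    pvid=$(port_pvid "$1" "$2")
    n=$(port_vids "$1" "$2" | wc -l | tr -d ' ')
    [ "$pvid" = "$3" ] && [ "$n" -eq 1 ]
}

# check_trunk_port TABLE PORT PRIMARY_VID: an Ethernet port must have the primary
# VID as PVID, and every other VID it carries must be tagged-only (no PVID/untagged
# guest VID, which would let untagged guest frames fall into the primary network).
check_trunk_port() {
    [ "$(port_pvid "$1" "$2")" = "$3" ] || return 1
    flatten "$1" | awk -v p="$2" -v pri="$3" \
        '$1 == p && $2 != pri && $3 == "pvid" { bad = 1 } END { exit bad }'
}

# Usage: one line per checked port, "ok" or "VIOLATION".
for spec in "wl0.2 50" "wl1.2 20" "sink_peer50 50"; do
    set -- $spec
    if check_guest_port "$SAMPLE" "$1" "$2"; then echo "$1: ok"; else echo "$1: VIOLATION"; fi
done
for p in eth2 eth3; do
    if check_trunk_port "$SAMPLE" "$p" 1; then echo "$p: ok"; else echo "$p: VIOLATION"; fi
done
```

Running this after every policy change (or from a periodic job) catches the failure mode that matters most here: a guest SSID interface that ends up with the primary VID in its allowed list, which the bridge will happily forward.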