Hi!
I found some topics on this issue, but it is not clear to me whether it is possible for capsman to assign a vlan to an ssid in local-forwarding mode, where the vlans are specified on the CAP device and not on capsman. I have a capsman device and caps devices in a hub&spoke topology. CAPs are on some sites, and each site has a different vlan set.
In manager forwarding mode I can set a vlan for every SSID.
In local-forwarding mode I can assign CAP interfaces to a vlan.
Can I set capsman to drop an SSID into a specific VLAN on a CAP and not on CAPsMAN? I mean, the CAP device has a trunk port on its uplink, the MGMT vlan is untagged (but it could be tagged too) and the client vlans are tagged. Can I tell capsman to separate SSIDs by vlans on each CAP device, on that local (CAP) vlan, where that vlan is not on the capsman (or it is a dummy vlan)?
Thanks!
oreggin
You can edit this in the corresponding CAP interface under datapath.
select vlan-mode = tag and then set the corresponding vlan id.
A bit cumbersome, but it works.
-Chris
I tried it but it didn’t work for me in local-forwarding mode. How should the CAP be configured in this case? Right now it has a bridge in MSTP, as the peer is MSTP too, and I set the vlan assignment under the bridge. How will capsman control the CAP network stack?
Thanks!
oreggin
For using local forwarding, your CAP devices must have a bridge configured with ethernet and wlan interfaces in them.
Then you set in cap settings bridge=
-Chris
I did it:
[oreggin@ap11] > interface bridge print
Flags: X - disabled, R - running
0 R name="LAN" mtu=auto actual-mtu=1500 l2mtu=1600 arp=enabled arp-timeout=auto
mac-address=E4:8D:8C:XX:XX:XX protocol-mode=mstp fast-forward=no igmp-snooping=no
auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s
transmit-hold-count=6 region-name="LAN" region-revision=1 max-hops=20
vlan-filtering=yes pvid=1
[oreggin@ap11] > interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
0 ether1 LAN yes 800 0x80 10 10 none
1 wlan_2.4GHz LAN 1 0x80 10 10 none
2 wlan_5GHz LAN 1 0x80 10 10 none
3 D wlan19 LAN 1 0x80 10 10 none
4 D wlan20 LAN 1 0x80 10 10 none
[oreggin@ap11] > interface bridge vlan print
Flags: X - disabled, D - dynamic
# BRIDGE VLAN-IDS CURRENT-TAGGED CURRENT-UNTAGGED
0 LAN 800 LAN ether1
1 LAN 808 LAN
ether1
2 D LAN 1 LAN
wlan_2.4GHz
wlan_5GHz
wlan_2.4GHz
wlan_5GHz
wlan_2.4GHz
wlan19
wlan_5GHz
wlan20
[oreggin@ap11] > interface wireless cap print
enabled: yes
interfaces: wlan_2.4GHz,wlan_5GHz
certificate: request
lock-to-caps-man: no
discovery-interfaces:
caps-man-addresses: 10.1.1.1
caps-man-names:
caps-man-certificate-common-names:
bridge: LAN
static-virtual: no
requested-certificate: CAP-E48D8CXXXXXX
[oreggin@ap11] >
As I add the two master wireless interfaces to the bridge, they have pvid=1, and every dynamically created wlanX interface has pvid=1 too. How would they be dropped into the proper vlan? Initially it would be good to drop every wireless IF into vlan808.
Thanks!
oreggin
/int bri po set (number) pvid=808
-Chris
Thanks, but the topic started with “can capsman assign a vlan to an SSID on the CAP instead of configuring it on every CAP by hand?” At the moment I assign vlans to SSIDs on the CAP by hand.
Kind regards,
oreggin
Yes, this can be done in datapath.
I jumped on the “do it manually per interface” train b/c you said that vlans differ from site to site for the same ssid… And this can only be done by hand 
-Chris
I can configure as many datapaths/configurations as I need and then assign them in provisioning, and I can separate APs on different sites based on the identifier, for example. For example, I configure the datapath properly and under configuration I change the VlanID if needed.
So now I would like to see a configuration example (both capsman and cap), as my configuration doesn’t work.
Thanks,
oreggin
## cap config
/interface wireless cap
set bridge=bridge1 caps-man-addresses=172.10.11.12 enabled=yes interfaces=wlan1,wlan2
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 hw=no interface=ether1
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
## manager config
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=v444 vlan-id=444 vlan-mode=use-tag
/caps-man configuration
add country=switzerland datapath=v444 datapath.client-to-client-forwarding=yes hide-ssid=no mode=ap multicast-helper=full name=myVlanConfig rx-chains=0,1,2 security=mysecurity ssid=mySSID tx-chains=0,1,2
That is extracted from a working production config here.
And looking at the state of the bridge ports, I think by now that it’s even unnecessary to add the h/w wlan interfaces to the bridge; just ether1 should work.
-Chris
If you have local forwarding checked in caps-man configuration… There is the option to set VLAN tag. That’s it. All devices that get config from that controller will have the SSID vlan tagged.
Here is a working example
/caps-man configuration
add country="united states3" datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes datapath.vlan-id=100 datapath.vlan-mode=use-tag mode=ap name=TaggedSSID security.authentication-types=wpa-psk,wpa2-psk security.encryption=aes-ccm security.group-encryption=aes-ccm security.group-key-update=1h security.passphrase=someoddpassword ssid=SSIDwithaTag
Thanks to all!
So, the solution is disabling vlan-filtering on the CAP’s bridge and then voilà! The CAP drops the selected SSID into the vlan that I set in CAPsMAN, so now CAPsMAN controls the CAPs’ VLAN selection based on SSID.
If I enable vlan-filtering, this method does not work! As this is not a problem on CAPs, this issue is resolved.
Best regards,
oreggin
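
The per-site setup discussed in this thread, put together as an added example that is not from any poster's configuration: one datapath and configuration per site VLAN on CAPsMAN, selected by provisioning rules that match the CAP's identity, with the CAP bridge left without VLAN filtering as the last post reports. All names, the site identity prefixes, the VLAN-to-site mapping and the passphrase placeholder are assumptions; VLAN IDs 808 and 444 and the manager address 10.1.1.1 are reused from the posts above.

```routeros
# Added example. Names, identity prefixes and the passphrase are hypothetical.

## manager config
# One datapath per site VLAN; local-forwarding makes the CAP tag the frames itself.
/caps-man datapath
add name=dp-siteA local-forwarding=yes vlan-mode=use-tag vlan-id=808
add name=dp-siteB local-forwarding=yes vlan-mode=use-tag vlan-id=444

/caps-man security
add name=sec-staff authentication-types=wpa2-psk encryption=aes-ccm \
    passphrase="REPLACE-WITH-REAL-PASSPHRASE"

# Same SSID on both sites, different VLAN through the datapath.
/caps-man configuration
add name=cfg-siteA mode=ap ssid=Staff security=sec-staff datapath=dp-siteA
add name=cfg-siteB mode=ap ssid=Staff security=sec-staff datapath=dp-siteB

# Provisioning selects the configuration from the CAP's system identity
# (assumes CAPs are named siteA-ap1, siteB-ap1, ...).
/caps-man provisioning
add action=create-dynamic-enabled identity-regexp="^siteA-" \
    master-configuration=cfg-siteA
add action=create-dynamic-enabled identity-regexp="^siteB-" \
    master-configuration=cfg-siteB

## cap config (identical on every site)
# Bridge without VLAN filtering; ether1 is the trunk uplink.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether1
/interface wireless cap
set enabled=yes interfaces=wlan1,wlan2 bridge=bridge1 caps-man-addresses=10.1.1.1
```

With vlan-filtering=no the CAP bridge does not enforce VLAN membership, so the upstream switch port should allow only the management VLAN and the client VLANs that site actually uses.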