Hi all,
I want to ask a few questions that came up during my setup of CAP/CAPsMAN.
In a test environment (all devices running ROS 7.3.1), I connect 3x hAP ac routers directly to a CAPsMAN
(at the moment an old RB450G, which will be exchanged for an RB5009 as soon as it is available).
ether5 of each CAP is connected to ether1, ether2 and ether3 respectively on the CAPsMAN.
Step #1: The default setup is very simple.
Local forwarding on the CAPs is disabled, which means that the CAPsMAN manages everything,
in particular the routing of the WLAN/HOTSPOT data to the appropriate bridge,
which is important for the assignment to the appropriate DHCP server.
In this setup I have 3 bridges:
bridgeCAP (internal CAP/CAPsMAN network 192.168.15.0/24)
bridgeWLAN (WLAN network 192.168.10.0/24)
bridgeHOTSPOT (Hotspot network 192.168.14.0/24)
In each network the CAPsMAN has the IP address .1 (e.g. 192.168.15.1) and CAP[n] has IP .1[n] (e.g. CAP1 > 192.168.15.11).
Step #2: Extending the setup so that both 'local forwarding' enabled and disabled work just by changing the parameters in the datapath config:
For CAPsMAN:
created vlan interface 'bridgeCAP-99' (VLAN 99) attached to bridgeCAP
created vlan interface 'bridgeWLAN-11' (VLAN 11) attached to bridgeWLAN
created vlan interface 'bridgeHOTSPOT-12' (VLAN 12) attached to bridgeHOTSPOT
created vlan interface ether1-VLAN99,ether1-VLAN11,ether1-VLAN12 attached to ether1
(accordingly for ether2 and ether3)
bridged all VLAN 99 ports >> bridgeCAP
bridged all VLAN 11 ports >> bridgeWLAN
bridged all VLAN 12 ports >> bridgeHOTSPOT
enabled vlan filtering for all affected bridges
configured vlan table (tagged/untagged ports for every bridge/vlan)
For CAP:
created bridge 'bridgeVLANs'
created vlan interface bridgeVLANs-VLAN99,bridgeVLANs-VLAN11,bridgeVLANs-VLAN12 attached to bridgeVLANs
created vlan interface ether5-VLAN99,ether5-VLAN11,ether5-VLAN12 attached to ether5.
bridged all vlan ports >> bridgeVLANs
moved wlan1, wlan2 interfaces to bridgeVLANs
enabled vlan filtering for bridgeVLANs
configured vlan table
Finally, in the CAPsMAN datapath config I set the following:
for WLAN: vlan mode: use tag, vlan id: 11, local forwarding: yes
for HOTSPOT: vlan mode: use tag, vlan id: 12, local forwarding: yes
Unbelievable, Step #2 works 3x faster, but still at 1/3 wire speed :)
The data flow for wlan data (CAP1) is:
WLAN-data(tagged vlan id 11) > bridgeVLANs-VLAN11 > ether5-VLAN11 > ether5 > wire > ether1 > ether1-VLAN11 > bridgeWLAN-11
Now my questions are:
#1 Originally all bridges/ports were configured to admit only vlan tagged packets.
I was able to ping the interface bridgeVLANs-VLAN11 (192.168.10.1) from the CAP's interface ether5-VLAN11 (192.168.10.11),
but as soon as I have assigned the ip to the bridge (bridgeWLAN instead of bridgeWLAN-VLAN11) this is no longer the case.
Why? I have no explanation for that.
I need the IP assigned to the bridge, because the DHCP server doesn't work with slave interfaces.
Workaround: port bridgeWLAN-VLAN11 is now untagged and the bridge admits all traffic, which means that VLAN tags are added/removed unnecessarily for all packets that pass the bridge.
However, the ping works now regardless of whether the ip is assigned to the interface or the bridge.
#2 There is one slave interface on ether5 for each vlan.
For simplicity I thought of using only one tagged interface (let's name it ether5-VLAN99-11-12), because we can configure the VLAN table to pass all allowed VLANs.
Every VLAN that goes through that interface should end up on the corresponding interface (bridgeVLANs-VLAN99, bridgeVLANs-VLAN11, bridgeVLANs-VLAN12) like this
Data flow for WLAN:
WLAN-data(tagged vlan id 11) > bridgeVLANs-VLAN11 > ether5-VLAN99-11-12 > ether5 > wire > ether1 > ether1-VLAN11 > bridgeWLAN-11
Data flow for HOTSPOT:
HOTSPOT-data(tagged vlan id 12) > bridgeVLANs-VLAN12 > ether5-VLAN99-11-12 > ether5 > wire > ether1 > ether1-VLAN12 > bridgeWLAN-12
What am I doing wrong that this doesn't work?
#3 Not surprisingly, the CPU on the CAPsMAN is running at 100%.
Basically, we only need a way to send the WLAN data to the right bridge on CAPsMAN side (in local forwarding mode).
If I used a tunnel (e.g. EoIP), it would be sufficient to send the WLAN data through a special gateway (through the EoIP tunnel) on the CAP side
and to make the other tunnel endpoint a member of the correct bridge on the CAPsMAN side.
It would of course be necessary to check whether this is faster at all, but VLAN interfaces, VLAN filtering, VLAN table entries, all of that would be unnecessary.
Hardware offloading would be possible again. Altogether this would lower the CPU load.
I guess the data flow can currently only be controlled via the VLAN IDs in the datapath configuration.
May I request this feature? Is it a good or bad idea if I am going to request this feature?
If desired, I can share the config files (I have to remove the unnecessary stuff first)
Thanks for the support (and for better ideas on the topic)
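As an added example (not the poster's configuration and not a MikroTik-supplied script), the following RouterOS 7 export-style script expresses the same three-network, local-forwarding layout from Step #2 using the documented bridge VLAN filtering model: one VLAN-aware bridge per device, ether5 (CAP) and ether1..ether3 (CAPsMAN) as plain tagged trunk ports in the bridge VLAN table, and no per-port VLAN sub-interfaces. Addresses, VLAN IDs and the datapath settings are taken from the post; the bridge, VLAN interface, pool and DHCP server names (bridgeTrunk, vlanCAP, vlanWLAN, vlanHOTSPOT, dpWLAN, dpHOTSPOT, poolWLAN, poolHOTSPOT) and the DHCP pool ranges are assumptions chosen for the example. The IP addresses and DHCP servers sit on VLAN interfaces created on top of the bridge, which RouterOS treats as ordinary L3 interfaces rather than as bridge ports, and vlan-filtering is switched on as the last step so that management access over VLAN 99 is not cut off half-way through.

```routeros
# ===================== CAP side (hAP ac, uplink on ether5) =====================
# Assumed names: bridgeVLANs (kept from the post), vlanCAP; wlan1/wlan2 are the
# CAP radios, which CAPsMAN adds to bridgeVLANs itself via datapath bridge=.
/interface bridge
add name=bridgeVLANs vlan-filtering=no comment="single VLAN-aware bridge"
/interface bridge port
# ether5 is a pure trunk: only tagged frames for VLANs 99/11/12 are accepted
add bridge=bridgeVLANs interface=ether5 frame-types=admit-only-vlan-tagged
/interface bridge vlan
# VLAN 99 also reaches the bridge itself so the management VLAN interface gets it
add bridge=bridgeVLANs tagged=bridgeVLANs,ether5 vlan-ids=99
# with vlan-mode=use-tag the radios emit tagged frames, so they are tagged members;
# they do not need a L3 interface on the CAP because traffic is bridged to CAPsMAN
add bridge=bridgeVLANs tagged=ether5,wlan1,wlan2 vlan-ids=11
add bridge=bridgeVLANs tagged=ether5,wlan1,wlan2 vlan-ids=12
/interface vlan
add name=vlanCAP interface=bridgeVLANs vlan-id=99
/ip address
add address=192.168.15.11/24 interface=vlanCAP comment="CAP1 management"
/interface wireless cap
set enabled=yes interfaces=wlan1,wlan2 discovery-interfaces=vlanCAP \
    caps-man-addresses=192.168.15.1
# enable filtering last, after ports and VLAN table exist
/interface bridge set bridgeVLANs vlan-filtering=yes

# ================ CAPsMAN side (RB450G, CAP trunks on ether1..3) ================
# Assumed names: bridgeTrunk, vlanCAP, vlanWLAN, vlanHOTSPOT, dp*, pool*.
/interface bridge
add name=bridgeTrunk vlan-filtering=no comment="replaces bridgeCAP/WLAN/HOTSPOT"
/interface bridge port
add bridge=bridgeTrunk interface=ether1 frame-types=admit-only-vlan-tagged
add bridge=bridgeTrunk interface=ether2 frame-types=admit-only-vlan-tagged
add bridge=bridgeTrunk interface=ether3 frame-types=admit-only-vlan-tagged
/interface bridge vlan
# every CAP port carries all three VLANs; the bridge itself is a tagged member so
# the L3 VLAN interfaces below receive the traffic for their VLAN
add bridge=bridgeTrunk tagged=bridgeTrunk,ether1,ether2,ether3 vlan-ids=99
add bridge=bridgeTrunk tagged=bridgeTrunk,ether1,ether2,ether3 vlan-ids=11
add bridge=bridgeTrunk tagged=bridgeTrunk,ether1,ether2,ether3 vlan-ids=12
/interface vlan
add name=vlanCAP interface=bridgeTrunk vlan-id=99
add name=vlanWLAN interface=bridgeTrunk vlan-id=11
add name=vlanHOTSPOT interface=bridgeTrunk vlan-id=12
/ip address
add address=192.168.15.1/24 interface=vlanCAP
add address=192.168.10.1/24 interface=vlanWLAN
add address=192.168.14.1/24 interface=vlanHOTSPOT
/ip pool
# pool ranges are constructed for the example
add name=poolWLAN ranges=192.168.10.100-192.168.10.200
add name=poolHOTSPOT ranges=192.168.14.100-192.168.14.200
/ip dhcp-server
# DHCP binds to the VLAN interfaces, which are not bridge ports (slaves)
add name=dhcpWLAN interface=vlanWLAN address-pool=poolWLAN disabled=no
add name=dhcpHOTSPOT interface=vlanHOTSPOT address-pool=poolHOTSPOT disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.14.0/24 gateway=192.168.14.1
/interface bridge set bridgeTrunk vlan-filtering=yes
/caps-man manager
set enabled=yes
/caps-man datapath
# bridge= names the bridge on the CAP that receives the radio as a port
add name=dpWLAN local-forwarding=yes vlan-mode=use-tag vlan-id=11 bridge=bridgeVLANs
add name=dpHOTSPOT local-forwarding=yes vlan-mode=use-tag vlan-id=12 bridge=bridgeVLANs
```

After applying it, `/interface bridge port print` shows an `H` flag on ports that the switch chip is forwarding in hardware, and `/interface bridge vlan print` lists `current-tagged` and `current-untagged` per VLAN, which makes it quick to confirm that each CAP trunk and radio is a member of the VLAN it is supposed to carry before enabling vlan-filtering.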