I had a really similar problem trying to set up Cisco Wireless Access Points (Aironet 1200s) with the same switch using a Debian "router". The documentation provided with the switch is terrible. Tech support is nothing to write home about either - I argued with them for 4 hours and finally they looked at the docs that came with the router and said - oh - it is missing that info, isn't it. Still not in there last I looked. Oh well - I am not going to pay them to do their job for them...
The sample they provided in the book was not complete. It has been a while since we got it working - if I remember correctly we ended up having to tag our VLANs as something other than 1 in the Debian system. All ports on the switch had to be untagged members of VLAN 1 (Management VLAN). We then created VLANs 2 and 3 on the router and then on the switch also made port 1 an untagged member of both those VLANs. Once this was done we made the other ports (where the switches and hubs were installed) tagged members of whichever VLAN they needed to be as well as untagged members of VLAN 1...

Ex:
- The router went into port 1, which was an untagged member of VLAN 1, VLAN 2, and VLAN 3. The router will provide the VLAN tagging for the packets so the switch does not need to.
- Several devices went into ports 2-5, which needed to be on VLAN 2. Therefore we made ports 2-5 untagged members of VLAN 1 and tagged members of VLAN 2.
- Another switch went into port 6, which needed access to VLAN 3. We made port 6 an untagged member of VLAN 1 and a tagged member of VLAN 3.

There is also a setting to set the default tag of the port that a device plugs into - this needs to be set to the same as the tag you want to give untagged packets. So you set the default tag on ports 2-5 as 2 and on port 6 as 3. What happens is that an untagged packet coming into the switch on ports 2-5 will be tagged with VLAN 2 and will have access to ports 1 and 2-5, as these are all members of VLAN 2. The switch will forward that packet to the router and the router will know which VLAN to forward to based on the tag on the packet. The router will then reply to the packet and tag it with VLAN 2, which will re-enter the switch and again can access ports 1 and 2-5. If the packet goes out ports 2-5 the tag will be stripped and the packet seen by the devices as a standard Ethernet packet without the VLAN tag. The same works for VLAN 3.
Of course in the router you need the routing and firewalling set up correctly to properly handle everything. We have this setup on a system now with 4 NICs and several VLANs on one of the NICs. We had to use Debian as it was already set up - but I used OpenBSD to research and test much of this.

Good luck and hope this helps -

Brian Shackelford

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Raja Subramanian
> Sent: Tuesday, May 16, 2006 5:15 AM
> To: misc@openbsd.org
> Subject: vlan router problems
>
> Hi,
>
> I'm trying to build a VLAN router with a single NIC (tried sis
> and fxp). I have two subnets (192.168.1.1/24, 192.168.2.1/24)
> on independent VLANs. I'm stuck because the router is unable
> to exchange data with the VLAN clients.
>
> I have a Netgear FS726T switch that is VLAN capable, and
> vlan(4) says my cards (sis, fxp) are also VLAN ready. The
> cards and switch are both 100BT. I tried OpenBSD 3.9 (and
> FreeBSD 6.1) and have the following problems:
>
> On my box, I've used:
> ifconfig vlan1 vlan 1 vlandev sis0 192.168.1.1 255.255.255.0 up
> ifconfig vlan2 vlan 2 vlandev sis0 192.168.2.1 255.255.255.0 up
>
> The switch is set up so that the router's port is tagged, while all
> other ports are untagged.
>
> If I use the default MTU 1500 on both the vlan interface and the
> parent interface, I'm unable to transfer large data between the
> router and clients on my LAN. Running top on the router while
> logged in over ssh from a client machine would kill the
> connection.
>
> But reducing the MTU of the vlan pseudo interface to 1492
> makes things faster, but I still get repeated ping timeouts and
> my packet loss is ~10%.
>
> The routing between VLANs is terribly slow (~500 bytes/sec).
>
>
> I can't figure out what I'm doing wrong. My understanding is that
> everything should be handled by the switch and the router and
> the whole process should be transparent to the client
> machines.
>
> My understanding of the packets as they leave my
> router are:
>
> *BSD --> VLAN frames (1504 bytes) --> switch/trunk --> switch -->
> untagged frames (1500 bytes) --> client
>
> ...and the entire process is reversed during replies.
>
> I can't figure out what I'm doing wrong. Can someone please
> help? I'm at wits end!
>
> - Raja
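As an added example (not part of either message in this thread), the following Python models the switch-side behaviour both posts describe: an untagged frame from an access port is classified by that port's default tag, carried tagged (and 4 bytes longer, 1504 instead of 1500) to the router's trunk port, and has the tag stripped again on egress to untagged member ports. The port layout is an assumption modelled on Raja's setup (port 1 = router, tagged for VLANs 2 and 3; ports 2-5 untagged on VLAN 2; port 6 untagged on VLAN 3), and the model floods to every member port with no MAC learning.

```python
import struct
TPID = 0x8100  # 802.1Q Tag Protocol Identifier, occupies the EtherType slot

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after dst/src MAC; a 1500-byte frame becomes 1504."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]

def untag_frame(frame: bytes):
    """Return (vid, frame without tag); vid is None if the frame carries no tag."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vid, frame[:12] + frame[16:]
    return None, frame

class Switch:
    """Per-port VLAN membership as a managed switch exposes it (assumed model)."""
    def __init__(self):
        self.ports = {}  # port -> (default VID, untagged VIDs, tagged VIDs)

    def add_port(self, port, pvid, untagged=(), tagged=()):
        self.ports[port] = (pvid, set(untagged), set(tagged))

    def forward(self, ingress, frame):
        """Classify a frame arriving on `ingress`; return {egress port: frame}."""
        vid, payload = untag_frame(frame)
        if vid is None:  # untagged on ingress: the port's default tag applies
            vid = self.ports[ingress][0]
        out = {}
        for port, (_, untagged, tagged) in self.ports.items():
            if port == ingress:
                continue
            if vid in tagged:      # trunk side: tag kept, frame 4 bytes longer
                out[port] = tag_frame(payload, vid)
            elif vid in untagged:  # access side: tag stripped, plain Ethernet
                out[port] = payload
        return vid, out

def build_switch() -> Switch:
    """Assumed layout: port 1 = router trunk, 2-5 = VLAN 2 hosts, 6 = VLAN 3."""
    sw = Switch()
    sw.add_port(1, pvid=1, tagged={2, 3})
    for p in (2, 3, 4, 5):
        sw.add_port(p, pvid=2, untagged={2})
    sw.add_port(6, pvid=3, untagged={3})
    return sw

# Constructed sample: a maximum-size (1500-byte) untagged IPv4 frame from a host.
CLIENT_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"\x00" * 1486
```

Feeding CLIENT_FRAME in on port 3 yields a 1504-byte tagged copy on port 1 and untagged copies on ports 2, 4 and 5; the router's tagged reply on port 1 comes out untagged on ports 2-5 only.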