Hi guys,
So I have a router and a dumb AP with VLANs up and running.
I got a Cisco switch, connected it to a port on my dumb AP, and set the switchport to trunk.
There are only 3 VLANs in use, but my question is: would this work the way I have set it up now?
My VLANs are 3, 4, 5 -
fa0/1 on the switch is to be vlan 3, fa0/2 vlan 2 and fa0/3 vlan 3.
For the moment I connected my PC locally to fa0/1 with a static IP to access the switch.
Green lights on my Cisco switch on port gig0/1, which is the trunk port back to the dumb AP.
The dumb AP logs a lot of errors; it looks like the Cisco is being blocked:
Tue Jun 27 10:25:52 2023 kern.err kernel: [ 2736.341192] mv88e6085 f1072004.mdio-mii:00: VTU member violation for vid 1, source port 0
Tue Jun 27 10:25:52 2023 kern.err kernel: [ 2736.451191] mv88e6085 f1072004.mdio-mii:00: VTU member violation for vid 1, source port 0
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.
> uci export network; uci export wireless; \
> uci export dhcp; uci export firewall
{
"kernel": "5.15.112",
"hostname": "Router",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Linksys WRT1900ACS",
"board_name": "linksys,wrt1900acs",
"rootfs_type": "squashfs",
"release": {
"distribution": "Divested-WRT",
"version": "SNAPSHOT",
"revision": "r23079+12-5636ffc22d",
"target": "mvebu/cortexa9",
"description": "Divested-WRT SNAPSHOT r23079+12-5636ffc22d"
}
}
package network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option delegate '0'
option device 'br-lan.3'
config device
option name 'wan'
option macaddr ''
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config device 'guest_dev'
option type 'bridge'
option name 'br-guest'
config bridge-vlan
option device 'br-lan'
option vlan '3'
list ports 'lan1:t'
list ports 'lan2'
list ports 'lan3'
config bridge-vlan
option device 'br-lan'
option vlan '4'
list ports 'lan1:t'
list ports 'lan2'
list ports 'lan3'
config bridge-vlan
option device 'br-lan'
option vlan '5'
list ports 'lan1:t'
list ports 'lan2'
list ports 'lan3'
config interface 'IOT'
option proto 'static'
option netmask '255.255.255.0'
option delegate '0'
option device 'br-lan.5'
option ipaddr '10.50.1.1'
config interface 'IOTW'
option proto 'static'
option device 'br-lan.6'
option netmask '255.255.255.0'
option type 'bridge'
option ipaddr '10.60.1.1'
config bridge-vlan
option device 'br-lan'
option vlan '6'
list ports 'lan1:t'
list ports 'lan3'
config interface 'Guest'
option proto 'static'
option device 'br-lan.4'
option ipaddr '10.40.1.1'
option netmask '255.255.255.0'
package wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
option channel '36'
option band '5g'
option htmode 'VHT40'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option macaddr ''
option encryption 'psk2'
option key ''
option ieee80211r '1'
option mobility_domain '123F'
option ft_over_ds '0'
option ft_psk_generate_local '1'
option ssid ''
config wifi-device 'radio1'
option type 'mac80211'
option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
option band '2g'
option htmode 'HT20'
option cell_density '0'
option channel '7'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option macaddr ''
option ssid ''
option encryption 'psk2'
option key ''
option ieee80211r '1'
option mobility_domain '123F'
option ft_over_ds '0'
option ft_psk_generate_local '1'
config wifi-iface 'wifinet2'
option device 'radio1'
option mode 'ap'
option encryption 'psk2'
option key ''
option network 'IOT'
option ssid 'IOT'
config wifi-iface 'wifinet3'
option device 'radio1'
option mode 'ap'
option ssid ''
option key ''
option network 'Guest'
option encryption 'none'
config wifi-iface 'wifinet4'
option device 'radio1'
option mode 'ap'
option encryption 'psk2'
option key ''
option network 'IOTW'
option ssid 'IOTW'
option hidden '1'
package dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option ednspacket_max '1232'
option confdir '/tmp/dnsmasq.d'
option localservice '1'
option noresolv '1'
list server '127.0.0.53'
config dhcp 'lan'
option interface 'lan'
option start '100'
option dhcpv4 'server'
option limit '180'
option leasetime '12h'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'IOT'
option interface 'IOT'
option start '100'
option limit '150'
option leasetime '6h'
config dhcp 'IOTW'
option interface 'IOTW'
option leasetime '12h'
option start '1'
option limit '50'
config dhcp 'Guest'
option interface 'Guest'
option start '100'
option limit '150'
option leasetime '2h'
package firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'GuestZone'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'Guest'
config rule
option name 'DNS and DHCP guest'
option src 'GuestZone'
option target 'ACCEPT'
list proto 'tcp'
list proto 'udp'
option family 'ipv4'
option dest_port '53 67'
config forwarding
option src 'GuestZone'
option dest 'wan'
config rule
option name 'DNS and DHCP IOT'
option src 'IOT'
option target 'ACCEPT'
option family 'ipv4'
list proto 'tcp'
list proto 'udp'
option dest_port '53 67 123'
config zone
option name 'IOT'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'IOT'
config forwarding
option src 'lan'
option dest 'IOT'
config rule
option name 'DHCP and DNS IOTW'
option src 'IOTW'
option dest_port '53 67'
option target 'ACCEPT'
option family 'ipv4'
config zone
option name 'IOTW'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'IOTW'
config forwarding
option src 'lan'
option dest 'IOTW'
config forwarding
option src 'IOTW'
option dest 'wan'
config forwarding
option src 'IOT'
option dest 'wan'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
Cisco switch (some ports removed to save space):
192.168.1.36 is a static IP assigned by my router to this switch (this is the home network, 192.168.1.0).
sh run
Building configuration...
Current configuration : 3262 bytes
!
! Last configuration change at 00:10:12 UTC Mon Jan 2 2006
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco-switch
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5
enable password
!
username password 0
aaa new-model
!
!
!
!
!
!
!
!
aaa session-id common
system mtu routing 1500
!
!
ip domain-name lan
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-4063627648
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4063627648
revocation-check none
rsakeypair TP-self-signed-4063627648
!
!
crypto pki certificate chain TP-self-signed-4063627648
certificate self-signed 01
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/1
description vlan1 port
spanning-tree portfast disable
!
interface FastEthernet0/2
description vlan1 port
!
interface FastEthernet0/3
description vlan3 port
switchport access vlan 3
!
interface GigabitEthernet0/1
description Uplink
spanning-tree portfast
!
interface GigabitEthernet0/2
description Uplink 2
spanning-tree portfast disable
!
interface Vlan1
ip address 192.168.1.36 255.255.255.0
!
ip default-gateway 192.168.1.1
If you want to get rid of the message with your current kernel, then you have to either remove VID 1 from the trunk on the 3560 or add it to the port on the mv88e6085 switch. Note that Cisco typically uses VID 1 as the default and implicit management VLAN.
If you want I can also post the dumb AP config here, but I believe it should be quite similar to the router's. Edit: interface 4 on the dumb AP is connected to the Cisco switch; I enabled tagging for all 4 VLANs on that interface.
And I connected a Reolink camera with PoE to the switch, and this camera got an IP on my home network, so it seems to work.
Added the rest of the VLANs on the Cisco switch, added the minimal config I know of to ports fa0/11 and 12, moved the cameras to those, and voilà, they are on the IOT VLAN and work from my phone when connected to the home network. Thanks!
Yes, that's important. If you don't explicitly set `switchport mode trunk`, Cisco ports operate in an automatic mode which does some strange things, especially when not connected to another Cisco switch.
Thanks! What else does the trunk port configuration need?
Regarding the untagged ports: on my router only port 1 is connected to the dumb AP and then the Cisco switch. If I make lan2 and lan3 tagged ports, won't that stop the hubs from working?
OK, VLANs 3-6 are allowed; those are all the VLANs I have.
So each LAN port, for instance lan2, can only have one untagged VLAN?
In my case they are on VLAN 3, the home network VLAN, so that would be the untagged VLAN and the rest tagged, then?
An OpenWrt port that is untagged in one VLAN and not part of any other VLAN is the same as a Cisco mode access port. It's intended to be connected to a device that doesn't use VLAN tags and should only have access to one network — such as a PC or printer.
OpenWrt does not have a direct equivalent of mode trunk, where any and every VLAN is by default switched to the port without further configuration. You can get the same result, though, by making the port tagged in all VLANs of interest; you do have to declare each VLAN separately.