Ethernet Vlan Tagging Guidelines - Cisco Mesh Access Points Deployment Manual

Connecting the Cisco 1500 Series Mesh Access Points to the Network
When VLAN Transparent is disabled, the default Ethernet port mode is normal. VLAN Transparent must
Note
be disabled for VLAN tagging to operate and to allow configuration of Ethernet ports. To disable VLAN
Transparent, which is a global parameter, see the Configuring Global Mesh Parameters section.
• Normal mode—In this mode, the Ethernet port does not accept or send any tagged packets. Tagged
frames from clients are dropped.
Use the normal mode in applications when only a single VLAN is in use or there is no need to
segment traffic in the network across multiple VLANs.
• Access Mode—In this mode, only untagged packets are accepted. All incoming packets are tagged
with user-configured VLANs called access-VLANs.
Use the access mode for applications in which information is collected from devices connected to
the MAP, such as cameras or PCs, and then forwarded to the RAP. The RAP then applies tags and
forwards traffic to a switch on the wired network.
• Trunk mode—This mode requires the user to configure a native VLAN and an allowed VLAN list
(no defaults). In this mode, both tagged and untagged packets are accepted. Untagged packets are
accepted and are tagged with the user-specified native VLAN. Tagged packets are accepted if they
are tagged with a VLAN in the allowed VLAN list.
• Use the trunk mode for bridging applications such as forwarding traffic between two MAPs that
reside on separate buildings within a campus.
Ethernet VLAN tagging operates on Ethernet ports that are not used as backhauls.

Ethernet VLAN Tagging Guidelines

Follow these guidelines for Ethernet tagging:
• For security reasons, the Ethernet port on a mesh access point (RAP and MAP) is disabled by default.
It is enabled by configuring Ethernet bridging on the mesh access point port.
• Ethernet bridging must be enabled on all the mesh access points in the mesh network to allow Ethernet
VLAN tagging to operate.
• VLAN mode must be set as non-VLAN transparent (global mesh parameter). See the Configuring Global
Mesh Parameters (CLI) section. VLAN transparent is enabled by default. To set as non-VLAN transparent,
you must unselect the VLAN transparent option on the Wireless > Mesh page.
• VLAN tagging can only be configured on Ethernet interfaces as follows:
• Backhaul interfaces (802.11a radios) act as primary Ethernet interfaces. Backhauls function as trunks
in the network and carry all VLAN traffic between the wireless and wired network. No configuration
of primary Ethernet interfaces is required.
OL-27593-01
◦ On AP1500s, three of the four ports can be used as secondary Ethernet interfaces: port 0-PoE in,
port 1-PoE out, and port 3- fiber. Port 2 - cable cannot be configured as a secondary Ethernet
interface.
◦ In Ethernet VLAN tagging, port 0-PoE in on the RAP is used to connect to the trunk port of the
switch of the wired network. Port 1-PoE out on the MAP is used to connect to external devices
such as video cameras.
Cisco Mesh Access Points, Design and Deployment Guide, Release 7.3
Configuring Ethernet VLAN Tagging
153