Thanks Jouni. I appreciate your response. My comments/discussion are below interleaved in email. -----Original Message----- From: Jouni Malinen [mailto:j@xxxxx] Sent: Friday, October 22, 2010 11:28 AM To: Chaoxing Lin Cc: linux-wireless@xxxxxxxxxxxxxxx Subject: Re: Help: Guidance on "AP/VLAN" mode On Thu, Oct 21, 2010 at 03:54:30PM +0000, Chaoxing wrote: > 1. Can any one here help me understand what mac80211 "AP/VLAN" mode is and how > it's used? I googled and could not find a good document on this. See dynamic-VLAN configuration in hostapd.conf. CLIN: I saw that dynamic-VLAN section. And did not quite understand how to setup. Is there any further documentation on dynamica-VLAN? Must the interface in /etc/hostapd.vlan be type of __ap_vlan? Or it can be any AP interface specified in "bss=xxx" in multi-BSSID case? > 2. If it's meant for VLAN interface for multiple-SSID, how is the VLAN ID > configured? In theory, it could be used with multiple-SSID (i.e., mapping from SSID to VLAN), but there is no support for that in hostapd. The main use for this AP/VLAN interface is to get VLAN ID from a RADIUS server (or for more limited testing, from a local text file based on the station MAC address). CLIN: Getting VLAN ID from Radius server means all VLANs must use 802.1x way for authentication. This limits the flexibility of multiple-SSID. My current AP with proprietary driver&app allow different VLAN to use any authentication/encryption. Although hostapd provide build-in radius server, it's kind of a hack to use it just to add VLAN ID for clients using WEP/WPA-PSK > 3. In my AP with proprietary driver, there's multiple-SSID over the same BSSID. > (Meaning they share the same MAC address.) Each SSID is mapped to one VLAN. > Broadcasting SSID is disabled. > On receiving packet from clients, AP adds VLAN tag per SSID client associates. > On transmitting packet to clients, AP remove VLAN tag. > Is it possible to achieve the above functionality through existing open source > software(mac80211, iw, hostapd, radio driver, etc)? You can do similar setup with RADIUS-based VLAN ID allocation. Though, mac80211 will leave the VLAN tagging or other upper layer configuration to other parts of the networking stack (VLAN, bridge, IP routing). hostapd can set that up for the bridge and WLAN interfaces and if desired, you can then bind those to tagged ethernet interface. Since we support multi-BSSID configuration (which is superior to multi-SSID for most cases), I haven't seen enough justification to work with multi-SSID functionality. Do you have a use case that would need it or would the RADIUS-based VLAN ID allocation or multi-BSSID support address your needs? CLIN: 1. Most of the time multi-BSSID is superior to multi-SSID. But multi-BSSID uses multiple MAC addresses and each radio actually has only reserved one MAC address. Meaning, all other MAC addresses used are actually reserved by other radio/Ethernet adapter, etc. When product like this goes on market, it's bound to have MAC address conflict, unless vendor reserves enough MAC for its product. It's kind of a waste to reserve 32 (in my case) MAC addresses per radio since most of the time multi-BSSID won't be used in SOHO. 2. The other thing regarding hostapd dynamic VLAN is that it creates a bridge for each VLAN and tag is only added at a certain interface e.g. "vlan_tagged_interface=eth0". There are a few problems with this design. a. One bridge for each VLAN overloads system unnecessarily. It means that all protocols over bridge have to run multiple copies, one per bridge. This is expensive for embedded devices. b. In case there multiple interfaces need vlan tag, does hostapd allow me to put multiple interfaces in "vlan_tagged_interface=xxx" option? Even if it allows that, it's still inconvenient if the interface list is dynamic. My current product has one bridge which encloses one Ethernet port, AP/VLAN interface, and multiple(dynamic, auto detect by proprietary app) WDS interfaces. Only AP/VLAN interface adds/removes/checks VLAN tag per SSID, while all other interfaces in the bridge pass packet as is (In other words, they behave as VLAN trunk ports). Eventually, it's up to the VLAN switch attached at the Ethernet port to distribute packet per VLAN rules. It seems hard for me to use current (mac80211, hostapd, iw, etc) to achieve what I need. -- Jouni Malinen PGP id EFC895FA -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
