MT7986 Wi-Fi VLAN Application Note External

WiFi VLAN Application Note

Outline

▪ VLAN Introduction
▪ WiFi VLAN Ingress/Egress Flow Chart
▪ WiFi VLAN Command List
▪ Scenarios

VLAN INTRODUCTION

What is VLAN?

Create Separate Broadcast Domain
Logical grouping of devices in the same broadcast domain.
A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer. VLANs work by applying tags to network frames and handling these tags in networking systems.

Isolate traffic
Reduce the ability to see anything not in your VLAN.
A VLAN can be used to secure LAN traffic. This means that even with a route, if a computer isn't configured with access to a VLAN, it can't get into the VLAN.

What is VLAN?

Allow QoS
Prioritizes traffic so that important packets can pass first.
VLANs allow QoS measures to be taken on devices normally fighting for shared bandwidth. The network admin can provide different QoS to different VLANs and prevent low priority packets from killing high priority packets.

Separate the Network Logically
Keep network devices separate despite being connected to the same physical network.
Creating the appearance and functionality of network traffic that is physically on a single network but acts as if it is split between separate networks. In this way, VLANs can keep network applications separate despite being connected to the same physical network. VLANs also allow hosts to be grouped together in the same broadcast domain even if they are not connected to the same switch.

Why Use VLAN?

▪ Separate broadcast domain
▪ Separate the network logically
▪ Isolate traffic
▪ Allow QoS

Result in:

▪ Better network performance
▪ Better security
▪ More Flexibility

Category of VLANs

▪ Port based
▪ MAC based
▪ Tag based
▪ IP based
▪ Q in Q

802.1Q Tag Format

Protocols

| Standard | Cisco Proprietary |
|---|---|
| IEEE 802.1Q | VLAN Trunking Protocol (VTP), Inter-Switch Link (ISL) |

Frame layout:

Preamble | Destination MAC | Source MAC | 802.1Q Header | Ethernet Type | Payload | CRC/FCS

802.1Q Header:

| Field | TPID | PCP | DEI | VID |
|---|---|---|---|---|
| Size | 16 bits | 3 bits | 1 bit | 12 bits |
| Meaning | 802.1Q | Priority code point | | VLAN ID |
| Value | 0x8100 | 0-7 | | 1 - 4094 (0x000 and 0xFFF are reserved) |

Flow Chart and Behavior
WIFI VLAN INGRESS/EGRESS FLOW CHART

Egress Behavior

Egress (Tx Behavior), by type of packet received from the kernel:

| Tx Behavior | Same VID VLAN pkt (or VID=0) | Diff VID VLAN pkt | Non-VLAN pkt |
|---|---|---|---|
| VLANTag=0 | Untag | If policy is Drop, drop it. Otherwise, Untag | N/A |

VLANTag=1: Insert PCP & VID. Diff VID VLAN pkt: Follow Policy.

| Tx Behavior | Same VID VLAN pkt (or VID=0) | Diff VID VLAN pkt | Non-VLAN pkt |
|---|---|---|---|
| Policy : Drop (Default) | N/A | Drop | N/A |
| Policy : ALLOW | N/A | Allow | N/A |
| Policy : REPLACE VID | N/A | Replace VID | N/A |
| Policy : REPLACE ALL | N/A | Replace PCP&VID | N/A |

CONFIDENTIAL C Copyright © MediaTek Inc. All rights reserved. 2022/1/13 10


[Figure: Egress Flow Chart]

Ingress Behavior

Ingress (Rx Behavior), by type of packet received over the air:

| Rx Behavior | Same VID VLAN pkt (or VID=0) | Diff VID VLAN pkt | Non-VLAN pkt |
|---|---|---|---|
| Policy : Drop (Default) | N/A | Drop | N/A |
| Policy : Untag | Untag | Untag | N/A |
| Policy : ALLOW | N/A | Allow | N/A |
| Policy : REPLACE VID | N/A | Replace VID only | Insert VID only |
| Policy : REPLACE ALL | Replace PCP if PCP is diff | Replace VID & PCP | Insert VID & PCP |

[Figure: Ingress Flow Chart]

COMMAND LIST

Command List (1/3)

▪ iwpriv [INTERFACE] show vlaninfo
  • All MBSS interfaces share the same RXPolicy

iwpriv ra0 show vlaninfo
iwpriv apcli0 show vlaninfo

Command List (2/3)

▪ iwpriv [INTERFACE] set VLANTag=[VALUE]
  • VALUE = 0/1 : Egress packet will be untagged/tagged

iwpriv ra0 set VLANTag=0 # Tx frames will be untagged
iwpriv ra0 set VLANTag=1 # Tx frames will be tagged

▪ iwpriv [INTERFACE] set VLANID=[VID]
  • VID = [0,4095] (0x000 and 0xFFF are reserved)

iwpriv ra0 set VLANID=1
iwpriv ra0 set VLANID=20

Command List (3/3)

▪ iwpriv [INTERFACE] set VLANPriority=[PCP]
  • PCP = [0,7]

iwpriv ra0 set VLANPriority=3

▪ iwpriv [INTERFACE] set VLANPolicy=[PATH]:[POLICY]
  • PATH = 0/1 : Set the Tx/Rx Policy
  • POLICY: refer to following slides

iwpriv ra0 set VLANPolicy=0:0 # Set Tx Policy
iwpriv ra0 set VLANPolicy=1:0 # Set Rx Policy

Tx Policy

▪ iwpriv [INTERFACE] set VLANPolicy=0:[POLICY]

| POLICY | Policy Name | Description |
|---|---|---|
| 0 | DROP | If received packet from kernel has different VID, drop it |
| 1 | ALLOW | If received packet from kernel has different VID, do nothing |
| 2 | REPLACE VID | If received packet from kernel has different VID, replace VID |
| 3 | REPLACE ALL | If received packet from kernel has different VID, replace PCP & VID |

iwpriv ra0 set VLANPolicy=0:1 # Set Tx ALLOW
iwpriv ra0 set VLANPolicy=0:2 # Set Tx REPLACE VID

Rx Policy

▪ iwpriv [INTERFACE] set VLANPolicy=1:[POLICY]

| POLICY | Policy Name | Description |
|---|---|---|
| 0 | DROP | If ingress VLAN pkt has different VID, drop it |
| 1 | UNTAG | If ingress pkt is tagged, un-tag it |
| 2 | ALLOW | If ingress VLAN pkt has different VID, do nothing |
| 3 | REPLACE VID | If ingress VLAN pkt has different VID, replace VID. Insert the VLAN Tag if the ingress pkt is non-vlan |
| 4 | REPLACE ALL | If ingress VLAN pkt has different VID, replace PCP & VID. Insert the VLAN Tag if the ingress pkt is non-vlan |

iwpriv ra0 set VLANPolicy=1:1 # Set Rx UNTAG
iwpriv ra0 set VLANPolicy=1:4 # Set Rx REPLACE ALL

TEST SCENARIOS

Ingress Rule Test - DROP

[Figure: the Laptop (Packet Generator, Sniffer) sends a Tagged ICMP Echo Req. with VID=30 to the AP; the Driver in front of ra0 applies DROP, nothing reaches br-lan, and the Laptop sees No Reply.]

iwpriv ra0 set VLANTag=0
iwpriv ra0 set VLANID=33
iwpriv ra0 set VLANPriority=3
iwpriv ra0 set VLANPolicy=0:0
iwpriv ra0 set VLANPolicy=1:0

Ingress Rule Test - UNTAG

[Figure: the Laptop (Packet Generator, Sniffer) sends a Tagged ICMP Echo Req. with VID=33 to the AP; the Driver applies UNTAG, the frame is Untagged on ra0 and on br-lan, and the Laptop receives an Untagged ICMP Echo Reply.]

iwpriv ra0 set VLANTag=0
iwpriv ra0 set VLANID=33
iwpriv ra0 set VLANPriority=3
iwpriv ra0 set VLANPolicy=0:0
iwpriv ra0 set VLANPolicy=1:1

Ingress Rule Test – REPLACE VID

[Figure: the Laptop (Packet Generator, Sniffer) sends a Tagged ICMP Echo Req. with VID=30 to the AP; the Driver applies REPLACE, the frame is tagged, vid=33 on ra0 and ra0.33 and Untagged on br-lan, and the Laptop receives an Untagged ICMP Echo Reply.]

vconfig add ra0 33
ifconfig ra0.33 up
brctl addif br-lan ra0.33
iwpriv ra0 set VLANTag=0
iwpriv ra0 set VLANID=33
iwpriv ra0 set VLANPriority=3
iwpriv ra0 set VLANPolicy=0:0
iwpriv ra0 set VLANPolicy=1:3

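The Rx policy table and the three ingress tests above, modelled over raw 802.1Q frames as an added example (this is not MediaTek driver code). It assumes that an N/A cell means the frame passes unchanged and that "Insert VID only" uses PCP 0; `parse_tag`, `set_tag`, `rx_policy` and `sample_frame` are hypothetical names, and the frames are constructed.

```python
import struct

TPID = 0x8100
DROP, UNTAG, ALLOW, REPLACE_VID, REPLACE_ALL = range(5)  # VLANPolicy=1:[POLICY]

def parse_tag(frame):
    """Return (pcp, dei, vid) for an 802.1Q-tagged frame, None if untagged."""
    if len(frame) < 18 or struct.unpack_from("!H", frame, 12)[0] != TPID:
        return None
    tci = struct.unpack_from("!H", frame, 14)[0]
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF

def set_tag(frame, pcp, vid, dei=0):
    """Insert a tag into an untagged frame, or overwrite an existing tag."""
    rest = frame[16:] if parse_tag(frame) else frame[12:]
    return frame[:12] + struct.pack("!HH", TPID, pcp << 13 | dei << 12 | vid) + rest

def rx_policy(frame, policy, vlan_id, vlan_pcp):
    """Frame passed up after the Rx policy, or None if dropped.
    Assumptions: N/A cells pass the frame unchanged; 'Insert VID only' uses PCP 0."""
    tag = parse_tag(frame)
    if tag is None:                               # Non-VLAN pkt
        if policy == REPLACE_VID:
            return set_tag(frame, 0, vlan_id)
        if policy == REPLACE_ALL:
            return set_tag(frame, vlan_pcp, vlan_id)
        return frame
    pcp, dei, vid = tag
    if policy == UNTAG:                           # any tagged pkt
        return frame[:12] + frame[16:]
    if vid in (0, vlan_id):                       # Same VID VLAN pkt (or VID=0)
        if policy == REPLACE_ALL and pcp != vlan_pcp:
            return set_tag(frame, vlan_pcp, vid, dei)
        return frame
    if policy == DROP:                            # Diff VID VLAN pkt from here on
        return None
    if policy == REPLACE_VID:
        return set_tag(frame, pcp, vlan_id, dei)
    if policy == REPLACE_ALL:
        return set_tag(frame, vlan_pcp, vlan_id, dei)
    return frame                                  # ALLOW: foreign VID kept as-is

def sample_frame(vid=None, pcp=0):
    """Constructed sample: broadcast dst, local src, EtherType IPv4, zero payload."""
    base = bytes.fromhex("ffffffffffff0200000000010800") + bytes(46)
    return base if vid is None else set_tag(base, pcp, vid)
```

With VLANID=33, a frame tagged VID=30 is dropped under the default DROP policy but passes with its tag intact under ALLOW, which is the difference that matters when the VLAN is relied on for isolation.
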
Egress Rule Test – DROP

[Figure: the Laptop (Packet Generator, Sniffer) sends a Tagged ICMP Echo Req. with VID=30 to the AP; the frame is tagged, vid=30 on ra0 and ra0.30 and Untagged on br-lan. On the way back it is tagged, vid=30 on ra0.30 and ra0, the Driver applies DROP, and the Laptop sees No Reply.]

vconfig add ra0 30
ifconfig ra0.30 up
brctl addif br-lan ra0.30
iwpriv ra0 set VLANTag=1
iwpriv ra0 set VLANID=33
iwpriv ra0 set VLANPriority=3
iwpriv ra0 set VLANPolicy=0:0
iwpriv ra0 set VLANPolicy=1:2

Egress Rule Test – REPLACE VID

[Figure: the Laptop (Packet Generator, Sniffer) sends a Tagged ICMP Echo Req. with VID=30 to the AP; the frame is tagged, vid=30 on ra0 and ra0.30 and Untagged on br-lan. On the way back it is tagged, vid=30 on ra0.30 and ra0, the Driver applies REPLACE, and the Laptop receives a frame labelled "Tagged ICMP Echo Req. VID=33".]

vconfig add ra0 30
ifconfig ra0.30 up
brctl addif br-lan ra0.30
iwpriv ra0 set VLANTag=1
iwpriv ra0 set VLANID=33
iwpriv ra0 set VLANPriority=3
iwpriv ra0 set VLANPolicy=0:2
iwpriv ra0 set VLANPolicy=1:2

Backhaul Link is VLAN

[Figure: AP1 ra0 (vid=33) and AP2 apcli0 (vid=33) are joined by a Tagged backhaul link; STA1 attaches to ra1 on AP1 and STA2 to ra1 on AP2, both untagged.]

AP1:

iwpriv ra0 set VLANTag=1
iwpriv ra0 set VLANID=33
iwpriv ra0 set VLANPriority=3
iwpriv ra0 set VLANPolicy=0:0
iwpriv ra0 set VLANPolicy=1:1

AP2:

iwpriv apcli0 set VLANTag=1
iwpriv apcli0 set VLANID=33
iwpriv apcli0 set VLANPriority=3
iwpriv apcli0 set VLANPolicy=0:0
iwpriv apcli0 set VLANPolicy=1:1