Wireless digital networks, such as networks operating under the current Institute of Electrical and Electronics Engineers (IEEE) 802.11 standards, are growing in popularity and availability. However, a network depends on different components working together toward a common goal. When the different components are managed via different systems, it can become cumbersome and error-prone to ensure that the configurations in different components are working together correctly.
Specifically, access points (APs) can be deployed in bridge mode in a WLAN. When operating in bridge mode, network packets are tagged by APs with VLAN tags and forwarded directly to the next hop network node without being transmitted to a centralized network controller device. Such deployment allows network packets to bypass the centralized controller and be transmitted to their destination via the shortest route. An AP deployed in bridge mode is capable of providing firewall services, converting a wireless packet in accordance with the IEEE 802.11 standard to a wired packet in accordance with IEEE 802.3, identifying a particular VLAN for the wired packet to be forwarded on, tagging the wired packet with a particular VLAN identifier, and forwarding the wired packet tagged with the particular VLAN identifier on the particular VLAN via a wired interface to an upstream switch device. In these scenarios, it is important for the upstream switch of an AP to be configured such that the uplink port of the switch connected to the AP allows the VLANs tagged by the AP.
Each AP has a configuration that provides a static mapping between a respective service set identifier (SSID) and a respective VLAN identifier. The configuration can be obtained from a management plane mechanism, for example, either received from user configuration or from a network control device. Alternatively, an AP can determine a VLAN identifier via a control plane mechanism, such as VLAN derivation based on a client device's authentication information obtained from communication between the AP and a network authentication server (e.g., a RADIUS server). This is often referred to as “per-user firewall.”
If the upstream switch does not allow all of the VLANs that a wireless and/or wired client of the AP can possibly have, network traffic from the client would be denied service because of the VLAN configuration mismatch between the switch and the AP.
Moreover, in a centralized deployment where a cluster of network control devices manages all client devices in the WLAN, the upstream switch port of each network control device in the cluster must be correctly configured to allow the VLANs that client devices in the WLAN are assigned to. Because the network control devices and the switches in the WLAN may be from different vendors and configured through different systems, the VLAN configuration process can generate mismatches between the VLANs configured for the upstream switch ports and the VLANs configured on the network control devices.
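The mismatch described above can be checked offline by comparing the VLANs each AP may tag against the VLANs its uplink port allows. The following is an added example, not part of the original text; the device names, SSIDs, VLAN identifiers, record layout and the "10,20-25" allowed-list syntax are all constructed assumptions. The same comparison applies to a network control device if its record is supplied in place of an AP's.

```python
# Added example: audit the VLANs an AP can tag against its upstream uplink port.
# Every name, SSID, VLAN id and the "10,20-25" list syntax here is constructed.

def parse_vlan_list(spec):
    """Expand an allowed-VLAN string such as "10,20-22" into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (1 <= lo <= hi <= 4094):      # valid 802.1Q VLAN ids
            raise ValueError(f"invalid VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans

def required_vlans(ap):
    """Static SSID-to-VLAN mappings plus VLANs derivable per user (e.g. via RADIUS)."""
    return set(ap["ssid_vlans"].values()) | set(ap.get("derived_vlans", ()))

def audit(aps, uplinks):
    """Return {ap_name: sorted VLANs that the uplink port does not allow}."""
    findings = {}
    for ap in aps:
        port = uplinks.get(ap["name"])       # no record: treat nothing as allowed
        allowed = parse_vlan_list(port["allowed"]) if port else set()
        missing = required_vlans(ap) - allowed
        if missing:
            findings[ap["name"]] = sorted(missing)
    return findings

# Constructed inventory: AP side (management/control plane) and switch side.
APS = [
    {"name": "ap-lobby", "ssid_vlans": {"corp": 10, "guest": 30}, "derived_vlans": [40]},
    {"name": "ap-lab", "ssid_vlans": {"corp": 10}, "derived_vlans": [20, 21]},
    {"name": "ap-dock", "ssid_vlans": {"corp": 10}},
]
UPLINKS = {
    "ap-lobby": {"switch": "sw1", "port": "1/0/5", "allowed": "10,30"},
    "ap-lab": {"switch": "sw1", "port": "1/0/6", "allowed": "10,20-25"},
}

if __name__ == "__main__":
    for name, missing in audit(APS, UPLINKS).items():
        print(f"{name}: uplink does not allow VLANs {missing}")
```

An AP with no uplink record is reported with all of its VLANs missing, so an incomplete switch inventory shows up as a finding rather than passing silently.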