Problems using VLAN tags

[papahoward]

I just finished reading the VLAN How To: Segmenting a small LAN by Doug Reid. Excellent article to learn the basics of VLAN, which is where I'm at.

I have modeled a VLAN case successfully using a TP-Link SG108E managed switch and an Engenius ECB9500 AP that would isolate the AP from my network. I configured the AP with only 1 SSID and did not use VLAN tagging:

SG108E settings:

VLAN→802.1Q VLAN settings:

port 1: Netgear router
port 2: Engenius AP
ports 3-8: network PCs

802.1Q VLAN: enabled
untagged ports settings:

1 2 3 4 5 6 7 8 ports
x x x x x x x x VLAN 1 (default)
x - x x x x x x VLAN 2 (networked PCs)
x x - - - - - - VLAN 3 (Engenius AP)

802.1Q VLAN PVID Settings:
1 2 3 4 5 6 7 8 ports
1 3 1 1 1 1 1 1 PVID
- - - - - - - - LAG

It was successful as I could not ping the PCs on ports 3-8 or access shared files when connected via the AP.

My next challenge was to use 2 SSIDs with VLAN tags, one for network access and one for guest internet access only, which is were I ran into trouble. I set tags on the Engenius as recommended in http://www.engeniustech.com/images/stories/VLAN-ECB9500-EAP9550.pdf setting tags to 10 for network access and 20 for guest internet only. I played around with several settings on the SG108E switch, but with no success.

What would be the correct settings for the switch? Any help or suggestions would be appreciated.

SG108E manual: http://www.tp-link.com/resources/document/TL-SG108E_V1_User_Guide_Easy_Smart_Configuration_Utility_1910010977.pdf

ebc9500 manual: http://www.engeniustech.com/resources/ECB9500-UsersManual-V2-0_20090930.pdf

 

[abailey]

I will start off by saying I have done switch/routing for a long time but I usually use a router when making devices talk across VLAN's. That being said I am not an expert at the type of segmentation you are using, but I'll give it a try.
First, it looks like from your post that ports 3-8 (in VLAN2) have a PVID of 1. You need to change the PVID of ports 3-8 to 2 (to match their VLAN).
Next, you need to use the same VLAN numbers on your Engenius AP as you did your switch. So your guest SSID needs to use VLAN 3 and your SSID for network access needs to use VLAN 2.
Last, port 2 on your switch needs to be a TAGGED member of VLAN 2 and VLAN 3.
Also, I am not familiar with the Engenius AP, but you may have to tell the AP that its port needs to be a Tagged port. You probably do not have to do this, I just wanted to mention it.

 

[htismaqe]

Without a router (or Layer 3 switch) the devices on the individual VLANs won't be able to see each other. For all intents and purposes, they appear to an IP network as if they are separate physical networks.

If you're tagging two VLANs on the AP, you'll need to setup the wired port that it connects to as a tagged port (or trunk port, depending on the lingo). That port will have to be a member of both VLANs or it won't work.

 

[papahoward]

Much thanks for quick responses. I'll give it a try.

 

[htismaqe]

Much thanks for quick responses. I'll give it a try.

Just keep in mind that member ports in one VLAN don't really "participate" in the VLAN. The host connected to that port is not VLAN aware. The port itself does not advertise it's own VLAN. It's a "dumb" port. Only the switch fabric itself knows that VLAN X or Y goes with that port.

If you need to have the attached station be VLAN aware, as is the case with your AP, or when you're configuring a switch-to-switch connection and want to pass VLAN information or traffic back and forth, you have to configure a tagged or trunk port and make that port a member of all VLANs that you want it to know about.

 

[dreid]

Papahoward -

I tried your scenario with multiple different configurations in my lab and couldn't get multiple SSIDs on separate VLANs to work without a router that supports tagging. If you got it working, I'm curious what you did.

If you didn't get it working, the best solution is to get a router that supports VLAN tagging.