Unmanaged switches and VLANs

trunolimit

Occasional Visitor
I think I already know the answer to this question but I'm hoping I'm wrong.

Diagram1_zps210c6ac4.jpeg


So this is my setup. I have 3 Luxul switches which are unmanaged and they are hooked up to a Meraki MX60W. I also have Meraki APs attached to each switch.

Now my goal is to set up a guest network so I can set restrictions on guests attaching to the network. How I normally do it is I set up VLANs for each SSID and call it a day. I can then apply rules to that VLAN.

In this case I have unmanaged switches in between the VLAN-capable stuff. Shouldn't the switch just automatically pass the 802.1Q info along, or will that get stripped out? If it does get stripped out, will that mean only the native VLAN will be answering DHCP requests?

What's the best way to go about this?
 
A non-managed switch does not have support for VLAN tags, thus it does not pass them on. So only the native VLAN would work correctly. On the bright side, managed switches have come way down in price, so maybe that would be an option?

Also, I am not familiar with your WAPs, but the Ubiquiti APs I use can form a visitor network on the same VLAN as everything else, but isolate it so it can't see anything else. Maybe yours can do that?
 
Yeah, I figured as much. Can you explain the technical details as to how the Ubiquiti accomplishes this? These Meraki are enterprise-grade WAPs, so they probably do have that capability. I just need to understand how and then I can dig into the menus to do it.
 
On the Ubiquiti APs you can set up different VLANs and SSIDs, but it also has a setup for guest access. Under the Guest access portion, it has access controls, and under the access controls it has a place to put restricted subnets. There you can put in any subnets you don't want the Guest network to see, including the subnet it is on. If you put the subnet it is on, then it can't see anything else on the subnet. Also in the config you can apply bandwidth control to the VLANs or the Guest network.
 
Meraki suggests that adding this little rule to the particular SSID is enough to isolate the guest network without using VLANs.

firewall_zpsbafebdb1.png


I would assume this would stop internet traffic too because you need to traverse the wired LAN to get to the internet. When I get it up and running I will test to see if this really does the trick.

Thanks for your help. I was actually looking into Ubiquiti for their IP cameras. And from what I understand, you don't have to pay a licensing fee for the cloud management software like you do with Meraki.
 
I got a response from Luxul which I think is totally wrong.

The question I posed:

I have your XGS 1024s switch between 2 other vendor devices. My router supports VLAN tags and my access points support VLAN tags. Will the xgs 1024s pass along that 802.1Q VLAN tag? Or will the XGS drop that tag? Are all the ports set up to auto trunk?

The response I got:

The Switch XGS-1024 should not drop any tagging. The switch only cares about MAC addresses that work in the Layer 2 of the OSI model, and the tagging works on the Layer 3 of the OSI model. So the switch doesn’t even look at the tagging, it just passes the data through.
 
It is possible for an unmanaged switch to pass VLAN tagged frames. The problem is some do and some do not. If your switches do not care about oversized frames they may work. You will just have to see if yours will. So his answer is not totally wrong, it just is not totally right either, as some dumb switches will think the VLAN tagged frames (that are larger than normal frames) are malformed and will drop them. There are also other problems that can crop up, and security is an issue, so it is generally accepted as a bad idea to try to run VLANs through an unmanaged switch.
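
The frame-size point in the post above, as an added example that is not part of the thread: an 802.1Q tag is 4 bytes inserted into the Ethernet header right after the source MAC, so a full-size tagged frame is 1522 bytes on the wire instead of 1518. The MAC addresses, VLAN ID 20 and the `forwarded_by` switch model (forward purely on a maximum frame size) are constructed assumptions.

```python
import struct

TPID_8021Q = 0x8100    # EtherType value that marks an 802.1Q tag
MAX_UNTAGGED = 1518    # largest standard Ethernet frame, FCS included
MAX_TAGGED = 1522      # same frame with the 4-byte 802.1Q tag added
FCS_LEN = 4

def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame (without FCS); add an 802.1Q tag if vlan_id is set."""
    header = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)   # priority bits + 12-bit VLAN ID
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload

def inspect_frame(frame):
    """Return the VLAN ID (None if untagged), inner EtherType and on-wire size."""
    (tpid,) = struct.unpack_from("!H", frame, 12)   # field right after the two MACs
    if tpid == TPID_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan = tci & 0x0FFF
    else:
        vlan, ethertype = None, tpid
    return {"vlan": vlan, "ethertype": ethertype, "wire_size": len(frame) + FCS_LEN}

def forwarded_by(frame, max_frame):
    """Assumed switch model: forward only frames no larger than max_frame bytes."""
    return inspect_frame(frame)["wire_size"] <= max_frame

# Constructed sample values, not taken from the thread.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
IPV4 = 0x0800
GUEST_VLAN = 20

small_tagged = build_frame(DST, SRC, IPV4, b"\x00" * 300, vlan_id=GUEST_VLAN)
full_untagged = build_frame(DST, SRC, IPV4, b"\x00" * 1500)
full_tagged = build_frame(DST, SRC, IPV4, b"\x00" * 1500, vlan_id=GUEST_VLAN)

if __name__ == "__main__":
    for name, f in [("small tagged", small_tagged),
                    ("full untagged", full_untagged),
                    ("full tagged", full_tagged)]:
        info = inspect_frame(f)
        print(name, info,
              "strict-1518:", forwarded_by(f, MAX_UNTAGGED),
              "tolerant-1522:", forwarded_by(f, MAX_TAGGED))
```

In this model small tagged frames such as DHCP pass a switch limited to 1518 bytes while full-MTU tagged frames do not, so a test through the real switches should include full-size traffic on the tagged SSID and not only a DHCP lease.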
 
agree.

In the past, my encounter with Luxul was not good.
 