• Status: Solved
  • Priority: Medium
  • Security: Public

VLAN issue driving me nuts ...

So I have two of these DLINK DAP-2360 Wifi routers where I can configure multiple SSIDs and multiple VLANs. I've configured one and it works (at the place it's now and it also worked in my office where I set it up). I've tried to configure a second one now but I only get an IP address when connecting to the 'internal' SSID but not when I try connecting to the SSID of the 'free internet' SSID ...

I think it has to do with our switch ... could someone please explain to me again how I have to tag or untag ports?

In order to be able to access two different VLANs I need to tag the port on the switch in the two VLANs, right? But I've done that and I only get access to the one VLAN, not both ... !?

As for the WAP I've got (for the 'free' VLAN) the LAN port tagged and one MSSID port untagged (it's not possible to tag it > the option is greyed out).

I've also compared it to the working WAP but I don't get it ... seems I'm confused or my brain froze ...

Any ideas!?

Thanks a lot!
Asked by: Xeronimo
 
Zephyr ICT (Cloud Architect) commented:
Are you using the Default VLAN? I think, if I'm picturing it correctly, you should have 1 VLAN untagged (e.g. Default) and the other VLAN tagged, so that it's the same on both devices (WAP and Switch) ...

But, like I said, maybe I'm not getting the picture entirely.
 
Xeronimo (Author) commented:
Our setup is a bit weird ... We've got 3 VLANs:

VLAN 1 is the legacy one that we don't actually use anymore but I'm a bit hesitant to remove it in case we've forgotten about something ...
VLAN 20 is the internal LAN.
VLAN 30 is the 'free internet' VLAN.
 
Xeronimo (Author) commented:
But VLAN20 is the default, it's the one that's untagged. VLAN1 is mostly 'not member', I'll set all the ports on 'VLAN1: not member' and see what happens ... if everything works fine then it should be ok to remove it, no?
 
Zephyr ICT (Cloud Architect) commented:
I wouldn't just remove the VLAN1, unless you really know what you're doing, because most of the switches have their management on VLAN1, so if you delete it you can't reach the management web-interface for instance.

You can tell the switch (most switches) that management is on another VLAN, prior to removing VLAN1, so if you want to remove VLAN1 make sure you check that out.

When not using VLAN1, just untag VLAN20 and tag VLAN30. What switch are you using exactly?
 
Xeronimo (Author) commented:
The management interfaces can be reached using the IP addresses of VLAN20 so that shouldn't be a problem?

I've checked and the switches have already VLAN20 untagged (and thus it represents the default, right?).

And so the default VLAN is always untagged and only the additional VLANs are tagged?

We've got a whole mix of switches (over the years): 2x 3COM, 1x HP ProCurve and 1x ancient Alcatel OmniSwitch (which needs to be replaced).
 
Zephyr ICT (Cloud Architect) commented:
> The management interfaces can be reached using the IP addresses of VLAN20 so that shouldn't be a problem?

Normally not no...


Did you create a trunk for the port and make VLAN20 the default?
 
Xeronimo (Author) commented:
> Did you create a trunk for the port and make VLAN20 the default?

We've got a link aggregation and VLAN 20 is untagged on it. Does that answer your question ...?
 
Zephyr ICT (Cloud Architect) commented:
Ok ... But is the LACP connected to the WAP or is that between switches? I doubt the WAP can do LACP.

To test you could just use another port, set it untagged in VLAN20 and tagged in VLAN30 (without trunk or LACP).
 
Xeronimo (Author) commented:
The LACP is between the switches.

And ok, I'll test that.
 
Xeronimo (Author) commented:
Ok, I've identified the problem now:

If I set the port untagged VLAN20 then the AP does not get an internal IP address, if I set it tagged it does.

As for VLAN30 it doesn't matter whether or not it's tagged or untagged, I don't get an IP address :/

Yet on the switch that port is untagged VLAN30 and tagged VLAN20, exactly like a second switch (the ProCurve) where the other WAP (which works) is connected too ... So maybe it's the WAP VLAN configuration then?
 
Zephyr ICT (Cloud Architect) commented:
How does the WAP set the VLAN, is it using PVID or something? Maybe it works if you set the port trunked and both VLANs tagged, sort of between switches...

On the ProCurve it's just like that? VLAN20 tagged and untagged in VLAN30... It should work the same on this switch, so it might be a problem on the WAP yes, not familiar with this brand, so I'll try and find a manual.
 
Xeronimo (Author) commented:
Here's a screenshot ...

screenshot
 
Zephyr ICT (Cloud Architect) commented:
I don't know the difference between the ports S-x and W-x ... But I see that the ports are untagged (untag VID)... If you want to mirror the switch setup you should put the VLAN20 in tagged VID I think... Of course, this doesn't solve the issue with VLAN30 not getting an IP.
 
Zephyr ICT (Cloud Architect) commented:
I spoke too soon .. Seeing the second screenshot only now....
 
Xeronimo (Author) commented:
The problem is also that I can't tag MSSID ports at all. They're greyed out? Wouldn't I need to tag the S-7 instead of untagging it?
 
Zephyr ICT (Cloud Architect) commented:
You say the VLAN30 is untagged on the switch, yet it is tagged in the WAP I see in the last screenshot (Tag for LAN)... I think the MSSID ports just need to be untagged in that VLAN, they act as a client on the switch (I assume).
 
Xeronimo (Author) commented:
No, and I'm sorry if I am confusing you but on the switch VLAN20 (the main VLAN) is untagged and the VLAN is tagged.
 
Xeronimo (Author) commented:
//
 
Xeronimo (Author) commented:
I'll try to summarize it again ...

on the 3COM switch:
var1: VLAN20 untagged & VLAN30 tagged > no IP for V20, no IP for V30
var2: VLAN20 tagged & VLAN30 tagged > IP for V20, no IP for V30
var3: VLAN20 tagged & VLAN30 untagged > IP for V20, no IP for V30
var4: VLAN20 untagged & VLAN30 untagged > no IP for V20, no IP for V30

reminder:
VLAN20 = main VLAN > internal network
VLAN30 = guest VLAN > internet only
 
Zephyr ICT (Cloud Architect) commented:
Ok, I'm caught up again ... Sorry, was indeed getting confused :)

So, we know one thing, VLAN20 should be tagged, that one works, now somehow need to find out why VLAN30 isn't playing ball ...

I assume VLAN30 has a DHCP server on its network, or how are the IP's sent? I also assume that the DHCP server is tagged on this VLAN30 as well, what happens when you plug in a PC in that VLAN30, on the same port or different one, is that PC getting an IP-address?
 
Xeronimo (Author) commented:
Our VLANs are definitely not setup neatly ... ;)

But VLAN20 only needs to be tagged if it's a hybrid port. In all the other cases the ports are VLAN20 untagged and work just fine.

VLAN30 gets its IP addresses from the firewall. That works since that other AP (on that other switch) gets addresses from it on VLAN30.

As for the laptop:

var1: VLAN20 untagged & VLAN30 tagged > IP from VLAN20
var2: VLAN20 tagged & VLAN30 tagged > IP from VLAN20
var3: VLAN20 tagged & VLAN30 untagged > IP from VLAN20
var4: VLAN20 untagged & VLAN30 untagged > IP from VLAN20

I don't even get a VLAN30 IP when I set VLAN20 to not member and VLAN30 to tagged (or untagged). Seems there's a problem with VLAN30 then ...
 
Zephyr ICT (Cloud Architect) commented:
Or the problem is with the switch, it can't handle both the VLANs or something, do you have the possibility to create a trunk (not LACP) and configure it with the VLANs on this switch?

I seem to vaguely remember some old switches had some strange quirks.
 
Xeronimo (Author) commented:
But this had worked at one time briefly ... I don't get it ... and my head is spinning now ... I need a break ;)

Thanks so far
 
Zephyr ICT (Cloud Architect) commented:
hmmm yes, that is strange ... Ok, time for dinner anyway ;)
 
Happy_Computing commented:
Hi,
Just reading through this as I had similar problems with vlans, mainly due to me tagging the ports to make them a member of the vlan, when they should be untagged. If I remember right only the port that connects between switches needs to be tagged as this will add and remove the vlan tags from the packets and the ports that are members of the vlan need to be untagged, but still assigned the vlan ID.

The other question is where do the clients on each vlan get their IP addresses. DHCP does not normally traverse VLANs so each VLAN needs its own DHCP server.
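A per-link check of the tagged/untagged rule discussed in this thread, as an added example that is not part of any post: it models each port's untagged VLAN and tagged set and reports the first link where a VLAN is lost in either direction. The topology is constructed: the AP tagging both VLANs, the uplink ports and all names are assumptions, and the ingress rule is a simplification of real switch behaviour.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Port:
    name: str
    untagged: Optional[int] = None      # VLAN for frames without an 802.1Q tag
    tagged: frozenset = frozenset()     # VLANs carried with an 802.1Q tag

def deliver(vlan, tx, rx):
    """Return the VLAN a frame lands in at rx, or None if it is lost."""
    if vlan in tx.tagged:               # sent tagged: rx must be a member
        return vlan if vlan in rx.tagged or vlan == rx.untagged else None
    if vlan == tx.untagged:             # sent untagged: rx picks its own untagged VLAN
        return rx.untagged
    return None                         # tx is not a member of this VLAN

def link_ok(vlan, a, b):
    """A VLAN works on a link only if both directions stay in that VLAN."""
    return deliver(vlan, a, b) == vlan and deliver(vlan, b, a) == vlan

def first_break(vlan, path):
    """Name of the first link on the path where the VLAN is lost, else None."""
    for a, b in path:
        if not link_ok(vlan, a, b):
            return f"{a.name} <-> {b.name}"
    return None

# Constructed topology (assumptions, not taken from the thread's devices):
AP = Port("AP LAN", tagged=frozenset({20, 30}))           # AP tags both VLANs
UPLINK_A = Port("access uplink", untagged=20)             # VLAN 30 left off here
UPLINK_B = Port("core uplink", untagged=20, tagged=frozenset({30}))

VARIANTS = {  # switch port facing the AP, as in var1 to var3
    "var1": Port("switch port", untagged=20, tagged=frozenset({30})),
    "var2": Port("switch port", tagged=frozenset({20, 30})),
    "var3": Port("switch port", untagged=30, tagged=frozenset({20})),
}

def report(variant):
    """Map each VLAN to the first broken link for one switch-port variant."""
    path = [(AP, VARIANTS[variant]), (UPLINK_A, UPLINK_B)]
    return {vlan: first_break(vlan, path) for vlan in (20, 30)}

if __name__ == "__main__":
    for name in VARIANTS:
        print(name, report(name))
```

`deliver()` also exposes an untagged-VLAN mismatch: a frame sent untagged from VLAN 20 into a port whose untagged VLAN is 30 lands in VLAN 30, which is how internal traffic ends up on a guest segment.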
 
Xeronimo (Author) commented:
Ok, so this is the current situation:

I've got VLAN20 untagged and VLAN30 tagged on the switch > VLAN20 gets an IP address, VLAN30 does not ...

VLAN30 is supposed to get its IP address from the DHCP on the firewall.
 
Xeronimo (Author) commented:
The problem was not solved. Request the permission to close or delete this thread.