Wireless Access points with VLANs

I'm trying to configure 2 wireless access points, each with 2 SSIDs. The 2 SSIDs must be connected to two separate physical networks to segregate internal trusted traffic from guest untrusted traffic. Thus the need for VLANs on the access points. The access points will be connected to a Netgear GS108 switch which will then be connected by 2 separate ports to the two separate physical networks. Initially connecting it to the two separate networks, I could connect to both wireless networks, but they were not communicating with either the trusted or untrusted switches (i.e., no browsing and DHCP not working).

Here's the layout:

AP:
SSID1 - VLAN2]
                          ]------------------Netgear switch
SSID2 - VLAN3]

Netgear switch:
Port 1 - AP
Port 7 - designated on the Netgear switch as belonging to VLAN1 and VLAN3, connected to a basic switch (non-VLAN capable) on the guest network
Port 8 - designated on the Netgear switch as belonging to VLAN1 and VLAN2, connected to a 3COM 2924 switch on the trusted network

The problem appears to be with the VLANs.  I have tried testing just the trusted side of the networking. If I connect the Netgear switch to a basic, untagged port on the 3COM, it doesn't communicate with the trusted network at all.  If I set the port on the 3COM switch to belong to VLAN2 (tagged), it doesn't communicate at all either.  The only way I've been able to get the Netgear switch to communicate with the 3COM is to remove all VLAN settings on both ends.  I've tried various combinations of settings on the Netgear end also, but the only thing that seems to allow these two switches to communicate is to belong to the basic untagged network. The Netgear has a rather strange way of setting up VLAN membership, and I can't quite figure out if the ports are set to tagged or untagged on the Netgear end.  It has Port Based VLAN settings and 802.1q VLAN settings.

I just don't understand why it doesn't work, and need some help!!
Hypercat (Deb) Asked:

Craig Beck Commented:
The VLAN settings are garbage on the GS108E (I'm assuming that is the switch).

You should use the 802.1Q advanced settings.  However, what you're doing won't work.  You'll only be able to use whichever VLAN you set as the PVID for port 7 on the unmanaged switch.

Try this...

Port 1 - TAGGED in VLANs 2-3 ONLY, PVID 2
Port 7 - UNTAGGED in VLAN 3 ONLY, PVID 3
Port 8 - UNTAGGED in VLAN 2 ONLY, PVID 2
0
Hypercat (Deb) Author Commented:
Craig - you were close, but the tagging is the opposite of what you were thinking.  It doesn't quite make sense to me, but here's what worked:

1.  Got rid of VLAN3 and used only VLANs 1 and 2.
2.  Each AP has 2 SSIDs, one in VLAN1 (Trusted network) and one in VLAN2 (Public network).
3.  On the switch:

     Ports 1 and 2 (APs 1 and 2) - UNTAGGED in VLAN 1, TAGGED in VLAN2, PVID1
     Port 7 (Public network) - TAGGED in VLAN2 only, PVID2
     Port 8 (Trusted network) - UNTAGGED in VLAN1 only, PVID1
0
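An added example, not code from the thread or from Netgear: a simplified model of 802.1Q port handling (an untagged ingress frame takes the port's PVID; a frame leaves on every other member port of its VLAN, tagged or untagged as that port is configured) applied to the two port tables posted above. Ingress filtering and flooding to all member ports are assumptions of the model, not documented GS108E behaviour, and the names `CRAIG`, `AUTHOR`, `forward` and `isolated` are made up for illustration.

```python
# Port tables transcribed from the two posts above.
# "T" = tagged member, "U" = untagged member of that VLAN.
CRAIG = {
    1: {"pvid": 2, "vlans": {2: "T", 3: "T"}},  # AP
    7: {"pvid": 3, "vlans": {3: "U"}},          # guest uplink
    8: {"pvid": 2, "vlans": {2: "U"}},          # trusted uplink
}
AUTHOR = {
    1: {"pvid": 1, "vlans": {1: "U", 2: "T"}},  # AP 1
    2: {"pvid": 1, "vlans": {1: "U", 2: "T"}},  # AP 2
    7: {"pvid": 2, "vlans": {2: "T"}},          # public uplink
    8: {"pvid": 1, "vlans": {1: "U"}},          # trusted uplink
}


def forward(cfg, in_port, tag=None):
    """Flood one frame; return {egress_port: tag on the wire, or None if untagged}."""
    port = cfg[in_port]
    # Classification: a tagged frame keeps its VLAN ID, an untagged one gets the PVID.
    vlan = port["pvid"] if tag is None else tag
    # Assumed ingress filtering: drop if the receiving port is not in that VLAN.
    if vlan not in port["vlans"]:
        return {}
    return {
        p: (vlan if c["vlans"][vlan] == "T" else None)
        for p, c in cfg.items()
        if p != in_port and vlan in c["vlans"]
    }


def isolated(cfg, port_a, port_b):
    """True when no VLAN has both ports as members, so no frame can cross between them."""
    return not (set(cfg[port_a]["vlans"]) & set(cfg[port_b]["vlans"]))


if __name__ == "__main__":
    for name, cfg in (("Craig", CRAIG), ("Author", AUTHOR)):
        print(name, "uplinks 7 and 8 isolated:", isolated(cfg, 7, 8))
        for in_port in sorted(cfg):
            for tag in (None, *sorted(cfg[in_port]["vlans"])):
                print(f"  in port {in_port} tag {tag}: {forward(cfg, in_port, tag)}")
```

In both tables ports 7 and 8 share no VLAN, which is the property that keeps guest and trusted traffic apart on the switch; the printed rows also show which uplink receives 802.1Q-tagged frames.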

Craig Beck Commented:
Ok fair enough, but the OP clearly states VLANs 2 and 3 for the separate networks, not 1 and 2...

AP:
SSID1 - VLAN2]
                          ]------------------Netgear switch
SSID2 - VLAN3]

Netgear switch:
Port 1 - AP
Port 7 - designated on the Netgear switch as belonging to VLAN1 and VLAN3, connected to a basic switch (non-VLAN capable) on the guest network
Port 8 - designated on the Netgear switch as belonging to VLAN1 and VLAN2, connected to a 3COM 2924 switch on the trusted network
0
Hypercat (Deb) Author Commented:
Yes, and I tried setting it up the way you had suggested but it still didn't work unfortunately, as you had indicated it might not in your post. I went back and looked at a previous setup I had used that I knew worked in a similar situation, and decided that I would have to do away with VLAN3. It was an unnecessary complication that had been put in place by a colleague but after discussing it with him we realized that it wasn't needed. VLAN1 is segregated  from VLAN2 by the fact that they branch out to 2 separate physical networks after the Netgear switch.
0
Craig Beck Commented:
I just said what you're doing won't work... Not that what I was suggesting wouldn't.

You said you wanted 2 VLANs on the guest switch.  I was saying that wouldn't work.  The reason for that is because it's unmanaged and therefore doesn't understand VLANs.
0
Hypercat (Deb) Author Commented:
I'm doubly confused by your last comment.  That switch isn't unmanaged, and it does understand VLANs.  Else how could I configure it with VLAN membership?

Anyway, craigbeck, I've awarded you the points, so I'm not sure what you're complaining about.  Your comments were helpful although they didn't exactly match the configuration or solution that I ended up implementing.
0
Craig Beck Commented:
As per the OP...
Port 7 - designated on the Netgear switch as belonging to VLAN1 and VLAN3, connected to a basic switch (non-VLAN capable) on the guest network
0
Craig Beck Commented:
I appreciate that you awarded me points, and I thank you for that, but I was just baffled because you said I got the tagging all wrong, and I'm 100% sure I didn't, especially as I have a GS108E and I've done the exact same thing with my AP.
0
Hypercat (Deb) Author Commented:
Craigbeck's comment put me on the right track but wasn't exactly the entire solution.  My post includes the solution that I tested and that worked for my setup.
0