Wireless Access points with VLANs

I'm trying to configure 2 wireless access points, each with 2 SSIDs.  The 2 SSIDs must be connected to two separate physical networks to segregate internal trusted traffic from guest untrusted traffic. Thus the need for VLANs on the access points. The access points will be connected to a Netgear GS108 switch which will then be connected by 2 separate ports to the two separate physical networks. Initially connecting it to the two separate networks, I could connect to both wireless networks, but they were not communicating with either the trusted or untrusted switches (i.e., no browsing and DHCP not working).

Here's the layout:

AP:
SSID1 - VLAN2]
                          ]------------------Netgear switch
SSID2 - VLAN3]

Netgear switch:
Port 1 - AP
Port 7 - designated on the Netgear switch as belonging to VLAN1 and VLAN3, connected to a basic switch (non-VLAN capable) on the guest network
Port 8 - designated on the Netgear switch as belonging to VLAN1 and VLAN2, connected to a 3COM 2924 switch on the trusted network

The problem appears to be with the VLANs.  I have tried testing just the trusted side of the networking. If I connect the Netgear switch to a basic, untagged port on the 3COM, it doesn't communicate with the trusted network at all.  If I set the port on the 3COM switch to belong to VLAN2 (tagged), it doesn't communicate at all either.  The only way I've been able to get the Netgear switch to communicate with the 3COM is to remove all VLAN settings on both ends.  I've tried various combinations of settings on the Netgear end also, but the only thing that seems to allow these two switches to communicate is to belong to the basic untagged network. The Netgear has a rather strange way of setting up VLAN membership, and I can't quite figure out if the ports are set to tagged or untagged on the Netgear end.  It has Port Based VLAN settings and 802.1q VLAN settings.

I just don't understand why it doesn't work, and need some help!!
Hypercat (Deb) Asked:
 
Hypercat (Deb) Author Commented:
Craig - you were close, but the tagging is the opposite of what you were thinking.  It doesn't quite make sense to me, but here's what worked:

1.  Got rid of VLAN3 and used only VLANs 1 and 2.
2.  Each AP has 2 SSIDs, one in VLAN1 (Trusted network) and one in VLAN2 (Public network).
3.  On the switch:

     Ports 1 and 2 (APs 1 and 2) - UNTAGGED in VLAN 1, TAGGED in VLAN2, PVID1
     Port 7 (Public network) - TAGGED in VLAN2 only, PVID2
     Port 8 (Trusted network) - UNTAGGED in VLAN1 only, PVID1
 
Craig Beck Commented:
The VLAN settings are garbage on the GS108E (I'm assuming that is the switch).

You should use the 802.1Q advanced settings.  However, what you're doing won't work.  You'll only be able to use whichever VLAN you set as the PVID for port 7 on the unmanaged switch.

Try this...

Port 1 - TAGGED in VLANs 2-3 ONLY, PVID 2
Port 7 - UNTAGGED in VLAN 3 ONLY, PVID 3
Port 8 - UNTAGGED in VLAN 2 ONLY, PVID 2
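The two port tables posted in this thread, run through a small model of 802.1Q tagging, as an added example that is not part of either post and not the switch's own logic. It assumes standard 802.1Q behaviour with ingress filtering; `Port`, `forward` and `isolated` are names made up for the illustration.

```python
# Added example: models standard IEEE 802.1Q port behaviour with ingress
# filtering (an assumption), not the Netgear firmware itself.
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    pvid: int                           # VLAN given to untagged ingress frames
    untagged: frozenset = frozenset()   # VLANs emitted without a tag
    tagged: frozenset = frozenset()     # VLANs emitted with an 802.1Q tag

    @property
    def member(self):
        return self.untagged | self.tagged


fs = frozenset
# Port table from the accepted answer (ports 1 and 2 are the two APs).
ACCEPTED = {
    1: Port(1, untagged=fs({1}), tagged=fs({2})),
    2: Port(1, untagged=fs({1}), tagged=fs({2})),
    7: Port(2, tagged=fs({2})),
    8: Port(1, untagged=fs({1})),
}
# Port table from the first reply (one AP on port 1).
SUGGESTED = {
    1: Port(2, tagged=fs({2, 3})),
    7: Port(3, untagged=fs({3})),
    8: Port(2, untagged=fs({2})),
}


def forward(table, in_port, tag=None):
    """Flood one frame; return {egress_port: 'tagged N' or 'untagged'}.
    tag is the frame's VLAN ID, or None for an untagged frame."""
    src = table[in_port]
    vid = src.pvid if tag is None else tag
    if vid not in src.member:           # ingress filtering drops foreign VLANs
        return {}
    return {n: f"tagged {vid}" if vid in p.tagged else "untagged"
            for n, p in table.items() if n != in_port and vid in p.member}


def isolated(table, a, b):
    """True if no frame, untagged or with any configured tag, crosses a<->b."""
    vids = {None}.union(*(p.member for p in table.values()))
    return all(dst not in forward(table, src, tag)
               for src, dst in ((a, b), (b, a)) for tag in vids)
```

In this model both tables keep ports 7 and 8 isolated from each other; they differ in how frames leave port 7, which is tagged with VLAN 2 under `ACCEPTED` and untagged under `SUGGESTED`.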
 
Craig Beck Commented:
Ok fair enough, but the OP clearly states VLANs 2 and 3 for the separate networks, not 1 and 2...

AP:
SSID1 - VLAN2]
                          ]------------------Netgear switch
SSID2 - VLAN3]

Netgear switch:
Port 1 - AP
Port 7 - designated on the Netgear switch as belonging to VLAN1 and VLAN3, connected to a basic switch (non-VLAN capable) on the guest network
Port 8 - designated on the Netgear switch as belonging to VLAN1 and VLAN2, connected to a 3COM 2924 switch on the trusted network
 
Hypercat (Deb) Author Commented:
Yes, and I tried setting it up the way you had suggested but it still didn't work unfortunately, as you had indicated it might not in your post. I went back and looked at a previous setup I had used that I knew worked in a similar situation, and decided that I would have to do away with VLAN3. It was an unnecessary complication that had been put in place by a colleague but after discussing it with him we realized that it wasn't needed. VLAN1 is segregated from VLAN2 by the fact that they branch out to 2 separate physical networks after the Netgear switch.
 
Craig Beck Commented:
I just said what you're doing won't work... Not that what I was suggesting wouldn't.

You said you wanted 2 VLANs on the guest switch.  I was saying that wouldn't work.  The reason for that is because it's unmanaged and therefore doesn't understand VLANs.
 
Hypercat (Deb) Author Commented:
I'm doubly confused by your last comment.  That switch isn't unmanaged, and it does understand VLANs.  Else how could I configure it with VLAN membership?

Anyway, craigbeck, I've awarded you the points, so I'm not sure what you're complaining about.  Your comments were helpful although they didn't exactly match the configuration or solution that I ended up implementing.
 
Craig Beck Commented:
As per the OP...
Port 7 - designated on the Netgear switch as belonging to VLAN1 and VLAN3, connected to a basic switch (non-VLAN capable) on the guest network
 
Craig Beck Commented:
I appreciate that you awarded me points, and I thank you for that, but I was just baffled because you said I got the tagging all wrong, and I'm 100% sure I didn't, especially as I have a GS108E and I've done the exact same thing with my AP.
 
Hypercat (Deb) Author Commented:
Craigbeck's comment put me on the right track but wasn't exactly the entire solution.  My post includes the solution that I tested and that worked for my setup.
Question has a verified solution.
