BeGentleWithMe-INeedHelp asked:

Can someone help me set up VLANs with Ubiquiti Unifi USG?

I currently have a Cisco RV-110W router set up for 2 VLANs - 1 is the private network (IP addresses 192.168.1.0/24 from the SBS server acting as DHCP server), 1 is a public network - those devices get 192.168.10.0/24 IPs from the router acting as DHCP server. There's a 3rd admin VLAN for the wireless access points - they get a 192.168.111.0/24 address, also from the router as DHCP server.

That router lets you choose tagged / untagged for each VLAN on a port by port basis (packets on port 1 that are untagged are considered VLAN 5, etc.). Is this untagged capability a common / uncommon feature?

Port 1 of the router has all of the wired PCs connected through an unmanaged switch. All these devices are the private VLAN devices & get 192.168.1.0/24 IP addresses from the SBS server also on port 1.

Port 2 has all the wireless access points (they get the 192.168.111.0/24 IPs because this port is set so that untagged packets are on the admin VLAN). Then the access points each have 2 SSIDs - devices connecting to the public SSID with no encryption get the 192.168.10.0 IPs and can't get to the private machines on port 1. Devices connecting to the private SSID with encryption key get a 192.168.1.0 IP and CAN get to the private devices on port 1.

That router is failing and I want to move to a unifi USG.

Some people say I don't need managed switches to tag the desktop PCs on port 1... other people say I DO need a managed switch to tag those devices as being on the private network.

Is there a way to set up the VLANs to keep private and public networks separate using only the Unifi USG and unifi access points? No managed switch for the desktop devices?

THANKS!
Irwin W.

You will need a managed switch that supports vLAN tagging.  Without this it will not work.

What Access Points(AP) do you have?  Do they support vLAN tagging?
BeGentleWithMe-INeedHelp

ASKER

The access points are Unifi. I set up the 2 SSIDs - each with their own VLAN. So that part is OK (I think... but if I knew so much I wouldn't be here : )

It's somehow being able to tag all the desktops (they go into an UNmanaged switch then into 1 port on the current Cisco LOW end RV110W router). And that lets you say (I think) 'all data from this port is treated as / tagged as VLAN X'.

Do you know the Unifi USG specifically, that you say it needs a managed switch? Is that typical? Or is the ability to say 'everything on that port is VLAN X' in the router the more standard route?

What's the cheapest managed switch? Unifi's (managed) switches start at $100. Seems goofy to have to spend another hundred when this cheap Cisco router is able to deal with untagged data : (

In the unifi forums someone posted this a while ago:

Anytime we go to an unmanaged switch we have to ensure that the "untagged" packets are in the same vlan as we want the switch & systems we're attaching to that port. On that same port, we allow no tagged networks. All the traffic coming from units on the unmanaged switch end up being on the proper vlan.

I think that's what I am trying to do.  But they don't explain how to do it.
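
The per-port behaviour described in the quoted Unifi forum post, modelled as an added example (not part of the original thread and not Ubiquiti code): untagged frames take the port's own VLAN, and tagged frames are accepted only for VLANs the port allows. The VLAN IDs, MAC addresses and the `PORTS` table are constructed assumptions that mirror the two-port layout in the question.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# VLAN IDs are constructed for this example; the thread does not state them.
PRIVATE, PUBLIC, ADMIN = 1, 10, 111

# Hypothetical per-port policy: VLAN for untagged frames, tagged VLANs accepted.
PORTS = {
    1: {"untagged": PRIVATE, "tagged": set()},            # unmanaged switch + desktops
    2: {"untagged": ADMIN, "tagged": {PRIVATE, PUBLIC}},  # access points, two SSIDs
}

DST = bytes.fromhex("020000000001")  # constructed MAC addresses
SRC = bytes.fromhex("020000000002")

def build_frame(payload, vid=None):
    """Build a minimal Ethernet II frame, optionally carrying an 802.1Q tag."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return DST + SRC + tag + struct.pack("!H", 0x0800) + payload

def classify(port, frame):
    """Return the VLAN a frame lands in on ingress, or None if it is dropped."""
    if len(frame) < 14:
        return None  # too short to hold an Ethernet header
    policy = PORTS[port]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return policy["untagged"]  # untagged: the port decides the VLAN
    if len(frame) < 18:
        return None  # truncated 802.1Q tag
    (tci,) = struct.unpack_from("!H", frame, 14)
    vid = tci & 0x0FFF  # low 12 bits of the tag control field
    if vid == 0:
        return policy["untagged"]  # priority-tagged only, no VLAN of its own
    return vid if vid in policy["tagged"] else None

if __name__ == "__main__":
    for port, vid in [(1, None), (1, PUBLIC), (2, None), (2, PUBLIC), (2, 999)]:
        print(f"port {port} vid {vid}: {classify(port, build_frame(b'x' * 46, vid))}")
```

Everything behind the unmanaged switch on port 1 shares one VLAN, so the separation rests on that port accepting no tagged VLANs.
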
If you are using two SSID's on the AP, each in a separate VLAN, I am pretty positive the USG can perform a "router on a stick" setup for your AP. You'd just add the two associated subnets to the LAN interface the AP is connected to and assign their appropriate VLAN tag. The LAN interface IP would be the gateway for the SSID's. No need for a managed switch if you are home running the AP directly to the USG.
The second LAN interface on the USG I would assume will be the gateway for the desktops. So the unmanaged switch will be connected to that port. The VLAN for that port won't matter.
@soulja he can't though. BeGentleWithMe-INeedHelp wants to:
- Multiple APs on LAN port 2 and assuming a separate unmanaged switch for LAN port 2

If he wants to bridge the APs and the LAN ports to the same vLANs, he will require a managed switch.

((shrugs)) :)
Oh, I thought the author was referring to one AP with multiple SSID's.  Can the author please confirm?
Didn't really get an answer I don't think, but thank you guys!