VLAN config for guest WiFi

alex110109
Hi Networking Experts

I have a conundrum with VLAN configuration using products from different vendors.

Here is the setup.

DrayTek Vigor 2862 router.
Netgear PoE switch capable of VLANs.
Ubiquiti UniFi AC Pro wireless access point.
Windows Server 2012 R2 that acts as DHCP server and also AD server for PCs.

Here is the requirement.

VLAN1 to be data VLAN for PCs.
VLAN7 to be guest WiFi networks. The AP has the capability of multiple SSIDs and putting a particular SSID in a specific VLAN.

I also need to put the VoIP phones in a diff VLAN but guest WiFi is more urgent.

DrayTek router is configured with VLANs and so is the netgear switch. DrayTek acts as DHCP for guest WiFi.

I just don’t know how to do the tagging configuration for the ports on the switch where the DrayTek router, the AP and the Windows server get plugged in. I know that the port the DHCP server gets plugged into needs a different tag configuration than the other ports.

DrayTek router is also special case since it needs to carry both VLANs and it also acts as DHCP server for guest WiFi.

Currently, the guest WiFi clients don’t get IP addresses at all.
noci, Software Engineer
Distinguished Expert 2018

Commented:
Tagging on ports means that all packets get 4 extra bytes, of which 16 bits are used to identify tagging and 16 bits are used for priority/VLAN id.

If tagging is used on a port, all equipment needs to have the same view of the network.
On each port there can be only ONE untagged VLAN (that VLAN is tagged internal to a switch/router, but not on the wire outside).
Default is that VLAN 1 is used untagged on a port. (tbh, for a more secure setup don't use VLAN 1 and use tagging for ALL VLANs; much equipment will fall back to VLAN 1 / untagged data transmission when there are (resource) problems within a router).

A switch needs to be a managed switch type. Non-managed switches cannot handle VLANs.
Use VLAN 1 as a special, unused VLAN, and use tagged VLANs for everything else.
Distinguished Expert 2018

Commented:
I just don’t know how to do the tagging configuration for ports on the switch where the DrayTek Router, the AP and the Windows server gets plugged in. I know that the ports to which DHCP server gets plugged into need different tag configuration than other ports.

Let's do these one by one:
DrayTek Router: Should be a trunk port (VLAN 1 untagged, other VLANs tagged)
AP: Could have this be a trunk port, but this really only needs VLANs 1 and 7. (VLAN 1 untagged, VLAN 7 tagged). Be sure you properly configure the wireless networks within the UniFi controller. Guest network should be configured for VLAN 7.
Windows server: I assume this is the DHCP server for ALL of the VLANs. Should be on a trunk port. (VLAN 1 untagged, others tagged)

As for your phones, ideally you have a separate VLAN for them. However, this would work out at its finest if your switch allows VLAN assignments by OUI (so essentially, by looking at a part of the MAC address of your phones, they can get assigned to the VoIP VLAN without you having to do anything more).

Author

Commented:
@noci I know the theory but I need to know what I am supposed to be doing in practical scenario.

@mansrock I am assuming you are describing the port tagging on the switch and that you are referring to the switch ports that the router, the AP and the DHCP server connect to, right?

On DrayTek side the port on DrayTek is already configured to be a trunk port, I will configure the switch port to be trunk as well.

For WiFi, it’s the DrayTek that’s going to be DHCP and not the server. For VLAN 1 only it’s the server that dishes out IPs. Though I would want to know how to get Windows to do both. But I think we need to get IP Helper or the DHCP relay agent thing configured, don’t know where though. That’s for later.

Distinguished Expert 2018

Commented:
am assuming you are describing the port tagging on the switch and that you are referring to switch ports that Router and the AP and the DHCP server connects to, right?
Yes, that is correct.

On DrayTek side the port on DrayTek is already configured to be a trunk port, I will configure the switch port to be trunk as well.
Perfect, because you want the switch to be able to see all of the VLANs.

But I think we need to configure IP Helper or the DHCP relay agent thing configured, don’t know where though. That’s for later.
Correct.

Author

Commented:
I want to reopen this issue, I will shortly post my diagram to help explain the setup.

Will someone be willing to help me please?
Distinguished Expert 2018

Commented:
Go ahead and ask away
noci, Software Engineer
Distinguished Expert 2018

Commented:
Go ahead.

Author

Commented:
Hi Noci thanks for this.

I can upload visio file too but PDF should be fine for now.

For the phone vlan in question, I don't mind if the DHCP server is the Window server or the router.

The idea behind VoIP vlan is to dedicate bandwidth in the router so VoIP traffic doesn't struggle.

Same goes for Guest vlan, we need to restrict the bandwidth used by guest vlan so it doesn't slow down other traffic.

On the router I have defined all the VLANs and IP ranges associated with the relevant vlans.

On the netgear switch also I have configured the relevant vlans

On the access point, I have created two SSIDs, one for each vlan (data and guest, voip phones are all on cables and don't need wifi).

What I need help with is vlan tagging with some explanation of reasoning behind it.

I need to know what ports need to be tagged in which vlans and untagged in which vlans.

The ports for router, the server and access points are fixed. Rest of the ports will be used for plugging in normal computers, printers etc or VoIP phones. Computers will be piggy backed from VoIP phones where applicable.

I read somewhere that any device acting as DHCP server needs to be plugged into a port that is tagged in a certain way due to the fact that it deals with broadcasts, but I could be wrong.
vlan.pdf
Distinguished Expert 2018

Commented:
The idea behind VoIP vlan is to dedicate bandwidth in the router so VoIP traffic doesn't struggle. 
QoS is one option. Not 100 percent sure off the top of my head whether your Draytek allows for bandwidth allocations.

Author

Commented:
Hi Mansrock

Draytek router allows bandwidth allocation per vlan.
Distinguished Expert 2018

Commented:
Even better. I am guessing you are wondering how much to allocate to the VoIP VLAN. How many phones are on your network?

Author

Commented:
Lol, I totally forgot to mention what I need help with doh..

I have updated the post with the diagram but here it is again.


On the router I have defined all the VLANs and IP ranges associated with the relevant vlans.

On the netgear switch also I have configured the relevant vlans

On the access point, I have created two SSIDs, one for each vlan (data and guest, voip phones are all on cables and don't need wifi).

What I need help with is vlan tagging with some explanation of reasoning behind it.

I need to know what ports need to be tagged in which vlans and untagged in which vlans.

The ports for router, the server and access points are fixed. Rest of the ports will be used for plugging in normal computers, printers etc or VoIP phones. Computers will be piggy backed from VoIP phones where applicable.

I read somewhere that any device acting as DHCP server needs to be plugged into a port that is tagged in a certain way due to the fact that it deals with broadcasts, but I could be wrong.
Distinguished Expert 2018

Commented:
Maybe you read that the DHCP server needs to be plugged into a trunk port? Idea being that all of the VLANs communicating with whatever system is serving as the DHCP server are able to communicate with it.

The untagged VLAN for the port the DHCP server is plugged into should be the one its IP address comes from.

As for the access point, the untagged VLAN should be the one that its IP address is from. Think of the untagged VLAN as the one that a device by default communicates on.

Author

Commented:
Hi Mansrock

So in my setup, what should be the vlan tag configurations for the switch ports? Sorry I am still not clear what you mean
Distinguished Expert 2018

Commented:
From what I gather, the data VLAN should be the untagged one in both cases.

Author

Commented:
So

switch port that has the router - untagged in data vlan and tagged in voice and guest vlans?
switch port that has windows server - untagged in data vlan and not tagged in any vlans?
switch port for the access point - untagged in data vlan and tagged in guest vlan?
all other ports - untagged in data vlan and tagged in voice vlan?

Am I correct in saying that?
Distinguished Expert 2018

Commented:
Port with router - data untagged, other VLANs tagged

Port with DHCP server - data untagged, other VLANs tagged

Port with router - data untagged, guest VLAN tagged

Ports with phones - voice untagged, data VLAN tagged. You need to test this one because it also depends on how the phones are configured.

What type of switches do you have? I can name an alternative approach for the phones that may be a bit cleaner.
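As an added illustration (constructed here, not code from the thread or from any of the vendors named in it), the following Python models the 4-byte 802.1Q tag noci describes and the per-port untagged/tagged plan laid out above, then checks which ports a guest DHCP broadcast entering from the AP can reach. It also shows that an AP port left untagged-only silently drops guest-tagged frames, which is the no-IP symptom in the original question. The port names, the helper functions and the voice VLAN id (10) are assumptions; the thread gives no number for the voice VLAN.

```python
# Constructed model of 802.1Q tagging and per-port VLAN membership; not the
# switch's own configuration or vendor code. VOICE = 10 is an assumed id.
import struct
from dataclasses import dataclass, field
TPID = 0x8100                    # EtherType that marks a frame as 802.1Q tagged
DATA, GUEST, VOICE = 1, 7, 10    # the thread names no number for the voice VLAN

def make_frame(vid=None, pcp=0):
    """Constructed header: broadcast dst (as a DHCP Discover uses), sample src,
    optional 4-byte tag, then EtherType IPv4."""
    hdr = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    if vid is not None:
        hdr += struct.pack("!HH", TPID, (pcp << 13) | vid)
    return hdr + struct.pack("!H", 0x0800)

def parse_tag(frame):
    """(vid, pcp) for a tagged frame, (None, None) if untagged. The tag is 16 bits
    of TPID plus 16 bits of TCI: 3-bit priority, 1-bit DEI, 12-bit VLAN id."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID:
        return None, None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF, tci >> 13

@dataclass
class Port:
    untagged: int                          # PVID: VLAN given to untagged ingress frames
    tagged: set = field(default_factory=set)
    def member(self, vid):
        return vid == self.untagged or vid in self.tagged

def ingress_vlan(port, frame):
    """VLAN the frame joins on entry, or None when the switch drops it because
    the tag names a VLAN this port is not tagged in."""
    vid, _ = parse_tag(frame)
    if vid is None:
        return port.untagged
    return vid if vid in port.tagged else None

def egress_ports(ports, in_name, frame):
    """Other ports that may carry a flooded broadcast entering on in_name."""
    vid = ingress_vlan(ports[in_name], frame)
    return set() if vid is None else {n for n, p in ports.items()
                                      if n != in_name and p.member(vid)}

# Port plan from the thread: data untagged, other VLANs tagged where needed.
PLAN = {"router": Port(DATA, {GUEST, VOICE}), "dhcp_server": Port(DATA, {GUEST, VOICE}),
        "ap": Port(DATA, {GUEST}), "phone": Port(VOICE, {DATA})}
BROKEN = dict(PLAN, ap=Port(DATA))   # AP port not tagged in 7: guest DHCP never leaves the AP port
```

With the plan as given, a guest broadcast from the AP reaches only the router and DHCP-server ports, never the phone port, while an untagged phone frame stays on the voice VLAN and never reaches the AP.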

Author

Commented:
The switch will be a Netgear PoE switch, but should the concept not be the same regardless of the switch as long as they support VLANs? The phones are Yealink phones with default configuration.

For the phones, with traditional PBXes and IP phones (the likes of Avaya), the phone companies always used to get us to have the switch ports tagged for the voice VLAN and untagged for data, which is the reverse of what you are suggesting. But I will add that in that scenario, the phones would first boot into the data VLAN by default, the DHCP server in the data VLAN would have DHCP options for the phones so the phones are told to reboot into the voice VLAN, which is where they would then find the PBX, which acts as DHCP server in the voice VLAN and provides the phones with not just the IP address but all sorts of other config for them to work. I don't remember what the VLAN configuration was of the switch port where the phone system was plugged into.

In my scenario, there is no phone system for the phones to connect to; the phones just need Internet access, regardless of what VLAN they are in. I could technically put them in the data VLAN but I want to segregate the voice and data traffic, which is why I am doing the VLAN. I also don't want to dedicate ports to the data and voice VLANs, which is why tagging is a good way of going about it. This will allow us to plug the phones into any port and the phone will be in the voice (phone) VLAN and the PC connecting to the back of it is in the data VLAN. But phones need to get an IP in the voice VLAN from the DrayTek router and PCs need to get an IP from the Windows server in the data VLAN.
Distinguished Expert 2018

Commented:
The switch will be a Netgear PoE switch but should the concept not be the same irrelevant of the switch as long as they support vlans? The phones are Yealink phones with default configuration.

The reason I asked about the type of switch is because many managed switches will let you define a Voice VLAN. After that's set up, you can basically put in the OUI (first half of the MAC address) of your phones, then tell the switch to automatically assign those devices to the Voice VLAN. If you take that approach, then you can have the default ports simply be data VLAN untagged, voice tagged. In case you're wondering, any computers will get connected to the data VLAN (Including in the daisy chaining scenario).

But Phones need to get IP in the voice vlan from Draytek Router and PCs need to get IP from Windows server in the data vlan.
Any particular reason why you're not having one or the other handle all of the DHCP duties?

Author

Commented:
So the OUI setup - haven't tried it but open to using that. If we do go down that route, do we still need to proactively tag all ports in the voice VLAN, because out of the box all ports are already untagged in the default VLAN, which is what I mean by data VLAN. The data VLAN doesn't need to be explicitly defined; we generally use the default VLAN as the data VLAN itself. The OUI setup does sound attractive so I will defo test it.

Not using the Windows server for the guest VLAN and voice VLAN because I want to keep it simple. I am again open to using one DHCP server, which will have to be the Windows server (since it is also the Active Directory server), but I think this setup will require configuring a DHCP relay agent, which adds to the complexity, or maybe it is a simple setup and I am hesitant since I haven't done it before. If you explain it simply I can go with that option if you think that is easier to do.
Distinguished Expert 2018

Commented:
so the OUI setup - haven't tried it but open to using that. If we do go down that route, do we still need to proactively tag all ports in the voice vlan because out of the box, all ports are already untagged in default vlan which is what I mean by data vlan. Data vlan doesn't need to be explicitly defined, we generally use the default vlan as data vlan itself. The OUI setup does sound attractive so I will defo test it.
I don't *think* that you would have to, but I just cited that for safety's sake. I would try the OUI approach for the phones first. Note: You may have multiple OUIs (not a bad thing, but just want to be sure you're aware).

Author

Commented:
Hi Mansrock

Really appreciate the conversation here.

Yes, OUI shouldn't be a problem since we are going to stick with Yealink only and may be just one more brand if we can.

Can you let me know your thoughts on the DHCP side of things?
Distinguished Expert 2018

Commented:
Well, the DHCP thing shouldn't be a huge deal. You could leave it as it is. However, you could also opt to move DHCP for the data VLAN to the router, and it should not hurt you (unless you for some reason require something that involves integration with AD). For a smaller network, I prefer to keep one device handling DHCP for everything. However, that doesn't mean you *have* to do it that way.

Author

Commented:
Yes, AD integration is the reason. I will try this and get back to you.
