VLAN config for guest WiFi

Hi Networking Experts

I have a conundrum with VLAN configuration with products from different vendors.

Here is the setup.

DrayTek Vigor 2862 router.
Netgear PoE switch capable of VLANs.
Ubiquiti UniFi Pro ac wireless access point.
Windows Server 2012 R2 that acts as DHCP server and also AD server for PCs.

Here is the requirement.

VLAN1 to be data VLAN for PCs.
VLAN7 to be guest WiFi networks. The AP has the capability of multiple SSIDs and putting a particular SSID in a specific VLAN.

I also need to put the VoIP phones in a different VLAN but guest WiFi is more urgent.

DrayTek router is configured with VLANs and so is the Netgear switch. DrayTek acts as DHCP for guest WiFi.

I just don’t know how to do the tagging configuration for ports on the switch where the DrayTek Router, the AP and the Windows server get plugged in. I know that the ports to which DHCP server gets plugged into need different tag configuration than other ports.

DrayTek router is also special case since it needs to carry both VLANs and it also acts as DHCP server for guest WiFi.

Currently, the guest WiFi clients don’t get IP addresses at all.
alex110109 Asked:

noci (Software Engineer) Commented:
Tagging on ports means that all packets get 4 extra bytes of which 16 are used to identify tagging and 16 are used for priority/vlan id.

If tagging is used on a port, all equipment needs to have the same view on the network.
On each port there can be only ONE untagged VLAN (that VLAN is tagged internal to a switch/router, but on the wire outside).
Default is VLAN 1 is used untagged on a port. (tbh, for a more secure setup don't use VLAN 1 and use tagging for ALL VLANs, much equipment will fall back to VLAN 1 / untagged data transmission when there are (resource) problems within a router).

A switch needs to be a managed switch type. The non-managed switches cannot handle VLANs.
Use VLAN1 as special non-used VLAN. And use tagged VLANs for everything else.
masnrock Commented:
"I just don’t know how to do the tagging configuration for ports on the switch where the DrayTek Router, the AP and the Windows server gets plugged in. I know that the ports to which DHCP server gets plugged into need different tag configuration than other ports."

Let's do these one by one:
DrayTek Router: Should be a trunk port (VLAN 1 untagged, other VLANs tagged)
AP: Could have this be a trunk port, but this really only needs VLANs 1 and 7. (VLAN 1 untagged, VLAN 7 tagged). Be sure you properly configure the wireless networks within the UniFi controller. Guest network should be configured for VLAN 7.
Windows server: I assume this is the DHCP server for ALL of the VLANs. Should be on a trunk port. (VLAN 1 untagged, others tagged)

As for your phones, ideally you have a separate VLAN for them. However, this would work out at its finest if your switch allows VLAN assignments by OUI (so essentially, by looking at a part of the MAC address of your phones, they can get assigned to the VoIP without you having to do anything more).
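
Added example (not part of the posts above, and not vendor code): a small Python model of the 4-byte 802.1Q tag and of the per-port untagged/tagged membership discussed in this thread, showing which ports a guest broadcast on VLAN 7 reaches. The port names, MAC address, frame payload and port table are constructed; the server port is assumed to carry VLAN 1 only.

```python
import struct

TPID_8021Q = 0x8100  # 16-bit tag protocol identifier that marks a tagged frame

# Constructed port table (hypothetical names): pvid = the one untagged VLAN,
# tagged = VLANs carried on that port with an 802.1Q tag.
PORTS = {
    "router": {"pvid": 1, "tagged": {7}},
    "ap":     {"pvid": 1, "tagged": {7}},
    "server": {"pvid": 1, "tagged": set()},
    "pc":     {"pvid": 1, "tagged": set()},
}

def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the destination and source MACs."""
    tci = (pcp << 13) | (vid & 0x0FFF)   # 3-bit priority, 1-bit DEI, 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_tag(frame: bytes):
    """Return (vid, pcp, untagged_frame); vid is None when no tag is present."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None, 0, frame
    return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]

def ingress_vlan(port: str, frame: bytes, ports=PORTS):
    """VLAN the switch assigns on ingress, or None if the frame is dropped."""
    vid, _, _ = parse_tag(frame)
    cfg = ports[port]
    if vid is None:
        return cfg["pvid"]               # untagged traffic joins the port's PVID
    return vid if vid in cfg["tagged"] or vid == cfg["pvid"] else None

def flood(in_port: str, frame: bytes, ports=PORTS) -> dict:
    """Deliver a broadcast to every other member port of the frame's VLAN."""
    vlan = ingress_vlan(in_port, frame, ports)
    if vlan is None:
        return {}
    bare, out = parse_tag(frame)[2], {}
    for name, cfg in ports.items():
        if name != in_port and vlan in cfg["tagged"]:
            out[name] = add_tag(bare, vlan)   # egress with the tag
        elif name != in_port and vlan == cfg["pvid"]:
            out[name] = bare                  # egress untagged
    return out

# Constructed broadcast frame standing in for a guest client's DHCP DISCOVER.
DISCOVER = bytes.fromhex("ffffffffffff" "020000000007" "0800") + b"dhcp-discover"
```

In this model, `flood("ap", add_tag(DISCOVER, 7))` reaches only the router port, still tagged; with VLAN 7 removed from the router port's tagged set it reaches nothing, so a guest client's DHCP broadcast never arrives at the DHCP server.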
alex110109 (Author) Commented:
@noci I know the theory but I need to know what I am supposed to be doing in practical scenario.

@masnrock I am assuming you are describing the port tagging on the switch and that you are referring to switch ports that Router and the AP and the DHCP server connects to, right?

On DrayTek side the port on DrayTek is already configured to be a trunk port, I will configure the switch port to be trunk as well.

For WiFi, it’s the DrayTek that’s going to be DHCP and not the server. For VLAN 1 only it’s the server that dishes out IPs. Though I would want to know how to get windows to do both. But I think we need to configure IP Helper or the DHCP relay agent thing configured, don’t know where though. That’s for later.
masnrock Commented:
"am assuming you are describing the port tagging on the switch and that you are referring to switch ports that Router and the AP and the DHCP server connects to, right?"
Yes, that is correct.

"On DrayTek side the port on DrayTek is already configured to be a trunk port, I will configure the switch port to be trunk as well."
Perfect, because you want the switch to be able to see all of the VLANs.

"But I think we need to configure IP Helper or the DHCP relay agent thing configured, don’t know where though. That’s for later."
Correct.