Tagging and SSID and getting it to work

Last Modified: 2020-02-02
I picked up a couple of the new Linksys Business APs that allow VLAN Tagging and I am having fits getting the VLANS on the switch configured properly to get these APs to work. There are currently 3 VLANS on the switch:

1: Management, ports 1-28, port 1 goes to SonicWall
2: Guest, ports 29-34, port 29 goes to SonicWall
3: Printers, ports 35-44, port 35 goes to SonicWall

Each port on the SonicWall is a different network and does the rules between networks. It is also the DHCP for each network. So... what I was trying to do was put these APs on the Guest network and if I were to tag a specific SSID with VLAN 3 it would give the clients on that SSID access to printers.

So what D-Link told me to do was to tag port 35 and share it with the Guest VLAN. So when a client on that specific SSID (tagged with VLAN 3) came in to VLAN 2 it would immediately pass the packet to VLAN 3 and in turn give it access to printers.

When I did that the management VLAN could no longer access printers. What a mess. It seemed so simple. Any ideas on what I am missing?

kevinhsiehNetwork Engineer
CERTIFIED EXPERT

Commented:
That is not at all how my Wi-Fi works on my network. You didn't mention which port(s) the APs are on.

For my access points, the AP is on a trunk port on my switch. This means that the switch will accept 802.1q tagged traffic with a VLAN ID. I usually also have to specify the VLAN that untagged traffic will go onto. This is because the AP itself needs to send traffic, and I do not use VLAN 1 for the AP management traffic. Each SSID is also assigned to a VLAN.

Are you trying to put an SSID directly on the printers VLAN? Why? Is that for printer auto discovery?
CERTIFIED EXPERT
Commented:
While you might well only want guest traffic on the AP, I would presume that you would want to manage the AP from the management VLAN.

Select a port for the AP
Leave the native VLAN on the port as VLAN1 for management
Add VLAN 2 to the port as a tagged VLAN
Connect the AP to the port
Configure the AP to have the Guest SSID tagged with VLAN 2
LockDown32Owner
Top Expert 2016

Author

Commented:
"what I was trying to do was put these APs on the Guest network". The APs are on VLAN 2. I don't really want to use specific ports. I want to use a VLAN so if I need another AP I simply plug it in to the Guest VLAN and am done.

So I have to start by tagging every port in VLAN 2?
CERTIFIED EXPERT

Commented:
If you want to be able to manage the AP from the management VLAN, but have the SSID on VLAN2, and be able to use any port, then all of the ports that an AP could be connected to would need to be tagged with VLAN2 using my suggested method above.
LockDown32Owner
Top Expert 2016

Author

Commented:
That isn't the problem, Arne. Right now I can put as many APs on VLAN 2 as I want. No SSID tagging or anything. The APs come in to VLAN2 and the only thing VLAN 2 has access to is the internet. The problem is setting up two SSIDs on the APs. I don't even need to tag the "Guest" SSID since it is already on the Guest VLAN. The problem is setting up one of the SSIDs to access VLAN 3. That is what I am having a hard time figuring out.
CERTIFIED EXPERT

Commented:
The SSID used to access VLAN3 would need to be tagged with VLAN3 on the AP, and the switch port would also need VLAN3 to be tagged on the port.

This would provide you with a SSID for guests, and a SSID for printing.

As I put earlier, I would however suggest having the AP management interface on VLAN1, and then having "access" SSID/VLANs tagged.
LockDown32Owner
Top Expert 2016

Author

Commented:
Thanks, Arne. The stumbling block here seems to be twofold. As mentioned above I want an entire VLAN to contain Access Points and want to try and get away from having to do this on a per port basis. I am going to guess that can't be done but no one will say so.

At this point I think I am going to forget about VLAN tagging and simply put APs on the VLANs they belong on. It is only going to be two or three more APs and is much simpler to do.
CERTIFIED EXPERT

Commented:
I think we might be at cross purposes here.

To go over what you currently have:

A switch with three VLANs configured. I do not know the actual VLAN IDs, but for this they are not important.

VLAN1 for Management (ports 1-28)
VLAN2 for Guest access (ports 29-34)
VLAN3 for Printers (ports 35-44)
Inter VLAN routing/firewalling is done on a SonicWALL

The normal way to deploy WiFi for this would be to have the AP management interface as untagged on VLAN1, and then have the Guest SSID mapped to VLAN2 and the Printer SSID mapped to VLAN3

On the switch, you would then tag ports 1-28 with VLAN2 and VLAN3
 
If you wanted to have a new VLAN for AP management, let's call it VLAN4, you would then have those ports as untagged on the switch, and have VLAN2 and VLAN3 tagged on those ports. You would however need to have management access, so this would need to be connected to the SonicWALL, either by adding it as a tagged port on one of the existing connections to the SonicWALL, or using a dedicated connection as you have for the other three connections.
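Added example (not part of any poster's reply and not vendor configuration): a small Python model of 802.1Q port membership for the switch layout described in this thread, comparing an AP on a plain Guest access port with an AP on a port that is untagged in VLAN 1 and tagged in VLANs 2 and 3. The AP port numbers 30 and 5 are assumptions, and the model assumes the switch has ingress filtering enabled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    pvid: int                        # VLAN given to untagged ingress frames
    tagged: frozenset = frozenset()  # VLANs carried with an 802.1Q tag

    def ingress(self, tag):
        """VLAN the frame is classified into, or None if it is dropped."""
        if tag is None:
            return self.pvid
        return tag if tag in self.tagged else None

    def egress(self, vlan):
        """How the frame leaves this port, or None if not a member."""
        if vlan == self.pvid:
            return "untagged"
        return "tagged" if vlan in self.tagged else None

def build_switch(ap_trunk_port=None):
    """Thread layout: ports 1-28 VLAN 1, 29-34 VLAN 2, 35-44 VLAN 3."""
    ports = {n: Port(1 if n <= 28 else 2 if n <= 34 else 3)
             for n in range(1, 45)}
    if ap_trunk_port is not None:
        # Suggested AP port: untagged VLAN 1 for management, VLANs 2 and 3 tagged.
        ports[ap_trunk_port] = Port(pvid=1, tagged=frozenset({2, 3}))
    return ports

def flood(ports, in_port, tag):
    """Ports a broadcast (e.g. a DHCP discover) is sent out of, with mode."""
    vlan = ports[in_port].ingress(tag)
    if vlan is None:
        return {}                    # ingress filtering drops the frame
    return {n: p.egress(vlan) for n, p in ports.items()
            if n != in_port and p.egress(vlan) is not None}

if __name__ == "__main__":
    access = build_switch()          # AP plugged into guest access port 30 (assumed)
    print("printer SSID, tag 3, port 30:", flood(access, 30, 3))
    print("guest SSID, untagged, port 30:", sorted(flood(access, 30, None)))
    trunk = build_switch(ap_trunk_port=5)   # AP on port 5 (assumed)
    print("printer SSID, tag 3, port 5:", sorted(flood(trunk, 5, 3)))
    print("guest SSID, tag 2, port 5:", sorted(flood(trunk, 5, 2)))
```

On the access port the VLAN 3 tagged frame goes nowhere, so it never reaches the SonicWall uplink on port 35; on the tagged port each SSID's traffic stays inside its own VLAN and inter-VLAN access is still decided by the SonicWall.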
LockDown32Owner
Top Expert 2016

Author

Commented:
There was no real, good, detailed solution to this. It was much easier to simply get 4 more APs and plug them directly in to the VLAN they belong to. No tagging involved.
