
XG wireless VLAN issue

I'm currently using Peplink AC One Mini APs for all the indoor access points.  It's a major pain when I need to update a setting on all 18 APs we have across the company, so I recently purchased a Sophos AP55 to try out in one of our shops before jumping in and buying all 18 APs and then finding out something doesn't work the way I need it to.  So let me give you the rundown of our network layout... 

We have an XG310 as the main firewall/router and use Cisco SG300 and SG500 series switches with the following VLANs (1, 8, 99, 100) as well as auto voice VLAN for VoIP.

The "untagged" VLAN (1) is the main internal corporate network.  The wireless side of this VLAN requires all of the connecting devices to be members of Active Directory. 

Then we have a BYOD VLAN (8) for corporate devices such as iPads and diagnostic equipment that obviously are not members of Active Directory.  The XG relays DHCP from this VLAN to a domain DHCP server to get addresses.  There are a few firewall rules to allow access to internal network devices such as printers and web servers.

Next we have a GuestWifi VLAN (99).  This VLAN gets an IP from the XG and is routed directly to the internet.  No access to any other LAN subnets/devices.

Then we have a VoIP VLAN (100).  As the name implies, this is for VoIP phones.  DHCP requests are relayed to the domain DHCP and traffic is then routed out the WAN to our VoIP provider.

 

So, I got my first AP55 added in the XG and started setting up the SSIDs.  I created one called "SopTest" for the internal corporate network (untagged).  I set it as "Bridge to AP LAN" and the encryption mode as WPA2-Enterprise.  This SSID is working exactly as expected.

Then I created a "BYODTest" SSID.  I set it to "Bridge to VLAN" and set the VLAN ID to 8 and set the encryption mode to WPA2-personal.

When I go to the AP and add the BYODTest SSID to it and click save, I get the following error: "The current VLAN tagging setting in access point group is not compatible with the wireless network in bridge mode to VLAN".

I can't seem to figure out exactly why I'm getting this error or how to resolve it.  All I want to do is tag traffic on that SSID to VLAN 8 like I've done in the past with every other access point I've ever used.  Surely to goodness I'm not the only one who's ever had this error.  Any suggestions?



  • Thanks Keyur and rfcat_vk for your help.  Much appreciated!  After reading up it appears that I cannot leave the APs on the default untagged VLAN as they won't use VLAN 0 or 1, which is why it's giving that error.  I did confirm that I can create a new zone and assign that SSID (BYOD2) to that zone and it seems to work as expected (after configuring appropriate firewall rules).  I want to do a little more testing first.  I will most likely go that route as adding a whole new VLAN for all corporate devices at this point with a network as big as ours would be a HUGE nightmare.  For anyone who is interested, below is a screenshot of the SSID config.  You can either do DHCP on the XG or you can relay it off to another DHCP server, though I've not tried setting up the relay yet, but it looks possible.

     

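Added example, not code from the thread or from Sophos: a small Python checker that encodes the constraint the reply describes. An SSID in "Bridge to VLAN" mode only works when its AP group has VLAN tagging enabled on a VLAN other than 0 or 1, while "Bridge to AP LAN" and "Separate Zone" SSIDs do not depend on that setting. The dataclass fields, the scenario helpers and the 1-4094 range check are assumptions for illustration, not the XG data model.

```python
from dataclasses import dataclass
from typing import List, Optional

# Client-traffic modes as named on the XG SSID configuration page.
BRIDGE_TO_AP_LAN = "Bridge to AP LAN"
BRIDGE_TO_VLAN = "Bridge to VLAN"
SEPARATE_ZONE = "Separate Zone"

# From the reply above: the AP will not use VLAN 0 or 1 as its own tagged VLAN.
UNUSABLE_AP_VLANS = {0, 1}

@dataclass
class ApGroup:                 # assumed model of an XG access point group
    name: str
    vlan_tagging: bool         # the group's "VLAN tagging" setting
    vlan_id: int = 0           # the AP's own VLAN when tagging is enabled

@dataclass
class Ssid:                    # assumed model of an XG wireless network
    name: str
    mode: str
    vlan_id: Optional[int] = None   # only meaningful for Bridge to VLAN

def check_ap_group(group: ApGroup, ssids: List[Ssid]) -> List[str]:
    """Return one finding per SSID/AP-group combination the XG would reject."""
    findings = []
    if group.vlan_tagging and group.vlan_id in UNUSABLE_AP_VLANS:
        findings.append(f"AP group '{group.name}': VLAN {group.vlan_id} cannot be the AP's tagged VLAN")
    for s in ssids:
        if s.mode == BRIDGE_TO_VLAN:
            if s.vlan_id is None or not 1 <= s.vlan_id <= 4094:
                findings.append(f"SSID '{s.name}': Bridge to VLAN needs a VLAN ID in 1-4094")
            if not group.vlan_tagging or group.vlan_id in UNUSABLE_AP_VLANS:
                # This is the "not compatible with the wireless network in bridge mode to VLAN" case.
                findings.append(f"SSID '{s.name}': Bridge to VLAN {s.vlan_id} requires AP group "
                                f"'{group.name}' to tag its own traffic on a VLAN other than 0/1")
        elif s.mode not in (BRIDGE_TO_AP_LAN, SEPARATE_ZONE):
            findings.append(f"SSID '{s.name}': unknown client-traffic mode '{s.mode}'")
    return findings

def thread_scenario() -> List[str]:
    """The poster's setup: APs left on untagged VLAN 1, BYODTest bridged to VLAN 8."""
    group = ApGroup("Shop APs", vlan_tagging=False)
    return check_ap_group(group, [Ssid("SopTest", BRIDGE_TO_AP_LAN), Ssid("BYODTest", BRIDGE_TO_VLAN, 8)])

def separate_zone_scenario() -> List[str]:
    """The route the poster chose: BYOD2 as a Separate Zone SSID, APs still untagged."""
    group = ApGroup("Shop APs", vlan_tagging=False)
    return check_ap_group(group, [Ssid("SopTest", BRIDGE_TO_AP_LAN), Ssid("BYOD2", SEPARATE_ZONE)])
```

Running `thread_scenario()` reproduces the one incompatibility the poster hit, and `separate_zone_scenario()` returns no findings; a Separate Zone SSID still needs its own firewall rules, as the reply notes.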