
Create VLAN for WiFi Access Points

Hi everyone, 

I'm trying to create a VLAN for some Ubiquiti UniFi access points and I just can't seem to get it working correctly. 

In my interface for the access points I assigned them a VLAN ID of 2, as shown here: http://screencast.com/t/s8VuPEud7

In my Cisco SG-500 switch I created a VLAN as shown here: http://screencast.com/t/wcAMNUwJ 

I set all the ports to Trunk and accept all frames as shown here: http://screencast.com/t/TO0EcTH6iY 

Since the AP that is plugged into the port of the switch will be passing frames with the default VLAN of 1 and also VLAN 2, I left the port untagged for VLAN 1, as shown here: http://screencast.com/t/fjVBw9gcal, and then VLAN ID 2 is tagged on the port the AP is connected to, as well as on the port the machine running Sophos XG is connected to, as shown here: http://screencast.com/t/MdJhozsoI 

Here you can see those ports and the VLAN memberships: http://screencast.com/t/b9P8sWJ1m 

In Sophos I then created a new Zone for the guests as shown here: http://screencast.com/t/IRTPRWYrsG 

I then created a new VLAN interface and assigned it an ID of 2, then assigned it to the zone I created in the previous step, as shown here: http://screencast.com/t/tA77JnCRdFDt

Finally, I created a DHCP service and selected the VLAN interface that I created from the previous step, as shown here: http://screencast.com/t/IA5yZnYtwP 

I thought that's all I needed, but it doesn't appear to be working. My devices are unable to obtain an IP address when they connect to the AP. I'm sure I've missed a step or did something incorrectly. Any assistance would be greatly appreciated. 

Thanks,
Christopher



This thread was automatically locked due to age.
  • Christopher,

    you only need tagged/trunk on the ports connecting to the AP and to the XG firewall. Also, try configuring a static IP on your laptop, connect to the Guest SSID and see if you can ping the XG interface.
    Also make sure ping is allowed on XG under System > Administration > Device access.

    Let us know.

    Luk
  • Hi Luk,

    I tried configuring a static IP on my laptop and connected to the guest network. I couldn't ping the XG interface. I made sure ping is allowed and it is. Any other ideas? I'm sure there is a step I must have missed...
  • Hi All,

    I am using XG with 3 VLANs at home and I am not experiencing this issue. I have a Cisco switch configured with 3 VLANs (1, 100, 200). The Cisco port connected to XG is configured as shown:

    interface FastEthernet0/11
     description XG_LAN
     switchport trunk allowed vlan 1,100,200
     switchport mode trunk
     duplex full
     speed 100
     spanning-tree portfast

    On XG I have 3 zones and 3 interfaces on one physical port.

    See the screenshot:

    Then I have all the needed policy rules configured. On the VLAN 100,200 I have VMs running on an ESXi.

    Hope this helps!
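The trunk setup described in this thread (VLAN 1 untagged as the native/PVID VLAN, VLAN 2 tagged on the AP port and on the XG port) is easier to debug once you can see what the switch actually does with a frame on ingress and egress. The following is an added example written for this page, not configuration from the thread or code from Cisco, Sophos or Ubiquiti: it builds 802.1Q-tagged and untagged frames, parses them, and models a trunk port's "Frame Type" admit setting, native VLAN and tagged membership so you can walk a guest-SSID DHCP broadcast (tagged VID 2 by the AP) from the AP port to the XG port. The MAC addresses, port names and the stand-in "DHCPDISCOVER" payload are constructed for the example; the misconfigured port at the end is an assumption that mirrors the most common cause of "clients never get an address": VLAN 2 is tagged on the AP side but was never added to the port facing the firewall.

```python
"""
802.1Q tagging and trunk-port forwarding, modelled in plain Python.

Added example, not configuration from the thread or from Cisco/Sophos/Ubiquiti.
Assumed: the AP tags guest-SSID traffic with VID 2, both the AP port and the XG
port are trunks with VLAN 1 untagged (native/PVID) and VLAN 2 tagged, and the
MAC addresses and port names below are made up for the example.
"""
import struct

ETHERTYPE_8021Q = 0x8100  # TPID that announces a single 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, payload, vlan_id=None, pcp=0, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame; if vlan_id is given, insert a 4-byte 802.1Q tag."""
    if vlan_id is not None and not 1 <= vlan_id <= 4094:
        raise ValueError("VID must be 1..4094")
    hdr = dst + src
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | vlan_id)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Split a frame into fields; 'vid' is None when the frame is untagged."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    return {"dst": frame[:6], "src": frame[6:12], "vid": vid,
            "ethertype": ethertype, "payload": frame[offset:]}


class TrunkPort:
    """One switch port: a native (untagged) VLAN plus a set of tagged VLANs.
    'admit' mirrors the SG-500 Frame Type setting: all / tagged / untagged."""

    def __init__(self, name, native_vlan, tagged_vlans=(), admit="all"):
        self.name, self.native_vlan = name, native_vlan
        self.tagged_vlans, self.admit = set(tagged_vlans), admit

    def ingress(self, frame):
        """VLAN the switch assigns to an arriving frame, or None if it is discarded."""
        vid = parse_frame(frame)["vid"]
        if vid is None:  # untagged: classified into the PVID / native VLAN
            return self.native_vlan if self.admit in ("all", "untagged") else None
        if self.admit == "untagged":
            return None
        if vid == self.native_vlan or vid in self.tagged_vlans:
            return vid
        return None  # VID not allowed on this port: dropped silently, no log entry

    def egress(self, frame, vid):
        """Frame as sent out of this port, or None if the port is not a member of vid."""
        p = parse_frame(frame)
        if vid == self.native_vlan:  # native VLAN leaves the port untagged
            return build_frame(p["dst"], p["src"], p["payload"], None, ethertype=p["ethertype"])
        if vid in self.tagged_vlans:  # tagged member: tag is kept (or added)
            return build_frame(p["dst"], p["src"], p["payload"], vid, ethertype=p["ethertype"])
        return None


def forward(frame, in_port, out_port):
    """Return (vid, egress_frame) for a frame crossing in_port -> out_port."""
    vid = in_port.ingress(frame)
    if vid is None:
        return None, None
    return vid, out_port.egress(frame, vid)


# Constructed sample traffic (a stand-in payload, not a real DHCP packet).
BROADCAST = b"\xff" * 6
CLIENT_MAC = bytes.fromhex("02aabbccdd01")
DHCP_DISCOVER = build_frame(BROADCAST, CLIENT_MAC, b"DHCPDISCOVER", vlan_id=2)
MGMT_FRAME = build_frame(BROADCAST, CLIENT_MAC, b"mgmt")  # untagged -> VLAN 1

# Trunks as the thread intends them, plus the common misconfiguration.
AP_PORT = TrunkPort("gi1", native_vlan=1, tagged_vlans={2})
XG_PORT = TrunkPort("gi24", native_vlan=1, tagged_vlans={2})
XG_PORT_MISSING_VLAN2 = TrunkPort("gi24-bad", native_vlan=1, tagged_vlans=set())

if __name__ == "__main__":
    vid, out = forward(DHCP_DISCOVER, AP_PORT, XG_PORT)
    print("guest DHCP -> VLAN", vid, "leaves XG port with VID", parse_frame(out)["vid"])
    print("guest DHCP, VLAN 2 missing on XG port ->",
          forward(DHCP_DISCOVER, AP_PORT, XG_PORT_MISSING_VLAN2))
    print("untagged mgmt frame -> VLAN", forward(MGMT_FRAME, AP_PORT, XG_PORT)[0])
```

Two things the model makes concrete for the original question. First, the switch never forwards a tagged frame to a port that is not a tagged member of that VID, and it does so without logging anything, so a client on the guest SSID that gets no DHCP lease is consistent with VLAN 2 being absent from the firewall-facing port even when every other screen looks right. Second, anything untagged on a trunk lands in the native VLAN, which is why an XG physical port configured for VLAN 1 still sees untagged management traffic while the VLAN 2 sub-interface only ever sees frames that carried the tag end to end. On the real switch the equivalent check is the port's VLAN membership table (which VIDs are tagged, which one is untagged/PVID) on both the AP port and the XG port.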

  • Also:

    XG supports only VLAN 1 on the physical port and you cannot change it. I hope they will remove this limitation. If you need another VLAN on the physical port, you have to create a VLAN.

     - that's an interesting point. Perhaps I wasn't setting this up in the "expected" fashion, and this is why I was no longer able to communicate on that port. I was leaving it on a virtual NIC that was in a port group with NO VLAN. So once I flipped the VLAN setups on and switched the connections to the appropriate VLANs, I couldn't communicate on the non-VLAN virtual NIC I had connected. I did notice I could reach the IP from the VLAN side, though, it seemed. That would also explain why I'm in need of an IP on the physical port when I'm only planning to use VLANs: it is expecting that I'm going to have management on VLAN 1. In my case that is not true, as I'm not using a mgmt VLAN, since all other traffic is either running on the VLAN it should or is managed through the virtual setup, aka the only place I NEED the mgmt VLAN is inside the virtual infrastructure. 

    I think this might put me in the right direction to better configure and set this up as planned originally. I just need to account for a mgmt VLAN network that I might not actually be using, and once I do, I can hopefully get connected. 

  • ShawnMix,

    VLAN 1 is something needed on XG at the moment. In fact, when you configure the physical port, it requires an IP address and the VLAN ID cannot be changed. I hope to see improvements in v17. I have a customer that does not use VLAN 1 at all, and leaving an interface with an IP on VLAN 1 is not secure (it must be disabled in some environments).

    Let's see!

  • Hi lferrara,

    if I understood you right, then Port 1 (LAN - Physical) is VLAN 1 by default.

    Can I also use it tagged by default (configure my switch port to VLAN 1 tagged and everything keeps working as before, while the other ports of the switch are VLAN 1 untagged)?

    Thanks for your help in advance,

    Markus

    PS: This way I could configure the switch port connected to the firewall as tagged and add the other VLANs later :-P

  • Markus,

    Switches by default tag VLAN 1. Anyway, check your switch configuration. I always prefer to add a VLAN on the XG physical port and tag that one.

    Regards

  • Hi lferrara,

    thanks for your answer.

    What I wanted to know: is the physical port automatically tagged to VLAN 1?

    Cheers,

    Markus

  • The port is by default in VLAN 1, mode Access.

    If you create a trunk on a switch port and then transport VLAN ID 1 and any additional VLANs you create on the XG physical port, all of them are exported.

    I never tried to trunk it without additional VLAN.

    Try it and let us know.

    Thanks

  • Thanks for the great info. You mentioned "Then I have all the needed policy rules configured".

    Can you post a screenshot of the policies? I think there is something in mine that is causing the issue, and it would be helpful to see yours for troubleshooting.

    Thanks!

  • Mark,

    share your Wi-Fi configuration and your Firewall rules.

    Regards
