6 Posts
May 12th, 2014 10:00
VLANs not working as expected
Current setup:
Firewall and route point for two networks (staff and guest). One port (port 1) is for the staff and a separate port (port 2) is for the guest. Port 1 (staff) on the FW goes to a Dell connect 2724 with a managed default config. All staff resources are on the dell connect. Also on the dell connect is a wireless access point for the staff. Port 2 (guest) plugs directly to a guest wifi AP (separate from the staff). Everything works.
To be state:
The wireless AP we use is the Engenius EAP350 and it has the ability to have 8 SSIDs each in their own VLAN. I am looking to move both wireless networks onto a single AP.
To do this I moved the FW port 2 to a port on the Dell connect (port 9) and put this in PVID 2 and changed the Dell connect port that connected to the existing staff wifi AP (port 7) to a trunk port (tag 2). All other settings are still default. The staff wifi is vlan 1 and the guest wifi is vlan 2 and tagged on the AP. My assumption is that the vlans are tagged at the AP, allowed through the Dell connect trunk port, and then DHCP requests for vlan 1 go to the FW through port 1 and DHCP requests for vlan 2 go to the FW on port 9. It didn't work. So to remove the AP from the equation altogether, I made port 10 on the Dell connect a PVID in vlan 2 also and plugged my laptop in it. Since port 9 and 10 are both access ports in vlan 2, all DHCP requests should have been fulfilled by the FW in the correct subnet. However, it did not work. Any ideas or examples that can be sent on access and trunk setup? I am very well versed on them with Cisco, but Dell connects are doing it a little differently.


cbroadway
May 12th, 2014 12:00
The firewall config is set up with routed physical interfaces and not VLAN interfaces. It would require more work than needed to change the firewall. In the current state, FW port 1 is the GW for the staff network and port 2 is the gateway for the guest network. If I create PVID 2 and assign it on the dellconnect to port 9 and port 10, I should be able to get an IP from the guest network by connecting port 9 to the FW and dellconnect port 10 to a laptop. The operation flow from the laptop would be: from laptop untagged into dellconnect port 10... tag 2 put on as it enters port 10... only other port in vlan 2 is port 9... data forwarded out port 9 untagged to firewall port 2... FW port 2 is the GW for the guest net and the DHCP request is filled. But that is not working. If I plug a laptop directly into FW port 2, it works.
cbroadway
May 12th, 2014 13:00
As the default dellconnect config is, all ports are PVID to vlan 1 and untagged on egress. Everything in the staff network is working.
cbroadway
May 15th, 2014 17:00
So I made some changes today to try and isolate where the issue exists. Dell connect has port 1 in default PVID 1 and that connects to the staff FW/router/DHCP server, while port 2 is in PVID 2 and connects to the guest FW/router/DHCP server. Port 9 is a trunk port with vlan 2 tagged and vlan 1 the default not changeable untagged.
The Engenius EAP350 AP has two SSIDs. "Staff" SSID is tagged vlan 1 and "Guest" is tagged vlan 2.
Test 1- the AP is connected to the trunk port on the dellconnect and I try to join the "staff" SSID and the "guest" SSID. I am able to connect to the AP, but receive no IP addresses from the DHCP server.
Test 2- I add a Cisco CE500 and connect its trunk port to the Dell connect port 9, and then connect the AP to another trunk port on the Cisco CE500. Everything works as expected.
This test helped me confirm that the AP is sending tagged frames and the dellconnect is vlan forwarding based on whatever the vlan ID is in the frame. So the only thing left is that the dellconnect trunk port is not receiving the vlan frames as the Cisco CE500 is.
cbroadway
May 16th, 2014 07:00
In test #2 while using the Cisco CE500 and trunking to the dellconnect, the CE500 is forwarding the tagged frames over the trunk to the dellconnect. It receives those tagged frames and forwards correctly.
So are you saying I can remove the default PVID 1 from port 9 and just leave that blank?
cbroadway
May 16th, 2014 08:00
I think I just found the answer. The Dellconnect cannot receive tagged frames from vlan 1, period, where the Cisco can. So if I wanted this to work, I would have to stop using vlan 1 altogether. Does this sound correct?
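
An added example, not part of the thread and not written by any poster: a small Python sketch that reads the 802.1Q tag from a raw Ethernet frame and shows which VLAN a port configured like port 9 (VLAN 1 untagged, VLAN 2 tagged) would assign to it. The `accept_tagged_pvid` switch, the helper names and the sample frames are assumptions constructed for illustration; the "drop tagged VLAN 1" mode models the hypothesis in the last post, not documented switch behaviour.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def parse_vlan(frame: bytes):
    """Return (vid, ethertype); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner  # low 12 bits of the TCI are the VLAN ID

def ingress_vlan(frame, pvid, tagged_vlans, accept_tagged_pvid=True):
    """VLAN a port assigns to a received frame, or None if it is dropped.

    accept_tagged_pvid=False models the behaviour suspected in the last post
    (frames tagged with the port's untagged VLAN are discarded); this is an
    assumption for illustration, not documented switch behaviour.
    """
    vid, _ = parse_vlan(frame)
    if vid is None or vid == 0:      # untagged or priority-tagged: use the PVID
        return pvid
    if vid == pvid:
        return pvid if accept_tagged_pvid else None
    return vid if vid in tagged_vlans else None  # unknown VLANs are filtered

def make_frame(vid=None):
    """Constructed broadcast IPv4 frame; vid=None leaves it untagged."""
    hdr = b"\xff" * 6 + bytes.fromhex("020000000001")
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid)
    return hdr + tag + struct.pack("!H", 0x0800) + b"\x00" * 46

if __name__ == "__main__":
    # Port 9 as described in the thread: VLAN 1 untagged (PVID 1), VLAN 2 tagged.
    for label, vid in (("untagged", None), ("tag 1", 1), ("tag 2", 2), ("tag 3", 3)):
        f = make_frame(vid)
        print(label, ingress_vlan(f, 1, {2}), ingress_vlan(f, 1, {2}, False))
```

Running `parse_vlan` over frames captured on the AP uplink shows whether the "Staff" SSID really leaves the AP tagged with VLAN 1 or untagged, which is the distinction the last post turns on.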