UBNT gear and vlans

joblo37pam

2[H]4U
Joined
Jun 28, 2002
Messages
2,151
I posted to the UBNT forums trying to figure out a config, but haven't gotten much response. I have more confidence in [H].

Here's the original thread:

I am having some issues separating SSIDs via VLAN with Unifi and a Toughswitch. They are connecting to a ZyXel USG40 gateway with two subnets configured on separate interfaces and DHCP on both.

I have configured the Unifi APs with the controller software to have two ssids, one public (vlan3) and one private (vlan2). The APs (testing with 1, will use 3 in production) will be connected to a 5 port toughswitch on ports 3-5. Port 1 on the toughswitch is going to the subnet1 port of the zyxel, and port 2 is going to subnet2 on the zyxel.

I have configured vlans on the toughswitch as shown in the attached picture. When I plug a configured ap into the switch and it boots, I can connect to either ssid, and get the correct ip. However, after a couple minutes, I am disconnected and the AP starts blinking. I am also not able to configure the ap when it is connected through the toughswitch, which I believe is the cause of the disconnects. I'm guessing this has something to do with tagging the management vlan to the ap, but I haven't done this enough to know for sure. I'm hoping you guys can point me in the right direction.

A little more graphical breakdown:

Zyxel:
Subnet 1 - 192.168.100.x - port 1 - connected to toughswitch port 1
Subnet 2 - 192.168.101.x - port 2 - connected to toughswitch port 2

Toughswitch:
Port 1 - connected to zyxel port 1 - tagged vlan1, untagged vlan2, exclude vlan3
Port 2 - connected to zyxel port 2 - exclude vlan1, exclude vlan2, untagged vlan3
Port 3,4,5 - connected to unifi aps - untagged vlan1, tagged vlan2 & vlan3

Unifi AP:
Connected to ports 3,4,5 on toughswitch (test AP is 192.168.100.30)
SSID1 - Private network - vlan2
SSID2 - Public network - vlan3

Again, the SSID vlans seem to be working correctly, but the ap appears to shut down because it can't communicate on the management vlan. I have even tried making the private vlan the management vlan as shown in the picture, but that didn't help either. Any ideas? Thanks.

vlan.jpg


After thinking about it a little more, I changed the native trunk vlan to 2 (private), and made the AP ports trunk ports. I am now able to communicate with the APs via the controller and ping them by IP. The public SSID works correctly, but cannot get a dhcp ip via the private SSID. I'm stumped and a bit out of my realm here. Any suggestions?
 

firedrow

Limp Gawd
Joined
Oct 11, 2013
Messages
162
It's been a while since I worked with a ToughSwitch but you're on the right track. Do some quick troubleshooting: where does DHCP stop? Change port 5 to Untagged on VLAN3, Tagged on VLAN1. Then plug a laptop into port 5; does it get DHCP? If not, then something may be wrong on the router or port 2. If you do get DHCP, then change it back to Tagged VLAN3, Untagged VLAN1. Check your WAP settings for the Private SSID, make sure it saved the VLAN setting.

Off hand, does your ZyXel not do VLAN tagging? If it does, why not just do 1 Trunk port instead of 2?
 

berky

2[H]4U
Joined
Aug 28, 2001
Messages
2,233
Is the AP tagging? Is the Zyxel tagging?

Making a few assumptions, I would try the following:

If you're not using VLAN 1, disable it.
Tag all traffic between the Zyxel and ToughSwitch.
Don't rely on 'native vlans'... it's a workaround more than a design. If you can tag, then tag.

If the AP can tag each SSID, you should be fine tagging both 2 and 3 to each AP.
 

firedrow

Limp Gawd
Joined
Oct 11, 2013
Messages
162
Is the AP tagging? Is the Zyxel tagging?

Making a few assumptions, I would try the following:

If you're not using VLAN 1, disable it.
Tag all traffic between the Zyxel and ToughSwitch.
Don't rely on 'native vlans'... it's a workaround more than a design. If you can tag, then tag.

If the AP can tag each SSID, you should be fine tagging both 2 and 3 to each AP.

The UAP can do tagging per SSID, and I agree with berky. Go ahead and apply all VLANs to all interfaces and then your UAP will only use the tags it needs.

One thing I have noticed when doing setup with the UAP: set up your secure SSID as non-tagged (don't enable VLANs and do Untagged on the switch). Then do all public/guest SSIDs as tagged (enable VLANs per SSID and Tagged on the switch). Your UAP uses the network/VLAN of your secure interface for management.
 

joblo37pam

2[H]4U
Joined
Jun 28, 2002
Messages
2,151
One thing I have noticed when doing setup with the UAP: set up your secure SSID as non-tagged (don't enable VLANs and do Untagged on the switch). Then do all public/guest SSIDs as tagged (enable VLANs per SSID and Tagged on the switch). Your UAP uses the network/VLAN of your secure interface for management.

This is exactly what I did this morning, after thinking about it overnight. I deleted vlan2 completely and untagged the private ssid. I left the public ssid tagged as vlan3 on the UAP, as well as on all three AP ports on the toughswitch. Untagged vlan3 on the toughswitch port connected to the public vlan, and now everything is working the way it should. I was just trying to overcomplicate things. Thanks for your help guys.
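An added example, not from this thread and not Ubiquiti's or ZyXEL's code: a small Python model of the ToughSwitch per-port table (Untagged / Tagged / Exclude) that traces where the AP's management frames and each SSID's frames land on the two ZyXEL ports. It encodes the port table from the first post, the working layout from the last post, and firedrow's port 5 swap. Assumptions (the thread supports but does not spell them out): the ZyXEL ports are untagged, so a frame that leaves the switch tagged towards them is lost; the ToughSwitch assigns untagged ingress frames to the port's Untagged VLAN and drops frames for VLANs the ingress port excludes; and after VLAN 2 was deleted, the default VLAN 1 is what stayed untagged on port 1. All class and function names are mine.

```python
"""Trace AP traffic through a ToughSwitch-style VLAN port table.

Added example for the thread above; not code from Ubiquiti or from the
posters. Assumes the ZyXEL ports do no tagging and that the ToughSwitch
uses each port's Untagged VLAN as its PVID for untagged ingress frames.
"""

U, T, E = "U", "T", "E"          # per-port membership: Untagged / Tagged / Exclude


class ToughSwitch:
    def __init__(self, ports):
        # ports: {port_number: {vlan_id: U|T|E}}; a VLAN not listed is Excluded
        self.ports = ports

    def pvid(self, port):
        """VLAN assigned to an untagged frame arriving on `port` (assumption:
        the port's Untagged VLAN)."""
        return next((v for v, m in self.ports[port].items() if m == U), None)

    def egress(self, in_port, tag):
        """Flood one frame entering `in_port` (tag=None means it arrived
        untagged). Returns {out_port: 'tagged'|'untagged'}."""
        vlan = self.pvid(in_port) if tag is None else tag
        if vlan is None or self.ports[in_port].get(vlan, E) == E:
            return {}                # ingress port is not a member: dropped
        out = {}
        for port, members in self.ports.items():
            if port == in_port:
                continue
            mode = members.get(vlan, E)
            if mode != E:
                out[port] = "untagged" if mode == U else "tagged"
        return out


def trace_ap(switch, gateway_ports, ap_port, flows):
    """flows: {name: (tag_or_None, wanted_subnet)}. gateway_ports maps the
    switch ports facing the ZyXEL to the subnet behind them. Because those
    ports are untagged, only untagged egress reaches a subnet; tagged egress
    towards them counts as lost."""
    report = {}
    for name, (tag, wanted) in flows.items():
        out = switch.egress(ap_port, tag)
        landed = sorted(gateway_ports[p] for p, mode in out.items()
                        if p in gateway_ports and mode == "untagged")
        if landed == [wanted]:
            report[name] = "ok"
        elif not landed:
            report[name] = "unreachable"
        else:
            report[name] = "lands on " + ", ".join(landed)
    return report


GATEWAY = {1: "subnet1", 2: "subnet2"}   # ToughSwitch port -> ZyXEL subnet

# First post: management is sent untagged (the AP lives on 192.168.100.x,
# i.e. subnet1); private SSID tagged 2, public SSID tagged 3.
ORIGINAL_FLOWS = {"management": (None, "subnet1"),
                  "private SSID": (2, "subnet1"),
                  "public SSID": (3, "subnet2")}
original = ToughSwitch({
    1: {1: T, 2: U, 3: E},
    2: {1: E, 2: E, 3: U},
    3: {1: U, 2: T, 3: T},
    4: {1: U, 2: T, 3: T},
    5: {1: U, 2: T, 3: T},
})

# Last post: VLAN 2 removed, private SSID untagged, public still tagged 3.
# Assumption: default VLAN 1 is what remains untagged on port 1.
FINAL_FLOWS = {"management": (None, "subnet1"),
               "private SSID": (None, "subnet1"),
               "public SSID": (3, "subnet2")}
final = ToughSwitch({
    1: {1: U, 3: E},
    2: {1: E, 3: U},
    3: {1: U, 3: T},
    4: {1: U, 3: T},
    5: {1: U, 3: T},
})

# firedrow's troubleshooting swap on port 5 (Untagged VLAN3, Tagged VLAN1),
# with the other ports as in the final layout.
swapped = ToughSwitch({
    1: {1: U, 3: E},
    2: {1: E, 3: U},
    5: {1: T, 3: U},
})


def original_report():
    return trace_ap(original, GATEWAY, 3, ORIGINAL_FLOWS)


def final_report():
    return trace_ap(final, GATEWAY, 3, FINAL_FLOWS)


def laptop_test():
    """A laptop on the swapped port 5 should pull DHCP from subnet2."""
    return trace_ap(swapped, GATEWAY, 5, {"laptop": (None, "subnet2")})


def swapped_report():
    """An AP left on the swapped port: untagged traffic hits the wrong subnet."""
    return trace_ap(swapped, GATEWAY, 5, FINAL_FLOWS)


if __name__ == "__main__":
    for label, fn in [("original", original_report), ("final", final_report),
                      ("laptop on port 5", laptop_test), ("AP on port 5", swapped_report)]:
        print(label, fn())
```

Against the first post's table the trace reports management as unreachable while both SSIDs are fine, which is what the OP saw: untagged frames from the AP become VLAN 1, VLAN 1 leaves port 1 tagged, and an untagged ZyXEL port cannot accept that. The final layout passes all three flows. The port 5 swap is the useful caveat: it is a fine way to test DHCP with a laptop, but an AP whose private SSID and management ride untagged would, on that port, land on the public subnet, which is exactly the separation the VLANs are there to enforce.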
 

remixedcat

Weaksauce
Joined
Jun 5, 2011
Messages
70
I had to do something sorta like that with my meraki z1/aruba rap109 x 2 setup...

vlan100=main ssid-Main (on aruba:client ip assignment:network managed/client vlan=default)
vlan3=guests ssid-Guest (on aruba:client ip assignment:network managed/client vlan=3)

and that works fine... if I make the aruba ssid main to client vlan=100 then clients won't connect.
 