Network with VLAN sanity check

Rogue Leader

It's a trap!
Moderator
Just want to sanity check my network plan. I have the following hardware
D-Link DSR-250 Router: http://us.dlink.com/products/business-solutions/unified-services-router-2/
D-Link DGS-1024D switch: http://us.dlink.com/products/business-solutions/24-port-gigabit-unmanaged-desktoprackmount-switch/
Engenius EGS-2110P PoE switch: http://www.engeniustech.com/business-networking/switches/16760-egs2110p
Running to 2 Engenius EAP 9550 WAP: http://www.engeniustech.com/business-networking/indoor-access-points-client-bridges/3304-eap9550
and 4 network security cameras.

The big switch runs to a patch panel that runs throughout the house, the PoE is just to the cameras and the 2 WAP. WAN is provided by my cable provider through the router obviously. The large switch runs to port 1 on the router and the PoE runs to port 2.

What I have set up now is 2 SSIDs on the PoEs, one regular and one guest, however both are on the same subnet (so there really is no difference, the settings are identical other than the SSIDs), but I would like the guest to be internet only. Now I don't need crazy security because the people who will be using guest would be my parents and a few friends, so not like strangers will be in there. Also I turned down the signal strength on the WAPs so you can really only get a signal halfway through my yard, so you would really need to be sitting in the driveway near the house to get any sort of signal.

Ok so back to the guest network, the main network is 192.168.1.xxx, I would like to set up VLAN on my DSR-250 using ID 2 and point it to 192.168.10.xxx, through port 2, and then set the VLAN tag for the guest network on the WAPs to ID 2. For the cameras I will assign them specific IP addresses in the 192.168.1.xxx range to ensure I can see them on the main and not guest network.

Would this solve what I want to do? Thanks so much in advance!
 
APassingMe

Reputable
Aug 25, 2014
613
0
5,160
Okay, short answer... yes it will do exactly what you want. But!

You have to configure that 2nd port on your router as a DMZ or whatever you need to configure it so that it can't see the rest of your network, otherwise you'll have two dhcp servers on one network among other things which causes issues. Also make sure you assign your cameras to your vlan 1 group and not vlan 2, the rest is just making sure you have the switch configured correctly to route vlan traffic where you want it (port to port).
 

Rogue Leader



Thank you for the reply!

I think I will be ok as according to section 2.2.2 in the manual (v1.08) for the DSR-250 it has the ability to operate a second DHCP server for each VLAN that is set up. I'm assuming as long as I don't overlap the ranges I should be ok.

My assumption then is that at the WAP the VLAN tag is assigned (by SSID) and that tag will remain with the data through the switch to the router. I would think if I configure the switch to output with a VLAN tag for those ports then all traffic from the WAPs would be pushed to the VLAN which I don't want because then my devices that I want in network wouldn't be able to access everything else. According to page 27 of the EGS-2110P manual it seems to support the passing through of the VLAN tag however if I enable port based VLAN on the switch then it seems it would force all traffic from that port to that VLAN which I don't want. Am I reading all that right? TIA!
 

APassingMe

You have some options depending on your gear on how you set up your vlan. If your router and AP are both vlan compatible then you can just set the switch to tag (track) the vlan packets and that's all you will need to do after you set the vlan on the devices.

If they aren't compatible (and even though it seems like they are compatible it looks like you're going this route) then you have to tag the vlan for the switch port that connects to your AP and set the vlan as the primary for the switch port that goes to the router's guest port. When using this setup you don't have to setup the vlan on the router you just have to direct the traffic to the 2nd/right port, otherwise you just setup vlan tracking on the router and plug the compatible switch/device in any port. Keep in mind that you can assign multiple vlans to a single port but a device will only connect to the primary vlan unless it is vlan compatible and is set to another vlan.
 

Rogue Leader



Ok so this was a crash and burn. I started by setting the WAPs' SSID 1 to VLAN 1 and SSID 2 (guest) to VLAN 2, then I set up in the router, VLAN 1 was 192.168.1.xxx, VLAN 2 was set up to 192.168.2.xxx. Restart all and no Wifi at all. Then I went into the config on the switch, and I set the ports up to try it that way (through 802.1q). That worked in that now I had WiFi service, but I could now no longer go into the WAPs' admin screens, and SSID 2 did not work. I tried in the switch to point the VLANs to the MAC addresses of each SSID. That didn't work and ended up locking up the switch.

I backed out all of the settings and at least got it all back working. I feel like the switch actually won't pass through the VLAN ID, but will only assign VLAN IDs itself. That seems stupid though, I mean Engenius I'm sure sells these things to people who want to do something similar. Problem for me is that if I do a port then my wireless devices are all isolated when I just want to isolate the guests.

Any ideas? (PS by switch I'm only referring to the engenius PoE switch, the D-Link switch is out of the loop on this since the engenius goes direct to the router.)
 

APassingMe

I'm assuming you can log into the POE switch, you have to tell it which vlans to track and which to ignore (it ignores all but the primary by default), also which vlan is the primary (in your case vlan 1). Be careful when setting up vlans on the APs since you need to keep your management on vlan 1 and your guest network on vlan 2 (this would all be in the AP settings).

(Now it's switch settings) On the port that you have the AP connected to, you need to have vlan 2 tagged (tracked) and vlan 1 as the primary. You then need a vlan 1 switch port connected to your primary dhcp and another switch port with vlan 2 as primary connected to the secondary dhcp, this is dependent on how your router is setup though. (Alternate config depending on router settings) If your router is setup to track vlan 2 and have primary on vlan 1 (on all ports) then you just need one switch port connected to the router from your POE switch with vlan 1 set to primary and vlan 2 set to tag (track, I keep mentioning this because the naming convention differs on some switches so you'll have to figure out what it calls it).
 

Rogue Leader



Ok so this is where I am confused, if you take a look at pages 27-31 of the manual for the EGS-2110P you will see the VLAN options and I just don't see a way to do anything other than force a specific port to a specific VLAN.

I also tried setting static MAC addresses (page 26) to point to the specific MAC addresses from the WAPs and set them to the corresponding VLAN ID. That didn't work though (although I may try this again as the switch had locked up and required a hard reset with this). Port 10 of the switch goes out to the router, I feel like that port may be outputting with VLAN ID 1 no matter what I do.

Thanks again for your help, I thought I have done what you're saying but it doesn't seem to work.
 

APassingMe

If your POE switch can't deal with tagged vlans and automatically route them to the correctly configured ports then you will have to replace your POE switch to do what you're wanting to do.

I apologize as I didn't review the manual on that model and have never run into a switch that supported vlan without tagging, check with your product support to see what they have to say and go from there. I did double check your AP and it's definitely fine, either vlan option (tagged or not) is okay on the router provided you have a switch that can handle the tagged vlan ports from your AP.
 
Solution

Rogue Leader



Thanks I emailed engenius to find out if the switch requires the VLAN tags to be assigned to specific ports or not. I'll let you know what they reply. I believe their tech support is outside the US so hopefully I will have an answer tonight!
 

APassingMe

Just so we're on the same page.

A vlan port is a port that is designed to take all traffic that goes to that port and feeds it to any other ports that are marked as the same vlan (the switch is tagging the traffic but the tag doesn't get passed on to the devices connected, and it doesn't read incoming packets for a vlan tag), so you can have separate virtual switches on the same switch but the max number of ports usable is equal to the max of the physical switch.

A vlan port with vlan tagging is a port that accepts all default traffic and forwards it to ports on the same vlan but it also checks the packets for a vlan tag and if that tag is not the same as the default vlan then it will either reject that traffic (default) or move it into another vlan virtual switch (assuming the port is configured to accept that tagged vlan) where it will only go to the ports that have that vlan tagged on them. In this case the virtual switches can be assigned to the same ports as the default vlan ports but traffic will only go through if a device is connected that can read vlan tags and is configured to accept that vlan number. The max number of virtual ports in this case is the max number of vlans x the total number of physical ports.
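The two port behaviours described above (a port-based VLAN port that never reads tags, versus an 802.1Q tag-aware port with a primary/PVID and "tracked" VLANs, as also laid out in the earlier reply about the AP port and router port), as an added example that is not from the thread or from either vendor: a small Python model of a switch's ingress and egress decision for a guest frame tagged VLAN 2 travelling from the AP to the router uplink. The port numbers, MAC addresses and the `Port` class are assumptions; the point it shows is that in port-based mode the guest frame is switched inside the VLAN 1 forwarding domain, which is exactly the leak the OP is trying to avoid.

```python
TPID = 0x8100  # 802.1Q tag protocol identifier

def parse_frame(frame):
    """Return (vid, rest) where rest starts at the EtherType; vid is None if untagged."""
    if int.from_bytes(frame[12:14], "big") == TPID:
        tci = int.from_bytes(frame[14:16], "big")
        return tci & 0x0FFF, frame[16:]
    return None, frame[12:]

def build_frame(dst, src, vid=None, rest=b"\x08\x00"):
    """Assemble dst + src [+ 802.1Q tag] + EtherType/payload (constructed frames)."""
    tag = b"" if vid is None else TPID.to_bytes(2, "big") + (vid & 0x0FFF).to_bytes(2, "big")
    return dst + src + tag + rest

class Port:  # assumed model of one switch port
    def __init__(self, pvid, tagged=(), tag_aware=True):
        self.pvid = pvid            # VLAN for untagged frames (the "primary" in the thread)
        self.tagged = set(tagged)   # VLANs carried with a tag ("tracked" in the thread)
        self.tag_aware = tag_aware  # False = port-based VLAN: tags are never inspected

def ingress_vlan(port, frame):
    """VLAN the frame is placed in on arrival, or None if the port drops it."""
    vid, _ = parse_frame(frame)
    if vid is None or not port.tag_aware:
        return port.pvid            # tag ignored: frame lands in the PVID VLAN
    return vid if (vid == port.pvid or vid in port.tagged) else None

def egress_frame(port, vlan, frame):
    """Frame as it leaves `port` for `vlan`, or None if `port` is not a member."""
    if not port.tag_aware:
        return frame                # port-based: forwarded verbatim, tag untouched
    if vlan != port.pvid and vlan not in port.tagged:
        return None
    _, rest = parse_frame(frame)    # PVID leaves untagged, other member VLANs leave tagged
    return build_frame(frame[:6], frame[6:12], None if vlan == port.pvid else vlan, rest)

def forward(ports, in_port, out_port, frame):
    """Return (VLAN used inside the switch, VID on the wire at egress) or None if dropped."""
    vlan = ingress_vlan(ports[in_port], frame)
    out = egress_frame(ports[out_port], vlan, frame) if vlan is not None else None
    return None if out is None else (vlan, parse_frame(out)[0])

def guest_frame_to_router(tag_aware, vid=2):
    """Constructed topology from the thread: AP on port 1, router uplink on port 10."""
    ports = {1: Port(pvid=1, tagged=[2], tag_aware=tag_aware),
             10: Port(pvid=1, tagged=[2], tag_aware=tag_aware)}
    ap_mac, router_mac = b"\xaa" * 6, b"\xbb" * 6
    return forward(ports, 1, 10, build_frame(router_mac, ap_mac, vid))
```

With `tag_aware=True` the guest frame crosses the switch in VLAN 2 and reaches the router still tagged 2; with `tag_aware=False` it is switched as VLAN 1 traffic, and a frame tagged with a VLAN the port is not a member of is dropped on ingress.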
 

Rogue Leader



Yeah I got that, I want it to operate like paragraph 2, but my fear is that it operates like paragraph 1. No answer from engenius yet.