VLAN trunk with WAP

To start with troubleshooting, configure a test port on the switch dedicated for each VLAN (samle VLAN ID and PVID) [U]ntagged and connect a computer there - it should get an IP address bc DHCP for that subnet, and be able to ping the related default gateway, and (depending on the firewall rules) reach the Internet or some internal LAN.

---

@schumaku wrote:

To start with troubleshooting, configure a test port on the switch dedicated for each VLAN (samle VLAN ID and PVID) [U]ntagged and connect a computer there - it should get an IP address bc DHCP for that subnet, and be able to ping the related default gateway, and (depending on the firewall rules) reach the Internet or some internal LAN.

---

This worked. I tested by first untagging port 24 on VLAN 2 and connected a computer to it. No IP. Then I tagged that port. Still no IP. Then I changed the PVID for that port from 1 to 2 while the port was untagged. That worked and I got an IP from the correct subnet.

What I don't know though is how to configure this port as a trunk port and have multiple VLANs assigned to it, since you can only assign one PVID to each port.

Great, you started testing and experiencing - exactly what I expected.

Now there is a little error in the config - the PVID does define the VLAN untagged incoming packets are assigned to Define the test port to VLAN ID 2 [u]ntagged, and PVID 2 - and a normal computer (not VLAN aware) will work straight away.

If these test ports are fine, you can have an eye on the WAC trunk port - all the VLANs (except of the base one which you might want or have to keep untagged for the WAC administration) must be [t]agged, only the base VLAN is [u]ntagged and PVID. 

---

@schumaku wrote:

Great, you started testing and experiencing - exactly what I expected.

 

Now there is a little error in the config - the PVID does define the VLAN untagged incoming packets are assigned to Define the test port to VLAN ID 2 [u]ntagged, and PVID 2 - and a normal computer (not VLAN aware) will work straight away.

 

If these test ports are fine, you can have an eye on the WAC trunk port - all the VLANs (except of the base one which you might want or have to keep untagged for the WAC administration) must be [t]agged, only the base VLAN is [u]ntagged and PVID. 

---

Ok, but how do I assign multiple VLANs to a port other than port 1? So far when I try, it doesn't work. Tagged or untagged.

By going over the VLAN ID required, marking each VLAN tagged on the port (or the LAG) - VLAN Membership ... select the VLAN ... and mark port(s) and/or LAG as [T]agged or [U]ntagged for example?

Does this switch not support multiple VLAN trunk ports?

I have the WAP plugged into port 3. I have all VLANs tagged on port 3. But, I can't get an IP address on any of my tagged SSIDs.

I would assume even these Smart Managed Plus switches do - I'm not familiar with the JGS524PE model. Does it have a full Web UI including the VLAN config in switching, or do you have to use the ProSafe Plus Configuration Utility?

VLAN -> 802.1Q -> Advanced  802.1Q -> VLAN Configuration 

VLAN -> 802.1Q -> Advanced  802.1Q -> VLAN Membership

If these config options are available, I would assume it does work accordingly.

Could still be a config problem of the switch ports, being the trunk to the security appliance, being the trunk to the WAC, being the WAC itself.

Edit: The switch firmwae is anywhere near to the current one as from the JGS524PE model downloads https://www.netgear.com/support/product/JGS524PE.aspx#download ?

Sorry for my confusion before, I had a different switch family in mind.

Regards,

-Kurt

---

@schumaku wrote:

I would assume even these Smart Managed Plus switches do - I'm not familiar with the JGS524PE model. Does it have a full Web UI including the VLAN config in switching, or do you have to use the ProSafe Plus Configuration Utility?

 

VLAN -> 802.1Q -> Advanced  802.1Q -> VLAN Configuration 

 

VLAN -> 802.1Q -> Advanced  802.1Q -> VLAN Membership

 

 

If these config options are available, I would assume it does work accordingly.

 

Could still be a config problem of the switch ports, being the trunk to the security appliance, being the trunk to the WAC, being the WAC itself.

 

Edit: The switch firmwae is anywhere near to the current one as from the JGS524PE model downloads https://www.netgear.com/support/product/JGS524PE.aspx#download ?

 

Sorry for my confusion before, I had a different switch family in mind.

 

Regards,

-Kurt

 

 

 

 

 

 

 

 

---

I believe you need to use the utility, that's what I've been using so far. The screen shots in your comment match what I see. I'll check the firmware version next time I'm in front of the unit.

Great, looking forward. Provide some screenshots of the base LAN and at least one example VLAN please.

What kind of WAC is involved - and insight on it's configuration?

So here's what my screens look like:

If I tag or untag port 3 (which the WAP is physically connected to) and connect to the SSID with the cooresponding VLAN, I do not get an IP address. This is also true if I tag or untag port 1. Basically any combination of tagged or untagged on ports 1 and 3 doesn't work.

The WAPs are Ubiquiti UniFi APs. This is what the screen looks like for the SSID I'm testing:

Can't see the screenshots yet - takes a while until a moderator has approved.

In any case, when I have UniFi right in my grey cells, the management network must be untagged. 

---

@schumaku wrote:

Can't see the screenshots yet - takes a while until a moderator has approved.

 

In any case, when I have UniFi right in my grey cells, the management network must be untagged. 

---

That's one of the combinations I tried. Port 1 untagged for VLAN 5 and port 3 tagged. VLAN 1 is untagged on all ports.

---

@Kingrazor001 wrote:

That's one of the combinations I tried. Port 1 untagged for VLAN 5 and port 3 tagged. VLAN 1 is untagged on all ports.

---

All VLAN IDs used for the virtual SSIDs (for VLANs) must be tagged.

Does a simple test port configured untagged say for the VLAN ID 5 and PVID 5 supply a DHCP config and give access to the VLAN 5 and IP subnet at all?

---

@schumaku wrote:

---

@Kingrazor001 wrote:

That's one of the combinations I tried. Port 1 untagged for VLAN 5 and port 3 tagged. VLAN 1 is untagged on all ports.

---

All VLAN IDs used for the virtual SSIDs (for VLANs) must be tagged.

 

Does a simple test port configured untagged say for the VLAN ID 5 abd PVID 5 supply a DHCP config and give access to the VLAN 5 and IP subnet at all?

---

So far the only way I've gotten it to work is by assigning a PVID for that VLAN to a port. I tried applying VLAN ID 5 to a port untagged with port 1 tagged and PVID of 5 on that port and it worked.

---

@Kingrazor001 wrote:

---

I tried applying VLAN ID 5 to a port untagged with port 1 tagged and PVID of 5 on that port and it worked.

---

The test port must be VLAN ID 5, Untagged, PVID 5.

The test port must be VLAN ID [2..6], Untagged, PVID [2..6] mor generic for the other VLANs.

---

@schumaku wrote:

---

@Kingrazor001 wrote:

---

I tried applying VLAN ID 5 to a port untagged with port 1 tagged and PVID of 5 on that port and it worked.

---

The test port must be VLAN ID 5, Untagged, PVID 5.

 

The test port must be VLAN ID [2..6], Untagged, PVID [2..6] mor generic for the other VLANs.

 

---

So it looks like VLAN trunking isn't supported. If that's the case, I'd need to have one SSID per WAP to use VLANs with this switch. Right now all WAPs have all SSIDs. Guess I need a new switch.

---

@Kingrazor001 wrote:

---

@schumaku wrote:

---

@Kingrazor001 wrote:

---

I tried applying VLAN ID 5 to a port untagged with port 1 tagged and PVID of 5 on that port and it worked.

---

The test port must be VLAN ID 5, Untagged, PVID 5.

 

The test port must be VLAN ID [2..6], Untagged, PVID [2..6] mor generic for the other VLANs.

 

---

So it looks like VLAN trunking isn't supported. If that's the case, I'd need to have one SSID per WAP to use VLANs with this switch. Right now all WAPs have all SSIDs. Guess I need a new switch.

---

Nope, no new switch. Just a slightly flat learning curve on VLANs, and thier troubleshooting.

I'm asking you to set-up a non-trunked port for a test system - and move this through all the VLANs required - like this we can ensure the VLAN work appropriate between the switch and the router.

Look, >95% of the issues are on the router/VLAN/IP subnet/DHCP configuration side, and not on the L2 switches. And when I read above that you have two untagged VLANs configured on a port, that's the guaranteed start into a disaster. 

Excellent find, glad you have your set-up up and running!