Vlan setup issue

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2017-10-09 00:04:49

Hello guys,

I just bought a SG108E switch and in my setup I encounter an issue. My setup:

-Sophos home made firewall with 3 interfaces (WAN, LAN1 and LAN2)
-TP LINK SG108E
-CISCO AIR-LAP1131G-E-K9 access point

The devices are connected as follows: Sophos LAN1 -> port 1 TPLINK - TPLINK port 2 -> Cisco AP

Sophos LAN 1 has VLAN2 and VLAN3 on it, as well as the other ports involved in the connection above. TPlink has only ports 1&2 configured as trunk; the rest of them are access ports in vlan 2 and port 8 is untagged. Cisco AP has a classic trunk with VLANs 2 and 3 corresponding to ssid main and guest, and also the native vlan (which is untagged).
Sophos device is a layer 3 device, unable to manage untagged Vlans.
TPlink device has the management IP on the untagged vlan1.
Cisco AP has the management IP address on Native vlan 1. This model cannot have a management IP address on any vlan other than the native one (which is untagged).

TPLINK config images:
Problem: while the tagged VLANs work OK, the untagged ones are unreachable (management IP of TPlink and Cisco AP). As a workaround, I configured the spare interface on Sophos LAN2 with a fixed IP in the same subnet as the native VLAN of TPLINK and Cisco, and connected it to TPLINK port 8 (which is not tagged). Now I can reach the TPLINK IP, but still cannot reach the Cisco IP (which is on the same subnet).
Is there a way to solve this?
Re:Vlan setup issue
2017-10-09 09:15:47
Where is your computer that wants to access the web interface of the Cisco? (connected to the firewall or the wireless AP) In my opinion, you need to check the configuration in your Cisco AP.
When your computer connects to the Cisco AP via wireless directly, is your computer able to open the web page of the Cisco AP?
Re:Vlan setup issue
2017-10-09 18:49:06

panicos wrote

Now i can reach the TPLINK IP, but still cannot reach Cisco IP (which is on the same subnet).


This is another example of the never-ending story of the TL-SG108E having a fixed Default VLAN 1. The question is, what happens with untagged Ethernet frames in the Default VLAN on egress? According to the switch's manual, any untagged Ethernet frames received by the switch over the trunk will be assigned the PVID of the trunk port (that's correct behavior in the sense of Cisco's native VLAN). Since PVID is 1 in your setup above, untagged frames will get assigned to VLAN 1.

But what happens on egress of such frames on the trunk port? Since ports 1 & 2 are set as untagged ports for VLAN 1, the VLAN tag should be removed, so the Cisco AP should see an untagged frame and handle it through its native VLAN. But since ports 1 & 2 are trunk ports, according to the manual the frame will be forwarded unchanged, i.e. the VLAN tag not removed on egress. I still couldn't figure out what really happens to VID1-tagged frames on egress over a trunk.

Long story short: I gave up on handling VLAN 1 in my network through TL-SG108Es (I have two of them and similar requirements to be able to handle trunked VLAN 1). While my appliance switch (a TL-SG2008) can be configured to handle VID1-tagged frames over a trunk, I was not able to set it on the TL-SG108E. I opened several tickets with TP-Link asking for a firmware change to be able to handle VLAN 1 much like any other VLAN (as is possible with the TL-SG2008), but so far I only got a response that they won't change the Default VLAN on the Easy Smart Switches. So I'm actually considering replacing the TL-SG108Es with smart switches such as the Netgear GS 108E, which allows me to configure VLAN 1 just like any other VLAN.

If TP-Link insists on setting a fixed Default VLAN for whatever reason, they should use a VLAN ID above 4090, but not VLAN 1.
Re:Vlan setup issue
2017-10-11 16:43:34
You guys are both right. However, after more analysis and tcpdumps on the firewall, I figured it out. The issue was on the AP, because although it has an IP in VLAN 1 native (untagged), it does not have a default gateway set for that. So the AP was constantly ARPing for the MAC of destinations in other subnets, as if it thought itself to be in the same subnet as VLAN 2, or VLAN 3, etc. - very strange. Setting a default gateway in it (default gateway: the firewall IP address in that subnet) fixed the issue. The initial setup worked with a previous Cisco router, but after I replaced it with the firewall and also mounted the TPlink in the middle, it didn't anymore.
Thanks both of you.
Thread may be closed.
Re:Vlan setup issue
2017-10-11 16:54:32
Great that it works. However, if the switch indeed uses untagged Ethernet frames for the mgmt IP of the AP in VLAN 1 and the AP uses a default address of the router, this means that the AP's mgmt interface can be reached from each VLAN, right? So, the Default VLAN problem still remains, since every port is always a member of VLAN 1 (that was my point).
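The following is an added worked model, not code from the thread, TP-Link or Cisco. It encodes the SG108E port table the original poster described and applies the standard 802.1Q port-based rules (ingress: an untagged frame takes the port's PVID; egress: sent untagged if the port is an untagged member, tagged if a tagged member, dropped otherwise) to show the two points raised above: how the trunk handles VLAN 1, and that a VLAN 1 broadcast from the AP's management interface floods to every port because VLAN 1 membership cannot be removed. The port table and the assumption that the trunk strips the tag for VLAN 1 on egress are constructed from the posts, since the manual's exact trunk behaviour is left open in the thread.

```python
"""802.1Q port-based VLAN forwarding model for the SG108E setup in this thread.

Constructed example: the port table below is reconstructed from the first
post; VLAN 1 untagged on every port is an assumption matching the fixed
Default VLAN the switch does not let you remove.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Port:
    pvid: int                 # VLAN assigned to untagged ingress frames
    tagged: FrozenSet[int]    # VLANs sent out with an 802.1Q tag
    untagged: FrozenSet[int]  # VLANs sent out without a tag


PORTS: Dict[int, Port] = {
    1: Port(1, frozenset({2, 3}), frozenset({1})),   # trunk to Sophos LAN1
    2: Port(1, frozenset({2, 3}), frozenset({1})),   # trunk to Cisco AP
    # ports 3-7: access ports in VLAN 2 (VLAN 1 membership is forced)
    **{p: Port(2, frozenset(), frozenset({1, 2})) for p in range(3, 8)},
    8: Port(1, frozenset(), frozenset({1})),         # untagged port to Sophos LAN2
}


def classify(in_port: int, vid: Optional[int]) -> int:
    """Ingress rule: a tagged frame keeps its VID, an untagged one gets the PVID."""
    return vid if vid is not None else PORTS[in_port].pvid


def forward(in_port: int, vid: Optional[int]) -> Dict[int, str]:
    """Egress decision for a broadcast/unknown-destination frame.

    Returns {out_port: "tagged" | "untagged"}; ports not in the VLAN are omitted.
    Assumption: a trunk that is an untagged member of VLAN 1 strips the tag,
    which is the plain 802.1Q rule and what the thread could not confirm.
    """
    vlan = classify(in_port, vid)
    out: Dict[int, str] = {}
    for number, port in PORTS.items():
        if number == in_port:
            continue
        if vlan in port.tagged:
            out[number] = "tagged"
        elif vlan in port.untagged:
            out[number] = "untagged"
    return out


if __name__ == "__main__":
    # ARP from the AP's untagged mgmt interface arrives on port 2 with no tag
    print("AP mgmt broadcast reaches:", forward(2, None))
```

Running it shows the AP's untagged management ARP landing on every other port, including the VLAN 2 access ports, which is the exposure the fourth post points out.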