EAP220 tagged VLAN is not working
EAP220 tagged VLAN is not working
ok.
1: i have mikrotik router. 5 ports goes in to the bridge as well as VLAN goes through this bridge. VLAN is taged 1010 for public wifi.
2 I have tp link switch . VLAN1010 is in place , port 8 is in general state pvid 1 that means default LAN and VLAN 1010 goes through.
3: I have eap connected to port 8 in TP link switch
4: AEP is managed via controller. I have created two SSID's testLAN (default LAN) and test tagged 1010.
The problems is no mater if i connect to testLAN or test im getting IP form default LAN only, connecting to test i suppose to get ip from 1010 vlan but it doent work
where could be a problem.
Unifi systems works without any trouble .
Any help would be appreciated as seems to be im missing something.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi Sir,
VLAN mechanism of EAP serial products (except EAP330/320)
1. Ingress packets ( data stream comes into EAP from wired port). When the data packet is untagged, it will be sent according to the MAC Address table. When the data packet is tagged, it will be sent to the corresponding VLAN.
2.Egress packets ( data stream comes out from EAP to wired port). When the wireless VLAN is off, the data packet will be untagged. When the wireless VLAN is on, the data packet will be tagged with corresponding VLAN tag.
In this situation, untagged data packets from other servers or devices will be sent to wireless clients in different VLAN SSID, no matter broadcast, multicast, unicast packets. So we suggest you setting trunk/ general egress rule of the switch port which EAP connect with, make sure the packets from switch to EAP is tagged if it belong to VLAN.
- Copy Link
- Report Inappropriate Content
ok port nuber 1 is connected to router one of the bridge ports, vlan 1010 goes via bridge along vith default LAN. I have created vlan 1010 on a switch.
Port 6 is konnected to EAP.
port 1 and 6 are genaral. port 1 and 6 are members of vlan 1010.
So then i go in to details of port 1 or port 6 i may see that default vlan1 and vlan 1010 should pass via ports 1 and 6.
Next i have wifi network on EAP taged 1010 for public and non taged for internal LAN(defaultLAN)
So on the switch on vlan 1010 if i have port 1 untaged and port 6 taged im loosing connection. If i have port 1 and 6 untaged im getting IP from degault LAN 1 on both SSID's
if i have port 1 and 6 tagged im getting IP address on wifi from publick network 1010 but untaged wifi users are getting ip form 1010 aswell.
its suppose to work different public 1010 vlan should give IP's to 1010taged wifi and vlan1(default) should give IP's to non taged default wifi lan.
Im working with cisco no problems working with mikrotik unifi no problems.
I found tricky to configure TP links switch or EAP
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
IMHO, you should not mix untagged and tagged traffic on a trunk if there are no good reasons to do so (e.g. it would only make sense if you have some legacy VLAN-unaware devices connected to a trunk, which is a rare situation nowadays).
Just assign VLAN 1010 to the guest SSID and Default VLAN 1 (or whatever you did define as your Default VLAN) to the internal or private LAN. Assign port 6 of the switch as a tagged port ("trunk") assigned to both VLANs and set its PVID to the Default VLAN ID. Remember to assign the Default VLAN ID as the Management VLAN of the EAP too, if you don't use a separate MGMT VLAN.
How you configure the switch's port 1 connected to the Mikrotik router is another story - I would use tagged ports on the router too, if the router is VLAN-aware. But you could terminate the Default VLAN (and only this!) in the switch instead of in the router.
Note that the 802.1Q standard does not define such things as "Default VLANs", "Native VLANs" or even "trunk ports". In the standard there are only "ports assigned to one or more networks(s)" which make up a VLAN and how they are being handled by different devices in regard to such things as a "Default VLANs" might differ from vendor to vendor. For example, in my network there is no Default VLAN at all (but a "Blackhole VLAN" for setting the PVIDs of trunk ports to an otherwise unused VLAN to mimic Cisco's behavior of dropping untagged Ethernet frames arriving on a trunk port).
- Copy Link
- Report Inappropriate Content
I know i should not mix but i just started mixing as it really started p.......ing me off. I didnt try to do trunk on port 6 will try tomorrow.
Thanks for advise.
- Copy Link
- Report Inappropriate Content
Yes, VLAN setups can be frustrating, I know this from own experience.
Two more tips:
1. Use an untagged ("Access") port on your switch/router to hook up the PC/laptop for accessing the web UI of the EAP. PVID should be the VLAN ID of the network the EAP is connected to or the ID of the MGMT VLAN if you change it later (see 2. below).
2. There are two basic setups to isolate user groups/SSIDs while sharing common Internet access:
- Your router has only one network (e.g. 192.168.1.0/24) and one DHCP server. You want to split a single LAN into two or more virtual subnets using VLANs, which are isolated against each other, but share the same IP range and also Internet access. This is what I call the "TP-Link way", since it is used in many of their recipes, e.g. in this one for Multi-SSID on a TL-WA901 AP. You need to assign an untagged port (the one to the router) as a member of all VLANs and this port will have a PVID of the so-called "Default VLAN" which all other ports are members of, too. It's basically this topology (bubbles show termination of VLANs 1 & 2 in the switch; only the Default VLAN terminates in the router, which needs not be VLAN-aware):
- Your router has two subnets (e.g. 192.168.1.0/24 and 192.168.2.0/24), two DHCP servers and is VLAN-aware. That's how I usually set up the config even on TP-Link SOHO routers running OpenWRT. In this case, there are two isolated networks and two separate broadcast domains even for Internet access. Both links between the EAP and the switch and between the switch and the router use only tagged ("Trunk") ports (not "General"). There is no "Default VLAN" nor are there any untagged ports with membership in more than one VLAN. It's the following topology, where the switch of the router is used, but there could be an external switch in between, too (pictures are from an older post). Both VLANs 1 & 2 terminate at the router in two separate LANs:
However, in both methods the SSIDs are assigned the VLAN IDs of the different groups. In the second method you also have to assign the EAP a MGMT VLAN ID to one of the two VLANs, while in the first method no MGMT VLAN ID needs to be set.
Hope this helps.
- Copy Link
- Report Inappropriate Content
R1D2 wrote
Yes, VLAN setups can be frustrating, I know this from own experience.
Two more tips:
1. Use an untagged ("Access") port on your switch/router to hook up the PC/laptop for accessing the web UI of the EAP. PVID should be the VLAN ID of the network the EAP is connected to or the ID of the MGMT VLAN if you change it later (see 2. below).
2. There are two basic setups to isolate user groups/SSIDs while sharing common Internet access:
- Your router has only one network (e.g. 192.168.1.0/24) and one DHCP server. You want to split a single LAN into two or more virtual subnets using VLANs, which are isolated against each other, but share the same IP range and also Internet access. This is what I call the "TP-Link way", since it is used in many of their recipes, e.g. in this one for Multi-SSID on a TL-WA901 AP. You need to assign an untagged port (the one to the router) as a member of all VLANs and this port will have a PVID of the so-called "Default VLAN" which all other ports are members of, too. It's basically this topology (bubbles show termination of VLANs 1 & 2 in the switch; only the Default VLAN terminates in the router, which needs not be VLAN-aware):
- Your router has two subnets (e.g. 192.168.1.0/24 and 192.168.2.0/24), two DHCP servers and is VLAN-aware. That's how I usually set up the config even on TP-Link SOHO routers running OpenWRT. In this case, there are two isolated networks and two separate broadcast domains even for Internet access. Both links between the EAP and the switch and between the switch and the router use only tagged ("Trunk") ports (not "General"). There is no "Default VLAN" nor are there any untagged ports with membership in more than one VLAN. It's the following topology, where the switch of the router is used, but there could be an external switch in between, too (pictures are from an older post). Both VLANs 1 & 2 terminate at the router in two separate LANs:
However, in both methods the SSIDs are assigned the VLAN IDs of the different groups. In the second method you also have to assign the EAP a MGMT VLAN ID to one of the two VLANs, while in the first method no MGMT VLAN ID needs to be set.
Hope this helps.
I have followed your advise but nothing work i gave created simple diagram so you could easie understand what im atchieving with mikrotik cisco unifi but cant get working with TP-Link
so with this configuration ssid test gets ip form x.x.x.x/24 as well as taged 1010 test ssid gets ip form x.x.x.x /24 but suppose to get ip from a.a.a.a/24
I have even connected the EAP to the unifi switch and got the same results, could be that something is wrong with with EAP istself?
- Copy Link
- Report Inappropriate Content
akarpas wrote:
so with this configuration ssid test gets ip form x.x.x.x/24 as well as taged 1010 test ssid gets ip form x.x.x.x /24 but suppose to get ip from a.a.a.a/24
I have even connected the EAP to the unifi switch and got the same results, could be that something is wrong with with EAP istself?
I'm not familiar with Mikrotik, but I think the problem is with your bridge. If you bridge Ethernet interfaces, which are assigned to VLANs (e.g. eth0.1/eth0.1010 and eth1.1/eth1.1010), then all traffic goes to the bridge, not the VLANs anymore. You need to use two bridges br1 and br1010 for briding VLAN-ports. See answers to this questions on Stack Exchange.
You can easily test wether the EAP220 VLANs work: Remove port 2 from the bridge, assign it as member of VLANs 1 and 1010, so that it gets tagged. Connect with tagged port of your switch and try again.
- Copy Link
- Report Inappropriate Content
on Mikrotik creating vlan you specify its port bridge ( bridge is virtual port a bunch of phisical ports), in a bridge port configuration you may assign vlan's to specific phisical port and later enable vlan filter this means that vlans going to be filtered via chosen port, but if vlan filter is off so vlan and lan trafic goes via bridge as well as via all phisical ports in a bridge.
As i have said before no problems with mikrotik + sisco or unifi switches (they both are configured differently but im able to atchieve good results) . Problem is only with TP LINK switch or EAP itself and can figured out who is causing the problem
- Copy Link
- Report Inappropriate Content
You can test it with two subnets (no VLANs, no bridges) on the Mikrotik connected to the TP-Link switch by two cables to two access (untagged) ports, one with PVID 1, the other with PVID 1010. If this works, the problem is clearly at the Mikrotik router.
I use TP-Link switches (T1600G, T1500G, TL-SG108E/PE) and Multi-SSID TP-Link APs (Omada EAPs, Pharos CPE/WBS, SOHO TL-WA901/TL-WDR4300/Archer C7), Cisco Linkys APs, Netgear APs, standard Linux servers with VLANs, OpenWRT routers, UBNT EdgeRouters and UBNT Edge Switches all simultaneously used in my network and have no problem with VLANs. Works well with all vendor's devices.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 5731
Replies: 12
Voters 0
No one has voted for it yet.