Trunking Help: ER-X > SG1016DE >SG1016DE>EAP225
Struggling to get the last piece of the puzzle into place.
I recently bought an EAP225 to replace an old router being used as an access point.
My goal was to set up a VLAN for my IoT devices separate from the rest of my network.
My router is a Ubiquiti ERX, and it connects to Port 15 of the first (top) SG1016DE
The EAP225 is on Port 9 of the (top) SG1016DE
My second (bottom) SG1016DE connects to Port 1 of the first.
I set up the VLAN as VLAN20, and I can't get an IP address to the EAP225.
The rest of my network is up and running fine.
I suspect I have the trunking ports wrong, but I'm new to VLANs and trunking, so basically shooting in the dark.
TOP SWITCH
BOTTOM SWITCH
On the ER-X router, I believe I have the DHCP, DNS and VLAN set up correctly, but its my first ubiquiti product and I'm admittedly a bit over my head.
Where am I screwing this up? Thanks in advance!
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
go to »Config Tree«, select switch / switch0 / switch-port / interface / eth2 / vlan.
Add VLAN 1 and 20 as shown below. Leave PVID empty. This is your trunk port on ER-X now.
Ports 1/9/15 of the upper Tl-SG1016DE switch must be tagged members of VLANs 1 and 20 (you have them untagged in VLAN 1, that's wrong).
Port 1 of the lower TL-SG1016DE switch must be a tagged member of VLAN 1, too.
For the EAP, assign IoT SSID to VLAN 20 and another SSID to VLAN 1.
As for management traffic of the EAP itself, you have two choices:
- either set the PVID of the switch port 9 to VID 1 – mgmt traffic from the EAP gets tagged by the switch with VID 1,
- or explicitly set the EAP's »Management VLAN« setting to VID 1 – mgmt traffic from the EAP gets tagged by the EAP with VID 1.
Second solution requires to set tagged port 9 to untagged temporarily when adopting a new EAP, then set it back to tagged again to complete configuration after adoption.
First solution does not need this trick.
- Copy Link
- Report Inappropriate Content
CoKro wrote
1&2) PVIDs too, I presume?
PVID is the Port VLAN ID (I prefer the term Primary VLAN ID, but note that other vendors use this term already for another type of VLANs). In my terminology, this primary VLAN is the VLAN a port belongs to. Any port always belongs to at least one VLAN.
If the port is member of only one VLAN and the device connected to it isn't VLAN-aware (needs untagged frames), the port is an Access port and the PVID matters.
If the port is member of two or more VLANs, it is a Trunk port and the connected device needs to be VLAN-aware. In my switch setups, a trunk port always processes tagged frames, so its PVID doesn't matter. Of course, the PVID of a trunk indeed matters if you carry untagged traffic over a trunk, too.
If you want to use Multi-SSIDs, the port an EAP is connected to must be a trunk port. PVID of a trunk port doesn't matter as long as you don't use untagged frames on this port – that's why I use the Management VLAN setting for traffic to the EAP itself (not to the wireless networks). If your traffic to the EAP itself is untagged, PVID of this port matters.
3) Yes, I want to use multi-ssid. [...] I don't know enough to know if it makes sense to isolate a Google Mini, a Roku, an Amazon FireTV, etc, or if it causes more problems than its worth.
In my opinion, isolating IoT or streaming devices makes sense even if you don't restrict their traffic in some way. Rule of thumb: any device which should not be able to access a service in your LAN should be isolated in a separate network. If such a device has a security problem, it does not affect your LAN. In addition, broadcasts from those devices don't reach the LAN.
But beware of too much SSIDs. Every SSID adds another SSID beacon which needs to be sent using the lowest possible speed (1 Mbps for 802.11b, 6 Mbps for 802.11n) which affects radio airtime and therefore reduces overall throughput. So keep the numbers of SSIDs as low as possible and set WiFi modes to 802.11n-only for 2.4 GHz and to 802.11ac-only for 5 GHz if possible.
- Copy Link
- Report Inappropriate Content
go to »Config Tree«, select switch / switch0 / switch-port / interface / eth2 / vlan.
Add VLAN 1 and 20 as shown below. Leave PVID empty. This is your trunk port on ER-X now.
Ports 1/9/15 of the upper Tl-SG1016DE switch must be tagged members of VLANs 1 and 20 (you have them untagged in VLAN 1, that's wrong).
Port 1 of the lower TL-SG1016DE switch must be a tagged member of VLAN 1, too.
For the EAP, assign IoT SSID to VLAN 20 and another SSID to VLAN 1.
As for management traffic of the EAP itself, you have two choices:
- either set the PVID of the switch port 9 to VID 1 – mgmt traffic from the EAP gets tagged by the switch with VID 1,
- or explicitly set the EAP's »Management VLAN« setting to VID 1 – mgmt traffic from the EAP gets tagged by the EAP with VID 1.
Second solution requires to set tagged port 9 to untagged temporarily when adopting a new EAP, then set it back to tagged again to complete configuration after adoption.
First solution does not need this trick.
- Copy Link
- Report Inappropriate Content
R1D2 wrote
Port 1 of the lower TL-SG1016DE switch must be a tagged member of VLAN 1, too.
For the EAP, assign IoT SSID to VLAN 20 and another SSID to VLAN 1.
As for management traffic of the EAP itself, you have two choices:
- either set the PVID of the switch port 9 to VID 1 – mgmt traffic from the EAP gets tagged by the switch with VID 1,
- or explicitly set the EAP's »Management VLAN« setting to VID 1 – mgmt traffic from the EAP gets tagged by the EAP with VID 1.
Second solution requires to set tagged port 9 to untagged temporarily when adopting a new EAP, then set it back to tagged again to complete configuration after adoption.
First solution does not need this trick.
I can't edit VLAN1 on the bottom SG1016DE. It is locked. The WebUI won't let me enter "1" as a value when picking which VLAN to edit, and the Easy Smart Config Utility will let me make the change, but not accep the change when I hit "Apply."
I'm using Firmware v: 1.0.1 Build 20131023 Rel.33236. Would that matter?
On the upper switch, the Easy Config shows that 1, 9 & 15 are tagged, not untagged. (something funky going on here?)
Should I change everything that was VLAN1 and create a VLAN10 to replace it across the board?
Re: The EAP settings...Does that not default to VLAN1 if not specified? Or do I now live in a world where everything is assigned a vlan?
- Copy Link
- Report Inappropriate Content
CoKro wrote
1. I'm using Firmware v: 1.0.1 Build 20131023 Rel.33236. Would that matter?
2. Should I change everything that was VLAN1 and create a VLAN10 to replace it across the board?
3. Re: The EAP settings...Does that not default to VLAN1 if not specified? Or do I now live in a world where everything is assigned a vlan?
- Yes, it matters. In old firmwares TP-Link did force a port membership to VLAN 1 for Easy Smart switches. If you want to know why this is a bad idea, see this thread. You can even find many more threads about the famous VLAN 1 bug. Long story short: TP-Link finally changed this in TL-SG108E/PE and TL-SG105E, but it lastet nearly a year to convince R&D let users remove ports from the Default VLAN 1.
- Yes. I suggest to not use the Default VLAN 1 at all (except for assigning it unused ports) if one of your switches don't let you remove ports from VLAN 1. Otherwise you have to deal with leakage from VLAN 1 into other VLANs caused by non-IP frames. There are more protocols than only IP.
Just use VLAN 2 or 10 or any other VLAN except VLAN 1 for your LAN.
- No, traffic from an EAP does not default to any VLAN. An EAP with no VLAN settings always sends untagged traffic. So, if you just use a single SSID, assign switch port 9 to VLAN 20 and set its PVID to 20. You want EAP's traffic to use VLAN 20 rather than VLAN 1, won't you? Make sure that port 9 is in VLAN 20 only.
From your setup (port 9 member of VLANs 1 and 20) I got the impression that you want to use the Multi-SSID feature of the EAP which requires VLANs in order to isolate the wireless networks. If you only want to isolate the IoT network inside your wired network (from switches to ER-X) and use only one SSID on the EAP, you can tag frames arriving from EAP on the switch's port 9.
- Copy Link
- Report Inappropriate Content
R1D2 wrote
CoKro wrote
1. I'm using Firmware v: 1.0.1 Build 20131023 Rel.33236. Would that matter?
2. Should I change everything that was VLAN1 and create a VLAN10 to replace it across the board?
3. Re: The EAP settings...Does that not default to VLAN1 if not specified? Or do I now live in a world where everything is assigned a vlan?
- Yes, it matters. In old firmwares TP-Link did force a port membership to VLAN 1 for Easy Smart switches. If you want to know why this is a bad idea, see this thread. You can even find many more threads about the famous VLAN 1 bug. Long story short: TP-Link finally changed this in TL-SG108E/PE and TL-SG105E, but it lastet nearly a year to convince R&D let users remove ports from the Default VLAN 1.
- Yes. I suggest to not use the Default VLAN 1 at all (except for assigning it unused ports) if one of your switches don't let you remove ports from VLAN 1. Otherwise you have to deal with leakage from VLAN 1 into other VLANs caused by non-IP frames. There are more protocols than only IP.
Just use VLAN 2 or 10 or any other VLAN except VLAN 1 for your LAN.
- No, traffic from an EAP does not default to any VLAN. An EAP with no VLAN settings always sends untagged traffic. So, if you just use a single SSID, assign switch port 9 to VLAN 20 and set its PVID to 20. You want EAP's traffic to use VLAN 20 rather than VLAN 1, won't you? Make sure that port 9 is in VLAN 20 only.
From your setup (port 9 member of VLANs 1 and 20) I got the impression that you want to use the Multi-SSID feature of the EAP which requires VLANs in order to isolate the wireless networks. If you only want to isolate the IoT network inside your wired network (from switches to ER-X) and use only one SSID on the EAP, you can tag frames arriving from EAP on the switch's port 9.
@R1D2 Thank you for your detailed response.
1&2) Did some more reading and I see that I am stuck with the static VLAN1 without upgrading the switch, so for now, I'm going to copy / recreate everything with a 1 as VLAN10. PVIDs too, I presume? (Guess I'll find out as soon as I hit "apply")
3) Yes, I want to use multi-ssid. My end-goal is to have a VLAN for IoTwifi, a VLAN for my cameras (PoE, not wifi), VLAN for a Guest Wifi (which I could just use the guest mode of the EAP for, since I know the people that come to my house. I'm protecting against an accident, not a hack), an SSID and wired VLAN for my family's wifi, and possibly a VLAN for my streaming devices, but I'd need that VLAN to be able to talk to some of my other devices. I don't know enough to know if it makes sense to isolate a Google Mini, a Roku, an Amazon FireTV, etc, or if it causes more problems than its worth.
But before I get to 5 VLANs, I need to get the first one working and understanding how and why it works.
- Copy Link
- Report Inappropriate Content
CoKro wrote
1&2) PVIDs too, I presume?
PVID is the Port VLAN ID (I prefer the term Primary VLAN ID, but note that other vendors use this term already for another type of VLANs). In my terminology, this primary VLAN is the VLAN a port belongs to. Any port always belongs to at least one VLAN.
If the port is member of only one VLAN and the device connected to it isn't VLAN-aware (needs untagged frames), the port is an Access port and the PVID matters.
If the port is member of two or more VLANs, it is a Trunk port and the connected device needs to be VLAN-aware. In my switch setups, a trunk port always processes tagged frames, so its PVID doesn't matter. Of course, the PVID of a trunk indeed matters if you carry untagged traffic over a trunk, too.
If you want to use Multi-SSIDs, the port an EAP is connected to must be a trunk port. PVID of a trunk port doesn't matter as long as you don't use untagged frames on this port – that's why I use the Management VLAN setting for traffic to the EAP itself (not to the wireless networks). If your traffic to the EAP itself is untagged, PVID of this port matters.
3) Yes, I want to use multi-ssid. [...] I don't know enough to know if it makes sense to isolate a Google Mini, a Roku, an Amazon FireTV, etc, or if it causes more problems than its worth.
In my opinion, isolating IoT or streaming devices makes sense even if you don't restrict their traffic in some way. Rule of thumb: any device which should not be able to access a service in your LAN should be isolated in a separate network. If such a device has a security problem, it does not affect your LAN. In addition, broadcasts from those devices don't reach the LAN.
But beware of too much SSIDs. Every SSID adds another SSID beacon which needs to be sent using the lowest possible speed (1 Mbps for 802.11b, 6 Mbps for 802.11n) which affects radio airtime and therefore reduces overall throughput. So keep the numbers of SSIDs as low as possible and set WiFi modes to 802.11n-only for 2.4 GHz and to 802.11ac-only for 5 GHz if possible.
- Copy Link
- Report Inappropriate Content
Thank you, again, for such a thorough explanation that a noob can understand.
The ubiquiti forums were helpful in navigating their products and unique terminology, but less helpful in understanding the basics.
Your time and effort is tremendously appreciated. THANK YOU.
- Copy Link
- Report Inappropriate Content
@CoKro, you're welcome. Glad that my answer was helpful for you.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1871
Replies: 7
Voters 0
No one has voted for it yet.