Manage EAP directly or with Omada Controller
I just got my first EAP225 and am trying to decide whether to use the Controller. In looking at the documentation, it appears that some of the functionality available if managing directly is not available via the controller, for example Wireless QoS.
Is it true that you lose some functionality or am I just not looking in the right places in the documentation?
Thanks
unmesh wrote
Is it true that you lose some functionality or am I just not looking in the right places in the documentation?
You gain more functionality when using a controller. :-)
But most of this additional functionality applies to larger networks only, so if you have just one EAP, running it in stand-alone mode has the advantage of an easier configuration and setup. If you want to configure more than one EAP or if you need a portal for guests, running the EAPs in managed mode might be the preferred method for your wireless network.
See this post for information to help you decide whether to run the EAP in stand-alone or managed mode.
Thanks for the very informative link.
I have 4 APs at home though a number of them are repurposed WiFi routers that I'm thinking of gradually replacing with "real" APs. They are backhauled to the gateway router over Cat6. Also, I have a server running ESXi 24x7 and could easily run a VM with the Omada controller so I wouldn't need to buy an OC200 and administering the wireless network would become easier than it is today.
I'm leaning towards running a Controller, buying more EAPs and playing with things like Fast Roaming and a guest network with a token based portal. I suspect integrating the VLANs in the network will take a bit of work. The one thing I wish the EAPs had was DFS support on 5GHz.
Hello unmesh, you're welcome.
Indeed it makes sense to use your existing 24x7 server for running Omada controller, not only to get more functionality, but also to save time in setting up 4 EAPs at once.
As for a VLAN config see this HowTo for a guest network (scroll down to »Method 2«). Steps are essentially the same for an IoT or any other network which should become isolated from the LAN.
The discussion about DFS in the U.S. regulatory domain pops up every now and then. See my opinion about DFS here (long story short) and in this thread (short story long :-)
In Method 2, could I run VLAN 1 untagged instead of tagged? That way, I could plug in a non-VLAN aware device into the Ethernet wall jack where the EAP connects for, say, debugging?
The interest in DFS was to see if it would get me a "cleaner" 80MHz channel. I'm not near an airport but frankly have no idea whether the WiFi link would back off because of radar etc.
unmesh wrote
In Method 2, could I run VLAN 1 untagged instead of tagged? That way, I could plug in a non-VLAN aware device into the Ethernet wall jack where the EAP connects for, say, debugging?
A VLAN can't be »tagged« or »untagged«. Every VLAN needs a tag.
In »Method 2«, the OC200 (which is a non-VLAN-aware device) is connected to VLAN 1 on an untagged port while the EAP still uses a trunk port (tagged). All traffic in SSID »PrivateNet« is visible in VLAN 1 and if you add another untagged port to VLAN 1 you can plug in any other non-VLAN-aware device. You also can change the port's assignment from VLAN 1 to VLAN 3 to debug traffic in VLAN 3 (SSID »GuestNet«).
unmesh wrote
The interest in DFS was to see if it would get me a "cleaner" 80MHz channel. I'm not near an airport but frankly have no idea whether the WiFi link would back off because of radar etc.
The 5 GHz band is used for many services (e.g. live transmission links for media reporters, commercial wireless backhauls, earth-to-space satellite links, weather radars, military radars), not only Microwave Landing Systems at airports.
Looks like I got thrown off by Cisco terminology where they allow one untagged VLAN per switch port in trunk mode.
In any case, I have 3 VLANs running with IDs 1, 2 and 3 with different subnets and was able to configure the EAP225 with one wireless network on each. The gateway router runs Tomato firmware that has VLAN support. The Omada Controller was installed on an old laptop running Windows 10 and connected to VLAN 1. I set up the access control rule as per the instructions. Wireless clients would get the correct IP address. I even activated the Portal on one of the networks and it worked fine.
I then migrated the controller to a Windows 10 VM on VLAN 1 and adjusted the access control rule to point to the new IP address. Wireless clients still have access but the Portal won't work any more, nor can I access the administration portal when not on VLAN 1. This is true even when connected to a wired switch port on those VLANs. I should also point out that I can access other devices on VLAN 1, just not the VM, and am guessing it is the firewall on ESXi or the Windows VM itself not being set up to accept traffic from other subnets.
Will post an update if I figure it out.
Update:
I changed the ports the controller listens on and everything started working. Then I changed them back to the defaults and things are still working!
@unmesh, glad it works for you.
Just for the record: no manageable switch (not even Cisco switches) has an »untagged VLAN«. They just have untagged traffic which – by default – gets assigned to a so-called »native« or »system« VLAN, most often VID 1. But internally this native VLAN still has a VLAN tag and it can have any VID, it just does not appear outside the switch.
Every fully manageable switch allows untagged traffic on egress on a trunk port, even for more than one VLAN (that's needed e.g. for asymmetric VLANs). So you always can decide whether traffic on a trunk is tagged or untagged for one or more VLANs. However, in case of trunk ports it does not make much sense to output untagged traffic for more than one VLAN and in my opinion it also makes no sense to have untagged traffic on a trunk anyway. Traffic tagged with VLAN 1 on a trunk port can reach each non-VLAN-aware device on a VLAN 1 access port if the native VLAN is assigned VID 1.
For example, if you set the »Management VLAN« of an EAP to VID 1 and connect the EAP to a trunk port, it can be reached by an OC200 connected to an access port which is an untagged member of VLAN 1. In this case (Mgmt VLAN set) you must send tagged traffic to the EAP over the trunk even for VLAN 1, else it will not work. OTOH, the OC200 must transmit untagged traffic over VLAN 1 since the OC200 is a non-VLAN-aware device.
As for the problem with access to the Omada controller's portal page from other VLANs you need either Inter-VLAN routing or a multi-homed server running the Omada SW controller.
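The tagged-trunk versus untagged-access behaviour described in the reply above, as an added example that is not part of the original thread or of TP-Link's software: a small Python model of how a managed switch assigns an untagged frame to the port's PVID (the »native« VLAN) on ingress and strips or inserts the 802.1Q tag on egress. The port table is a constructed assumption mirroring the »Method 2« layout (EAP on a fully tagged trunk, OC200 on an access port that is an untagged member of VLAN 1).

```python
"""Toy model of 802.1Q VLAN handling on a managed switch (constructed example)."""
import struct

TPID_8021Q = 0x8100  # 802.1Q tag protocol identifier

# Constructed port table (assumption): the EAP trunk is tagged for every VLAN,
# VLAN 1 included; the OC200 and a guest client sit on untagged access ports.
PORTS = {
    "eap":   {"pvid": 1, "tagged": {1, 2, 3}, "untagged": set()},
    "oc200": {"pvid": 1, "tagged": set(),     "untagged": {1}},
    "guest": {"pvid": 3, "tagged": set(),     "untagged": {3}},
}

def parse_frame(frame):
    """Split a frame into (dst, src, vid, ethertype, payload); vid is None if untagged."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner, frame[18:]
    return dst, src, None, ethertype, frame[14:]

def build_frame(dst, src, vid, ethertype, payload):
    """Assemble a frame, inserting an 802.1Q tag (priority 0) when vid is not None."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload

def classify_ingress(port_name, frame):
    """VLAN the frame is assigned to on ingress, or None if the switch drops it.
    Untagged frames inherit the port's PVID; tagged frames are accepted only
    for VLANs the port is a member of."""
    port = PORTS[port_name]
    vid = parse_frame(frame)[2]
    if vid is None:
        return port["pvid"]
    return vid if vid in port["tagged"] | port["untagged"] else None

def forward(in_port, out_port, frame):
    """Forward a frame between two ports, re-tagging it as the egress port requires."""
    vid = classify_ingress(in_port, frame)
    if vid is None:
        return None
    dst, src, _, ethertype, payload = parse_frame(frame)
    out = PORTS[out_port]
    if vid in out["untagged"]:
        return build_frame(dst, src, None, ethertype, payload)  # tag stripped on egress
    if vid in out["tagged"]:
        return build_frame(dst, src, vid, ethertype, payload)   # tag kept or inserted
    return None  # egress port is not a member of this VLAN
```

Untagged frames from the OC200 leave the trunk towards the EAP tagged with VID 1, while VLAN 3 traffic from the EAP never reaches the OC200's VLAN 1 access port.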
Thanks for drawing the distinction between untagged traffic and the (misnamed by me) untagged VLAN. I started building out my home network with unmanaged switches and have recently added my first managed switch (near the router).
And my cheap home router supports Inter-VLAN routing when programmed with Tomato firmware.
I will read up on multi-homed servers even though the network is up and running now.
Thanks for helping me with my journey!
Views: 1544
Replies: 8