management VLAN on EAP225

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2020-12-01 22:34:31 - last edited 2020-12-07 11:49:05
Model: EAP225-Outdoor  
Hardware Version: V1
Firmware Version: 1.20.0 build 20200422 rel. 70543(4555)

I have an EAP225 access point connected to my layer 3 switch. The trunk port to which it is connected is an untagged member of VLAN 70. The port is also a tagged member of the management VLAN 99. I have my management laptop connected to the management port, which of course is an untagged member of the management VLAN 99 and is also a tagged member of VLAN 70. Everything works fine. Assigning SSIDs to other VLANs works fine. And I can access the management web page of the EAP225 from the management laptop and from other clients.

Now I want to limit access to the management web page to hosts on my management VLAN only. So I enabled the Management VLAN tick box in the web interface and filled in VLAN ID 99. But when I save this I cannot access the AP anymore in any way.

Anyone having a clue what I’m doing wrong?

#1
Re:management VLAN on EAP225
2020-12-08 10:37:01

Dear @Peavey,


I have an EAP225 access point connected to my layer 3 switch. The trunk port to which it is connected is an untagged member of VLAN 70. The port is also a tagged member of the management VLAN 99. I have my management laptop connected to the management port, which of course is an untagged member of the management VLAN 99 and is also a tagged member of VLAN 70. Everything works fine. Assigning SSIDs to other VLANs works fine. And I can access the management web page of the EAP225 from the management laptop and from other clients.

Now I want to limit access to the management web page to hosts on my management VLAN only. So I enabled the Management VLAN tick box in the web interface and filled in VLAN ID 99. But when I save this I cannot access the AP anymore in any way.

What's the model number of your layer 3 switch? Did you configure the PVID of the management port that is connected to your management laptop?

Usually, the switch will have PVID 1 for all ports by default settings, thus all untagged traffic that arrives at the port will belong to default VLAN 1. For your case, please ensure the PVID of the management port is 99 to make the laptop communicate with the EAPs in VLAN 99.

#2
Re:management VLAN on EAP225
2020-12-08 21:04:15 - last edited 2021-01-02 09:38:51

@Fae

Hi Fae,

The switch is a Cisco SG250-08. The PVID of the management port is 99. VLAN 1 is not on any port anymore. I configured other VLANs on each port. Unused ports have dead-end VLANs configured.

I tried to view VLAN tags in the Ethernet frames with Wireshark, but that doesn't work on my Windows PC, even when I configured mirrored ports on the switch. I will install Linux on a laptop to see if this helps.

If I mirror VLAN 99 traffic on the switch, I do see only data from VLAN 99, so it looks to me that the VLAN 99 tag is in the frames.

So everything seems to work like it should, except for the limiting to the management VLAN on the EAP225.

Edit: I managed to view VLAN tags on the interface where the EAP is connected. There are VLAN 99 tags in the traffic from my management laptop.

My setup is very similar to the one supposed to be the correct setup according to this thread: https://community.tp-link.com/en/business/forum/topic/180390

The only difference is that in that setup the EAP is on the management VLAN. So then the management VLAN is the native VLAN of the trunk interface. AFAIK there won't be VLAN tags for the management VLAN then. So it doesn't seem logical to limit AP management based on the VLAN tag. The thread also states: "If you don't use a Management VLAN for the EAP itself, it needs to be tagged, too", which is according to my setup, in which case the management VLAN is tagged on the trunk interface for the EAP.

So it seems I'm doing the right thing, but it doesn't work. Any other ideas what's going wrong?

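To make the PVID and tagged/untagged reasoning in this thread concrete, here is an added example (not from the thread or from TP-Link) that models 802.1Q ingress and egress on the two switch ports the poster describes and an assumed EAP "Management VLAN" filter that only admits frames carrying that VLAN's tag. Port names, the filter semantics and the frame shapes are assumptions; VLAN numbers and memberships are the ones stated in the posts.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed model of the two switch ports from the thread (names assumed).
# Laptop port: PVID 99, untagged member of 99, tagged member of 70.
# EAP trunk:   PVID 70, untagged (native) member of 70, tagged member of 99.
@dataclass
class Port:
    name: str
    pvid: int                                   # VLAN given to untagged ingress frames
    untagged: Set[int] = field(default_factory=set)  # VLANs sent out without a tag
    tagged: Set[int] = field(default_factory=set)    # VLANs sent out with an 802.1Q tag

@dataclass
class Frame:
    vid: Optional[int]          # None means the frame is untagged on the wire

LAPTOP_PORT = Port("gi1 (laptop)", pvid=99, untagged={99}, tagged={70})
EAP_PORT = Port("gi2 (EAP trunk)", pvid=70, untagged={70}, tagged={99})

def ingress(port: Port, frame: Frame) -> Optional[int]:
    """Classify an arriving frame: untagged frames take the PVID, tagged frames
    keep their VID; a VLAN the port is not a member of is dropped (None)."""
    vid = port.pvid if frame.vid is None else frame.vid
    return vid if vid in (port.untagged | port.tagged) else None

def egress(port: Port, vid: int) -> Optional[Frame]:
    """Send a VLAN out of a port: native VLAN leaves untagged, other member
    VLANs leave tagged, non-member VLANs are not forwarded (None)."""
    if vid in port.untagged:
        return Frame(None)
    if vid in port.tagged:
        return Frame(vid)
    return None

def eap_accepts_mgmt(frame: Optional[Frame], mgmt_vlan: Optional[int]) -> bool:
    """Assumed EAP behaviour: with Management VLAN unset, any delivered frame
    reaches the web UI; with it set, only frames tagged with that VID do."""
    if frame is None:
        return False
    return mgmt_vlan is None or frame.vid == mgmt_vlan

def laptop_reaches_eap_ui(laptop_vid: Optional[int], mgmt_vlan: Optional[int]) -> bool:
    """End-to-end: laptop frame -> switch ingress -> egress to EAP -> EAP filter."""
    vid = ingress(LAPTOP_PORT, Frame(laptop_vid))
    if vid is None:
        return False
    return eap_accepts_mgmt(egress(EAP_PORT, vid), mgmt_vlan)
```

With this model an untagged frame from the laptop lands in VLAN 99, leaves the trunk tagged 99 and passes a Management VLAN of 99; setting the management VLAN to the trunk's native VLAN 70 instead fails, because native-VLAN frames arrive at the EAP without a tag to match.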