Admin VLAN setup (router, controller and switches/EAP's)

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-06-08 16:44:14
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.1.2

Hi!

I'm just getting to know Omada/TP-link products, just made a lab setup, using OC200, ER605v2, SG2008P and a couple of EAP's.

In my current production setup I have VLAN as this, looking to reproduce the same on Omada:

MGMT 10  – 192.168.10.0/24

OFFICE 20 – 192.168.20.0/24

GUEST 30 – 192.168.30.0/24

 

I've been reading a few articles here (like this one) and seen a few videos, but I'm still not sure of the best way to set up the management VLAN.

There was also another article, a FAQ entry which seems to indicate I should/could change the default VLAN from 1 to the chosen management VLAN (or did I misread the article?).

 

Main question:

Should I keep the default VLAN untouched (at 1)? And then connect that to a switch port set to MGMT VLAN/PVID profile?

(Working with other vendors, I've learnt that some equipment really wants PVID 1 for trunks ports and whatever.)

 

The confusing part for me, then, is that I would usually configure my router/firewall to have the non-WAN port(s) as trunk port(s) (which is All in the switch configs, if I have understood the Omada setup). But configuring the ER605 through Omada, it seems I can either:

A. Change just PVID for the port, or

B. Change the default VLAN

 

But the B option seems to change the meaning of the All profile for all switches (setting MGMT as PVID, instead of VLAN 1 PVID and the rest tagged).

I was kind of hoping I could set the desired switch profile for each WAN/LAN and LAN port, but I only see PVID option.

 

(All videos I've seen and articles I've read just use VLAN1 as management VLAN.)

Not sure if I'm missing something obvious, but I've struggled a bit getting stuff to work ...

 

On a side note (DHCP):

Setting DHCP reservations, it seems impossible to reserve IP's in different VLANs for the same MAC address? (Getting an error that the MAC address already exists, when I try to add the same MAC address with a different IP in a different VLAN/IP range.)

#1
Re:Admin VLAN setup (router, controller and switches/EAP's)
2023-06-08 17:07:36

  @flips01 

 

My recommendation is to leave the default management subnet AND VLAN alone for minimal fuss and bother in the future.  You can change them for sure, but it's more bother to do it for setup and again if/when you have to replace or reset a device.  In other words, if you don't need to change it, don't :)

 

As for your DHCP question, you'd be violating some basic rules having the same MAC mapped to two or more fixed IP's.  There is a single DHCP server running on the router, with different scopes for each defined subnet, and it has a single table of MAC->IP mappings across all of them.  What's the use case for having a known IP for every VLAN (SSID?) that the device can attach to?

<< Paying it forward, one juicy problem at a time... >>
#2
Re:Admin VLAN setup (router, controller and switches/EAP's)
2023-06-08 17:40:32

@d0ugmac1 So you'd just use VLAN 1 for/as management VLAN?

Not sure I can, as I'd replace equipment in an existing setup. (When/if moving Omada into production from my lab setup, that is.)

 

(I experimented with the software controller in my existing setup, before setting up this lab, and it discovered new devices fine as long as I first plugged them into a switch port using the Admin VLAN.)

 

DHCP:

My other router runs separate dhcp servers for each VLAN, so never had an issue:

Use case: Make sure admin laptops/devices get a fixed IP no matter which subnet/VLAN they connect to. (To make special firewall rules giving them access to certain IP's and ports/give them access to the admin VLAN.)

 

Hope I make sense :) (English isn't my mother tongue.)

#3
Re:Admin VLAN setup (router, controller and switches/EAP's)
2023-06-08 18:41:53

  @flips01 

 

Go for it then, you clearly have the technical chops to make the separate Mgmt VLAN work :)

 

Replicating the DHCP magic will likely require a change in paradigm though, at least in Omada land.  My solution was to create an Admin SSID (since I had ubiquitous coverage) and VLANs by default can route to each other, but I set up switch based ACL's to prevent the non-Management VLANs from talking to any other VLAN.  I am noodling on how you might replicate that from a port based solution in the Omada world...closest thing I can think of is to force your Admin laptops to tag their traffic with the management VLAN id, that way, as long as the port is a member of the management VLAN, those laptops will still be able to connect and get their predefined IP, but it won't allow you to 'experience' the local rules for a given VLAN like you would with a native IP.

<< Paying it forward, one juicy problem at a time... >>
#4
Re:Admin VLAN setup (router, controller and switches/EAP's)
2023-06-22 19:50:39

d0ugmac1 wrote

First: My recommendation is to leave the default management subnet AND VLAN alone for minimal fuss and bother in the future.  You can change them for sure, but it's more bother to do it for setup and again if/when you have to replace or reset a device.  In other words, if you don't need to change it, don't :)

Later: Go for it then, you clearly have the technical chops to make the separate Mgmt VLAN work :)

 

I was hoping I was technically able to set it up. My main struggle has been trying to figure out how to configure the ER605 router ports.

With the switches, it's easy, I just apply the profile I want. But for the Router I can only define PVID. (Unless I'm missing something.)

I guess that means that the other VLAN's (than the PVID I define) are added as tagged VLAN's?

 

Scenario so far: If I change the default VLAN1 to something else, then setting Management VLAN for EAP's and switches to this VLAN doesn't seem to work.

 

If I leave the default VLAN at 1, and add MGMT VLAN as Interface in LAN setup, and then try to change just PVID for some of the ports on the Router to the same VLAN, nothing seems to work (no DHCP is handed out).

Put differently, I only managed to have the DHCP server work on the Default VLAN, none of the others ...

I'm pretty sure I'm missing something obvious ...

 
In Site Settings, Wired Networks, LAN, I assume I need to define as Interface (not VLAN) the networks that ER605 should provide/run DHCP server for? Then again, I'm unsure how to select LAN Interfaces.
 
For the default VLAN, all is selected, and that cannot be changed:
  • WAN/LAN1
  • WAN/LAN2
  • WAN/LAN3
  • LAN1
 
So, I cannot set Purpose: VLAN and create a DHCP-server. And I cannot set Purpose to Interface and not select any of the LAN Interfaces.
Are the interfaces selected here (in LAN Interfaces checkbox) only added as tagged interfaces (except for the default VLAN)?
(Hope I'm making sense. Trying to read docs, test options and write this post at the same time.)
#5
Re:Admin VLAN setup (router, controller and switches/EAP's)
2023-06-22 20:06:34

  @flips01 

 

TPlink router ports are not switch ports.  Each LAN port always has default LAN untagged, and you can optionally add other VLANs as tagged interfaces.

 

You can see this for yourself in the Controller->Settings->Wired Networks->Profile

<< Paying it forward, one juicy problem at a time... >>
#6
Re:Admin VLAN setup (router, controller and switches/EAP's)
2023-06-22 23:13:50

d0ugmac1 wrote

  @flips01 

 

TPlink router ports are not switch ports.  Each LAN port always has default LAN untagged, and you can optionally add other VLANs as tagged interfaces.

 

You can see this for yourself in the Controller->Settings->Wired Networks->Profile

 

I believe you're just confirming what I had just found out when I stated:

"With the switches, it's easy, I just apply the profile I want. But for the Router I can only define PVID."

(If you meant Site->Settings->Wired Networks->LAN->Profile; if you meant something else, I can't find it.)

 

Seems I sort of wasted some time trying to get DHCP offers from other VLAN's from the ER605's ports.

Seems the router will only deliver DHCP offers on these ports for default VLAN, no matter which PVID is set/chosen.

(I guess that means setting PVID only affects ingress/inbound, and it's using the default VLAN untagged for egress/outbound.)

 

Connecting through a switch, everything works fine, though. So, all is well. Now I'll dig into firewalling ...

#7
Re:Admin VLAN setup (router, controller and switches/EAP's)
2023-06-23 13:46:30
Yes, PVID selects which VLAN ID inbound and untagged traffic is assigned within the device. Any untagged traffic from an AP would automatically get assigned to the default VLAN as a result. In order for clients to get a different subnet assigned, that would have to be done by the AP through tagging that user's traffic with the appropriate VLAN before it hits the router.
<< Paying it forward, one juicy problem at a time... >>
#8
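As an added illustration (not code from the thread, TP-Link or Omada), here is a small Python model of the PVID and tagging behaviour the two posts above describe. The router-port and switch-profile semantics and the VLAN numbers come from the thread; the Port class, function names and the path walk are assumptions of this example.

```python
# Added example (not code from the thread or from TP-Link): an 802.1Q port model of
# flips01's finding. Semantics follow d0ugmac1's posts: an ER605 LAN port carries the
# default VLAN untagged, other LAN interfaces tagged only; PVID only sets untagged ingress.
from dataclasses import dataclass
from typing import Optional

DEFAULT_VLAN, MGMT_VLAN, NON_DEFAULT = 1, 10, {10, 20, 30}  # MGMT/OFFICE/GUEST plan

@dataclass
class Port:
    pvid: int        # VLAN assigned to untagged frames arriving on this port
    untagged: set    # VLANs that leave this port without an 802.1Q tag
    tagged: set      # VLANs that leave this port with a tag

    def ingress(self, tag: Optional[int]) -> Optional[int]:
        """VLAN an arriving frame lands in, or None if the port drops it."""
        if tag is None:
            return self.pvid
        return tag if tag in self.tagged | self.untagged else None

    def egress(self, vlan: int) -> str:
        """How a frame in `vlan` leaves: 'untagged', 'tagged' or 'drop'."""
        if vlan in self.untagged:
            return "untagged"
        return "tagged" if vlan in self.tagged else "drop"

def router_lan_port(pvid: int = DEFAULT_VLAN) -> Port:
    return Port(pvid, {DEFAULT_VLAN}, set(NON_DEFAULT))  # PVID is the only knob

def switch_trunk_port() -> Port:
    return Port(DEFAULT_VLAN, {DEFAULT_VLAN}, set(NON_DEFAULT))  # 'All' profile

def switch_access_port(vlan: int) -> Port:
    return Port(vlan, {vlan}, set())  # profile 'VLAN x untagged, PVID x'

def dhcp_offer_reaches_client(access: Port, trunk: Optional[Port] = None,
                              router: Optional[Port] = None) -> bool:
    """True if an untagged laptop's DHCP Discover into `access` gets an Offer back
    untagged. trunk=None: the laptop is directly on the ER605 port `access`."""
    vlan = access.ingress(None)                    # untagged Discover -> PVID
    if trunk is None:
        return access.egress(vlan) == "untagged"   # Offer must leave untagged
    up = trunk.egress(vlan)                        # switch uplink toward router
    if up == "drop":
        return False
    rvlan = router.ingress(None if up == "untagged" else vlan)
    if rvlan is None or (down := router.egress(rvlan)) == "drop":
        return False
    svlan = trunk.ingress(None if down == "untagged" else rvlan)
    return svlan is not None and access.egress(svlan) == "untagged"
```

With PVID 10 on a router port the Discover lands in VLAN 10, but the Offer can only leave that port tagged, so the untagged laptop never sees it; behind a switch port with the MGMT profile the tag is stripped and DHCP works.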
Re:Admin VLAN setup (router, controller and switches/EAP's)
2023-06-23 19:58:44

Yes, I'm used to defining a couple of admin ports, where I get DHCP for two different VLANs directly from different ports on the router. I'm making a note that in Omada routers this won't work, as I can't get untagged traffic from other VLAN's than the Default.


#9