E410 multiple vlans

Hi.
I have a network with 2 subnets, 10.10.2.0 and 10.10.3.0. I would like to create two separate SSIDs from one E410, one for network 10.10.2.0 and one for 10.10.3.0.
I have two separate DHCP servers on those networks.
When I configure only VLAN1 on static ip subnet 2, client can access internet and other clients in subnet 2.

If I add VLAN2 on static ip subnet 3, clients connecting to wifi assigned to VLAN2 cannot access internet nor see other clients.

If I do a connectivity test from E410, I can ping subnet 2 without problems, but not subnet 3.

Any suggestion?

Perfect, easy.

This is where I don’t understand.
You’re talking about “static IP”: client’s static IP? AP’s static IP?

You only have to bring your vlans (network settings), according to your switch and network, and assign those vlans to different SSIDs. No ip involved here.

I apologize.
I mean static ip on ap L3 interfaces. Our network has a router (with two ethernet interfaces 10.10.2.2 and 10.10.3.2) to route traffic between subnet 2 and 3. No vlan other than 1 is active (vlan 1 is active by default). All switches have no vlans other than vlan1 (default).

I setup the E410 ethernet port to Trunk multiple VLANs. Native vlan=1 and accepted vlan 1 to 128.
No tagged vlans are present in our network.

Normally on ap I have VLAN1 static ip 10.10.2.30/24
I tried to create a VLAN2 on ap, assign static ip to it (e.g. 10.10.3.30/24). But after doing this, and trying to ping router’s ip 10.10.3.2 from the ap connectivity tools, no response is given.

AP gateway is 10.10.2.2

Is this possible to do without changing vlan configuration?

This sounds like your LAN network is incorrectly set up to handle multiple VLANs.
You state, “No tagged VLANs are present in our network”, then how will you be able to separate the traffic?
The AP can support multiple VLANs on the GIG interface that is connected to the network switch.
interface eth 1
switchport mode trunk
switchport trunk native vlan 1
switchport trunk allowed vlan 2

Then the SSIDs can each use a separate VLAN - Office vlan 1, guest vlan 2.
However, on the switch the AP is connected to there must be the ability to handle Hybrid mode (untagged VLAN1, tagged VLAN2).

Then the router and DHCP from each VLAN should be reached by the STA connected to the appropriate SSID.

STA1 connects to Office, on vlan 1, should get IP from DHCP server, and should be given an IP with the appropriate Gateway IP. From there the Router and DNS should take over and the STA should be able to reach the internet.

STA2 connects to Guest, on vlan 2, and should get IP from DHCP Server servicing that VLAN, and again it should get an appropriate IP and GW and be able to reach the internet.

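A small model of what the trunk ("hybrid") port described in the reply above does with each incoming frame, as an added example that is not part of the original thread or of any vendor's software: untagged frames land in native VLAN 1, frames tagged VLAN 2 stay in VLAN 2, and anything outside the allowed list is dropped. The function names, MAC addresses and frames are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag
BCAST = "ff:ff:ff:ff:ff:ff"

def classify(frame, native_vlan=1, allowed=frozenset({1, 2})):
    """Return (vlan, ethertype, tagged) for a frame arriving on the trunk
    port, or None if the modelled port would drop it."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    vlan, tagged = native_vlan, False      # untagged -> native VLAN
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vid = tci & 0x0FFF                 # low 12 bits of the TCI = VLAN ID
        if vid != 0:                       # VID 0 is a priority-only tag
            vlan, tagged = vid, True
    if vlan not in allowed:
        return None                        # VLAN not carried on this port
    return vlan, ethertype, tagged

def build_frame(dst, src, ethertype, payload=b"", vid=None, pcp=0):
    """Build a constructed test frame; vid=None means untagged."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed sample frames (locally administered MACs, IPv4 EtherType).
SAMPLES = {
    "office SSID, untagged": build_frame(BCAST, "02:00:00:00:00:01", 0x0800),
    "guest SSID, tag 2": build_frame(BCAST, "02:00:00:00:00:02", 0x0800, vid=2),
    "stray tag 3": build_frame(BCAST, "02:00:00:00:00:03", 0x0800, vid=3),
    "priority tag only": build_frame(BCAST, "02:00:00:00:00:04", 0x0800, vid=0, pcp=5),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:24} trunk(1,2) -> {classify(frame)}")
        # A port that carries only VLAN 1 (assumed model of a default switch)
        print(f"{'':24} vlan1-only -> {classify(frame, allowed=frozenset({1}))}")
```

With `allowed=frozenset({1})` the tagged guest frame is dropped in this model, which is why the switch side has to carry VLAN 2 as well before the second SSID can reach its router interface.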

I’m sorry I didn’t properly clarify the network structure. We separate LANs by different IPs. We have a router that manages all traffic routing between the networks.
Here’s a simple schematic.
[Image: network]

DHCP servers are on the router, one for each subnet

E410 is connected to subnet 10.10.2.0 and should be able to handle one SSID for subnet 10.10.2.0/24 and another one for guests on subnet 10.10.3.0/24.

We don’t have VLANs, so the traffic is routed between networks by the router. All the switches have only VLAN1 (default) so basically they’re like normal unmanaged switches right now.

Firewall rules are present on router to block traffic between subnet 1 and subnet 2 only.

If you don’t use vlan, your DHCP will never work as expected.
Every dhcp packet, for every subnet/lan will be broadcasted to everybody and… everything will be… random.

You HAVE to use vlan if you want to separate traffic

We have firewall rules to block traffic between networks.

Referring to this configuration, we managed to get the E410 running with its DHCP server on the second wlan. We now have another subnet only for the access point, and that could be ok.
Now I would like to use the router DHCP server, so we set DHCP relay agent to router’s ip. No address is being released.
We will try to completely disable the firewall on the router to prevent any broadcast/multicast blocking to see if it works.

We should be able to configure a network with multiple subnets without using vlans.

Unfortunately we cannot change vlan configuration in short time.

We managed to get the access point to work by configuring all VLANs in our network. I think it should have been possible without messing with VLAN configs.

I have a question:
Now I have 3 different VLAN interfaces on the ap. Is it possible to remove the ip address from 2 of them (make them act as L2 bridge, without ip, only VLANID) and make the ap management gui accessible only from one?

I’ve already disabled the management gui options from 2 of the 3 interfaces.

@GB_Automazione

  • You can have only one VLAN interface and configure ethernet as Trunk to allow other VLANs. This will force you to access the device via the VLAN interface.

  • Please enable Management VLAN access as only wired, which will not allow wireless clients to access the device.

*XV3-8-0858C8(config-vlan-1)# management-access*

*  all                  : Access allowed from both wired & wireless sides*
*  wired                : Access allowed from wired side only*