VLAN tagging with WAP371 and SG200

mathiasdegroof
Level 1

Hello,

I currently have the following configuration:

2 SG-200 switches, connected via link aggregation
1 WAP371 access point
1 modem/switch/gateway cable device provided by my ISP

Everything works fine, but I would now like to add a guest WiFi network. The devices connected to the guest network should only be able to access the gateway but none of the other devices on the network. The WAP371 supports guest networks and uses VLAN tagging to accomplish this. The problem is that the gateway provided by my ISP does not support VLANs at all (it's a consumer model).

I was thinking of creating 2 VLANs. VLAN1 would be the main network, and VLAN2 would be the guest network. The ports on the switches would be set to "access" and VLAN1 except for the port to which the WAP371 is connected, this port would be configured as a trunk port containing both VLAN1 and VLAN2.

Now I was wondering how I should configure the gateway port. Should I set this to trunk? I don't think this will work: egress frames will reach the gateway, but ingress frames will always be sent to the native VLAN (VLAN1). Could I connect 2 ports of the gateway to the switch and configure one port as VLAN1 and the other as VLAN2 or will this create a loop in the network?

Any ideas on how to accomplish this are welcome.

9 Replies

Jon Marshall
Hall of Fame

I am assuming the switches are only L2 and not L3 capable ?

You can't make the existing connection to the gateway a trunk if the gateway doesn't support vlan tagging.

If so then your suggestion is the best one if the gateway supports it ie. use another connection.

But that assumes the gateway supports multiple L3 interfaces ie. not just an internal and external L3 interface.

Does it ?

Jon

Thank you for your reply.

The switches are SG-200 (small business). They are L2 switches like you correctly assumed.

The gateway doesn't support multiple L3 interfaces. It's a basic consumer modem/router/gateway provided by my ISP. It does have 4 connections, but these are all on the same interface (just like all consumer routers). If I make 2 connections to this gateway from my switch, one on VLAN1 and the other on VLAN2, will this work or will I create a network loop? Or is there another way to get this to work (maybe set the port as general)?

The problem is if those connections on the gateway are not L3 then making another connection doesn't work because you need to be able to use a different IP subnet and default gateway for your guest wireless.

But you can't do that because they all in effect terminate on the same L3 interface which presumably only supports one IP address.

If it supported secondary IPs then you may be able to use another connection in a different vlan but then you would also need to be able to control access between those subnets using an acl for example.

It really all comes down to just how much functionality your gateway can provide because even though you can segregate the traffic within your switches using vlans it is the L3 aspect that is the challenge.

Jon

Thanks again. The way I see it I don't need a different IP subnet or default gateway for my guest VLAN. If the guest network is on a different VLAN it will not be able to see the devices on the main VLAN even if they are on the same L3 network: the switch will not forward frames from one VLAN into the other.

So I just need a way to configure the ports so that the devices on the guest VLAN can only access the gateway, and the devices on the main gateway can access everything.

Sorry, it has just clicked with me that you were proposing to use the same IP subnet for both vlans.

I see what you are saying now.

The problem is you are joining two vlans together and the gateway has no idea these are separate vlans.

So a broadcast would be passed between the two vlans via the gateway for example.

In addition I cannot see how it would segregate traffic because if the gateway does not understand vlans then that would mean it is just a simple switch which means every client whether main network or guest would be able to communicate with each other via the gateway switch as far as I can see.

Of course that is just guesswork as I haven't used any of your equipment myself.

Jon

I see what you mean. So connecting the managed switch twice to the gateway won't work for the reasons you mentioned.

What about connecting the managed switch to the gateway once and setting that port as "general", with both the guest VLAN and the main VLAN? Is there a way to forward the untagged ingress frames to both VLANs, or will they always be sent to the native VLAN only?

I don't think it will work but as I say I haven't used any of your kit so it may be worth a try.

I'm not sure what a "general" port is but in answer to what I think is the question if the switch receives an untagged frame it can only assume that is meant for the native vlan ie. there is no way for the switch to know anything else in terms of vlan membership.

I am struggling to think of a way to do this with what you have especially as I don't know what the capabilities of the gateway are.

Bear in mind this forum deals primarily with Catalyst and Nexus switches and not your switch models but there is another forum on here that does.

But if it is L2 only and has no L3 capabilities it's difficult to see how the switches can help.

Jon

A general VLAN port according to the manual is a port that is fully 802.1Q compliant. It can be an untagged member of multiple VLANs, whereas a trunk port can only be the member of 1 untagged VLAN.

The gateway capabilities are close to none. It's just a NAT router, like a Linksys EA4500 for example.

I'm currently thinking of another setup: what if I add a second NAT gateway in before the main gateway, to which I connect the guest VLAN. I can then give the guest VLAN its own IP (sub)net. I can then set all the ports to "access" mode except for the AP port which I set to trunk.

Maybe I'll ask the question in the small business forum as well, but you have already helped me a lot!

For anyone who is interested in this matter: my last setup worked. I deployed it today and it works perfectly. I wrote a small article on how to set it up here: http://javaskeleton.blogspot.be/2015/11/creating-separate-guest-network-using.html
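As an added illustration (not from the thread, and not Cisco code), a small Python model of the 802.1Q ingress and egress rules discussed above: an untagged frame arriving from the gateway can only be classified into the port's PVID, so the "general port untagged in both VLANs" idea only works in the guest-to-gateway direction, which is why a second L3 gateway for the guest VLAN was needed. Port names, MAC addresses and the frame layout are constructed assumptions.

```python
# Added 802.1Q ingress/egress model for the port modes in this thread (not Cisco code).
import struct

TPID, MAIN, GUEST = 0x8100, 1, 2   # 802.1Q TPID; VLAN1 = main, VLAN2 = guest

def build_frame(dst, src, vid=None, ethertype=0x0800, payload=b"\x00" * 46):
    """Ethernet II frame, with an 802.1Q tag (PCP/DEI 0, 12-bit VID) if vid is given."""
    tag = struct.pack("!HH", TPID, vid & 0x0FFF) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def parse_tag(frame):
    """VID of a tagged frame, or None when the frame is untagged."""
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    return tci & 0x0FFF if tpid == TPID else None

class Port:
    """access: pvid only; trunk: untagged native + tagged set; general: several untagged."""
    def __init__(self, name, pvid, tagged=(), untagged=()):
        self.name, self.pvid = name, pvid
        self.tagged, self.untagged = set(tagged), set(untagged) | {pvid}

def ingress_vlan(port, frame):
    """802.1Q ingress rule: an untagged frame can only be classified into the PVID."""
    vid = parse_tag(frame)
    if vid is None:
        return port.pvid
    return vid if vid in port.tagged | port.untagged else None   # unknown VID: drop

def forward(ports, in_port, frame):
    """Flood to every other member port of the frame's VLAN; says how it leaves."""
    vid = ingress_vlan(in_port, frame)
    out = {}
    for p in ports:
        if p is not in_port and vid in p.untagged:
            out[p.name] = "untagged"
        elif p is not in_port and vid in p.tagged:
            out[p.name] = "tagged"
    return out

def thread_scenarios():
    """Gateway on a 'general' port untagged in VLAN1+2, AP on a trunk, PC on access."""
    gw = Port("gateway", MAIN, untagged={MAIN, GUEST})
    ap = Port("ap", MAIN, tagged={GUEST})
    pc = Port("pc", MAIN)
    ports, mac = [gw, ap, pc], (lambda n: bytes([0x02, 0, 0, 0, 0, n]))
    # Untagged reply from the gateway lands in VLAN1 only: guests never see it.
    from_gw = forward(ports, gw, build_frame(mac(9), mac(1)))
    # Guest frame tagged VLAN2 from the AP reaches the gateway but not the PC.
    from_guest = forward(ports, ap, build_frame(mac(1), mac(5), vid=GUEST))
    return from_gw, from_guest
```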
