DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

VLAN Tagging & Multiple AP's

30 Aug 2018 10:20 #1 by sidewinder
VLAN Tagging & Multiple AP's was created by sidewinder
Hi all, looking for a little help please.
I have had two separate wired lan’s with associated wireless lan’s running for a long time now.
One is for internal use, the other for guest use.
They work fine, they use two different IP pools, hard wired port separation, different SSID’s etc.
The issue is that we have a few black spots for Wi-Fi reception so I have bought, a while ago, two AP-900’s.
The router is a 2860Vn-plus, the FW is fully updated, the AP-900’s are also running the latest firmware.
So I basically already have two vlan’s it’s just that they are hard separated by ports & IP pools in the 2860.
I have struggled like heck to get the AP-900’s running and offer the both wireless SSID’s.
Basically, I am looking to run two IP pools down one ethernet cable.
I believe I can do this with VLan tagging?
So, I follow the Draytek instructions, I already have the router set up for physical VLan’s and that is working fine.
So, I just need to add on the AP-900’s set them to replicate the 2 SSID’s and it should work?
I am just doing one at a time!
When I set up a VLan tag, I lose hardwired connection down the single guest hard wired port, and I cannot get wi-fi access at all through the AP-900.
The 2860 feeds into a D-Link DGS-1210-24P, which feeds a DGS-1210-24 which has the AP-900 connected to it.
The hard wired port that fails is one of the 2860’s own ports.
This feeds a single desktop computer.
I can get from one port on the -24 switch to the AP-900, and the 2860, the 2860 is delivering IP addresses to all clients, and the 2860 sees the AP-900 through the two D-Link switches.
I can get to the 2860 & the AP-900 via the -24P & the -24 switches.
I do have Strict IP bind to MAC enabled on the 2860, and that has been working fine, and that is set up to give the AP-900 IP address, and all is OK with that.
I also have MAC address white listing on the wlan’s.
Everything works fine, until I enable the vlan tag on the guest network, the “internal” network remains un-tagged.
The vlan tag kills the guest network on the 2860 port 6.
Then I still need to get the AP’s running the 2 wi-fi SSID’s.
Is there any way to get the Access Control MAC address list which I have saved in the 2860 uploaded into the AP-900, or can I use the 2860 to control the access through the AP-900?

Thanks

31 Aug 2018 08:43 #2 by haywardi
Replied by haywardi on topic Re: VLAN Tagging & Multiple AP's
Hi Sidewinder,

It sounds like you have a very complex installation/setup. I don't understand why you have the setup you do, so diagnosing your problem directly will be difficult.

However, I do use VLANs. I have four VLANs complete with bridging between some of them for business purposes, including a guest/internal use wifi through multiple access points.

To try and track down your problem, I notice you say you use hardwired VLANs, but you want to run both VLANs through one cable (as per my installation).

So my first question is: do your network switches support VLANs and have you configured them with your VLAN settings? Both your router and switches need to be set correctly to get the VLANs working correctly.
Iain

03 Sep 2018 10:44 #3 by sidewinder
Replied by sidewinder on topic Re: VLAN Tagging & Multiple AP's
Hello Iain,

Thank you for answering.
I didn't think it was that complicated a set up! ;)

The switches do support V-Lan's, they are D-Link DGS-1210's.

What is throwing me is why as soon as I enable V-Lan tagging I lose external access on the wired guest network port which is directly from the Draytek.

What I have is the 2860 as the VDSL modem/Virgin media hub connection to the outside world.

One of the ports of this is set to the guest LAN, and there is a guest wifi SSID which is part of the guest IP pool this forms the guest VLan which is working fine, and has done for years.

The remainder of the hard wired ports are for the internal lan, which also has a wifi SSID associated with it, this is also working fine.

The internal network is connected to the 2860 via a single port which runs to a DGS-1210-24P switch.
From this are several direct connections to devices, & links to the other two switches, a DGS-1210-24 & a DGS-1210-10MP.
This is also working fine.

The issue is that we have several wifi black spots for both guest & internal wifi networks, so I am trying to plug these with AP-900's slaved to the 2860.

The VLan tagging idea is to be able to extend the wifi ssid's, both the internal & guest via a single cable to the AP's thus broadcast 2 separate SSID's from the AP-900's, and this seemed to be the way that the Draytek white papers describe it.
I am hoping to use the AP-900's as PoE to save putting power supplies & network cables to their locations, as we already have wired network points there.

It seemed from the Draytek info that it would be simply a case of adding the tag to the second guest VLan and that would be that, over and above the existing port & SSID based VLan system that is in place, which should then allow both VLans to be transmitted to the switches and onward to the slave access points which are the AP-900's.

I get that I will have to configure the switches to pass the Vlan tagged packets, and that seems quite easy.

I am confused why adding the tagging kills the external access on the physical port on the 2860, I can understand that the switches need to be set up to pass through the VLan tagged packets, but I've not got that far down the network tree yet as it were, or is it the switches that are killing the access even though they are not part of the transmission path that is failing.
Adding the VLan tag to the 2860 does not kill the internal wired, or wifi network. Just the guest hard wired port, I've not tried the guest wifi yet as I have always been told to fault find one thing at a time, and make one change at a time until you find what the issue is!
This might not be true with networks perhaps?

03 Sep 2018 11:05 #4 by haywardi
Replied by haywardi on topic Re: VLAN Tagging & Multiple AP's
Hi Sidewinder,

First let me explain I am no expert on VLANs, but I had to set one up as I process credit cards and needed to segregate the traffic from other types of traffic.

Therefore I started with the basics. On the draytek, I configured 4 Vlans and ENABLED 'Allow untagged traffic on P1' so I could still access the router, now it's stable I have switched this off as all my traffic is tagged and I want the extra protection of everything tagged correctly or rejected by the router.

BUT it's not enough to have your switches support VLANs, you HAVE to configure the switches. This was the hardest part of the set up and why I can't be specific about your configuration. Windows does not appear to support VLAN tags (well it does, but only if you have an appropriate network card which most don't) so each port with a windows PC you have to manually configure a tag for that port on your switch, same for any other device that does not support VLANs.

I suspect what you are seeing is that the AP you have configured correctly with the VLAN tag and your switch is passing them correctly so you can access the internet. But perhaps your switches default to tagged traffic or assign a default if no tag is detected and your 2860 does not recognise the default tag and rejects the traffic.

The first thing I would try though is just enable untagged traffic on P1 and route all your traffic via port 1 to see if that sorts it out. If it doesn't you are probably going to have to manually configure your switch(es). If it's any help, it took me about 4 hours to go from complete beginner to being able to configure a VLAN, so it's not that difficult, you just have to spend a little time.
Iain

03 Sep 2018 12:17 #5 by hopkins35
Replied by hopkins35 on topic Re: VLAN Tagging & Multiple AP's
Would be easier for us if you could show your network setup as a diagram in something like Visio or even Powerpoint to help us pinpoint your problem(s). VLANs can be quite complicated to setup and as previously mentioned there will be config needed on your switches as well with the physical ports being added to VLAN groups and the setup of trunk ports which transport all data packets (useful when linking 2 switches or the link between a switch and an access point - possibly relevant to your problem).
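
An added example, not part of any post in this thread and not DrayTek or D-Link code: a generic 802.1Q port model for the points made in posts #4 and #5, that a PC sending untagged frames needs an untagged (access) port, while the cable to an AP carrying two SSIDs needs a trunk configured on every switch in the path. The VLAN IDs, port names and the rule that a tag-only port drops untagged frames are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed VLAN IDs for illustration; the thread does not give any.
INTERNAL, GUEST = 10, 20

@dataclass(frozen=True)
class Port:
    """Generic 802.1Q port: pvid classifies untagged frames, tagged lists trunked VLANs."""
    name: str
    pvid: Optional[int] = None        # None: untagged ingress frames are dropped
    tagged: frozenset = frozenset()   # VLANs accepted and sent with a tag

    def ingress(self, frame_tag: Optional[int]) -> Optional[int]:
        """Return the VLAN a received frame is placed in, or None if dropped."""
        if frame_tag is None:
            return self.pvid
        return frame_tag if frame_tag in self.tagged else None

    def egress(self, vlan: int) -> Optional[str]:
        """Return how a frame of this VLAN leaves the port, or None if not a member."""
        if vlan == self.pvid:
            return "untagged"
        return "tagged" if vlan in self.tagged else None

def reachable(port: Port, vlan: int, device_tags: bool) -> bool:
    # device_tags=False: a PC that sends and expects untagged frames.
    # device_tags=True: an AP SSID mapped to a VLAN tag.
    sent = vlan if device_tags else None
    expected = "tagged" if device_tags else "untagged"
    return port.ingress(sent) == vlan and port.egress(vlan) == expected

def scenarios() -> dict:
    access = Port("guest access port", pvid=GUEST)
    tag_only = Port("guest port, tag enabled", tagged=frozenset({GUEST}))
    default = Port("unconfigured switch port", pvid=1)
    trunk = Port("trunk to AP", pvid=INTERNAL, tagged=frozenset({GUEST}))
    return {
        "pc_on_access_port": reachable(access, GUEST, device_tags=False),
        "pc_on_tag_only_port": reachable(tag_only, GUEST, device_tags=False),
        "guest_ssid_via_default_port": reachable(default, GUEST, device_tags=True),
        "guest_ssid_via_trunk": reachable(trunk, GUEST, device_tags=True),
        "internal_ssid_via_trunk": reachable(trunk, INTERNAL, device_tags=False),
        # A frame tagged for a VLAN the access port is not a member of is dropped.
        "internal_tag_on_guest_port": access.ingress(INTERNAL),
    }
```

Calling `scenarios()` returns one result per case: the untagged PC works only on the access port, the guest SSID works only once the port towards the AP is a trunk carrying the guest VLAN, and the guest access port drops frames tagged for the internal VLAN.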

03 Sep 2018 12:19 #6 by sidewinder
Replied by sidewinder on topic Re: VLAN Tagging & Multiple AP's

hopkins35 wrote: Would be easier for us if you could show your network setup as a diagram in something like Visio or even Powerpoint to help us pinpoint your problem(s). VLANs can be quite complicated to setup and as previously mentioned there will be config needed on your switches as well with the physical ports being added to VLAN groups and the setup of trunk ports which transport all data packets (useful when linking 2 switches or the link between a switch and an access point - possibly relevant to your problem).



I can do that, I didn't realise that you can upload diagrams, give me a couple of hours, I've a job to finish, then I'll draw something up in Visio.

Thanks all.
