HP VLAN help

Presler

Sup guys,

Got a question that's giving me trouble trying to configure something. Please bear with me: I've always built hardwired LANs, the need came up for a VLAN now, and it's actually my first time setting up VLANs where 2 networks need access to the same port.

HP Switches, 1920s's. VLAN options are include/exclude, Tagged/untagged.

I have 6 ports that need access to two different networks. 5 of them will power APs with 2 SSIDs each, one for the secondary network VLAN attached to the Gateway.

My understanding is that it should be simple to set up, tag both Native VLAN and secondary VLAN to the first 5 ports, tag only port 6 to secondary VLAN for internet access, then leave all other ports untagged on both VLANs.

Doing that throws the APs off the native VLAN. Since network 1 remains the native VLAN, I'm quite sure the APs should remain online there, correct? Also, the Include/Exclude options seem to confuse this all more. Leaving ports untagged should keep them invisible to the other VLAN, so what are the include/exclude options there for? Or am I missing something?

Thanks upfront!
 
Remember, your access port can only be tagged for a single VLAN. So the port that goes to the AP, should get "wireless VLAN". Access port traffic should also be untagged and not tagged, tagged is used for trunk ports. Then the port between the switch and the gateway should be tagged for all of the required VLANs, and you have to create the VLANs on your gateway from where you can control access to each other. Or you can do inter vlan routing on the switch itself.
 
So as an example:
gateway : 192.168.1.1
switch: 192.168.1.2
vlan1: native 192.168.1.x/24
vlan10 : wireless clients 192.168.50.x/24

Create the vlan on both the gateway's internal interface and the switch. TAG the port between the two for native vlan and vlan10 traffic (this needs to be a trunk)
Then on the switch, UNTAG the ports that the APs plug into for vlan10 only.
Now on the gateway you can allow those two vlans to reach each other.
Remember to choose where you want to do DHCP from, I suggest from the gateway
 
Should probably have mentioned this also, 2 different gateways.

1. Must the switch IP be on the same range as the native VLAN?
2. With 2 gateways then, should I tag the port for the gateway from vlan10 only to vlan10 and untag the ports where the APs are plugged in, but include both vlans in the 5 ports for the APs?
 
I will draw you a picture later, but the above advice is incorrect. What brand of APs are you using?
 
Ubiquiti Unifi, so I can tell the controller to assign VLAN IDs to the SSIDs as well
 
I'm interested to see now as well. I didn't read the part about two gateways properly in the initial message. Two gateways make me scratch my head a little. One gateway with two WAN links makes sense, is that perhaps what you mean?
 
I don’t know if this gent's setup will help but I was impressed how he set it up. Clear instructions. Especially on the VLAN.

 
Impressive, nicely done.

Mine was a bit more simple, once I realized the differences between include/exclude and tagged/untagged, everything started to make sense.

+1 for @Sunshine for clearing up the terminology for me and helping out.

In the simplest terms, Include/Exclude is basically making the port a member or not of a specific vlan; tagged/untagged is making the port work for both vlans. With Ubiquiti and D-Link switches this is easier, because the interface and terminology make more sense. With the HPs, you first need to include the ports you want in the correct vlan, which automatically excludes them from their previous vlan (this caught me off guard, as I wanted to include all the AP ports in both vlans and the switch would only include them in one at a time, and I couldn't brain for fuckall yesterday). Then, when you tag your secondary vlan to an included port, it automatically sets the port as "Include" on both vlans.

So, my setup now is as follows

native vlan - 192.168.0.0/24
vlan20 - 10.20.28.0/23

pfsense port 1 gateway 192.168.0.1, plugged into switch port 48
pfsense port 2 gateway 10.20.28.1, plugged into switch port 24.

AP ports 19-23.

19 include native, include vlan 20, tagged both
20 include native, include vlan 20, tagged both
21 include native, include vlan 20, tagged both
22 include native, include vlan 20, tagged both
23 include native, include vlan 20, tagged both
24 exclude native, include vlan 20, untagged both

Create the Wireless network in Unifi controller and set it to use vlan20.

Boom!!! Works like a charm.

Then figured out the trunk bit with Sunshine as well. Create the trunk on an uplink port to another switch, then simply go tag both vlans to it and voila, second and 3rd switches start passing through both vlan traffic and I could have separate locations handle it all the same. What I found interesting is that even when the ports are being configured and set as trunks, it never drops the native vlan offline, which was my biggest concern from the beginning: to not affect the entire operation while setting up a secondary wireless network.

All this seemed so daunting, but becomes fairly simple when you grasp the terminology and settings.
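
The include/exclude versus tagged/untagged distinction from the post above, modelled as an added example that is not part of the original thread. It assumes the native VLAN has ID 1 and is carried untagged on the AP ports with VLAN 20 tagged (the post itself says "tagged both"); port 1 is a hypothetical wired client port.

```python
# Added example: 802.1Q membership model for the port table in the thread.
# Assumptions: native VLAN ID is 1 and is untagged on AP ports; port 1 is hypothetical.
from dataclasses import dataclass
from typing import Optional

NATIVE, WIFI = 1, 20

@dataclass(frozen=True)
class Port:
    untagged: Optional[int] = None      # VLAN given to frames that arrive without a tag
    tagged: frozenset = frozenset()     # VLANs sent and accepted with an 802.1Q tag

    def members(self):
        """VLANs the port is 'included' in, whether tagged or untagged."""
        own = {self.untagged} if self.untagged is not None else set()
        return set(self.tagged) | own

    def classify(self, tag=None):
        """VLAN an incoming frame lands in, or None if the port drops it."""
        if tag is None:
            return self.untagged
        return tag if tag in self.members() else None

# Constructed from the thread: APs on 19-23, the two pfSense legs on 24 and 48.
SWITCH = {n: Port(untagged=NATIVE, tagged=frozenset({WIFI})) for n in range(19, 24)}
SWITCH[24] = Port(untagged=WIFI)      # pfSense 10.20.28.1
SWITCH[48] = Port(untagged=NATIVE)    # pfSense 192.168.0.1
SWITCH[1] = Port(untagged=NATIVE)     # hypothetical wired client port

def ports_in(vlan, switch=SWITCH):
    """Port numbers that are members of the given VLAN."""
    return sorted(n for n, p in switch.items() if vlan in p.members())

def multi_vlan_ports(switch=SWITCH):
    """Ports bridging more than one VLAN; each should be a known AP or uplink."""
    return sorted(n for n, p in switch.items() if len(p.members()) > 1)

def unexpected_trunks(allowed, switch=SWITCH):
    """Multi-VLAN ports that are not on the list of approved AP/uplink ports."""
    return [n for n in multi_vlan_ports(switch) if n not in allowed]

if __name__ == "__main__":
    print("VLAN 20 ports:", ports_in(WIFI))
    print("multi-VLAN ports:", multi_vlan_ports())
    print("unexpected:", unexpected_trunks({19, 20, 21, 22, 23}))
```

Running `unexpected_trunks` against an export of the real port table gives a quick review of which ports carry both networks, since those are the only places the two VLANs share a wire.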
 
Please mind the shit drawing but it was a very quick job.
[Attached image: drawing]


@KiLLRoY untagged doesn't mean it doesn't carry VLAN0, by default it just means the traffic does not have a VLAN assigned. You can tag as many VLANs as you like. The 1920s are layer 2 switches so they don't do any routing on the switch itself. This type of layout is called router on a stick (Configuration of Router on a stick - GeeksforGeeks) because traffic between VLANs and subnets has to be routed by the router.
 
TY @Sunshine, I learned something there too. We use Aruba 2620s throughout the office but with Cisco APs, the config on them is a bit different
 
