Unifi APs and VLANs

trevm999

I have some Unifi APs that advertise 3 wireless networks. Two networks have vlan tagging turned on at the Unifi controller. The firewall then deals with the tagged traffic accordingly. The problem is that I have to connect the APs directly into the firewall for this to work. If I connect them to one of our switches, then the vlan tag is stripped. The switches are managed switches with jumbo frame enabled. No VLAN configurations have been set up on the switches, but I suspect the problem is because they are managed switches. With the switches (DGS-1210-48) I can tag a port with a VLAN, but that wouldn't work because the traffic on that port isn't all supposed to be tagged with one VLAN ID.

Is there some way I should be able to get this to work, or should I get an unmanaged switch for the APs? (or possibly better managed switches)

EDIT: Or do I need to be doing some more reading on how VLANs work?
 
So then I should tag the ports connected to the APs and the port that goes to the firewall with all the VLAN IDs?
 
Yes, they are called trunk ports. They allow all packets to pass no matter what the vlan tag is.

Access ports are the ones that go directly to the end user device, or to a network device that supports only one VLAN, i.e. if your VLANs are broken up by department, the switch for that particular department would get an access port instead of a trunk port.

So if it only accesses one vlan, it's an access port, if it has more than one, it's a trunk port.
 
If the Unifi APs are configured with 3 VLANs, then the switch port has to also be enabled for all three VLANs, and the port that is running from the switch to the router has to be tagged with all the VLANs and any untagged traffic.

Andy
 
Yes, as others have mentioned, the switch port your APs are connected to has to be configured as a trunk port.
 
Because you are working with untagged traffic, also remember the cardinal rule, "untagged frames received on trunk are assumed to be part of the native VLAN"
 
Yes, they are called trunk ports. They allow all packets to pass no matter what the vlan tag is.

Access ports are the ones that go directly to the end user device, or to a network device that supports only one VLAN, i.e. if your VLANs are broken up by department, the switch for that particular department would get an access port instead of a trunk port.

So if it only accesses one vlan, it's an access port, if it has more than one, it's a trunk port.


This information may be helpful to some extent, but it is not completely factual.

Trunk Ports only carry the tagged traffic that is allowed on the trunk. They deal with Ethernet-type frames NOT packets - that is 802.1Q (i.e. dot1q in Cisco lingo); specifically, this is Layer-2 stuff NOT Layer-3 Stuff.

switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 1,5,10,35,52,121

Most of the time you do not feed another switch downstream from an access port even if it has only one (1) tagged VLAN, though I admit this is possible, because what happens is that traffic sent from a native VLAN to a native VLAN is carried untagged... Keep in mind that the native VLAN can be configured on a per port basis or even disabled! The native VLAN is NOT the default VLAN.

switchport trunk native vlan 50

Where it will confuse you:

You have two switches connected via a trunk port... you create VLAN 10 on both switches and on one end of the trunk you modify the NATIVE VLAN to be VLAN 10... what will happen is, if the first switch (with NATIVE VLAN 1 on the trunk) receives a frame from VLAN 1 and decides it needs to send the frame on the trunk port, it will see that the frame was issued from VLAN 1, which is the NATIVE VLAN on the trunk port, and it will send the frame out the trunk port UNTAGGED. Now when switch 2 receives the frame, it sees it is untagged and it will associate the frame with its NATIVE VLAN, which is VLAN 10.
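The native-VLAN mismatch described in the post above, replayed on a small 802.1Q model. This is an added example, not code from the thread; the MAC addresses, payload and allowed-VLAN set are constructed, and the model only covers tag insertion, tag removal and native-VLAN classification on a trunk.

```python
import struct
from typing import Optional, Set

TPID_8021Q = 0x8100      # TPID that marks an 802.1Q-tagged Ethernet frame
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses (not from the thread).
BCAST = bytes.fromhex("ffffffffffff")
SRC_MAC = bytes.fromhex("020000000001")  # locally administered, made up


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vlan_id: Optional[int] = None) -> bytes:
    """Ethernet II frame; an 802.1Q tag (TPID + TCI) is inserted when vlan_id is set."""
    header = dst + src
    if vlan_id is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)  # PCP/DEI = 0
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_vlan(frame: bytes) -> Optional[int]:
    """VLAN ID carried in the tag, or None when the frame is untagged on the wire."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def trunk_egress(vlan: int, payload: bytes, native_vlan: int,
                 allowed: Set[int]) -> Optional[bytes]:
    """Forward a frame that belongs to `vlan` out a trunk port: not allowed -> dropped,
    native VLAN -> sent untagged, anything else -> sent with its 802.1Q tag."""
    if vlan not in allowed:
        return None
    tag = None if vlan == native_vlan else vlan
    return build_frame(BCAST, SRC_MAC, payload, tag)


def trunk_ingress(frame: bytes, native_vlan: int, allowed: Set[int]) -> Optional[int]:
    """Classify a frame received on a trunk: untagged frames join the native VLAN."""
    vid = parse_vlan(frame)
    vlan = native_vlan if vid is None else vid
    return vlan if vlan in allowed else None


def replay(native_sw1: int, native_sw2: int, src_vlan: int = 1):
    """Send one frame from src_vlan on switch 1 across the trunk to switch 2.
    Returns (VLAN ID seen on the wire, VLAN the frame lands in on switch 2)."""
    allowed = {1, 10}
    wire = trunk_egress(src_vlan, b"hello", native_sw1, allowed)
    return parse_vlan(wire), trunk_ingress(wire, native_sw2, allowed)
```

`replay(1, 10)` reproduces the post's scenario: the VLAN 1 frame crosses the wire untagged and is classified into VLAN 10 on the far switch, whereas `replay(1, 1)` keeps it in VLAN 1, which is why native VLANs must match on both ends of a trunk.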
 