DHCP on VLANs with EAP670
Hi
I have a network with several subnets using VLAN. My main network is on VLAN1 (I know this isn't the best choice, but it is what it is). I also have a Guest network on VLAN99 and a Training network on VLAN100. I have a managed switch from Cisco and the ports that have the EAPs (I have 6) are all configured as trunk ports with VLAN1 untagged and the other VLANs tagged. All wireless networks have VLAN configured.
When I connect a smartphone to the SSID that has VLAN1, all is working well, but when I try to connect to the other SSIDs I do not get an IP address. I'm sure the DHCP servers are working correctly because I have physical machines connected to all networks without issues. I have physical machines connected to other identically configured ports on the switch, without issues.
What can I do to debug this issue?
It should work. It must be some other issue down the line. I had it configured like that once between EAP660 HD and CISCO CBS350 and it worked. However at the end, I have settled on using the General port mode instead of the Trunk mode, because I have also NETGEAR switches and wanted to keep it consistent.
Thanks for your reply Kris. At home, I have a comparable setup, but with EAP245 and a TP-link switch and that works well. I don't think switching to General port mode will have an effect since I will only have 1 untagged VLAN, but I'll give it a try when I'm back in the office.
If configured properly, it should not make any difference. What's your DHCP server? How is it connected to the network? The whole path from the server to the AP is important.
I'm not a trained network professional but I think this simplified drawing explains the setup I've configured:
LAN DHCP is working on all ports of the 48-Port switch. Ports going to workstations are all access ports with VLAN1 untagged. There's also an extra switch connected to an access port with VLAN20 untagged, and all of our training computers are connected to that extra switch. DHCP for TRAINING does work in the wired network.
EAP670 has 3 SSIDs configured, one for each VLAN. Connecting to the LAN SSID works. DHCP is handing out IP addresses. TRAINING and GUEST do ask for the wireless password key, but after that, no IP address is handed out by any DHCP.
I really don't trust the Sophos XG135 firewall and plan to replace it with a pfSense VM in Proxmox, but I wanted to get wifi going before I go down that rabbit hole.
In this topic, it is stated that all SSIDs should have a VLAN assigned: https://community.tp-link.com/en/business/forum/topic/596664 My LAN SSID is untagged at the moment. Could that be the problem? Also, I see there are a lot of issues with EAP6xx and VLANs. Maybe we've switched too soon?
If your Sophos firewall hands out DHCP addresses in each VLAN and you have trunk connections from it all the way to the AP, it should work. It doesn’t really matter if those devices are Sophos, TP-Link or CISCO. I’m yet to see an 802.1Q incompatible device. However, my CISCO switches offer several tagging options. You may like to check that on your switch. Dot1q tagging is what you want.
Also, sometimes things are just not the way we think they are. We all make silly mistakes from time to time and, for whatever reasons, we can't see it. A cable can be plugged into a wrong port or the VLAN ID is 2 instead of 20. I’ve seen that happening. Omada Controller can lie, too. You may like to do some troubleshooting. Define an access port to each VLAN on each switch and check if DHCP works there.
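As an added illustration of the checks KJK suggests (not configuration posted in this thread), here is a Cisco Catalyst IOS fragment for the setup described in the question: an AP uplink carrying VLAN 1 untagged and VLANs 99 and 100 tagged, a temporary access port in VLAN 100 for the wired DHCP test, and the show commands that confirm which port the AP is actually plugged into. Interface numbers and the AP MAC address are placeholders; CBS350 and other non-Catalyst platforms use slightly different syntax.

```cisco
! AP uplink port (interface number is an assumption).
! VLAN 1 is the untagged/native VLAN, 99 (GUEST) and 100 (TRAINING) are 802.1Q tagged.
interface GigabitEthernet1/0/10
 description EAP670-1 uplink
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,99,100
 spanning-tree portfast trunk
!
! Temporary test port for the access-port check: a laptop plugged in here
! should get a TRAINING address. If it does, VLAN 100 and its DHCP server
! are fine on this switch and the problem lies on the path to the AP.
interface GigabitEthernet1/0/48
 description TEST-VLAN100-access
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
! Verification from exec mode. Replace 00aa.bbcc.ddee with the AP's MAC
! address as shown in the Omada controller; the output tells you which
! port the AP really sits on, so the trunk config can be checked there.
show mac address-table address 00aa.bbcc.ddee
show interfaces GigabitEthernet1/0/10 switchport
show interfaces trunk
```

If `show interfaces trunk` lists the AP port with only VLAN 1 allowed, or does not list it at all, the port is an access port and tagged SSID traffic is being dropped at the switch.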
@KJK The Sophos is DHCP server for the guest network only. The other networks are handled by the respective Domain Controllers. I admit I never understood the logic behind Sophos firewall configuration. I have pfSense in my homelab and that feels much more natural to me, which is one of the reasons I plan on switching to pfSense in production too.
I'll double-check all settings and test with an access port on the switch when I'm back at the office, but I have gone through those a million times in the past few days. I do not think I missed one, but it won't hurt to go over them once more.
Thanks for your help!
Turns out, I made a wrong assumption about the ports the APs used on the Cisco switch, so the ports were misconfigured after all. My bad, but happy with the "easy" fix.
Thanks for all the help!
Merijn