Two SSID, Two VLAN, One Cable.

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2016-09-22 23:27:03
Hi all, guys!
I installed various EAP antennas (120 and 110) in a small industry; now I must create a Guest Wireless.
No problem with two SSIDs, but I must divide the network, because there are a lot of services in the business wireless.
So, I want the "Business WiFi" in VLAN ID 100 and the "Guest WiFi" in VLAN ID 200.
My problem is separating the traffic of these two networks: every antenna tags the packets from the SSID, but the switch can accept only one VLAN, right?
I want to connect the business WiFi to the business network, with a server and more, and the guest WiFi directly to the Internet.

Thank you for every answer! :D
#1
Re:Two SSID, Two VLAN, One Cable.
2016-09-23 09:40:04
One port of switch could accept more than one VLAN if you configure Trunk or General port. You just configure the port connected to EAP as General port and allow VLAN100, 200.
#2
Re:Two SSID, Two VLAN, One Cable.
2016-09-23 19:45:29

johnson wrote

One port of switch could accept more than one VLAN if you configure Trunk or General port. You just configure the port connected to EAP as General port and allow VLAN100, 200.


Thanks Johnson for your reply!
So, basically every port accepts only one VLAN, and the default is VLAN 1. If I set trunk on the port I can configure more than one VLAN for each port!
But when I do this, how can I separate the traffic tagged VLAN 100 from the traffic tagged VLAN 200?
#3
Re:Two SSID, Two VLAN, One Cable.
2016-09-23 20:19:46

johnson wrote

One port of switch could accept more than one VLAN if you configure Trunk or General port. You just configure the port connected to EAP as General port and allow VLAN100, 200.

Johnson, thanks for your reply!
The only method to accept more than one VLAN on an Ethernet port is to set it in trunking mode, and assign VLAN 100 and VLAN 200 to one port.
By default, all ports are set to VLAN ID 1, untagged.
My problem is separating VLAN 100 traffic from VLAN 200 traffic; I want to create a different path for each VLAN!
#4
Re:Two SSID, Two VLAN, One Cable.
2016-10-13 20:31:46
Can anyone help me?
#5
Re:Two SSID, Two VLAN, One Cable.
2016-10-14 01:29:38
You separate traffic by assigning a second port on your switch (or router) to VLAN 100 and a third one to VLAN 200.

For a sample setup of VLANs see the paragraph about Multiple SSIDs here: http://forum.tp-link.com/showthread.php?84173-VLAN-transfer-and-management-VLAN-introduction
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#6
Re:Two SSID, Two VLAN, One Cable.
2016-10-14 23:23:44

R1D2 wrote

You separate traffic by assigning a second port on your switch (or router) to VLAN 100 and a third one to VLAN 200.

For a sample setup of VLANs see the paragraph about Multiple SSIDs here: http://forum.tp-link.com/showthread.php?84173-VLAN-transfer-and-management-VLAN-introduction


Yes, but I need to know how I can separate the tagged traffic from the EAP120, between VIP WLAN and GUEST VLAN.
I can set a different VID for each WLAN, but I need to separate the traffic in the switch; how can I do this?

Sorry for my ignorance, and thank you for your reply!
#7
Re:Two SSID, Two VLAN, One Cable.
2016-10-14 23:32:08




How can I separate the traffic in the switch?
#8
Re:Two SSID, Two VLAN, One Cable.
2016-10-15 07:20:32
Your picture shows it very clearly: the EAP is connected to the switch over a trunk carrying both VLANs' traffic, which means data packets including the VLAN ID. The switch can then separate and forward all packets with VLAN ID 200 to a specific port (say, port 2) and all packets with VLAN ID 100 to another port (say, port 1). You connect the system running the Captive Portal to port 2 of the switch (the guest network) and the Internet router to port 1 (the private network). The switch will remove the VLAN IDs before passing data to ports 1 or 2.

To be able to do so, the switch needs to be a managed switch (a TP-Link EasySmart switch for example).

This is such an example setup:






If the captive portal is software rather than a separate device, it can also run directly on the router connecting to the Internet (which is missing entirely in your picture!). Then, you would not use an external switch, but the built-in switch of the router, which can separate and forward data from different VLANs into different subnets.

In other words: if the Captive Portal, the Internet router and the switch from your picture above are running on the same device, then the trunk from EAP connects directly to the switch of this device.

For example, let's assume you have a router running some kind of Linux system (e.g. OpenWRT). You installed a captive portal such as wifidog or similar and you also have a VLAN-capable switch built into the router. You then create three networks wan, guest and private. You assign the VLAN ID 200 to the guest network and VLAN ID 100 to the private network.

One port of the router needs to connect to the Internet, it is assigned to the network wan. A second port connects to the EAP carrying both VLANs 100 and 200 (the trunk). If this port is assigned to both VLANs 100 and 200, the built-in switch of the router can separate the data (much like in the example with a standalone switch described above) and forwards it over kind of internal "wiring" into one of the networks corresponding to the VLAN ID, that's 100 for private and 200 for guest. The firewall then captures packets from the guest network and redirects them to the Captive Portal software. Data in the private network is just forwarded to the wan.

The functionality is the same as the scheme using an external managed switch, only the connections from ports 1 and 2 are now internal between the router's switch logic and the CPU. Anyway, data will end up in either the guest (ID 200) or the private (ID 100) network.

Did this better answer your question?
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#9
Re:Two SSID, Two VLAN, One Cable.
2016-10-28 16:06:01


Thanks a lot man!
So I need to set the "input" port (AP) as a tagged member of VLAN 100 and 200.
Set the "output" port for the VIP network as an untagged member of VLAN 100.
And set the "output" port for the captive portal as an untagged member of VLAN 200?

Another question: can I create a trunk between two switches on the main backbone? (SFP port)
To do this, I need to set (on both switches) the SFP port as a tagged member of 100, 200 and 1 (for untagged traffic), right?

Thanks a lot for your help! :)
#10
Re:Two SSID, Two VLAN, One Cable.
2016-10-29 19:12:25

Capobuf wrote

Thanks a lot man!
So I need to set the "input" port (AP) as a tagged member of VLAN 100 and 200.
Set the "output" port for the VIP network as an untagged member of VLAN 100.
And set the "output" port for the captive portal as an untagged member of VLAN 200?


Yes, this is how port-based VLAN separation works, but the ports are all "input/output" ports, because data can flow in both directions. The key here is tagged versus untagged port. Defining a port as untagged is the way to separate the data in the VLAN the port is a member of and also to combine (incoming) data on this port into a trunk by having the switch add the corresponding VLAN ID defined as PVID. Note that there are still other ways to achieve this, for example MAC-based VLANs or protocol-based VLANs, which are explained in detail in the switch's user guide.

Capobuf wrote

Another question: can I create a trunk between two switches on the main backbone? (SFP port)
To do this, I need to set (on both switches) the SFP port as a tagged member of 100, 200 and 1 (for untagged traffic), right?


Sure. You can define any port as a tagged (trunk) port and therefore use multiple trunks if the connected devices do support VLANs.

To be precise: tagged ports (trunks) can carry all or only some VLANs (according to their VLAN membership) and VLAN 1 is also a true VLAN, tagged with ID 1. Some switches just use VLAN 1 internally as a default VLAN even if you don't use VLANs at all, but traffic tagged with VLAN ID 1 is still tagged traffic, no matter whether it appears as tagged or untagged traffic outside the switch.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#11
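
The port behaviour described in the replies above (a tagged trunk port towards the EAP, untagged member ports for VLAN 100 and VLAN 200, and the PVID applied to untagged incoming frames), modelled in Python as an added example; it is not code from the thread or from TP-Link. The port number 3 for the EAP cable, flooding without a MAC table and the strict ingress check are assumptions of this model.

```python
import struct
TPID = 0x8100  # 802.1Q tag protocol identifier, placed right after the two MAC addresses

def tag(frame: bytes, vid: int) -> bytes:
    """Insert a 4-byte 802.1Q tag (priority 0) carrying the 12-bit VLAN ID."""
    return frame[:12] + struct.pack("!HH", TPID, vid & 0x0FFF) + frame[12:]

def untag(frame: bytes):
    """Return (vid, frame without the tag); vid is None for an untagged frame."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID:
        return None, frame
    return tci & 0x0FFF, frame[:12] + frame[16:]

# Assumed port layout: 1 = router (private), 2 = captive portal (guest),
# 3 = cable to the EAP. PVID is the VLAN given to untagged frames on ingress.
PORTS = {
    1: {"pvid": 100, "tagged": set(), "untagged": {100}},
    2: {"pvid": 200, "tagged": set(), "untagged": {200}},
    3: {"pvid": 1, "tagged": {100, 200}, "untagged": {1}},
}

def forward(in_port: int, frame: bytes, ports=PORTS) -> dict:
    """Return {egress_port: frame_as_sent}; floods within the VLAN (no MAC table)."""
    cfg = ports[in_port]
    vid, inner = untag(frame)
    if vid is None:
        vid = cfg["pvid"]                # untagged ingress: classify by PVID
        if vid not in cfg["untagged"]:
            return {}
    elif vid not in cfg["tagged"]:       # ingress check: port is not a tagged member
        return {}
    out = {}
    for port, c in ports.items():
        if port == in_port:
            continue
        if vid in c["tagged"]:
            out[port] = tag(inner, vid)  # trunk egress keeps the VLAN ID
        elif vid in c["untagged"]:
            out[port] = inner            # untagged egress strips the VLAN ID
    return out

# Constructed sample frame: broadcast destination, made-up source MAC, IPv4 EtherType.
PLAIN = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"

if __name__ == "__main__":
    print(forward(3, tag(PLAIN, 200)))  # guest SSID frame from the EAP: port 2, untagged
    print(forward(1, PLAIN))            # frame from the router: port 3, tagged 100
    print(forward(3, tag(PLAIN, 300)))  # VLAN not allowed on the trunk: dropped
```

The dropped third frame is the property that matters for guest isolation: a VLAN ID reaches a port only if that port is a member of that VLAN.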