24 Messages • 330 Points

Thu, Jul 1, 2021 2:36 PM

Port/VLAN best Practice

Hi Everyone,

I have a SZ-100 setup with a single port group setup.  We have 46 APs currently and are expecting to add 30 more at another location on campus.

Currently, the primary wireless LAN lives on the same VLAN as the APs and the SZ-100 (the vendor that installed the equipment set it up this way).  I would like to break it up so the APs and the SZ-100 live on our "management vlan" and then have the primary WLAN live on its own.

I know out of the box we could have gone with a two-port group, is it worth going through the hassle of resetting everything and going this route, or stick with the current single port group and just adjust the SZ-100 & APs IP addresses and vlans accordingly?

I'm leaning towards the latter but I figured it was worth asking before I proceeded.

Thanks,

Matt

Responses

Accepted Solution

Official Rep • 178 Messages • 4.9K Points

Hi Matt,

The second port on the SZ-100 is there to allow tunneling client traffic from the APs through the SZ instead of directly out the AP's local network.

If you wish for client traffic to be put into a different VLAN, you need to change the VLAN configured in the Wireless LAN (WLAN)/SSID configuration:

Under advanced options you will see the Access VLAN configuration. By default it is 1, which is actually the default VLAN of the AP, and traffic is sent out of the AP untagged and thus into the AP management VLAN.

By changing this VLAN to any other value you will be tagging the client traffic connected to that SSID/WLAN when it leaves the AP.

If you are using local bridging on the AP, that means you need to configure the switch port where the AP connects to accept and carry that VLAN ID as tagged.

You will also need to create a VLAN router interface for that VLAN and configure DHCP services on that VLAN in the Router or using DHCP relay to an external DHCP.

If you are tunneling the client traffic from the AP it will go from the AP to the SZ100 and egress the SZ100 port tagged.  The SZ100 port (second port if you enable it) would then need to carry that VLAN as tagged and connect to a VLAN router interface with DHCP services.

I hope this answers your question,

Thanks for selecting CommScope/Ruckus products

Albert Pierson

Principal Support Engineer

24 Messages • 330 Points

I'm not tunneling, thank you for clarifying that.

Right now the primary client VLAN is untagged, so both my SZ-100 and the primary WLAN are set to 1. My plan is to change the untagged VLAN to my management VLAN, so the SZ-100 will stay on VLAN 1 but my WLAN will have to be updated with the proper (now tagged) VLAN.

I think it's going to be a pretty simple swap other than me needing to tell the APs that the SZ-100 has a new address.  I did see a script I could run that would do most of that heavy lifting for me.

150 Messages • 2.7K Points

If at all possible, I would try to avoid re-IP'ing the SZ.

Can you move the customer VLAN instead?

24 Messages • 330 Points

Not really the way things are currently setup.  Is there a reason other than getting the APs pointed in the right place to not change the SZ-100's IP?

150 Messages • 2.7K Points

Do you need to tunnel back to SmartZone? Otherwise just create/change the VLAN of the WLAN, set it as "local breakout" (no tunneling) and hand off to the switch directly.

If you're not using tunneling, the SmartZone doesn't even need any reachability to the traffic VLANs.

Official Rep • 178 Messages • 4.9K Points

It is best NOT to change the management VLAN (enable tagging) for the APs.

This is done under Zone configuration or AP group configuration under advanced settings - AP management VLAN - the default is "keep AP settings".

If you tag AP management you will always need a 2-step process when adding APs or after factory-defaulting APs. By default APs send management traffic untagged. If you enable tagging for AP management, then when a factory-defaulted AP is added you would first have to connect it to an untagged port, and as soon as it gets its configuration from the SZ it will lose contact until the AP is physically moved or the switch port is re-configured with the correct tagged VLAN. This is messy unless really needed. It is best to always have APs connected to ports where the AP-to-SZ management VLAN is native or untagged.

It is much easier and better practice to tag the WLAN/SSID and put client traffic into a different VLAN.

If you use the native/untagged VLAN at the AP port and SZ port, it really does not matter what the VLAN ID is, since access/native ports ignore and strip VLAN tags by definition. They can be any VLAN ID in the network, but it is always best to have AP and SZ management untagged at the ports.

Simply tag the WLAN/SSID (called the access VLAN in the WLAN, as it acts like an access port at the wireless client end) and create the VLAN infrastructure to carry this traffic outside of the AP-to-SZ management VLAN, avoiding multicast and broadcast storm issues. You can easily separate different WLANs into different VLANs to isolate traffic, i.e. guest vs. internal clients, and determine whether they can intercommunicate in the VLAN router.
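The rules laid out in the two official replies above (access VLAN 1 means untagged into the AP management VLAN; a locally bridged WLAN needs its VLAN tagged on the AP's switch port; a tunneled WLAN needs it tagged on the SZ data port instead; AP management should stay native/untagged) can be checked against a planned port layout before anyone touches a switch. The script below is an added example, not code from the thread or from Ruckus; the SwitchPort/Wlan classes, the check_plan() function and the two sample plans (a 46-AP site with one client WLAN) are all constructed for illustration, and the VLAN numbers are made up.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class SwitchPort:
    """Hypothetical model of an 802.1Q port: one untagged (native) VLAN plus a set of tagged VLANs."""
    name: str
    native_vlan: int
    tagged_vlans: Set[int] = field(default_factory=set)

    def carries_tagged(self, vlan: int) -> bool:
        return vlan in self.tagged_vlans


@dataclass
class Wlan:
    """A WLAN/SSID as configured on the controller (the thread's 'access VLAN' and tunneling choice)."""
    ssid: str
    access_vlan: int = 1      # controller default: 1 = client frames leave the AP untagged
    tunneled: bool = False    # True = client traffic is tunneled AP -> SZ and egresses the SZ data port


def check_plan(ap_port: SwitchPort, mgmt_vlan: int, wlans: List[Wlan],
               sz_data_port: Optional[SwitchPort] = None,
               ap_mgmt_tagged: bool = False) -> List[str]:
    """Return a list of findings; an empty list means the plan follows the advice in the thread."""
    findings: List[str] = []

    # Factory-default APs send management traffic untagged, so a tagged AP management
    # VLAN forces a two-step onboarding for every new or reset AP.
    if ap_mgmt_tagged:
        findings.append("AP management VLAN is tagged: every new or factory-reset AP "
                        "needs a two-step onboarding")

    # AP-to-SZ management should be the native (untagged) VLAN on the AP port.
    if ap_port.native_vlan != mgmt_vlan:
        findings.append(f"{ap_port.name}: native VLAN {ap_port.native_vlan} is not the "
                        f"AP/SZ management VLAN {mgmt_vlan}")

    for w in wlans:
        if w.access_vlan == 1:
            # Access VLAN 1 = untagged = clients land in the same VLAN as the APs and the SZ.
            findings.append(f"{w.ssid}: access VLAN 1 leaves the AP untagged, so clients "
                            f"share the management VLAN")
        elif w.tunneled:
            # Tunneled traffic egresses the SZ, so the SZ data port must carry the VLAN tagged;
            # the AP port does not need it at all.
            if sz_data_port is None or not sz_data_port.carries_tagged(w.access_vlan):
                findings.append(f"{w.ssid}: tunneled, but no SZ data port carries "
                                f"VLAN {w.access_vlan} tagged")
        elif not ap_port.carries_tagged(w.access_vlan):
            # Local breakout: the AP hands the tagged frame to its own switch port.
            findings.append(f"{w.ssid}: local breakout, but {ap_port.name} does not carry "
                            f"VLAN {w.access_vlan} tagged")
    return findings


def as_installed() -> List[str]:
    """Constructed 'before' plan: everything untagged on VLAN 1, as the installer left it."""
    return check_plan(SwitchPort("Gi1/0/1", native_vlan=1), mgmt_vlan=1,
                      wlans=[Wlan("Campus-WiFi")])


def corrected() -> List[str]:
    """Constructed 'after' plan: management stays native, the WLAN is tagged into VLAN 20."""
    return check_plan(SwitchPort("Gi1/0/1", native_vlan=1, tagged_vlans={20}), mgmt_vlan=1,
                      wlans=[Wlan("Campus-WiFi", access_vlan=20)])


if __name__ == "__main__":
    for label, result in (("as installed", as_installed()), ("corrected", corrected())):
        print(f"{label}: {result or 'OK'}")
```

The "as installed" plan produces one finding (the WLAN sits in the management VLAN); the corrected plan produces none. A tunneled guest WLAN can be modelled by passing `tunneled=True` and an `sz_data_port` that carries the guest VLAN tagged, which is the only case in which the SZ's second port needs to see client VLANs at all.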

24 Messages • 330 Points

I guess I didn't make myself clear. I think we're both on the same page: the management VLAN will remain untagged/VLAN 1, though on the switch the untagged/tagged VLANs will change. This will mean an IP/netmask change on that VLAN, but it will remain VLAN 1 as far as the SZ-100 is concerned.

The WLAN will change to the tagged VLAN ID.

Sorry if I confused things and thank you for your help.

437 Messages • 5.5K Points

Basically what you want is to move the SZ and APs into a different VLAN (which is not VLAN 1 on the switch), which requires a change of IP addressing.

As long as the VLAN is untagged on the port, the connected device (SZ or AP) has no idea what this VLAN ID is on the switch; the VLAN ID is a designation local to the switch, so the only thing visible to the devices will be different IP addresses.

It is easy to do, it just needs some planning, as your APs will lose connection to the SZ when its IP is changed (I suppose that you use DHCP for AP addressing, so moving them into the new segment will change their addresses automatically). You can use DHCP or DNS options to supply the new SZ IP to the APs, and nevertheless this may be disruptive, and you can end up manually configuring part or all of the APs using SSH (which isn't that difficult, just take care that you know the username/password for the AP SSH connection - it is set in the Zone configuration).

Anyway, I would say that this is only half of a good setup: I would recommend having the APs on a different VLAN from the SZ. Of course, having a firewall or at least a NAT router between the AP VLAN and the SZ will make the setup much more secure, but if all of this is localized in a few switches in your office, you don't really need that. If it is a big campus or public venue, then a firewall is highly recommended.

User traffic must use different VLANs (tagged on AP, and not needed at all on ports, where SZ is connected), with separate DHCP/DNS setup.

What would be a very bad idea, to use tagged management VLAN on APs -- it makes AP preparation for deployment cumbersome and makes setup prone to problems during AP upgrades and reboots. With untagged management VLAN on AP you usually can connect to it even if the configuration is broken, you can factory reset it remotely and reconfigure. If you have full access to switch, you can do it  with tagged management VLAN also, but it takes much more effort, so don't use tagged management VLAN if you can avoid it...

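The reply above mentions pointing the APs at the new SZ address via DHCP options rather than touching each AP over SSH. The script below is an added example, not code from the thread or from Ruckus: it builds and parses a DHCP option 43 (vendor-specific information) payload in the TLV form Ruckus APs expect. The sub-option code 6 for SmartZone (3 is the ZoneDirector one) and the comma-separated ASCII IP list are as I recall them from Ruckus AP discovery documentation, so treat SMARTZONE_SUBOPTION as an assumption and confirm it against the documentation for your SZ release before rolling it out. The controller addresses used are constructed.

```python
import ipaddress
from typing import Dict, List

# Assumption: Ruckus option 43 sub-option carrying the SmartZone controller list.
SMARTZONE_SUBOPTION = 6


def encode_option43(controllers: List[str], suboption: int = SMARTZONE_SUBOPTION) -> bytes:
    """Build an option 43 payload: one TLV whose value is the comma-separated ASCII controller list."""
    for c in controllers:
        ipaddress.ip_address(c)  # reject a typo before 46 APs try to reach it
    value = ",".join(controllers).encode("ascii")
    if not 1 <= len(value) <= 255:
        raise ValueError("sub-option value must be 1..255 bytes")
    return bytes([suboption, len(value)]) + value


def decode_option43(payload: bytes) -> Dict[int, bytes]:
    """Walk the TLVs of an option 43 payload, e.g. to sanity-check what a DHCP server is handing out."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(payload):
        if payload[i] == 0xFF:          # optional end marker
            break
        if i + 2 > len(payload):
            raise ValueError("truncated TLV header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        out[code] = value
        i += 2 + length
    return out


def colon_hex(payload: bytes) -> str:
    """Render the payload the way ISC dhcpd's 'option vendor-encapsulated-options' takes it."""
    return ":".join(f"{b:02x}" for b in payload)


if __name__ == "__main__":
    payload = encode_option43(["10.10.1.5"])          # constructed new SZ-100 address
    print("option vendor-encapsulated-options", colon_hex(payload) + ";")
    print(decode_option43(payload))
```

Put the resulting bytes on the scope that serves the AP management VLAN (in ISC dhcpd as shown by the print; in Windows DHCP as the binary value of option 043), then verify with a packet capture on one AP port that the offer actually carries the option before relying on it for the cut-over.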

24 Messages • 330 Points

Thanks for the input. I really feel I haven't made myself clear; I do understand how VLANs work, that's not the issue.

Really what I was trying to figure out is if I needed to move to a two port group (which I clearly don't).

I'll get things swapped over.

Thanks again.
