Can vlan 1 be explicitly tagged on a WLAN?

  • Question
  • Updated 2 years ago
  • Answered
Hi,

When my network was initially set, our internal network was set up on VLAN 1. The ruckus was configured on VLAN 10 (no management interface). I now want to set up a WLAN directly on VLAN 1 so I can use the DHCP server there and my wireless clients can be on the same subnet. Now, on 9.1.2.0.8, I wasn't even allowed to set the VLAN field to 1. Yesterday I upgraded to 9.6.0.0.267. I can now set a 1 there, but it seems to be the default and I still seem to be on VLAN 10 as that is where the DHCP server that is giving me an IP address resides.

Other Configuration info:
1) Ruckus Zone Director is on VLAN 10. No management interface is configured.
2) DHCP server is disabled, I've been using independent DHCP servers on each VLAN
3) Switch config for access points are untagged VLAN 10 and tagged everything else
4) Switch config for zone director is tagged everything, although I have tried untagged for VLAN 1.

As I've had no issues setting up WLANs on other VLANs, I'm wondering if there's something special about VLAN 1? Should my internal network not be there? Did I miss something in the user guide? Is there some other setting in the Ruckus somewhere I need to change? Did I just make a boneheaded error several times?

I think my next step is to see if I can do this via dynamic VLANs as I do intend to use RADIUS there anyway.
Joshua Rusch

Posted 4 years ago

Joshua Rusch
OK, I got the same results with dynamic VLAN. I think perhaps I may be a little confused about how the untagged setting works on the switch so I'm doing a little reading on 802.1Q. But even considering that, I'm still confused as to how I'm getting the DHCP server that is explicitly on VLAN 10. More reading, LOL.
Bittu, Employee
Hello Joshua,

With reference to your post, I understand the following:
-- The ZD and AP are on VLAN 10 and you would like to have a WLAN tagged with VLAN 1.
-- Although the WLAN was tagged with VLAN 1 they still get an IP address from VLAN 10.
-- ZD is on VLAN 10 and APs are connected to ports where VLAN 10 is untagged.

Kindly correct me if I am wrong.

The issue here is when you connect your ZD and APs to access ports on the switch where VLAN 10 is untagged, our devices still consider themselves to be on VLAN 1, since by default the Ruckus devices are on VLAN 1. Hence when packets hit the switch port they are passed anyways through VLAN 10 and will be able to reach the devices.
Also since the APs are connected to ports where the VLAN which is untagged is VLAN 10, hence all clients will automatically get the IP address from VLAN 10 since this is the native VLAN on this port.

To resolve this issue you need to follow the below procedure:
-- First you need to place the devices on management VLAN of 10 (ZD and AP). When any information with respect to VLAN is entered on the ZD, it means that the devices understand only tagged information.
-- Now on the ZD you will need to change the AP's VLAN. This can be done under Configure > AP > AP Policies > VLAN > Tag 10 here; the moment you hit Apply all the APs will disconnect.
-- Now under Configure > System > IP Setting > VLAN > Tag VLAN 10 > Hit Apply. The ZD will restart for the changes to take effect.
-- We will then have to change the port configurations: the ZD needs to be connected to a trunk port allowing the Native VLAN along with VLAN 10 as tagged. Similar configuration needs to be done for the APs.
-- Once this is done all the APs and ZD will be managed on VLAN 10 and this is a tagged VLAN.

Now you can tag the WLAN with VLAN 1 and this will allow your clients to receive an IP address from the appropriate DHCP server/scope.

Kindly let me know if you have any questions. If you need further assistance in setting this up, kindly contact support and we will be able to help you set this up.

Hope this helps. All the best.
Joshua Rusch
Thanks so much for your help! Will try to work through your instructions right now.

But at a glance, I do have some questions (maybe they will answer themselves when I try this out).

I'm using HP switches, and I think the term trunk is used differently here. I think you're using it in the Cisco sense? I just need to set all my VLANs to tagged on this port to make it a trunk, right? Nothing untagged?

The zone director has always had VLAN 10 in its IP configuration. It's just the APs that are on untagged VLAN 10 ports. This is the way it was set up for me.

I also found the "untag ID" in access point groups that I can set by model. I was unclear what it means in this context. Whenever I changed it from anything other than 1 (I tried 10), the access points could not talk to the ZD, it didn't matter. Even if I don't need this setting, it would be great if you could explain that one a little better for me than the user guide :)

Anyway, off to follow your instructions as best I can :) Thanks again.

PS, I have a ZD1100, forgot to mention that, not sure if it matters.
Bittu, Employee
Joshua,

Can we have a discussion before you try this? The reason being I don't want to miss out on any steps and can better understand how your network is actually set up. Can I have your contact number for me to give you a call?
Joshua Rusch
I actually already went through with it. I think my mistake was confusing "Management VLAN" with "Management Interface".
I had read earlier that APs still talk on the main interface even if you add management interfaces, and that confused me. I never messed around with that setting for the AP because I assumed it was irrelevant.

I now have ZD and all APs on ports with every VLAN tagged, nothing untagged and they're talking to each other fine. I factory reset the AP while it was still on an untagged port - I had messed them up earlier so I already had configured my DHCP server with the ZD IP in it and have done lots of factory resets today without issue. As soon as the AP reconfigured itself with the new settings it dropped off the map. I went and changed its port to VLAN 10 tagged and it found the ZD again in less than 30 seconds.

I think I understood VLANs well enough, I was just confused about the ruckus settings :) I thought everything was already on VLAN 10 as well.

Now I can't see the Authentication server on VLAN 1, but I never did understand how I could see it to begin with. Now I do. So yeah, I think I have a few routing issues to fix on either the switch or my firewall, but I'm fairly confident that the Ruckus is configured correctly now, VLAN wise.
Joshua Rusch
I am still curious about the "Untag ID" in the AP Groups settings.

If I have other questions, should I start a new topic?
Joshua Rusch
Hmm, not sure what happened but after I got off the phone nothing was working except ZD talking to APs. That authentication test doesn't work any more either. I think I'm going to restore my original config and give this a try again next week.
Joshua Rusch
Hah, strike that.

I think what happened before is that I bounced access points and I still had one plugged into a switch port that wasn't its normal port - so one AP had a misconfigured port.

Radius authentication is the only thing I haven't gotten working at this point. Time to make a new backup of the config...I like where I'm at.

Thanks again for all your help!
Joshua Rusch
FYI, I just solved my issue with the authentication server. I had added a management interface to the same network that the RADIUS server is on. Ruckus was contacting my RADIUS server from the new IP on the same subnet, as it should. I added the new management IP to my RADIUS server and I now have everything set up exactly the way I want it :)
Jeff Roback
For what it's worth, I'd STRONGLY recommend staying away from VLAN 1. We've had many long nights of problems with it. Even when traffic seems to be flowing normally, you'll have all sorts of odd problems like DHCP breaking, different behaviors between Cisco and HP, etc.

Not worth the drama, easier to change it up front...

And yes, tagging/trunking mean very different things in HP & Cisco worlds. A trunk in Cisco networks is a link with multiple VLANs traversing it. In HP land it is a bundle of links acting as one for bandwidth purposes.

Jeff
Joshua Rusch
Thanks for the suggestion. In the future I am definitely going to go that route.

It appears everything is working as I want it to now, although I do need to do a lot more testing. My "trunks" are simply ports with all VLANs tagged except for the native VLAN (1), which is untagged. I also discovered that you can change the "primary" (native) VLAN via the command line interface in HP switches, that could prove useful in the future. Most of my troubles stemmed from some confusion about what I read and my Ruckus' initial config - it wasn't properly off of the native VLAN. I had someone else set up the Ruckus for me so I wasn't terribly familiar with how it worked until I started reading the manual, posting here, and spoke with Bittu on the phone.

But had I known how many hours I was going to put into this in advance, I probably would have moved my data VLAN off of the primary/vlan 1, which I had considered doing before I started. After several hours went into it I got stubborn and wanted to get it working as is :)
Simon Eng
We go through the same procedure Bittu outlined above on *every* install, which is a bit time consuming. Since we also use a VLAN for network management, say 10 for argument's sake:
1. Plug in fresh ZoneDirector on switchport with VLAN 10 *untagged* (HP) or *native* (Cisco)
2. Configure ZoneDirector, change VLAN to 10.
3. Reconfigure switchport to VLAN 10 *tagged* or move ZoneDirector to appropriately tagged switchport.
4. Configure the "Access Point Policy" to use VLAN 10 for management.

For access points, similar procedure:
1. Plug in access point on switchport with VLAN 10 *untagged*.
2. After the access point is accepted and configured, it will disconnect.
3. Wait an appropriate amount of time before connecting the access point to a tagged port *or* tagging the port it is connected to. (This step is a bit hair raising because you lose visibility once the access point resets for the first time, and you don't know what it's doing, especially if you're doing a deployment with remote hands without central staging.)
4. If you manage to get the timing right and you don't disconnect the access point in the middle of a firmware update, congratulations, the AP should be online.
5. Rinse and repeat 1-4 a few hundred times. :-)

I am sure there would be an easier way to do this using RADIUS, NAC, and GVRP but since we do a lot of small to medium sized networks (10 - 250 APs) it is not something that we have really investigated.

Is there an easier way?
Jeff Roback
We find it much easier to leave the zone director and APs using untagged management traffic and just tag the wireless client traffic.

So if VLAN 10 is the management VLAN:
We set up the switch ports for the AP and the zone director to be untagged (default VLAN) 10. Then we allow the tagged traffic for the WiFi client VLANs onto the AP ports.

So setup looks like this: (paraphrasing from above)
1. Plug in fresh ZoneDirector on switchport with VLAN 10 *untagged* (HP) or *native* (Cisco)
2. Configure ZoneDirector IP address but leave VLAN (from zone director's perspective) to VLAN 1 (i.e. untagged)

For access points, similar procedure:
1. Plug in access point on switchport with VLAN 10 *untagged*.
2. AP boots up, pulls DHCP for IP address, uses DNS to find zone director.
3. Add ZP to zone director.
4. Assign WLANs to AP.
5. Allow tagged traffic for VLANs across AP ports.
Matthew Ausmus
I know this is old but I just found this thread because I was having the same issue. I walked into a client where they used vlan 1 for production because it was easy and they didn't know any better. Now, I'm implementing a management vlan & a guest vlan and the client doesn't want me to move production off vlan 1.

The issue here is that the ZD "assumes" that if the access vlan is set to 1 then it's untagged/native. Ruckus software doesn't provide a method of saying "I want vlan 1 tagged" or "I want to use vlan 10 and I want it untagged".

So, if this is your scenario:
vlan 1: production and will be used for trusted client Wifi
vlan 10: Management vlan since vlan 1 is already taken
vlan 20: Guest vlan

You end up with this configuration:

WLAN Production: vlan 1.
- Switch ports for APs will need this vlan untagged/native(pvid).
- On ZD, WLAN Access Vlan set to 1.

WLAN Guest: vlan 20:
- Switch ports for APs will need this vlan tagged.
- On ZD, WLAN Access Vlan set to 20.

AP Management: vlan 10.
- Switch ports for APs & ZD will need to have this vlan tagged.
- On ZD, Access Point configuration will need to stipulate Access Vlan as 10.
- Zone Director Device IP Setting has Access Vlan set to 10.

Hope this helps anyone else running across this.
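
The tagging behaviour discussed in this thread, as an added example that is not from any poster or from Ruckus: a small Python model that resolves which switch VLAN each traffic class lands in, so a planned layout can be checked for traffic ending up in the wrong segment. The names (`SwitchPort`, `effective_vlan`, `audit`) are hypothetical, the port layouts are constructed from the posts, and the model assumes the switch drops tagged frames for a VLAN that is not tagged on the port.

```python
from dataclasses import dataclass
from typing import Optional

# Per the thread: VLAN ID 1 on the ZD/AP always means "send untagged".
RUCKUS_UNTAGGED_ID = 1

@dataclass(frozen=True)
class SwitchPort:
    untagged: Optional[int]            # native VLAN / PVID on the switch port
    tagged: frozenset = frozenset()    # VLANs accepted with an 802.1Q tag

def effective_vlan(configured: int, port: SwitchPort) -> Optional[int]:
    """Switch VLAN that traffic lands in, or None if the switch drops it."""
    if configured == RUCKUS_UNTAGGED_ID:
        return port.untagged           # untagged frame joins the port's native VLAN
    # Assumption: tagged frames for a VLAN not tagged on the port are dropped.
    return configured if configured in port.tagged else None

def audit(port: SwitchPort, plan: dict) -> list:
    """plan maps a name to (VLAN set on the ZD, VLAN the admin intends)."""
    findings = []
    for name, (configured, intended) in plan.items():
        actual = effective_vlan(configured, port)
        if actual != intended:
            findings.append((name, intended, actual))
    return findings

# Constructed from the posts: the original AP port (untagged 10, rest tagged)
ORIGINAL_PORT = SwitchPort(untagged=10, tagged=frozenset({1, 20}))
ORIGINAL_PLAN = {"internal WLAN": (1, 1), "AP management": (1, 10)}

# Constructed from the last post: VLAN 1 untagged, 10 and 20 tagged
FINAL_PORT = SwitchPort(untagged=1, tagged=frozenset({10, 20}))
FINAL_PLAN = {"production WLAN": (1, 1), "guest WLAN": (20, 20),
              "AP management": (10, 10)}

if __name__ == "__main__":
    for label, port, plan in (("original", ORIGINAL_PORT, ORIGINAL_PLAN),
                              ("final", FINAL_PORT, FINAL_PLAN)):
        for name, intended, actual in audit(port, plan):
            print(f"{label}: {name} intended VLAN {intended}, lands in {actual}")
        # An AP switched to management VLAN 10 needs 10 tagged on its port
        print(label, "AP tagged for VLAN 10 ->", effective_vlan(10, port))
```

On the original port the audit reports the internal WLAN landing in VLAN 10, and an AP retagged for VLAN 10 is dropped until the port carries VLAN 10 tagged, which matches what the posters observed.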