Ruckus ZoneDirector 3000 setting VLANs problems

  • 1
  • Question
  • Updated 1 month ago
  • Answered

Hi All,

Recently I’ve setup different VLANs on my network and would like to split internal and guest WLANs to two different VLANs.

Ruckus ZoneDirector 3000 with ZoneFlex 7363 APs. Layer 3 switch does my routing, I’ve setup VLANs on my switches with correct gateway and IP Helper (I can connect to different VLANs and get an IP address from DHCP server and access the Internet). I would like to use VLAN 20 for internal laptops and VLAN 30 for guests. But I am having a lot of problems and hope that someone can point me in the right direction.

I have tried different settings combinations but my Zonedirector just cannot see any of my APs. Quick configuration overview:

Three VLANs – 10 (PCS), 20 (Internal Wireless), 30 (Guest Wireless).

On the controller:

Configure – System – Set an IP address for Zonedirector on VLAN 10 with correct Gateway and DNS, Access VLAN 1 (if I set an IP from VLAN 20 and/or set Access VLAN to anything apart from VLAN 1 – Zonedirector becomes inaccessible), port on the switch that Zonedirector connected to is set to VLAN 10.

Configure – WLANs -2 WLANs. Internal set NO to Isolate traffic, Access VLAN 20. Guest set NO to Isolate traffic, Access VLAN 30.

Configure – Access Points – All of previously (connected before I’ve set up VLANs) connected APs are showing. Access Point Group – just one group with all APs. In Port Setting option – set LAN3 connection to “Trunk Port” with Untag ID set to 1.

Monitor – Access Points- All Access Points show as Disconnected.

Ports on the switch that APs connected to set to Trunk, with VLAN 1 – Untagged; VLAN 10, 20 and 30 – Trunk.

I would really appreciate if someone can point me in the right direction. Thanks.





Photo of Sergei Yevseyev

Sergei Yevseyev

  • 9 Posts
  • 0 Reply Likes

Posted 2 months ago

  • 1
Photo of Paul McGuire

Paul McGuire

  • 22 Posts
  • 12 Reply Likes
Not 100% certain how you do this in zonedirector as I have the newer Virtual smartzone controller. On each SSID you configure the vlan it uses. Then the only thing else to change is make sure the switch ports have that vlan tagged or trunked on it. There is no need to change the ip of the AP or controller.
Photo of Sergei Yevseyev

Sergei Yevseyev

  • 9 Posts
  • 0 Reply Likes
Paul, thanks for your reply. Yes, I've got the same settings but still no luck. I am trying something different and if I change management VLAN on ZD, I get a message that my Access Point was connected for 4 seconds and then reset due to Management VLAN change but it does not appear again. I am very confused.
Photo of Victor Cenac

Victor Cenac

  • 45 Posts
  • 15 Reply Likes
OK, let's do this one step at a time:
1. It really does not matter what VLAN the ZD is on, since its port should not be trunked. So whatever you decide to use, the packets will not be tagged. Be careful though, the ZD can also be used to serve the webpage for a captive portal for guests, admins and tech support login etc.... so place it in accordingly.
Check the settings in Settings / AP General Settings and see what is set for Management VLAN.
2. The APs. The APs should be placed on a trunked port. Every trunked port also accepts untagged packets on its "default" or "native" VLAN (usually VLAN 1). It is best to use this VLAN for AP management (not client traffic). (use the same VLAN the AP is using now).
Let's go with this design for now. After setting up a test port on the switch, verify by connecting a laptop to that port and seeing if you get an IP via your DHCP on that default VLAN. The laptop will not know it's connected to a trunked port and will use it a regular access port. If this works, see if you can reach the ZD IP from that port and subnet. Once this is successful, verify that the AP management is set to that VLAN (1), and place an AP on this port. At this point, there is no change on the AP. It is still using untagged traffic and it is able to reach the ZD.
At this point you can start adding VLANS to the AP by changing the VLAN overrides for each WLAN. Under Wireless LANs click on a WLAN Group (make one if you don't have one) and change the Tag for each WLAN as needed.
This setting will obviously not affect the APs management. Connect a client to each WLAN and verify connectivity. You can also check the network setup by, again placing a laptop in place of the AP and, in a Windows laptop, you can change nic's properties to force it to use a VLAN or tagged traffic.
In Network Connections right click on the NIC and click on Properties. Under Connect using... the NIC is listed. Click on Configure... Under Advanced scroll down and fine Packet priority and VLAN. Change the value to VLAN Enabled. Find VLAN ID. Set the id to the value you want to test (10 20 30 etc.). These settings are dependent on the hardware supporting it.

OK, now scenario 2: You can't make the native VLAN work on your switch. Then the management VLAN of the AP has to be a tagged one (this my case, sadly).

I am assuming everything works now untagged. After verifying your trunked ports work ok and your subnets are set up ok.... you can take the plunge and change the management VLAN in Settings AP general settings. Once you made that change.... all your APs will get this new setting and reboot. They will only work again when placed on a trunked port with that management VLAN working... or after a reset.
This design also adds a provisioning issue. Let's say you buy a new AP, or reset one... It will only work on an access port, untagged. So you'll have to have some provisioning network. Once the AP boots up, looks for zonedirector in your DNS, finds it, connects to ZD, gets the config and stops working, because its management VLAN just changed, so after the first provisioning, it has to be moved to a trunked port... 

Please let me know if you have any questions! I can even be available for a skype call or something similar if you speak English..
Photo of Michael Brado

Michael Brado, Official Rep

  • 2955 Posts
  • 414 Reply Likes
Sergei, like Victor says, the best practice is to use (untagged) VLAN 1 for ZD and APs, then tag the other WLANs with client VLANs (10,20,30), assuming all the local VLANs are present where the APs are located.
Photo of Sergei Yevseyev

Sergei Yevseyev

  • 9 Posts
  • 0 Reply Likes
Hi Victor, wow its very thorough information. Thank you very much. I'll go through it and report back (it will take few days as I'm taking some time off as well). Thank you again.
Photo of Sergei Yevseyev

Sergei Yevseyev

  • 9 Posts
  • 0 Reply Likes
Hi Everybody, I'm back and the following setting are applyed: ZD port on the switch is set to VLAN1 - untagged, ports for APs are set to VLAN1 - untagged, VLAN20 - tagged (for internal laptops), VLAN30 - tagged (for guests). Still nothing, all AP are Disconnected on ZD :-( . I have deleted one AP from ZD and reset it to factory and  guess what - ZD found it, I've Approved it and it is running! Did the same on the second one it works as well. That is very good news but not sure why I have to remove and add APs all over again? Anyway there are only 24 of them and it's not a big job.
But as Victor mentioned about VLAN for ZD, as ZD has login/Accept T. and C. page for guests and though I can connect to Guest network I cannot access that page on ZD and cannot get to the Internet. So, one of the resons that I can see is that VLAN1 on my Layer 3 switch is down by default and is not routed, so I can not see it from Guest network, do I have to move my ZD onto a different VLAN? Do I have to put it on the same VLAN as Guest network (VLAN30)? Is it a good idea in terms of security?
And thank you for all your answers!
(Edited)