ZD3050 configuration for the controller and some (not all) APs on separate VLANs

  • Question
  • Updated 3 months ago
  • Answered

We have a client with two locations. The ZoneDirector and many APs are at the main location; about 23 APs are at the secondary location. Currently, there is a dedicated ethernet circuit between the two sites. We are changing the connection to two separate internet connections with an SD-WAN connecting them. Currently, the ZD and the APs are on the same VLAN (VLAN 1). We have to put the secondary site devices on VLANs that do not duplicate the VLANs at the primary site due to the connection type. Now, we are trying to figure out the correct configuration to get the secondary site APs to be on the separate VLAN (VLAN 200) and still work with the ZD at the main site. We have Cisco switches at both locations (currently all APs are plugged into trunk ports) and Meraki firewalls will be providing the new SD-WAN connection. But as of right now (even with the still-flat network) I cannot even get the secondary site APs to communicate with the ZoneDirector when I move them to a new VLAN. We have tried numerous different settings in the AP policies and on the Cisco switch ports.

Kevin Chaney

  • 5 Posts
  • 0 Reply Likes

Posted 3 months ago


Albert Pierson, Employee

  • 168 Posts
  • 143 Reply Likes
Hi Kevin,

If APs are on a different IP subnet than the ZoneDirector, then you need to provide some way for the APs to discover the ZoneDirector.

The Discovery mechanisms are:

  • APs on the same IP subnet discover the ZoneDirector and join automatically.
  • You can configure the local DHCP server to provide the ZoneDirector IP using DHCP option 43.
  • You can configure a local DNS to respond to zonedirector.local.lan with the ZD IP. local.lan will be the domain provided by DHCP.
  • Manually configure each AP via AP CLI/SSH with the command: set director ip <zd_ip>
  • Depending on version, the AP GUI has a discovery option where you can configure the ZD IP into the AP.
All APs initiate communication to the ZDs, so APs can work behind NAT, but you must be able to ping the ZD from the AP. The AP control protocol is LWAPP, which uses ports 12223 and 12222. You also need port 21 (FTP) open to permit the AP to be upgraded from the ZD. HTTPS (443) and HTTP (80) may be needed if you have guest services or captive portal configured.

Hope this helps,

Cheers

Albert
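The DHCP option 43 path from the reply above, as an added example that is not code from the thread or from Ruckus: it builds the option 43 payload for a remote-site pool, decodes it back to check what an AP will actually see, and lists the AP-to-ZD ports the reply names so they can be checked on the SD-WAN firewall. The sub-option code 0x03 and ASCII-encoded IP are assumptions about the Ruckus vendor format, and the IOS dotted-hex layout is likewise assumed; confirm both against Ruckus and Cisco documentation before deploying.

```python
"""Build and verify a ZoneDirector DHCP option 43 payload (added example)."""
import ipaddress

ZD_SUBOPTION = 0x03  # ASSUMED Ruckus sub-option code carrying the ZD address


def required_ports(guest_or_portal: bool = False) -> list:
    """AP -> ZD ports named in the reply: LWAPP control, FTP for upgrades,
    plus HTTP/HTTPS only when guest services or a captive portal are in use."""
    ports = [12222, 12223, 21]
    if guest_or_portal:
        ports += [80, 443]
    return ports


def option43_hex(zd_ip: str) -> str:
    """Return the option 43 TLV (code, length, ASCII IP) as a plain hex string."""
    ipaddress.IPv4Address(zd_ip)  # raises ValueError on a malformed address
    value = zd_ip.encode("ascii")
    return bytes([ZD_SUBOPTION, len(value)]).hex() + value.hex()


def decode_option43(payload_hex: str) -> dict:
    """Parse the TLVs back out so a misconfigured length is caught before rollout."""
    data = bytes.fromhex(payload_hex.replace(".", ""))
    out, i = {}, 0
    while i + 2 <= len(data):
        code, length = data[i], data[i + 1]
        chunk = data[i + 2:i + 2 + length]
        if len(chunk) != length:
            raise ValueError("truncated TLV at offset %d" % i)
        out[code] = chunk.decode("ascii")
        i += 2 + length
    return out


def cisco_dhcp_pool(name, network, mask, gateway, domain, zd_ip) -> str:
    """Render an IOS pool for the remote AP VLAN; hex is split into dotted
    4-digit groups, the form IOS normally displays (assumed accepted on input)."""
    raw = option43_hex(zd_ip)
    dotted = ".".join(raw[i:i + 4] for i in range(0, len(raw), 4))
    return "\n".join([
        f"ip dhcp pool {name}",
        f" network {network} {mask}",
        f" default-router {gateway}",
        f" domain-name {domain}",
        f" option 43 hex {dotted}",
    ])
```

Values such as `10.0.1.5` or VLAN 200 addressing are constructed for the example; the AP still has to reach the ZD address on the listed ports across the SD-WAN.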




Kevin Chaney

  • 5 Posts
  • 0 Reply Likes
Thank you for the reply. Do I also need to change the untag ID to 200 in the model-specific control port settings?

Albert Pierson, Employee

  • 168 Posts
  • 143 Reply Likes
The untagged ID in the AP Model Specific configuration is only for the internal untagged/native VLAN used in the AP. By default (like most switches) this is VLAN 1. Since this VLAN is not sent (as it is untagged/native), it does not need to be changed unless you need to use VLAN 1 as tagged externally. It does not need to match the native/untagged VLAN on the switch port.

It is always best to leave AP management as untagged and set the switch port native/untagged VLAN if you wish to carry AP management in the switches on a specific VLAN. If you tag the AP management VLAN you will have issues with factory-defaulted APs, which by default send traffic untagged, requiring manually configuring each AP before connecting, or changing the port settings to untagged and then back to tagged after the AP connects and gets configured. Using the ZD settings to configure the AP management VLAN is also a problem in a multi-site deployment where the AP management VLAN may be different. Keep it simple and let your network manage the AP management VLANs.

Victor Cenac

  • 62 Posts
  • 19 Reply Likes
Correct! I have this exact problem! At first deployment, tagged VLAN 10 was chosen for management and now we are boxed in! Can't reset an AP in the field (not easily), because it falls off the network. We have to make special arrangements to re-provision.

Victor Cenac

  • 62 Posts
  • 19 Reply Likes
Also don't forget to set the management VLAN in ZD, under Access Points / Management VLAN, to "Keep AP's setting".

Kevin Chaney

  • 5 Posts
  • 0 Reply Likes
But I also have APs at the primary site on VLAN 1, which is set as the management VLAN. I cannot set two separate management VLANs, correct?

Albert Pierson, Employee

  • 168 Posts
  • 142 Reply Likes
As I commented above, it is best to use the native/untagged VLAN for AP management and leave the ZD Configure AP setting to "Keep AP's setting" so the APs do not tag management traffic. You can configure the switch ports' native/untagged VLAN to put this traffic into any specific VLAN for your network without the complication of managing APs to tag this traffic.

Victor Cenac

  • 62 Posts
  • 19 Reply Likes
Yes, that is why, if you use tagged management VLANs, the APs at the far site will have to be set by hand to use VLAN 200. Or maybe you can change VLAN 200 in the switch to be the native one, untagged, in which case it really doesn't matter. The AP can think it's using VLAN 1; as long as it is untagged, it will work the same.

Kevin Chaney

  • 5 Posts
  • 0 Reply Likes
Going to try adding DHCP option 43 with the ZD IP on VLAN 200 and make the switchport of one of the APs native VLAN 200 and see if that works.


Victor Cenac

  • 62 Posts
  • 19 Reply Likes
I avoided DHCP option 43 and just placed an A record for zonedirector in our DNS (even the external DNS). A brand new AP will get its IP, router (gateway) and domain from DHCP and then query for zonedirector. That is how it learns where the ZD is. It connects, downloads the config and provisions.

Kevin Chaney

  • 5 Posts
  • 0 Reply Likes
Seems like we are good to go now. Thank you both for your help.