VLAN Example: Share VLAN aware multi-SSID access point between 2 networks

By | November 12, 2017

This post is inspired by a question from Joe on my post about How To Set Up VLANs When You Don’t Understand VLANs.  Joe wanted to use a multi SSID VLAN aware wireless access point to provide wireless access to 2 different networks which are themselves separated from each other by a router.

I have made slight modifications to Joe’s network to simplify the layout. To see Joe’s actual question and my answer go to http://disq.us/p/1ihiaam.

Joe made this network with 5 devices:

  • The WAP: A multi SSID, VLAN aware wireless access point.
  • Switch 1: a 24 port VLAN aware switch for the guest network.
  • Switch 2: a 48 port VLAN aware switch for the private business network.
  • POE switch: a 10 port VLAN aware POE (power over Ethernet) switch to connect the access point to the other 2 switches.
  • Router: a 4 port router to allow firewalled interconnection between the 2 networks and the Internet.

In my setup, the “internal” network will use VLAN 200 and IPs 192.168.20/24 and the “external” network will use VLAN 100 and IPs 192.168.10/24. Substitute your address ranges and VLAN ids as appropriate. Joe’s network will look something like this:

Multi SSID WAP VLAN Joe

 

That diagram might be all you need to set up the network, but keep reading for more details.

Configure the access point

Set up both networks on the access point, including the SSID, IP address, and VLAN id for each network. The cable connecting the access point to the switch will be carrying traffic for multiple VLANs so the traffic on this cable must be tagged so it can be properly sorted. You probably also want to make the admin interface only accessible from the secure VLAN.

Configure POE Switch

This switch will be part of both networks. The WAP will connect to port 1, switch 1 (for the guest network will connect to port 2, and switch 2 (for the business network) will connect to port 3. Any traffic coming from the WAP into port 1 will be sorted to the proper VLAN and then the VLAN tag will be stripped before being sent out port 2 or 3. Any traffic coming in port 2 or 3 and destined for the WAP will be tagged with the VLAN id before being sent out on port 1.

Port 1: Tagged (trunk or possibly general) in both VLANs for the access point connection. This port will accept traffic for both VLANs from the WAP.

Port 2: Untagged (access) in VLAN 100 and excluded in all other VLANs to connect to GUEST lan switch. Only traffic tagged with VLAN 100 will be sent out this port (after the VLAN tag is removed). Any traffic entering on this port will be tagged as VLAN 100.

Port 3: Untagged (access) in VLAN 200 and excluded in all other VLANs to connect to the PRIVATE lan switch. Only traffic tagged with VLAN 200 will be sent out this port (after the VLAN tag is removed). Any traffic entering on this port will be tagged as VLAN 200.

Configure switch 1 and switch 2

Since we did all of our VLAN sorting in the POE switch and these switches only serve their individual networks, no VLAN configuration is necessary.




If you find this site helpful, please consider supporting my efforts by clicking My Amazon Affiliate Link and buying whatever you would normally buy or maybe Try Amazon Prime 30-Day Free Trial.

  • Pingback: How To Set Up VLANs When You Don’t Understand VLANs – Jason's Web Site()

  • Mike

    Hi, great post, but just wondering how it work in the following scenario;

    Netgear AP > Netgear Switch > SonicWALL

    2 SSID’s on 1 AP. Corporate and Guest. Corp is VLAN 1 and Guest is VLAN 99.
    Need to send traffic via managed switch to Firewall, to give internet access to both SSID’s but not able to access each other.

    Any advice? Thanks.

    • It can be done, but how to do it depends on the exact capability of your switch and SonicWALL.

      First, you set up both networks in your AP, then connect the AP to a port on the switch that is tagged in both VLANs.

      After that you need some routing functionality, which may involve creating a third VLAN. It is possible this can be taken care of inside your switch if it has Layer 3 capability. It’s also possible that you SonicWALL device may have VLAN capability and the ability to create an interface for each of your networks and perform the routing inside. If neither your switch nor your SonicWall has the capability you could get a separate router (Something like this: http://amzn.to/2Cn8Yim). One port (untagged) from each switch VLAN will go to a router port. The SonicWall will connect to a third router port. The router can then be configured to do the routing you require.

      Sorry I can’t be more helpful than that without knowing more about your switch and SonicWALL.