This post is inspired by a question from Joe on my post about How To Set Up VLANs When You Don’t Understand VLANs. Joe wanted to use a multi SSID VLAN aware wireless access point to provide wireless access to 2 different networks which are themselves separated from each other by a router.
I have made slight modifications to Joe’s network to simplify the layout. To see Joe’s actual question and my answer go to http://disq.us/p/1ihiaam.
Joe made this network with 5 devices:
- The WAP: A multi SSID, VLAN aware wireless access point.
- Switch 1: a 24 port VLAN aware switch for the guest network.
- Switch 2: a 48 port VLAN aware switch for the private business network.
- POE switch: a 10 port VLAN aware POE (power over Ethernet) switch to connect the access point to the other 2 switches.
- Router: a 4 port router to allow firewalled interconnection between the 2 networks and the Internet.
In my setup, the “internal” network will use VLAN 200 and IPs 192.168.20/24 and the “external” network will use VLAN 100 and IPs 192.168.10/24. Substitute your address ranges and VLAN ids as appropriate. Joe’s network will look something like this:
That diagram might be all you need to set up the network, but keep reading for more details.
Configure the access point
Set up both networks on the access point, including the SSID, IP address, and VLAN id for each network. The cable connecting the access point to the switch will be carrying traffic for multiple VLANs so the traffic on this cable must be tagged so it can be properly sorted. You probably also want to make the admin interface only accessible from the secure VLAN.
Configure POE Switch
This switch will be part of both networks. The WAP will connect to port 1, switch 1 (for the guest network will connect to port 2, and switch 2 (for the business network) will connect to port 3. Any traffic coming from the WAP into port 1 will be sorted to the proper VLAN and then the VLAN tag will be stripped before being sent out port 2 or 3. Any traffic coming in port 2 or 3 and destined for the WAP will be tagged with the VLAN id before being sent out on port 1.
Port 1: Tagged (trunk or possibly general) in both VLANs for the access point connection. This port will accept traffic for both VLANs from the WAP.
Port 2: Untagged (access) in VLAN 100 and excluded in all other VLANs to connect to GUEST lan switch. Only traffic tagged with VLAN 100 will be sent out this port (after the VLAN tag is removed). Any traffic entering on this port will be tagged as VLAN 100.
Port 3: Untagged (access) in VLAN 200 and excluded in all other VLANs to connect to the PRIVATE lan switch. Only traffic tagged with VLAN 200 will be sent out this port (after the VLAN tag is removed). Any traffic entering on this port will be tagged as VLAN 200.
Configure switch 1 and switch 2
Since we did all of our VLAN sorting in the POE switch and these switches only serve their individual networks, no VLAN configuration is necessary.