FLEX100 + GS1200-5HP v2 and VLAN
Hi,
I have a Flex 100 firewall. On one port, there is a trunk, including VLAN55, going to a GS1200-5HP2 switch. The switch has two relevant ports for this question: one of them is in trunk mode, where the trunk includes VLAN 55, connected to an NWA1123 AP. The other port is untagged, and set for VLAN55.
Now: traffic flows nicely to the untagged port, and also the client for the AP in VLAN55 works nicely. The problem is that I cannot get the wired client in the untagged switch port to see the wireless client in the same VLAN.
Here is an image:
FLEX100
||
GS1200-5HP v2 —- Wired client
||
\===NWA1123 AP—-Wireless client
where == is trunk mode, and — untagged.
Any ideas?
All Replies
-
No, it is not. The wireless clients are smart home appliances, such as lightbulbs and power switches. They connect to the cloud nicely, but the controller in the LAN does not see them. And I checked that it is not about OS, as I was able to ping a lightbulb from a different VLAN (with security policy allowing that in place).
0 -
Does the wired client get an IP by DHCP?
From what I can tell you have a VLAN tag for AP to FLEX by switch, meaning the wired device being untagged can't get to FLEX for an IP?
0 -
Yes, the wired client gets an IP by DHCP, from the correct VLAN, and can connect to internet and I can ssh to it from another VLAN. The switch adds the tag for VLAN55 for packets incoming from the wired client.
0 -
You could try to switch the port settings for the connection between switch and AP.
I assume currently you have on that Port PVID1 and the Tag 55 added to it, same goes for the AP.
You could set PVID to 55 and add the Tag 1 to the ports. Starting with the AP. So all traffic on VLAN 55 becomes untagged.
A word of warning: changing the PVID will disconnect a device until the other end has the same setting. PVID 1 is the "native" VLAN-ID and is also used as default VLAN on such ports.
0 -
How about ping from wireless client to wired client, ICMP inbound allowed? Does that work?
0 -
Hi,
Indeed, the port settings for the AP port in the switch are
PVID 1
VLAN ID 1 "Untag Egress member"
VLAN ID 22 "Tag Egress member"
VLAN ID 55 "Tag Egress member"
and a couple of other VLANs. The FLEX gives the AP its address on VLAN22, and VLAN1 is nonexistent in the network (there is no such VLAN in the FLEX).
The port with the wired client has
PVID 55
VLAN ID 55 "Untag Egress member"
and nothing else.
0 -
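Added example, not part of any poster's message and not Zyxel code: a minimal 802.1Q model of the two switch ports exactly as posted above, plus the PVID 55 variant suggested earlier in the thread. It assumes standard ingress filtering (a frame is dropped when the port is not a member of its VLAN); the class, function and constant names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int            # VLAN assigned to untagged frames on ingress
    untagged: frozenset  # "Untag Egress member" VLAN IDs
    tagged: frozenset    # "Tag Egress member" VLAN IDs


def ingress_vlan(port: Port, tag: Optional[int]) -> Optional[int]:
    """Classify a received frame; tag=None means the frame arrived untagged."""
    vid = port.pvid if tag is None else tag
    # Assumption: ingress filtering drops VLANs the port is not a member of.
    return vid if vid in (port.untagged | port.tagged) else None


def egress_form(port: Port, vid: int) -> str:
    """How a frame in VLAN vid leaves this port."""
    if vid in port.tagged:
        return f"tagged {vid}"
    if vid in port.untagged:
        return "untagged"
    return "drop"


def forward(src: Port, tag: Optional[int], dst: Port) -> str:
    vid = ingress_vlan(src, tag)
    return "drop" if vid is None else egress_form(dst, vid)


# Port tables as posted (the "couple of other VLANs" on the AP port are omitted).
AP = Port("AP port", 1, frozenset({1}), frozenset({22, 55}))
WIRED = Port("wired client port", 55, frozenset({55}), frozenset())
# Suggested variant: PVID 55 untagged, VLAN 1 tagged (keeping 22 tagged is an assumption).
AP_SUGGESTED = Port("AP port, PVID 55", 55, frozenset({55}), frozenset({1, 22}))

if __name__ == "__main__":
    cases = [
        ("wired -> AP port", WIRED, None, AP),
        ("AP (tag 55) -> wired", AP, 55, WIRED),
        ("AP (untagged) -> wired", AP, None, WIRED),
        ("AP (untagged) -> wired, PVID 55 variant", AP_SUGGESTED, None, WIRED),
    ]
    for label, src, tag, dst in cases:
        print(f"{label}: {forward(src, tag, dst)}")
```

With the posted tables, VLAN 55 frames pass between the two ports only when the AP sends them tagged 55; anything the AP sends untagged is classified into VLAN 1 and never reaches the wired port.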
I hadn't tried, but tried now. As expected, "Destination Host Unreachable"
0 -
How many WLANs do you run? Is there a dedicated WLAN with VLAN-ID 55?
0 -
Yes, I have. I have five different SSIDs for different purposes (guest, two for active use, one for a specific legacy device, and this fifth for this building service technology purpose, which connects to VLAN55).
0