[NEBULA] DHCP not passing through on primary VLAN
Problem
When connecting to the primary SSID no IP address is issued to the client.
When connecting to the secondary SSID (guest) a correct IP is issued.
Configuration
I'm configuring a Nebula managed system comprising:
NSG100, GS1920-24, GS1920HP-24, WAC6303D-S
There are three VLANs defined:
VLAN10 = main data for physical and wireless; DHCP server issuing on 192.168.80.x
VLAN20 = guest wireless access, DHCP server issuing on 192.168.85.x
VLAN30 = telephony access, DHCP server issuing on 192.168.110.x
Management VLAN is 1, default
All VLANs come back to Port Group 1 on the NSG
The GS1920HP-24 is configured with
- Ports 1-12 allowing VLAN 1, 10, 20 and PVID 10
- Ports 13-24 allowing VLAN 1, 30 and PVID 30
- Ports 25-28 allowing all VLAN and used for uplink
The non-HP unit is 1-24 allowing VLAN 1, 10, 20 and PVID 10, and 25-28 allowing all, used for uplink
Physical connections
If I use a wired connection into ports 1-12 I get issued a correct address
Into ports 13-24 I get issued a correct address
So DHCP is passing through from the NSG to the switches correctly.
SSID configuration
Both SSIDs are configured with the appropriate VLAN id.
I am totally baffled as to why the guest network on VLAN 20 is issuing addresses correctly, but the primary isn't, but only when via wireless.
Any help much appreciated.
Accepted Solution
-
Hi @GingerMonkey ,
I would like to explain your configuration again and hope it will be easier to understand.
In your original configuration, the traffic of VLAN 10 and 30 is untagged out to the AP due to the PVID setting.
The packet flow will be like below: (From left to right are NSG > SW > AP > Wireless Client)
After you correct the PVID, the packet flow will be like this:
The reason why you see there is no problem when you use a wired connection is that the packet flow will be like below without any issue: (NSG > SW > Wired Client)
The same applies to VLAN 30.
Hope it helps.
Jason
All Replies
-
Hi @GingerMonkey ,
Welcome to Zyxel Community!
Thanks for your clear information.
I think there is a misconfiguration on your Nebula Switch.
The PVID of ports 1-12 and 13-24 on the GS1920-24HP, and the PVID of ports 1-24 on the GS1920-24, should all be configured as PVID 1, or the traffic for VLAN 10 and VLAN 30 from the NSG will be untagged out to your APs. (It should be tagged out to the APs.)
Hope it helps.
Jason
0 -
Thanks for the response.
I originally had the PVID set to 1 throughout, but found:
- if I made a wired connection on any port the device would pick up the underlying LAN1 IP range, not the appropriate VLAN range. Changing the PVID to be the 'default' VLAN for that port meant that the right IP is assigned when wired
- the AP didn't even show up online (although I think that may be due to the original firmware being hugely out of date)
It's important at this site that the VLAN is determined by the physical connection (or SSID) and does not have to be manually set on each client device. PVID of 1 throughout seemed to run contrary to that, but I may have been missing something.
Supplementary, if I switch it all back to PVID 1:
- On the AP, in the IP configuration (Access Point > Status > LAN IP) should that be set to Untagged or Tagged (and presumably PVID to 1 also)?
0 -
In fact, having just done some reading, I'm convinced that the PVID on the switch ports needs to be set to the desired VLAN, as the documentation indicates that the PVID is what the switch will add to any untagged traffic - as the whole system will be running off DHCP, all initial traffic will be untagged, so the infrastructure has to maintain the appropriate VLAN memberships.
I can see how it might need tweaking on the AP, although I would have thought that the AP would be sending tagged traffic because the VLAN ID is embedded in the SSID.
https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=007222&lang=EN
0 -
You could use the LAN 1 interface as Management VLAN and don't need to create a VLAN 1.
If you don't want to use LAN 1, make sure that the uplink port on the switch (connecting to the NSG) has a PVID that is different than 1, 10, 20 or 30, which are VLAN interfaces you create, it could be 100 for example. In this case, the untagged traffic from LAN 1 will be encapsulated in VLAN100. Then you could set the PVID as you mentioned.
For the IP settings, if you use LAN 1 for management, you could leave it as Untagged. If you want to keep VLAN 1, you need to set it as Tagged.
"You will never walk along"0 -
Thanks @Jason that helps.
There are a couple of other wrinkles I needed to solve, but I understand your point now, and have reconfigured the system accordingly. Along with help from one of your colleagues on the support team on some related issues, all is now working.
0
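The packet flow described in the accepted solution, as an added example that is not part of the original thread or Zyxel's code: a toy Python model of one switch port facing either an AP or a wired PC. It assumes the PVID VLAN leaves the port untagged and that the AP bridges an SSID only to frames tagged with that SSID's VLAN; the class and function names are hypothetical.

```python
# Added illustration: a toy model of 802.1Q port behaviour, not Zyxel firmware logic.
from dataclasses import dataclass

UNTAGGED = None  # a frame with no 802.1Q tag

@dataclass(frozen=True)
class SwitchPort:
    allowed: frozenset   # VLAN IDs the port is a member of
    pvid: int            # VLAN assigned to untagged ingress frames

    def ingress(self, tag):
        """Return the VLAN the frame is classified into, or None if dropped."""
        vlan = self.pvid if tag is UNTAGGED else tag
        return vlan if vlan in self.allowed else None

    def egress(self, vlan):
        """Return the tag on the wire, or 'drop'. Assumption: PVID VLAN egresses untagged."""
        if vlan not in self.allowed:
            return "drop"
        return UNTAGGED if vlan == self.pvid else vlan

def ap_delivers(tag_on_wire, ssid_vlan):
    """Assumed AP behaviour: an SSID bound to a VLAN only bridges frames carrying
    that VLAN tag; untagged frames belong to the AP's own untagged LAN."""
    return tag_on_wire == ssid_vlan

def wireless_dhcp_ok(port, ssid_vlan):
    # Client DISCOVER: the AP tags it with the SSID VLAN, the switch classifies it.
    vlan = port.ingress(ssid_vlan)
    if vlan is None:
        return False
    # The NSG's OFFER returns in the same VLAN; the tag on the AP-facing port decides.
    return ap_delivers(port.egress(vlan), ssid_vlan)

def wired_client_vlan(port):
    # A PC sends untagged frames and only accepts untagged replies.
    vlan = port.ingress(UNTAGGED)
    return vlan if vlan is not None and port.egress(vlan) is UNTAGGED else None

original = SwitchPort(frozenset({1, 10, 20}), pvid=10)   # ports 1-12 as first posted
corrected = SwitchPort(frozenset({1, 10, 20}), pvid=1)   # PVID 1 as advised in the thread

for name, port in (("PVID 10", original), ("PVID 1", corrected)):
    print(name, "| SSID VLAN10:", wireless_dhcp_ok(port, 10),
          "| SSID VLAN20:", wireless_dhcp_ok(port, 20),
          "| wired client lands in VLAN", wired_client_vlan(port))
```

With PVID 10 the model fails DHCP only for the VLAN 10 SSID, matching the reported symptom; with PVID 1 both SSIDs work and an untagged wired client lands in VLAN 1, matching what GingerMonkey saw on wired ports.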