Unifi Management VLAN Issues/Unusual Behaviour

Hi forums,

Just touching base to see if anyone has noticed some unusual behaviour with the dynamic VLAN assignment on UniFi APs.

VLAN 1 is where all my servers, including the NPS server, are located.
VLAN 2 - Workstations group #1
VLAN 3 is where my Cloud Key and APs are located.
VLAN 4 - Workstations group #4
VLAN 5 - Workstations group #5

Switches: HPE 2930F

Routing between Vlans is fully transparent for this example.

For the Cloud Key and APs I have VLANs 1, 2, 4 and 5 tagged on the HP switches and VLAN 3 untagged.

I can see that the devices that need to be dynamically assigned VLAN 1 through NPS are getting that assignment; however, they are being given an IP from the VLAN 3 range.

All other dynamic assignments work correctly and receive the correct range.

As a trial, I set all the APs to have a "management VLAN" of 3 and set their ports as VLAN 1 untagged and the rest tagged.

The APs get the correct IP address from VLAN 3, and now devices assigned VLAN 1 get their correct IP addresses.

However, I'd prefer the APs to be natively on VLAN 3 for the sake of adoption and management etc.

Am I right in assuming that when the APs are natively on VLAN 3, instead of having the management VLAN option enabled on the APs, they are stripping the VLAN 1 dynamic tag because they assume their native VLAN is VLAN 1?

Hope to hear from you soon

Regards,
Josh

Yes, internally the AP uses VLAN1 as an assumed-untagged VLAN - if you don’t set a management VLAN, the IP is assigned to VLAN1. The AP’s port is basically programmed as “switchport mode trunk; switchport trunk native vlan 1” in Cisco terminology. Lots of equipment does this. It is a best practice in enterprise networks to not use VLAN1, either tagged or untagged, for anything, due to different hardware behaviors across vendors. When you set the untagged VLAN to 3 on your HP switches, the switch is stripping off the VLAN3 header, and then the AP is adding on a VLAN1 header (and the opposite on transmit).

Thanks for the reply.

The issue I'm having is that if I natively set the HP switch ports to VLAN 3 untagged and leave the Management VLAN blank on the APs, it's stripping the VLAN 1 header, and any devices intended for VLAN 1 are being assigned an address from the untagged VLAN 3 range.

Although I suspect this is by design, because as you said, they assume the native VLAN is 1.

Once I'm back at the office, I'll have to try setting the ports to VLAN 3 untagged and leaving the Management VLAN setting as 3. However, I'm not sure if that will work, because there's no need to tag traffic on an untagged port.

And yes - couldn’t agree more.
I’m in the process of moving everything off VLAN for that very reason.

The site was originally a flat network, and it was a proper cluster…

The AP internally has a bridge - a software implementation of a switch. This bridge has physical interfaces (the ethernet port(s), and the wireless radios), and a virtual interface for the OS. What you are controlling with the “management VLAN” setting for the AP is the virtual OS interface, and blank equals 1. Any SSID that doesn’t have a VLAN on it also defaults to VLAN 1. Within the AP, there is no such thing as an untagged packet. The bridge on all the ethernet ports has the equivalent of “switchport trunk native vlan 1” on it. So if you have a wireless client in VLAN 1, on egress from the bridge the VLAN header will be stripped.