Tagged vs Untagged vlan ID in WLC

Unanswered Question
Feb 14th, 2014

  I have WLC 2106 with 10 APs and two internet lines (one for internal (top) and one for guest wifi (below)). Internal users use main SSID (users) and guests use different SSID (guest). When I looked at port 3 of WLC, it connected with one 8 ports netgear switch and then D-link router. I know that WLC supports auto MDI-X so I did not worry about cross cable. (Actually I tested with cross cable for test). But every time when I disconnected netgear switch, no matter what cable I used, WLC couldn't ping D-link router.


WLCDiagram.jpg


So, when I looked at the Controller interface I saw that the VLAN identifier was 14. So I did "show vlan b" at the Core switch to find out whether this vlan was used by any access switch, but none of the switches used this vlan. The Core switch was connected to all access switches, but the access switches did not have this vlan 14. Also all APs are connected through trunk ports (which is not right, unless we used H-REAP mode). Anyhow I changed the vlan ID to untagged and took out the netgear switch, then it worked.

WLC2.jpg


  I guess that previous engineer made a vlan 14 in Core (He did not even make vlan 14 at any access switches connected to APs) and put trunk ports toward APs (which is not a best practice unless we used H-REAP mode). So he might think that this vlan was connected from WLC to every AP, so AP can send guest SSID.


Now these are my questions.


1. Is vlan 14 necessary in core switch? vlan 14 doesn't have any IP address (show ip int b --> no interface IP address, also even access switches do not have this vlan 14) So it seems like that someone in my company made a vlan 14 in core switch and made vlan Id 14 in WLC with extra netgear switch to make it work.


2. Why was this netgear dummy switch necessary to make it work with tagged ID vlan 14 between WLC and D-link router? WLC had a tagged vlan 14 connected with Netgear switch. Does this netgear switch make it untagged before it reaches the D-link router?


3. Usually dynamic vlan (data vlan) needs to be tagged like below (tag 16 for internal user). If this vlan (guest) was not tagged like below, does it make any problem because management and AP manager have same untagged vlan. 


WLC3.jpg


Thanks for your feedback and knowledge.


(update) for question 3) Actually this D-link router is connected at Port 3 (not Port 1, which is connected to the management interface). I guess that is why untagged vlan ID works.

Stephen Rodriguez Fri, 02/14/2014 - 10:55


1. Is vlan 14 necessary in core switch? vlan 14 doesn't have any IP address (show ip int b --> no interface IP address, also even access switches do not have this vlan 14) So it seems like that someone in my company made a vlan 14 in core switch and made vlan Id 14 in WLC with extra netgear switch to make it work.


Well, tagging the VLAN allows for QoS between the AP and the WLC.  We would need to know the configuration of the switchport that the netgear is connected to, to know why it didn't work when you removed it.  But I would hazard that the port is configured with switchport trunk native vlan 14, and the netgear was removing the tag.  If you put the VLAN tag back on the WLC and set the connected switchport to use a different vlan as native it should work.

Kyujin Choi Fri, 02/14/2014 - 11:00

  Thanks for your reply. Basically there is no switch involved between WLC and D-link except dummy Netgear switch like below. So there is no trunk (or native vlan setup) below.


WLC port 3 -----------  Netgear 8 ports switch -----------------  D-link router ---  Comcast (for guest wifi)



  I agree that somehow Netgear switch was removing the tag (14) when it reaches to D-link router.

Rasika Nayanajith Fri, 02/14/2014 - 10:59

Hi Kyujin,


Pls find my responses to your queries


1. Is vlan 14 necessary in core switch? vlan 14 doesn't have any IP address (show ip int b --> no interface IP address, also even access switches do not have this vlan 14) So it seems like that someone in my company made a vlan 14 in core switch and made vlan Id 14 in WLC with extra netgear switch to make it work.


No, it is necessary if you are giving DHCP or SVI defined on the core switch. I believe in your case all guest users will get IP from D-Link router.


2. Why was this netgear dummy switch necessary to make it work with tagged ID vlan 14 between WLC and D-link router? WLC had a tagged vlan 14 connected with Netgear switch. Does this netgear switch make it untagged before it reaches the D-link router?


Since the WLC is tagged with vlan14, whoever is receiving that packet should be able to understand that. Since the D-Link router is not capable of tagging/untagging, the Netgear switch may have done that function.


3. Usually dynamic vlan (data vlan) needs to be tagged like below (tag 16 for internal user). If this vlan (guest) was not tagged like below, does it make any problem because management and AP manager have same untagged vlan. 


Best would be move your management & AP-manager interfaces onto a tagged vlan.


HTH

Rasika


**** Pls rate all useful responses *****
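An added illustration (not part of the original thread or any poster's code) of what "tagged" and "untagged" mean on the wire, using constructed sample frames: an 802.1Q tag is four bytes inserted after the source MAC, carrying the 3-bit priority used for QoS and the 12-bit VLAN ID, so a device that does not understand 802.1Q reads 0x8100 where it expects the payload's EtherType. Function names and MAC addresses here are assumptions made for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q VLAN tag


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II header, with or without a single 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlan": None, "pcp": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13        # 3-bit priority code point (QoS)
        info["vlan"] = tci & 0x0FFF    # 12-bit VLAN ID
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag, as a port with a tagged VLAN ID does on egress."""
    if not 1 <= vid <= 4094 or not 0 <= pcp <= 7:
        raise ValueError("VLAN ID must be 1-4094 and PCP 0-7")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag, as an untagged (access) port does on egress."""
    if frame[12:14] == struct.pack("!H", TPID_8021Q):
        return frame[:12] + frame[16:]
    return frame


def legacy_ethertype(frame: bytes) -> int:
    """EtherType as read by a device that is not 802.1Q-aware (bytes 12-13)."""
    return struct.unpack("!H", frame[12:14])[0]


# Constructed sample: broadcast IPv4 frame from a made-up MAC address.
UNTAGGED = bytes.fromhex("ffffffffffff" "001122334455" "0800") + b"guest"
TAGGED_14 = add_tag(UNTAGGED, vid=14, pcp=5)
```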

Kyujin Choi Fri, 02/14/2014 - 11:07

Thanks for your reply.


   1. "No, it is necessary if you are giving DHCP or SVI defined on the core switch. I believe in your case all guest users will get IP from D-Link router."


   (update from me) You are right if users get a DHCP IP from D-link router. However, our guest wifi users are getting an IP from WLC (Internal DHCP Scope).




   2. "Since the WLC is tagged with vlan14, whoever is receiving that packet should be able to understand that. Since the D-Link router is not capable of tagging/untagging, the Netgear switch may have done that function."

 

    (updated from me) thanks for this information. They are not capable of understanding.



  3. You are right, we'd better use a tagged vlan for management.

Rasika Nayanajith Fri, 02/14/2014 - 11:11

Hi


 However, our guest wifi users are getting an IP from WLC (Internal DHCP Scope).

Since Guest traffic flows from WLC to D-Link router, there is no need that traffic goes to your core switch. So it is not necessary to have this guest VLANs on your core switch (in a situation you tagged guest wlan traffic)


HTH

Rasika


**** Pls rate all useful responses ****

Kyujin Choi Fri, 02/14/2014 - 11:18

  I agree with your explanation.


  This is a rough guess as to why my previous engineer put a vlan 14 at the core switch.


  When you look at the APs, they are not connected directly to the WLC (only two are). So the rest of the APs are connected through access switches and the Core, then go to the WLC. So he might have thought that this vlan traffic was needed. But he still forgot to make the vlan in each access switch.


  So, the bottom line is this. He planned that guest wifi users could get an IP from the WLC (Internal DHCP scope), so he thought that this vlan was needed at the Core. The reality is that through CAPWAP, even though there is no such vlan at each access and core switch, an end user can get an IP from the WLC.

blenka Thu, 02/20/2014 - 05:15

Tagged - means trunk link


untagged - means access port
