2530 J9776a Guest VLAN

  • 1.  2530 J9776a Guest VLAN

    Posted Feb 26, 2024 04:18 AM

    Hi,  I hope I'm posting this in the correct community - I can't find a more likely one!

    I'd like to configure a guest wifi network that is separate from the main network at our office.

    We don't anticipate that the guest network will have a huge amount of traffic at any one time, so figure that it can share the single cable connection from the router, but be on its own VLAN.

    I'm a bit confused about whether I'm approaching this in the correct way and hope that I can get some insights from someone out there please.

    We have broadband coming in to a router, that connects to (Main switch) Aruba 2530-24G (J9776A) on switch port 3.

    This Main switch then connects from port 25 to port 25 on another 2530 (2nd switch).

    In turn the 2nd switch then connects from port 24 to port 23 on another 2530 (3rd switch)

    We also have a couple of Netgear unmanaged GS324 switches around the network.

    Finally we have 12 Draytek access points already working with the main wifi.

    I've set up a VLAN20 on the router with its own separate LAN range offering DHCP and DNS.

    I've added a second SSID to each of the APs and this SSID is tagged in a VLAN20.

    I am now unsure about how to carry out the tagging for this VLAN on the 2530 switches.

    The 2530s still have their default untagged ports setup, currently being used for everything.

    Having never dealt with VLANs before, I've spent the last couple of weeks between other jobs, researching this and seem to have got myself confused over how to set this up!  I think I'm trying to set up a very simple VLAN arrangement, but I guess I'm concerned that if I do this without more understanding, I'll cause myself big problems.

    Here are my questions:

    Do I just need to add the VLAN20 tag to the router port 3 and main switch port 25?

    Then also to the other connecting ports (listed above) between each switch?

    I haven't found an answer to whether the existing un-tagged ports 1-24 can all stay working correctly for the existing network, if I tag any of them as VLAN20? Will the port still allow traffic from the un-tagged and tagged VLAN at the same time without me having to do anything else?

    I don't think that I'll need to use trunks with this setup, because I read that on the Arubas, I can simply tag the necessary ports instead - is that correct?

    Do I still need to identify which exact switch ports each AP is connected to - or will the VLAN tagged ports setup on each 2530 take care of that when the switch sees that their guest traffic is on the VLAN20?

    Seen quite a few posts suggesting that the CLI is the way to actually configure these switches due to the poor GUI on the 2530s.

    Is that the way you'd recommend that I pursue this?

    My apologies for what may be very naive questions, but I'm hoping that you can tell me how best to accomplish this.

    Thanks in advance for your guidance.



  • 2.  RE: 2530 J9776a Guest VLAN

    Posted Feb 26, 2024 11:27 AM

    There is a lot to unpack here but to put it as simply as possible, you would want to tag that new VLAN on every physical interface it traverses. This includes the ports of your access points and from the Edge to your Router. Whatever default VLAN is Untagged will stay untagged. You are just "adding" a .Q tag.

    But also, it sounds like you are utilizing a router provided by your ISP? Is that provisioned for a second VLAN/Subnet? [VLAN/Tag - Route - NAT]?



    ------------------------------
    If my post was useful, please Accept Solution and Give Kudos.
    ------------------------------
    Zak Chalupka
    Principal Engineer - HPE Aruba
    ACDX | ACMP | ACSP | ACCP
    wifizak@hpe.com
    ------------------------------
    Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
    ------------------------------



  • 3.  RE: 2530 J9776a Guest VLAN

    Posted Feb 26, 2024 11:46 AM

    Hi, thanks for the reply and advice!

    We are a small school that have a router from our local authority.

    I have no access to that but they have configured a VLAN10 for us, with a separate gateway IP and DHCP pool for devices connecting to this new LAN. They also made DNS available on it.

    I think I can tag the necessary ports now from what you've said.

    What I'm still unsure of is if I need to do anything at all about tagging or untagging the VLAN1 ports when I tag the VLAN10 ports?




  • 4.  RE: 2530 J9776a Guest VLAN

    Posted Feb 26, 2024 11:59 AM

    Good to hear they have that configured for you.

    Tagging additional VLANs (on an AOS-S 2530) does not impact the untagged VLAN. If the port is untagged on VLAN 1 (default) and you run ("tagged vlan 20") on that same interface, traffic on VLAN 1 will not be impacted. Does that answer your question?



    ------------------------------
    Zak Chalupka
    ------------------------------



  • 5.  RE: 2530 J9776a Guest VLAN

    Posted Feb 26, 2024 12:22 PM

    Hi Zak, yes I think I'm nearly there now.

    One thing though if I may - when you said "tag that new VLAN on every physical interface it traverses" - do you mean that I need to (VLAN10) tag on EVERY port on each switch - not just the ports that connect to other switches please?




  • 6.  RE: 2530 J9776a Guest VLAN
    Best Answer

    Posted Feb 26, 2024 01:46 PM

    Not every port. But in your case (if I understand your design correctly):

     - The Ingress and Egress ports for your switch inter-connects

     - The interfaces connecting your APs

     - Potentially the interface to your router. Unless they have given you a different physical interface for this new network. Then it would be an untagged port on this new vlan. 



    ------------------------------
    Zak Chalupka
    ------------------------------
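
Added example (not part of any post above, and not HPE Aruba code): a small Python audit that reads VLAN stanzas in the style of AOS-S `show running-config` and reports any port on the guest path where VLAN 10 is not tagged or where VLAN 1 is no longer untagged. The config excerpts are constructed, the switch names `main`, `sw2`, `sw3` are labels for the three 2530s in the thread, and port 12 on `sw3` is a hypothetical AP port.

```python
# Added example: audit guest-VLAN tagging across the three 2530s in the thread.
# Config excerpts are constructed in the style of AOS-S "show running-config".
BASE = 'vlan 1\n   name "DEFAULT_VLAN"\n   untagged 1-28\n   exit\n'
CONFIGS = {
    "main": BASE + 'vlan 10\n   name "Guest"\n   tagged 3,25\n   exit\n',
    "sw2": BASE + 'vlan 10\n   name "Guest"\n   tagged 24-25\n   exit\n',
    "sw3": BASE + 'vlan 10\n   name "Guest"\n   tagged 12\n   exit\n',  # 23 missed
}
# Ports from the thread: router uplink and switch inter-connects.
# ("sw3", 12) stands in for an AP port; the thread does not list AP ports.
REQUIRED = [("main", 3), ("main", 25), ("sw2", 25), ("sw2", 24),
            ("sw3", 23), ("sw3", 12)]

def expand(spec):
    """Expand a port list such as '3,24-25' (numeric 2530 ports) into a set."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def vlan_ports(config):
    """Parse vlan stanzas into {vlan_id: {'tagged': set, 'untagged': set}}."""
    vlans, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if len(words) == 2 and words[0] == "vlan" and words[1].isdigit():
            current = vlans.setdefault(int(words[1]),
                                       {"tagged": set(), "untagged": set()})
        elif words[:1] == ["exit"]:
            current = None
        elif current and len(words) == 2 and words[0] in current:
            current[words[0]] |= expand(words[1])
    return vlans

def audit(configs, required, guest_vlan, native_vlan=1):
    """List ports where the guest VLAN is not tagged or the native VLAN was lost."""
    empty = {"tagged": set(), "untagged": set()}
    findings = []
    for switch, port in required:
        vlans = vlan_ports(configs[switch])
        if port not in vlans.get(guest_vlan, empty)["tagged"]:
            findings.append(f"{switch} port {port}: VLAN {guest_vlan} not tagged")
        if port not in vlans.get(native_vlan, empty)["untagged"]:
            findings.append(f"{switch} port {port}: no longer untagged in VLAN {native_vlan}")
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIGS, REQUIRED, guest_vlan=10):
        print(finding)
```

With the constructed configs it reports only the missed inter-connect on `sw3` port 23, the kind of gap that leaves the guest SSID without DHCP on APs behind that switch.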



  • 7.  RE: 2530 J9776a Guest VLAN

    Posted Feb 27, 2024 01:47 AM

    Thanks Zak, you've cleared up my queries.

    Thank you, Edward