Hi Jack,
Sorry for coming back late, but I was a little busy the last few days.
So, I checked my configuration again for you.
First thing to mention: I use a different VLAN ID for management, because ID 1 is already used as the management VLAN for the switches.
So, you should keep an eye on that, because it is important to propagate the AP Management VLAN to all APs, otherwise the configuration of the APs will no longer work.
The next important step is to create the VLANs as networks. Similar to the SSID networks.
You can then assign this VLAN ID in the SSID networks. In addition, the APs must be connected via trunk.
The crucial point now is that the trunk ports on the switch are configured so that an untagged VLAN (this MUST be the AP management VLAN) and the other VLAN IDs (those of the SSIDs) are propagated as tagged. Not all switches can do this (caution - assumption).
What else is important? In my case, the firewall is always the default GW in each VLAN/SSID and the firewall then acts as a DHCP server for each VLAN/SSID (DHCP proxy would probably also work). This means that I don't use the firewall functionalities that Aruba offers in the APs, I do everything via the firewall (because it's simpler and, in my opinion, more elegant).
The uplink port on the AP is then operated as untagged and you then set which SSID this AP should make available.
If a client connects to an SSID, the AP ensures that the respective packet is tagged correctly before it is sent to the switch.
That's all I can think of to explain. If anything is still unclear, only screenshots can help.
Best wishes
------------------------------
Ryder Hook
------------------------------
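Added example, not part of the original thread: a simplified Python model of the trunk behaviour described in the message above, where the AP tags client frames with the SSID's VLAN ID, sends its own management traffic untagged, and the switch port accepts only the VLANs configured on it. The SSID names, MAC addresses and VLAN IDs 1 to 4 (taken from Jack's plan) are constructed sample values, and real switches differ in detail.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def ap_uplink_frame(dst, src, ethertype, payload, vlan=None):
    """Frame as the AP puts it on the uplink: tagged for an SSID VLAN,
    untagged (vlan=None) for the AP's own management traffic."""
    tag = b"" if vlan is None else struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def trunk_ingress(frame, untagged_vlan, tagged_vlans):
    """VLAN a simplified trunk port assigns to the frame, or None if dropped."""
    if len(frame) < 14:
        return None
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != TPID_8021Q:
        return untagged_vlan              # untagged frame -> untagged VLAN
    if len(frame) < 18:
        return None                       # truncated tag
    (tci,) = struct.unpack("!H", frame[14:16])
    vid = tci & 0x0FFF                    # low 12 bits carry the VLAN ID
    return vid if vid in tagged_vlans else None

# Constructed sample values (assumptions): SSID names, MACs, VLAN IDs 1-4.
SSID_VLAN = {"internal": 2, "iot": 3, "guest": 4}
MGMT_VLAN = 1
BCAST, CLIENT = bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000001")

def classify_all(tagged_vlans):
    """Send one broadcast per SSID plus one management frame through the port."""
    result = {}
    for ssid, vlan in SSID_VLAN.items():
        frame = ap_uplink_frame(BCAST, CLIENT, 0x0800, b"dhcp-discover", vlan)
        result[ssid] = trunk_ingress(frame, MGMT_VLAN, tagged_vlans)
    mgmt = ap_uplink_frame(BCAST, CLIENT, 0x0800, b"ap-mgmt")
    result["ap-management"] = trunk_ingress(mgmt, MGMT_VLAN, tagged_vlans)
    return result

if __name__ == "__main__":
    print("complete trunk:", classify_all({2, 3, 4}))
    print("VLAN 4 missing:", classify_all({2, 3}))
```

With VLAN 4 left off the port's tagged list, the guest SSID's DHCP broadcast never reaches the firewall, while management and the other SSIDs keep working.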
Original Message:
Sent: 12-19-2023 04:52 PM
From: Jakob Schauberger
Subject: AP25 SSID to VLAN Mapping
Hi Ryder,
thanks for your reply and sorry for any confusion. (Not a native speaker myself.)
My designated outcome would be as follows:
RJ45 connection to the AP with multiple tagged VLANs.
VLAN 1 for Mgmt. to reach the Web interface.
SSID 2 for internal use sending the traffic to VLAN 2
SSID 3 for IoT sending the traffic to VLAN 3
SSID 4 for guests sending the traffic to VLAN 4
I would like to avoid NATting to support broadcasts between LAN and Wi-Fi.
Therefore a DHCP Server on VLAN 2 should receive the DHCP request from a Client within SSID 2.
From what I was reading in your post, this seems quite like a similar setup.
Did I get that right?
If so, a very good starting point for me and kudos for your setup ;-)
Thanks in advance,
Jack
------------------------------
Jakob Schauberger
Original Message:
Sent: 12-19-2023 01:40 PM
From: RH74
Subject: AP25 SSID to VLAN Mapping
I did not really understand your question (sorry, I'm not a native English speaker).
Yes, the mentioned AP has this functionality.
From my understanding, you must assign the VLAN to a different SSID. It makes no sense without that.
Important: the AP must use a trunk on the uplink interface.
I use a setup with a centralized firewall and a star network. The firewall and the APs use trunks; each AP offers 5 SSIDs with different VLANs and different IPs.
Ryder
------------------------------
Ryder Hook
Original Message:
Sent: 12-17-2023 06:02 PM
From: Jakob Schauberger
Subject: AP25 SSID to VLAN Mapping
Hi there,
I was wondering if you could help me; is something possible on the AP25?
My goal is to have different SSIDs with firewall-separated networks on one (or, if need be, more) AP(s).
I have a firewall already in place and DHCP Service is running in the designated VLAN.
To my knowledge the AP25 is capable of handling VLANs but I don't know if it can map them to SSIDs.
There is a similar Post regarding this topic:
https://community.arubainstanton.com/communities/community-home/digestviewer/viewthread?GroupId=13&MID=1936&CommunityKey=4736ee52-dc5c-4a73-b8cf-0a44640d7ff7&tab=digest viewer
The post is about 3 years old (different model) and I don't really know if it was the same constellation or if OP was satisfied with the NAT mode.
Does anyone have a similar setup, or is maybe all-knowing in this regard ;-)
Thanks in advance,
Jack