VLAN doesn't work correctly

Newbie815593 Lv1Posted 2024-Nov-25 09:49

Hi Everyone,

Need your expert advice to help me solve this problem I'm facing. I have an existing setup where I would like to implement VLAN to solve the network congestion in LAN. I setup VLAN20 in sub-interface and assigned it to zone LAN.

I face these issues:

1) VLAN20 only works on WIFI; devices on WIFI connection can ping devices on LAN, but devices on LAN network cannot ping devices on VLAN20 but can RDP to devices on VLAN20. Devices connected via Ethernet which are manually assigned the VLAN20 IP cannot communicate at all.

2) I have 2 APs. AP1 on LAN network with VLAN20 enable, and AP2 on VLAN20 network with VLAN20 enable. Both has different SSID to differentiate which device is connected to which AP. For example, WIFI device 1 is connected to AP1, and WIFI device 2 is connected to AP2, both getting VLAN20 IP through DHCP but unable to communicate to each other.

I have setup the policy in Application Control to allow communication between LAN and VLAN, but it seems like I'm missing something.

Below is my configuration:

NGAF M4500-i
ETH1 LAN 192.168.1.1
ETH1.20 VLAN20 192.168.20.1
ETH2 WAN

MANAGED SWITCH
LAN 192.168.1.200
All ports are in TRUNK mode and tagging VLAN20

Access Point 1
192.168.20.2

Access Point 2
192.168.1.2 with VLAN20 enabled

AR has solved this question and earned 20 coins.

Posting a reply earns you 2 coins. An accepted reply earns you 20 coins and another 10 coins for replying within 10 minutes. (Expired) What is Coin?

Enter your mobile phone number and company name for better service. Go

Hi.
To resolve the VLAN connectivity problems, follow these steps:

1. Managed Switch VLAN Tagging: Verify that trunk mode is enabled on the switch ports that link to NGAF, AP1 and AP2 access points, and other VLAN20 devices.
Verify that trunk ports are assigned to VLAN20.
Access ports, which are used to connect endpoints such as PCs, should be configured in VLAN20 access mode.
2. Configuring Access Points:
AP1: VLAN tagging for VLAN20 should not be enabled if it is meant to serve the LAN network. Unless specifically instructed differently, VLAN1 (the default LAN VLAN) should be used.
AP2: Verify that VLAN20 is appropriately tagged in its configuration. VLAN20 IP addresses should be assigned by the DHCP via the NGAF.
3. NGAF Configuration: Verify that the rules are configured to permit communication between LAN zones and VLAN20. If VLAN20 and LAN are in different zones, a certain inter-zone rule must be in place to allow traffic to flow in both ways.
If RDP is functioning but ICMP is not, this suggests that a firewall rule or policy may be blocking ICMP (ping). Verify that ICMP is expressly permitted in your Application Control policies.
4. DHCP and IP Assignment: Verify that NGAF's DHCP server is set up appropriately for VLAN20.
Check that VLAN20 devices are receiving IP addresses from the 192.168.20.0/24 subnet.
5. Troubleshooting Steps: Verify that the switch interfaces linked to the APs and the NGAF have VLAN tagging.
To confirm whether ICMP traffic is being dropped, use logs or packet captures.
VLAN20 devices can ping the VLAN20 gateway (192.168.20.1). If this doesn't work, the switch or NGAF VLAN settings may be the problem.
Verify that every device is capable of VLAN tagging; some Ethernet devices could not be.
Suggestions:
Disable VLAN20 tagging on AP1 unless specifically requested.
To make sure traffic between VLAN20 and LAN can move in both ways, check the inter-VLAN routing configuration in NGAF.
To keep an eye on traffic flow and VLAN membership, use a managed switch tool.

Is this answer helpful?
Enrico Vanzetto Lv4Posted 2024-Nov-25 16:36
  
Hi, given that devices on the LAN cannot communicate with VLAN20 but are still able to use RDP, the problem might lie in your firewall rules. It appears that these rules are permitting TCP traffic (RDP) but not ICMP (ping) or other required traffic types between VLANs. Ensure that your NGAF (Network Gateway and Firewall) has inter-VLAN routing configured correctly and that the firewall rules allow all essential traffic (ICMP, DHCP, etc.) between LAN and VLAN20.
Farina Ahmed Lv5Posted 2024-Nov-25 14:05
  
Since devices on the LAN cannot communicate with VLAN20 but can RDP to it, the issue could be that your firewall rules are only allowing TCP traffic (RDP) but not ICMP (ping) or other necessary traffic between VLANs. Make sure that inter-VLAN routing is properly configured on your NGAF (Network Gateway and Firewall) and that firewall rules allow all necessary traffic (ICMP, DHCP, etc.) between LAN and VLAN20.

I Can Help:

Change

Moderator on This Board

11
8
5

Started Topics

Followers

Follow

1
3
6

Started Topics

Followers

Follow

0
4
5

Started Topics

Followers

Follow

67
20
3

Started Topics

Followers

Follow

3
14
3

Started Topics

Followers

Follow

1
139
3

Started Topics

Followers

Follow

Board Leaders