  • 1.  Feature request: AP22 Management VLAN

    Posted 10-21-2020 12:42 PM

    I've just purchased an AP22 to be able to use Wi-Fi 6. It replaces a slightly older TP-Link EAP245. I was very surprised to see that the AP22 does not support setting a VLAN for the management interface. I have found this related post:

    https://community.arubainstanton.com/t5/Instant-On-Wireless/Setting-management-VLAN-on-APs/m-p/2838#M747

    The solution is to set the switch to untag the management VLAN on the switch port to allow management from the (wired) management VLAN. Is there any way to create a feature request to support setting a management VLAN? In my opinion this should be available on a product as (semi-)professional as this.

    I would expect HPE Aruba to support this feature if even a TP-Link AP supports it. I would really like to be able to change the management VLAN and send tagged traffic on switch egress and not revert back to untagged traffic for something like a management interface.


    #AP22
    #vlan


  • 2.  RE: Feature request: AP22 Management VLAN

    Employee
    Posted 10-21-2020 02:13 PM

    @Atheonblue The APs are managed via the portal and not via the IP address of the APs, separating management data from user data. Each site must be in a default VLAN for all APs and switches, and if you need to have multiple VLANs for different SSIDs you can select the network they belong to in bridge mode, or you can use NAT mode. On the switch, you can set ports to be untagged for the VLAN you wish to have traffic traverse.



  • 3.  RE: Feature request: AP22 Management VLAN

    Posted 10-21-2020 02:33 PM

    @GThiesen 

    First of all: Thank you for your quick reply.

    I'm not really sure that I understand your answer so I'm going to describe my network topology and switch config, then apply what I think is your suggestion.

    Let's say I currently have 3 VLANs: 20 for management devices, 30 for devices not allowed to manage stuff and 40 for IoT stuff hanging around. I used to have three different Wi-Fi networks with the same VLAN tags. The AP is connected via a managed switch to the rest of the network. The VLAN IDs are also configured on the wired network. The switch used to be configured to send tagged network traffic to the AP. Because I had the management VLAN of the old AP set to 20, devices in that VLAN could manage the AP.

    What I think you are saying is that the AP just needs internet connection for management. There is no web interface so the AP being in the same VLAN as the management devices is not necessary. I can follow you here.

    However, the AP needs an IP address. There is no DHCP server listening on VLAN 1, so I need the AP set to VLAN 20 or set the PVID of the switch port to 20 to allow the AP to get an IP address. This PVID setting, however, also means that the VLAN 20 traffic will be *untagged* on egress of the switch. Given the fact that I have devices on the VLAN 20 Wi-Fi, how are wired devices able to communicate with the Wi-Fi devices? They cannot. I therefore have to turn off the VLAN ID of the management Wi-Fi as well. Correct?

    Another option would be to create yet another DHCP server to allow the AP to get an IP address without a PVID on the switch port, but this would require me to also reconfigure the router to allow traffic from that range to reach the internet. Correct?

    I am a bit confused as it took me some time to have the iPhone app discover the AP after connecting it, as my network topology did not allow it to get an IP address (see my tagged 20, 30 and 40 remark combined with not having a DHCP server listening on VLAN 1).



  • 4.  RE: Feature request: AP22 Management VLAN

    Employee
    Posted 10-21-2020 03:47 PM

    @Atheonblue From your ISP/firewall/gateway that is providing your VLANs and DHCP to the 1930 switch, here is what it could look like. On the 1930 port that is the uplink to the gateway, make sure you allow all networks (should be the default). On the gateway, make sure you have VLAN 20 as the primary VLAN but allow VLAN 30 and 40 to traverse that link. Then under Networks create wired networks VLAN 30 and 40. At this point, the switch and APs will be on VLAN 20 and get an IP address from DHCP. Now when you create the SSIDs for devices (VLAN 30) and IoT (VLAN 40), go into each of them and under Options, where "Same as local network" (default) is selected, click on the assigned network and select VLAN 30 and 40 respectively for the SSID. At that point, the clients that connect to Devices and IoT will get DHCP from those VLANs. And for wired clients, they could be in the default VLAN 20, or you can go into each port and specify an assigned network VLAN 30 or VLAN 40. I think this is what you are trying to accomplish in your network.



  • 5.  RE: Feature request: AP22 Management VLAN

    Posted 10-21-2020 04:21 PM

    @GThiesen 

    And again thank you for your quick reply.

    I do not have a 1930 switch. My router is an EdgeRouter X which handles VLANs and DHCP. My switches are mostly Netgear (managed, of course), but that's not really relevant for this as the AP is directly connected to the EdgeRouter.

    I've managed to get things working by:

    • Adding a DHCP server on VLAN 1 with a separate range
    • Allowing that range to reach the internet
    • Setting the PVID on eth1 (EdgeRouter to AP) to 1
    • Setting the VIDs of eth1 to 20, 30 and 40
    • Having all Wi-Fi networks tagged with their respective VLAN IDs (20, 30 and 40)
    • And some firewall stuff to block some traffic between VLANs, but again: that's not really relevant here

    The AP22 now gets an IP address (say) 192.168.0.1 from the VLAN 1 DHCP server. VLANs 20, 30 and 40 have their own ranges. Devices can ping/reach other devices on the same VLAN. The AP22 is still manageable by the Aruba Instant On Portal and App.

    So essentially the only thing that is different from my old config is that the AP itself now has a different IP than the previous AP, which was located in the same subnet as the management devices because it had to be managed by the web interface on the device itself instead of SaaS.
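The PVID reasoning in post 3 (why untagging VLAN 20 on the AP-facing port breaks a Wi-Fi network that is tagged 20) and the working design in post 5 can both be checked with a small model of 802.1Q port behaviour. The block below is an added example and is not code from the thread or from Aruba; the VLAN numbers (1, 20, 30, 40) follow the thread, and the port semantics are the common switch behaviour assumed here: an untagged ingress frame is assigned the port's PVID, a frame whose VLAN equals the PVID leaves the port untagged, a frame whose VLAN is in the port's tagged set leaves tagged, and anything else is dropped. It further assumes that an AP22 with no management-VLAN setting sends its own traffic untagged, that an AP with a management-VLAN setting (the old EAP245) tags its own traffic with that VLAN, and that the AP bridges a frame to an SSID only when the frame's tag matches the SSID's VLAN setting (None meaning "same as local network", i.e. untagged). All function and field names are the example's own.

```python
"""Model of 802.1Q port handling to check the VLAN designs discussed in this thread.

Constructed example. Assumed port semantics:
  - untagged ingress frame      -> classified into the port's PVID
  - tagged ingress frame        -> accepted if VID == PVID or VID in tagged set
  - egress of VLAN == PVID      -> sent untagged
  - egress of VLAN in tagged    -> sent with that tag
  - anything else               -> dropped
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Frame:
    vid: Optional[int]  # None = untagged on the wire


@dataclass(frozen=True)
class Port:
    pvid: int
    tagged: frozenset = frozenset()

    def ingress(self, frame: Frame) -> Optional[int]:
        """Classify an arriving frame into a VLAN, or None if the port drops it."""
        if frame.vid is None:
            return self.pvid
        if frame.vid == self.pvid or frame.vid in self.tagged:
            return frame.vid
        return None

    def egress(self, vlan: int) -> Optional[Frame]:
        """Put a VLAN onto the wire, or None if the port is not a member."""
        if vlan == self.pvid:
            return Frame(None)
        if vlan in self.tagged:
            return Frame(vlan)
        return None


def check_design(switch_port: Port, dhcp_vlans: Set[int],
                 ssids: Dict[int, Optional[int]],
                 ap_mgmt_tag: Optional[int] = None) -> dict:
    """Evaluate one switch-port/AP design.

    switch_port: the switch (or router) port facing the AP.
    dhcp_vlans:  VLANs on which a DHCP server answers.
    ssids:       wired VLAN -> tag the AP puts on the matching SSID's frames
                 (None = "same as local network", i.e. untagged).
    ap_mgmt_tag: tag the AP puts on its own management traffic; None models
                 an AP22, which has no management-VLAN setting (assumption).
    """
    mgmt_vlan = switch_port.ingress(Frame(ap_mgmt_tag))
    result = {
        "ap_management_vlan": mgmt_vlan,
        "ap_gets_dhcp": mgmt_vlan in dhcp_vlans,
        "ssid_reachable": {},
    }
    for wired_vlan, tag in ssids.items():
        # Wired host -> switch -> AP: the AP only bridges the frame to the SSID
        # if the tag on the wire matches the SSID's VLAN setting (assumption).
        downstream = switch_port.egress(wired_vlan)
        # Wireless client -> AP -> switch: must be classified into the wired VLAN.
        upstream = switch_port.ingress(Frame(tag))
        reachable = (downstream is not None and downstream.vid == tag
                     and upstream == wired_vlan)
        result["ssid_reachable"][wired_vlan] = reachable
    return result


TRUNK = Port(pvid=1, tagged=frozenset({20, 30, 40}))  # port as in the old config and post 5
TAGGED_SSIDS = {20: 20, 30: 30, 40: 40}                # every Wi-Fi network tagged


def old_ap_with_management_vlan() -> dict:
    """EAP245 with management VLAN 20: its own traffic is tagged 20, no DHCP on VLAN 1 needed."""
    return check_design(TRUNK, {20, 30, 40}, TAGGED_SSIDS, ap_mgmt_tag=20)


def no_dhcp_on_vlan1() -> dict:
    """AP22 on the same trunk: it lands untagged in VLAN 1, where nothing answers DHCP."""
    return check_design(TRUNK, {20, 30, 40}, TAGGED_SSIDS)


def pvid20_design() -> dict:
    """Post 3's first option: PVID 20 gives the AP an address but untags VLAN 20 on egress."""
    return check_design(Port(pvid=20, tagged=frozenset({30, 40})), {20, 30, 40}, TAGGED_SSIDS)


def pvid20_untagged_ssid() -> dict:
    """Same, with the VLAN 20 SSID switched to 'same as local network'."""
    return check_design(Port(pvid=20, tagged=frozenset({30, 40})), {20, 30, 40},
                        {20: None, 30: 30, 40: 40})


def final_design() -> dict:
    """Post 5: PVID 1 with a DHCP scope on VLAN 1, VIDs 20/30/40 tagged, all SSIDs tagged."""
    return check_design(TRUNK, {1, 20, 30, 40}, TAGGED_SSIDS)


if __name__ == "__main__":
    for scenario in (old_ap_with_management_vlan, no_dhcp_on_vlan1,
                     pvid20_design, pvid20_untagged_ssid, final_design):
        print(f"{scenario.__name__:30} {scenario()}")
```

Running the script shows the trade-off the thread describes: with PVID 20 the AP gets an address but the tagged VLAN 20 SSID is isolated from wired VLAN 20 until that SSID is set to "same as local network", while the post 5 layout (PVID 1 plus a DHCP scope on VLAN 1) keeps every SSID tagged and reachable at the cost of the AP's own address sitting outside the management subnet.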