Unifi AP Vlan pass through basic POE+ switch to Sophos Firewall


jang430

Hi. I plan to buy a TP-Link TL-SG1005LP POE+ switch for use with my 2, soon to become 3 Unifi APs.


Currently, I have 2 Unifi APs (with 3 SSIDs each, each on its own VLAN) that connect to 2 ports on my Cisco SG500 switch, where VLAN tagging is done. The Cisco is connected to my Sophos XG firewall, where different rules apply to different VLANs. If I get the TP-Link POE+ switch, my APs will connect directly to this POE switch instead of the Cisco switch, and this POE switch will be connected to a single port on the Cisco switch, then the Cisco switch to the Sophos firewall.

Will the VLAN on each SSID still work this way?
 

coxhaus

I don't know about TP-Link but I had in the past a Cisco SG300-28 L3 switch connected to a Cisco SG300-10MPP switch which I used to power my Cisco WAP581 wireless APs. I have 2 VLANs on each wireless AP. It all worked great. I only used the SG300-10MPP switch to power my POE+ stuff.

The only thing that comes to mind is there is a limit on the connection between the uplink between switches. But this is true for using more than 1 switch. A 1-switch backplane is faster than any uplink. Upping the port speed does not help as the backplane will just be faster with faster ports. Maybe if you have a cheap switch this might not be true, but I don't buy those.
 

coxhaus

No. I extended the SG300-10MPP switch with a trunk port so the SG300-10MPP was doing tagging also. The SG300-28 switch was doing L3 only as there was no L3 on the SG300-10MPP switch with my setup even though it was an L3 switch.

I would stay with the Cisco SG500X switch and maybe buy another Cisco switch if it was me. I had a TP-Link business-class router many years ago and the code was buggy. TP-Link never fixed the code before they outdated the hardware. I will never buy TP-Link again.
 

jang430

@coxhaus Re-reading your comment, you seem to say the POE switch the APs are plugged into also needs to support VLAN 802.1Q (VLAN aware) to be able to pass the tagging to the switch (in my case, the Cisco SG500) with tagging, then finally to the Sophos firewall, which is also VLAN aware.

Is this correct?

I plan to plug a whole TP-Link POE+ switch to my Cisco port 9 (for example). Port 9 allows VLAN 10, 20 and 30. AP SSID 1 is assigned VLAN 10, SSID 2 is assigned VLAN 20, and SSID 3 is assigned VLAN 30. Port 1 of Cisco is connected to my Sophos Firewall, that has separate rules for VLAN 10, 20 and 30.
 
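The following is an added example, not part of the thread and not code from any of the vendors mentioned. It models the path described in the last post (AP tags each SSID's frames with VLAN 10/20/30, a VLAN-unaware PoE switch sits between the APs and Cisco port 9, port 9 carries 10/20/30 as a trunk, port 1 carries them on to Sophos) by building and parsing real 802.1Q frame bytes. The MAC addresses and payload are constructed for the demo, the Sophos interface names (Port1, Port1.10, ...) are hypothetical, and the two PoE-switch behaviours are assumptions: "passthrough" is what a typical unmanaged switch does with tagged frames, and "strip" models a switch that removes the tag, which is the failure mode to check for, because every SSID then lands untagged in the trunk's native VLAN and the per-VLAN firewall rules no longer apply.

```python
import struct

TPID_8021Q = 0x8100      # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses and payload (not real devices).
AP_MAC = bytes.fromhex("02aabbcc0001")
GW_MAC = bytes.fromhex("02aabbcc00ff")
PAYLOAD = b"\x45" + b"\x00" * 19   # stand-in for an IPv4 header; content is irrelevant here


def build_frame(dst, src, payload, vid=None, pcp=0):
    """Ethernet II frame; when vid is given, insert an 802.1Q tag (TPID + TCI) after the MACs."""
    if vid is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (vid, ethertype, payload); vid is None when the frame carries no 802.1Q tag."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner, frame[18:]
    return None, ethertype, frame[14:]


def strip_tag(frame):
    """Remove the 802.1Q tag, leaving a plain untagged frame."""
    vid, ethertype, payload = parse_frame(frame)
    if vid is None:
        return frame
    return frame[:12] + struct.pack("!H", ethertype) + payload


def poe_switch(frame, mode):
    """VLAN-unaware PoE switch (assumed behaviours): 'passthrough' forwards the tagged frame
    untouched, 'strip' discards the tag. Confirm which one the real model does."""
    if mode == "passthrough":
        return frame
    if mode == "strip":
        return strip_tag(frame)
    raise ValueError(f"unknown switch mode {mode!r}")


def trunk_ingress(frame, allowed_vids, native_vid=1):
    """Cisco trunk port: tagged frame -> its VID if on the allowed list, untagged frame -> the
    native VLAN, anything else dropped (None)."""
    vid, _, _ = parse_frame(frame)
    if vid is None:
        return native_vid
    return vid if vid in allowed_vids else None


# Port 9 carries the three SSID VLANs tagged; untagged traffic falls into native VLAN 1.
PORT9_ALLOWED = {10, 20, 30}
PORT9_NATIVE = 1
# Hypothetical Sophos interface names: VLAN sub-interfaces hold the per-SSID rules, and
# native-VLAN traffic leaves Cisco port 1 untagged and hits the base interface.
SOPHOS_IFS = {1: "Port1", 10: "Port1.10", 20: "Port1.20", 30: "Port1.30"}


def trace(ssid_vid, poe_mode="passthrough"):
    """Follow one client frame from an SSID mapped to ssid_vid, through the PoE switch and
    Cisco port 9, to the Sophos interface that receives it. None means dropped at port 9."""
    frame = build_frame(GW_MAC, AP_MAC, PAYLOAD, vid=ssid_vid)   # the AP tags on its uplink
    frame = poe_switch(frame, poe_mode)
    vid = trunk_ingress(frame, PORT9_ALLOWED, PORT9_NATIVE)
    if vid is None:
        return None
    # Port 1 is a trunk carrying the same VLANs, so the frame reaches Sophos with this VID.
    return SOPHOS_IFS.get(vid)


if __name__ == "__main__":
    for ssid, vid in (("SSID1", 10), ("SSID2", 20), ("SSID3", 30)):
        print(f"{ssid} (VLAN {vid}): passthrough -> {trace(vid)}, strip -> {trace(vid, 'strip')}")
    print("VLAN 40 (not allowed on port 9):", trace(40))
```

With a tag-passing switch each SSID ends up on its own Sophos sub-interface, so the answer to the thread's question is yes, provided the switch really does forward tagged frames unmodified. The "strip" run shows why that needs to be verified on the actual hardware rather than assumed: all three SSIDs then arrive on the base interface in the native VLAN, which silently merges networks that the firewall rules were meant to keep apart.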