Native VLAN Challenge - Ruckus AP & ESXi


cyanchan15

New Member
Jul 6, 2022
edit1:
I rethought it over and found that the problem arises when ESXi delivers differently tagged VLAN traffic to different VMs; native traffic is discarded and is never able to reach the DHCP server, which is in a VM.

Could it be solved if I run, say, a Windows server with DHCP that handles DHCP for all VLANs directly on the Dell server? No more ESXi, and I can then put VMs in its Hyper-V and do the rest. Apparently it will be some bad $$.

Original post:
I'm about to move into a new house and am currently in the process of buying networking equipment. Not a complete newbie, but the following bothers me a lot.

Basic setup:
4* IP cameras for the entry gate, yard, etc.
7* Ruckus R710 running Unleashed
1* ICX7150 or similar basic L3 gear for switching and powering the above
1* Dell R240 in the rack, connected to the switch on a 10G SFP+ port, running ESXi for a few VMs:
1. OpenWRT for firewall, PPPoE and DHCP stuff; this VM gets a passthrough NIC to connect to the ISP modem;
2. Debian for some development fun;
3. Blue Iris for IP camera playback and recording; and
4. freeNAS or similar for personal storage.
Lots of devices for work and entertainment, wired or wireless.

Planned VLANs and switch port configs are:
VL10 for wired home users and the home wireless SSID; tag ports to APs and Dell server, untag ports to end user devices like PCs, stream boxes, gaming consoles, etc.
VL20 for the guest wireless SSID; tag ports to APs and Dell server
VL30 for IP cameras; tag port to Dell server, untag ports to IP cameras
VL99 for TRANSIT traffic between the switch and OpenWRT; tag port to Dell server

The ICX7150 will serve as the gateway in each of the VLANs and handle all traffic unless it is going to the Internet. On the server, ESXi's virtual switch will distribute the incoming traffic according to the 802.1Q tag to the respective VMs, i.e. VL10/20 DHCP requests flow to the OpenWRT VM, VL99 Internet traffic flows to the OpenWRT VM, VL30 IP camera video streams flow to the Blue Iris VM, and VL10 file transfer traffic flows to the freeNAS VM. So far so good.

Now here's the catch that has me scratching my head:
Ruckus Unleashed APs only send and receive management frames (getting IPs, etc.) untagged, i.e. in native VLAN 1, while ESXi (for my use case) insists that all traffic arriving at the host must be tagged, with the result that the APs' management frames can't get to the OpenWRT VM and therefore no IPs can be served and there is no management interface.

The VMware article says no native VLAN or untagged traffic.
Ruckus says Unleashed APs' management traffic is untagged.

Is there any workaround so that untagged management data from the AP gets a VL10 tag added going into the switch port, so that it gets to ESXi and on into the OpenWRT VM? I searched a ton and read about dual mode. Do I simply configure the ports to the APs with VL10 and VL20 tagging plus dual mode VL10, and voila? From what I read, this should add a VL10 tag to any untagged traffic coming into these ports and preserve any already-VL10/20-tagged packets going in and out? To me it still sounds problematic, because when data is going to those dual mode ports the switch cannot know if a packet is normal home net traffic or AP management traffic, so it can't decide if it needs to strip away the VL10 tag. If the VL10 tag is in it, then the APs are not going to take it as management data, but only as wireless traffic for the home wireless SSID.

Sorry for the long question but any help from you geniuses here is very much appreciated.
 

ms264556

Well-Known Member
Sep 13, 2021
New Zealand
ms264556.net
Unleashed has supported VLAN tagging the management interface since 200.10.
The APs will still have their IPs on VLAN 1, but the management interface you set up (the one which follows the master AP) will have the IP and tag you select.
And all client traffic can be assigned a VLAN per SSID easily in the WLAN advanced settings.
So your client traffic will be tagged, and your management traffic will be tagged.
The only thing you couldn't do last time I looked is set up the Ethernet ports as access ports with a VLAN tag. Unless you have an H series AP, they're all trunk ports.
 

cyanchan15

New Member
Jul 6, 2022
Unleashed has supported VLAN tagging the management interface since 200.10.
The APs will still have their IPs on VLAN 1, but the management interface you set up (the one which follows the master AP) will have the IP and tag you select.
And all client traffic can be assigned a VLAN per SSID easily in the WLAN advanced settings.
So your client traffic will be tagged, and your management traffic will be tagged.
The only thing you couldn't do last time I looked is set up the Ethernet ports as access ports with a VLAN tag. Unless you have an H series AP, they're all trunk ports.
Oh thanks, that solves part of the problem. However, with this new feature I still don't think the APs can get an IP from the DHCP server, since the DHCP server is a VM in ESXi, which does not take native untagged traffic. Any thoughts?
 

Scarlet

Member
Jul 29, 2019
Plug another network cable into your ESXi host that is connected to a port on your switch that has VLAN 1 untagged.

Alternatively, use the DHCP server on your Ruckus Unleashed APs :)
 

ms264556

Well-Known Member
Sep 13, 2021
New Zealand
ms264556.net
Since the only untagged traffic from the AP will be DHCP etc., you can untag the appropriate VLAN for this traffic on the 7 switch ports you'll plug your APs into.
 

cyanchan15

New Member
Jul 6, 2022
Plug another network cable into your ESXi host that is connected to a port on your switch that has VLAN 1 untagged.
I get the idea of untagging, but ESXi will discard VL1 native traffic arriving at the host. VMware calls it VST mode if I want different VLANs to reach different VMs.

Alternatively, use the DHCP server on your Ruckus Unleashed APs :)
It is the APs themselves that need to get IPs on VL1.
 

ms264556

Well-Known Member
Sep 13, 2021
New Zealand
ms264556.net
I can't check right now but, assuming the ICX switch works like my other managed switches (and the Ruckus documentation)... if you e.g. configure a port with VLANs 30, 40, 50 tagged and VLAN 10 untagged, then untagged inbound packets will have a VLAN 10 tag added, outbound VLAN 10 packets will have the tag removed, VLAN 30/40/50 tagged packets will retain their tags, and other VLANs will be dropped.

In older Ruckus switch firmware you had to enable dual mode for this behavior, but this isn't required anymore.
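As an added illustration (not from the thread or from Ruckus/VMware), here is a small Python model of the port behaviour ms264556 describes, run over the path the OP is worried about: an untagged DHCP frame from an AP, through a hybrid switch port, across the trunk to the Dell host, into an ESXi VST port group that only delivers frames tagged with its own VLAN ID. The frame bytes, MAC address and VLAN sets are constructed, and `HybridPort`, `vst_portgroup_accepts` and `ap_frame_reaches_openwrt` are this example's own names.

```python
import struct
TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame

def parse_vid(frame: bytes):
    """VLAN ID from the frame's 802.1Q tag, or None if the frame is untagged."""
    if len(frame) < 16:
        raise ValueError("too short for a (tagged) Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF  # low 12 bits of the TCI

def push_tag(frame: bytes, vid: int) -> bytes:
    """Insert a 4-byte 802.1Q tag (PCP 0, DEI 0) after the source MAC."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]

def pop_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag from a tagged frame."""
    return frame[:12] + frame[16:]

class HybridPort:
    """Switch port with one untagged (PVID) VLAN plus a set of tagged VLANs (example model)."""
    def __init__(self, untagged, tagged):
        self.untagged, self.tagged = untagged, set(tagged)
    def ingress(self, frame: bytes):
        """Frame arriving from the cable: untagged gets the PVID tag, unknown tags are dropped."""
        vid = parse_vid(frame)
        if vid is None:  # e.g. an AP's untagged DHCP discover
            return push_tag(frame, self.untagged) if self.untagged is not None else None
        return frame if vid in self.tagged or vid == self.untagged else None
    def egress(self, frame: bytes):
        """Frame leaving to the cable: PVID tag stripped, allowed tags kept, others dropped."""
        vid = parse_vid(frame)
        if vid == self.untagged:
            return pop_tag(frame)
        return frame if vid in self.tagged else None

def vst_portgroup_accepts(frame: bytes, portgroup_vid: int) -> bool:
    """ESXi VST port group: only frames tagged with its VLAN ID are delivered to the VM."""
    return parse_vid(frame) == portgroup_vid

# Constructed sample: broadcast dst, made-up AP src MAC, IPv4 EtherType, dummy payload.
AP_DHCP_DISCOVER = bytes.fromhex("ffffffffffff0200c0ffee010800") + b"DHCPDISCOVER"

def ap_frame_reaches_openwrt(ap_port: HybridPort, server_trunk: HybridPort, openwrt_vid: int) -> bool:
    """AP -> AP's switch port -> trunk port to the Dell host -> OpenWRT VM's port group."""
    inside = ap_port.ingress(AP_DHCP_DISCOVER)
    on_trunk = server_trunk.egress(inside) if inside is not None else None
    return on_trunk is not None and vst_portgroup_accepts(on_trunk, openwrt_vid)
```

With the AP port as `HybridPort(None, {10, 20})` (the OP's plan, tags only) the discover is dropped at the switch; with `HybridPort(10, {20})` (VLAN 10 untagged on the AP port) it reaches the VLAN 10 port group tagged.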