Moving External AP/APX to New XG and VLAN

As part of deploying a replacement XG firewall, I wanted to do two things: 1) move my APs to the new firewall, and 2) move the management of the APs to a new VLAN. My as-is configuration had an AP55 and an APX530 operating on VLANs 5 and 6: VLAN5 for management and guest access (bridged to my WiFi VLAN), VLAN6 bridged to a trusted subnet (LAN). The XG provided DHCP. After configuring my PoE switch port to the new management VLAN (as the default PVID for the connected port), my APs would get a DHCP address but would not show up for registration on the new XG.


Resolution

In short, the AP / APX were coming from a prior configuration state in which the AP VLAN ID was set to VLAN5. On boot, the AP issued a DHCP request that was answered on the default VLAN of the connected PoE switch port (VLAN8). So, yes, the AP got a VLAN8 DHCP address. The next step was for the AP to issue a magic IP packet, but it did so on its last known AP VLAN ID (still VLAN5 from its as-is configuration). In other words, my 10.1.8.x AP address was trying to send the magic IP packet tagged to VLAN5, where only 10.1.5.x addresses exist. Even if the XG was able to receive the magic IP packet on a VLAN trunk, it had no way to respond to the AP because of the IP address/VLAN mismatch between the XG interface and the AP. Until I could change the AP VLAN ID, I needed a working session between the XG and the AP on the existing VLAN ID.

The easy fix was to:

  1. Return my AP to a PoE switch port with a VLAN5 PVID (default VLAN for untagged traffic) to get an IP consistent with the existing AP VLAN ID.
  2. Register the AP on my XG (this is the new XG); ensure the VLAN5 interface is wireless enabled.
  3. Change the AP VLAN ID for the now-registered AP.
  4. Return the AP to a PoE switch port with the target PVID for management (VLAN8).

The thing to keep in mind is that the DHCP address will come from the PVID of the PoE switch port, while management traffic from the AP will use the configured AP VLAN ID. Mismatching the two is...bad.
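One way to spot this mismatch before it costs an afternoon is to read a capture of the trunk and flag any 802.1Q-tagged frame whose source address does not belong to the subnet that VLAN carries. The script below is an added example, not from the original post; it assumes a `tcpdump -e -nn` capture taken on a mirror of the trunk, the 10.1.<vlan>.0/24 addressing used above (a hypothetical mapping), and the sample lines are constructed with placeholder ports.

```python
import ipaddress
import re

# Assumed VLAN -> subnet mapping, following the 10.1.<vlan>.x scheme in the post.
VLAN_SUBNETS = {
    5: ipaddress.ip_network("10.1.5.0/24"),
    6: ipaddress.ip_network("10.1.6.0/24"),
    8: ipaddress.ip_network("10.1.8.0/24"),
}

# Pulls the 802.1Q tag and the IPv4 source address out of a `tcpdump -e -nn`
# line; the optional trailing ".<port>" covers TCP/UDP output, ICMP has none.
LINE_RE = re.compile(r"vlan (\d+),.*?(\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > ")


def check_line(line):
    """Return (vlan, src_ip, expected_subnet) when a tagged frame carries a
    source address outside that VLAN's subnet; None for untagged, unknown-VLAN
    or consistent frames."""
    m = LINE_RE.search(line)
    if not m:
        return None
    vlan = int(m.group(1))
    src = ipaddress.ip_address(m.group(2))
    subnet = VLAN_SUBNETS.get(vlan)
    if subnet is None or src in subnet:
        return None
    return (vlan, str(src), str(subnet))


def find_mismatches(capture_lines):
    """Run check_line over every line and keep only the mismatches."""
    return [r for r in (check_line(l) for l in capture_lines) if r]


# Constructed sample capture: an AP with a VLAN8 DHCP lease (10.1.8.23) still
# tagging its management traffic VLAN5, a healthy VLAN5 host, and the AP's
# untagged DHCP exchange on the port's PVID. Ports 4711 are placeholders.
CAPTURE = [
    "12:00:01.000001 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype 802.1Q (0x8100), "
    "length 64: vlan 5, p 0, ethertype IPv4 (0x0800), 10.1.8.23.4711 > 10.1.5.1.4711: UDP, length 20",
    "12:00:02.000001 00:11:22:33:44:56 > 66:77:88:99:aa:bb, ethertype 802.1Q (0x8100), "
    "length 64: vlan 5, p 0, ethertype IPv4 (0x0800), 10.1.5.40.4711 > 10.1.5.1.4711: UDP, length 20",
    "12:00:03.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), "
    "length 342: 10.1.8.23.68 > 10.1.8.1.67: BOOTP/DHCP, Request",
]

if __name__ == "__main__":
    for vlan, src, subnet in find_mismatches(CAPTURE):
        print(f"VLAN {vlan} frame from {src}, expected {subnet}: AP VLAN ID / PVID mismatch")
```

The first sample line is exactly the symptom from the resolution above: a 10.1.8.x source tagged VLAN5, so the XG has no interface that can answer it.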