Vlan – HP 1920-24G VLAN Configuration

When an isolated port transmits data, that data is mapped into an auxiliary VLAN. Data in the auxiliary VLAN will be mapped to the primary VLAN -only- for transmission to promiscuous ports. Promiscuous ports, in turn, transmit data into the primary VLAN. All ports can receive information in the primary VLAN.

Putting an otherwise isolated port into a community VLAN means that traffic it transmits will be mapped into both the auxiliary and the community VLAN. Community ports will receive data from both the primary and the community VLAN.

A given pair of ports will have bidirectional communication under the following conditions-

1. One or both are promiscuous, or...
2. Both are in the same PVLAN community.

VACL's are a completely different mechanism and provide some measure of per-packet (and usually protocol based) control of traffic bridged within a given VLAN. You might, for instance, block traffic on TCP/80 between all hosts within the VLAN while allowing all other traffic to pass.

It's possible to approximate the effects of PVLAN's by using a VACL but this tends to be somewhat fragile, difficult to manage and there are often inherent hardware limitations with which to contend (...highly dependent on platform).

Assuming you will use VL20 as your guest network, do the following:

1. Every switch that has guest devices on it should have VL 20 on it.

2. Configure the security profile on the WAG102 to use VL 20 for the guest SSID (check "enable 802.1 VLAN"). For the management profile, uncheck the Enable 802.1q VLAN box.

3. Make the AP ports on the switches VLAN 20 tagged and VL 1 untagged.

4. Make the port for the BT router VL 20 untagged.

5. If you have switch to switch connections, those ports should be set to VLAN 1 untagged and VL 20 tagged.

6. Everything else (your internal devices, management interface, etc) should be on VL 1 untagged ports.