Okay so I'm a little new to VLANS, so forgive me if this is a silly question. I have a firewall set up with a few VLANS:
ID 1: This is the primary, and set to untagged. This will be used as a management VLAN.
ID 30: 'Guest' for the less trusted devices.
ID 40: 'iot' for our IoT devices. I want them segregated for QoS and security reasons.
ID 50: 'Trusted' for staff to access specific resources on the LAN.
My question is this. The majority of devices connecting to VLAN 30 and 50 will be standard workstations, with NICs that don't understand VLAN tagging. If I set a port-based VLAN, I still have to have it as a tagged VLAN, as that's how it's set on the firewall (the firewall is running a 'bridge' port to pipe all 4 VLANs over to the layer 2 switch), and of course, it will only allow one of those VLANs to come back untagged. If I set it as a tagged VLAN, the workstation doesn't understand it and gives a 169 IP. If I set it to untagged, same deal - I assume as the firewall is only expecting tagged traffic from those VLANs. What am I missing here?
Context: My firewall is a Watchguard, my switch is an HP Aruba
There are a few things that aren't quite clear here in the question and comments, so I'm hopefully going to clear up how I would expect a system like this to work (with HP Aruba switches).
On the link between the firewall and the switch (the configuration on both sides):
Have VLAN 1 configured as untagged.
Have VLAN 30/40/50 configured as tagged.
On the switch ports that are leading to 'guest' devices, you would configure those ports as 'untagged' on VLAN 30.
Assuming the ports for 'guest' are ports 1-10 (and the firewall is port 50), the commands would be something like:
The same goes for ports used by trusted staff, these would be 'untagged' on VLAN 50.
The command 'untagged' basically means: any traffic arriving on a port that is not otherwise tagged will be assigned this VLAN.