  1. #1
    Sheridan's Avatar
    Join Date
    Oct 2010
    Posts
    1,351
    Thank Post
    123
    Thanked 95 Times in 65 Posts
    Rep Power
    29

    VLANs onto existing subnets

    I'm trying to build a separate VLAN for our wireless system so we can add a guest VLAN. Now the problem is we have a network system that is not best designed for this. Basically we have a large network with switch cabinets across the school, all the cabinets meet at one central cabinet in the server room where they are plugged into a L3 switch. On that switch each port is configured as a separate subnet (192 ranges) and routing is configured between them all. This was originally done so we could easily switch from the LEA's IP addressing to our own private ranges and effectively only had to change the firewall.

    This all works fine, 9 separate subnets with 100s of devices on each all communicating happily. Each cabinet (effectively we have 'geographic' subnets) is connected to the main one via fibre.

    The issue comes now with Ruckus - we have APs all over the school, all ultimately connected to local switches with the zone director in the main cabinet. Again this works fine but the problem is if I now want to add a guest WLAN to the APs using a separate VLAN I can't see how to do it! If I assign a VLAN to the APs then they are plugged in the local switch which has no VLANs assigned. If I assign a VLAN to the main network (i.e. VLAN 1) and add a new one to the AP's switch port then they effectively have 2 VLANs on the same port - which will defeat the purpose of separating the network - plus at the core switch each subnet will be carrying traffic for 2 VLANs and I then need to route the WLAN guest VLAN off to a Smoothwall box for internet access.

    Basically what I'm asking (badly!) is how do you deal with adding a WLAN that is tagged with a VLAN to an existing system with no VLANs? Is this even going to be possible as the APs are used on our main network so they also need to be accessible for the 'proper' networked devices.

  2. #2

    Join Date
    Jun 2010
    Location
    Berkshire
    Posts
    111
    Thank Post
    18
    Thanked 9 Times in 9 Posts
    Rep Power
    10
    I might not be understanding this correctly but in ours I just added a new SSID on another subnet to the AP (I have Aerohive) just for Guest and then added it as a VLAN to each switch tagged all the way back to the layer 3 and then routed straight out. All of my switches have a default 'management' LAN called VLAN1 so I just added VLAN 100 to each switch as Guest but it depends if your Ruckus APs support multiple SSIDs (which I imagine they do). I think just because you haven't added a VLAN to your switches you are effectively just running on VLAN 1 anyway.

  3. #3
    mrbios's Avatar
    Join Date
    Jun 2007
    Location
    Stroud, Gloucestershire
    Posts
    2,541
    Thank Post
    362
    Thanked 263 Times in 215 Posts
    Rep Power
    100
    I don't fully understand what you're asking to be honest, but are you aiming to have two SSIDs whereby each provides a different client IP depending on which SSID you connect to, whereby connecting to Guest gives you an IP of say 172.18.77.x but connecting to the secure gives you an IP of 172.18.76.x for example? Where the IP range given by the guest is a secured VLAN cut off from accessing the rest of the network? If not then I've completely misunderstood.

  4. #4
    Sheridan's Avatar
    Join Date
    Oct 2010
    Posts
    1,351
    Thank Post
    123
    Thanked 95 Times in 65 Posts
    Rep Power
    29
    I didn't explain it very well at all! But @mrbios you pretty much have it there.

    I have no VLANs as such now (apart from the default or 1 like sparker mentioned) and our APs have several SSIDs on them currently for our normal devices - again with no VLAN assigned. If I add a WLAN that is tagged with a VLAN, do I have to tag the switch port the AP is attached to with both VLANs, i.e. 1 and 50 as the AP is serving both of them? And at the core switch end every port that is a subnet will need to be VLAN 1 and 50 as the APs are across the entire network.

    I've set up VLANs years ago but it was much simpler - this is complicated by the fact each subnet is physically a separate port on the core switch, but the APs are on all of the subnets and I need to direct the 'guest' WLAN to our Smoothwall box for DHCP/DNS and direct internet access?

  5. #5

    Join Date
    Jun 2010
    Location
    Berkshire
    Posts
    111
    Thank Post
    18
    Thanked 9 Times in 9 Posts
    Rep Power
    10
    You need to tag every switch including the one the AP is connected to and the AP should untag the traffic as it shunts it into the correct SSID. You just then add the VLAN to every switch that you want to have an AP with guest access on and make sure that the VLAN is on every switch that is on the route back to the core switch. Don't worry about your existing subnets as you are making a new virtual lan just for your Guest wifi and it is not connected in any way with your existing subnets except that they share hardware. You will need to then set up the new scope for the guest wifi DHCP and Internet but Smoothwall will no doubt tell you how to do that bit.

  6. Thanks to sparker from:

    Sheridan (20th March 2013)

  7. #6
    Sheridan's Avatar
    Join Date
    Oct 2010
    Posts
    1,351
    Thank Post
    123
    Thanked 95 Times in 65 Posts
    Rep Power
    29
    When you say I need to tag every switch, do I need to tag the individual ports on the switch at the AP end with both Guest/Normal VLANs, or just at the ports which are connecting the switches to the core switch?

    I.e. I've got AP==Switch==fibre==core switch==Smoothwall box (separate port)

    So the AP is carrying a new WLAN which is assigned to VLAN 50. The immediate switch port needs to be tagged with VLAN 50, but also with the default VLAN? And then the port at the core switch end also needs 50 adding to it as well? I've got myself tied up in knots with these VLANs - it would be a lot easier if I was starting from afresh!

  8. #7

    Join Date
    May 2010
    Posts
    1,053
    Thank Post
    106
    Thanked 87 Times in 64 Posts
    Rep Power
    49
    You need to make sure the uplinks are tagged too, to carry the vlan packet iirc

    1 UUUUUUUUUUUUUUUUUUUUUUUU Default
    2 T_____ T_______ T___________T Vlan 2

    This is netgear smart switches, the last T there is the uplink, the other Ts are the tagged ports for the vlan (which the waps are plugged into)

    I did a post once with diagrams I think

  9. Thanks to caffrey from:

    Sheridan (20th March 2013)
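
Added example, not part of any post in this thread: a small check over per-switch membership rows in the U/T/_ notation shown above, confirming that VLAN 50 is tagged on the AP port and on both ends of the uplink, and untagged only on the Smoothwall port. The switch names, port numbers and sample rows are constructed assumptions, not the poster's configuration.

```python
GUEST_VLAN = 50  # VLAN id used in the thread; everything else below is constructed sample data

# One row per VLAN, one character per port (port 1 first):
# U = untagged member, T = tagged member, _ = not a member.
GOOD = {
    "edge": {1: "UUUUUUUU", 50: "T______T"},  # port 1 = AP, port 8 = fibre uplink
    "core": {1: "UUUUUUU_", 50: "__T____U"},  # port 3 = link to edge, port 8 = Smoothwall
}
# Same switches, but VLAN 50 was never added to the core end of the uplink.
BROKEN = {
    "edge": GOOD["edge"],
    "core": {1: "UUUUUUU_", 50: "_______U"},
}
# Guest path as (switch, port, expected mode for the guest VLAN).
PATH = [("edge", 1, "T"), ("edge", 8, "T"), ("core", 3, "T"), ("core", 8, "U")]


def mode(switches, switch, vlan, port):
    """Return 'U', 'T' or '_' for one port in one VLAN row."""
    row = switches[switch].get(vlan, "")
    return row[port - 1] if 0 < port <= len(row) else "_"


def check_guest_path(switches, path, vlan=GUEST_VLAN):
    """List every problem that would stop or mix guest traffic on the path."""
    findings = []
    for switch, port, want in path:
        got = mode(switches, switch, vlan, port)
        if got != want:
            findings.append(f"{switch} port {port}: VLAN {vlan} is '{got}', expected '{want}'")
    # A port should be the untagged member of only one VLAN; two U entries
    # would send both networks' frames out of that port untagged.
    for switch, rows in switches.items():
        width = max(len(r) for r in rows.values())
        for port in range(1, width + 1):
            untagged = [v for v in rows if mode(switches, switch, v, port) == "U"]
            if len(untagged) > 1:
                findings.append(f"{switch} port {port}: untagged in VLANs {untagged}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("broken", BROKEN)):
        print(name, check_guest_path(cfg, PATH) or "guest VLAN carried end to end")
```
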

  10. #8

    Join Date
    May 2011
    Location
    Jus North of London, close but not too close
    Posts
    797
    Thank Post
    180
    Thanked 61 Times in 58 Posts
    Rep Power
    35
    The ruckus we had at last place supports multiple SSID's and it was jus a matter of tagging the switch ports where the AP plugs in for the extra vLAN's.

    We jus had all the management on the default vLAN so we did not tag the port for the default vlan. It may be better to set the Wireless Management to a different vLAN and there is that facility but we didn't bother.

    It worked very well, guest devices joined guest SSID and were put on the correct vLAN in the different IP address range.

  11. Thanks to Davit2005 from:

    Sheridan (20th March 2013)

  12. #9
    Sheridan's Avatar
    Join Date
    Oct 2010
    Posts
    1,351
    Thank Post
    123
    Thanked 95 Times in 65 Posts
    Rep Power
    29
    Great advice from all thanks. It's starting to make sense, and I'll hopefully be able to get this moving in the holidays.

    It was the doubt about whether I need to tag the wap switch ports with the default vlan as well as the guest vlan I was getting confused about, as the switch port will have both domain and guest vlan traffic going through it, but the tagging will allow the guest vlan to pass through to the core switch if I'm reading this all right!

  13. #10
    ass17's Avatar
    Join Date
    Feb 2013
    Posts
    343
    Thank Post
    5
    Thanked 38 Times in 35 Posts
    Rep Power
    27
    Our setup is 90% geographic.

    All switch to switch uplinks are tagged
    Other ports for other devices are untagged VLANs with the exception of our VoIP phones that piggy back onto the PCs to share one network port. We VLAN tag the switch port for VoIP and also untagged it with a different VLAN for the PC.

    I'm not 100% sure whether you actually need to tag port for an AP, you may be able to untag it to a VLAN. We have ACLs to allow VLANs to talk to each other on our core switches.

  14. #11
    Sheridan's Avatar
    Join Date
    Oct 2010
    Posts
    1,351
    Thank Post
    123
    Thanked 95 Times in 65 Posts
    Rep Power
    29
    I think I'll just start by tagging the uplink ports and take it from there - I'll have to wait until a quiet period as our Netgear kit is notorious for causing connectivity problems when you're tinkering around through the web interface!

  15. #12
    mrbios's Avatar
    Join Date
    Jun 2007
    Location
    Stroud, Gloucestershire
    Posts
    2,541
    Thank Post
    362
    Thanked 263 Times in 215 Posts
    Rep Power
    100
    Originally posted by Sheridan:
    "I'll have to wait until a quiet period as our Netgear kit is notorious for causing connectivity problems when you're tinkering around through the web interface!"
    Next time you're buying switches go for HP Procurves. Stability of Cisco and the simplicity of Netgear combined into one easy package.

  16. #13
    Sheridan's Avatar
    Join Date
    Oct 2010
    Posts
    1,351
    Thank Post
    123
    Thanked 95 Times in 65 Posts
    Rep Power
    29
    Yeah - I liked the look of the HP kit. To be fair, we bought the Netgear stuff because it was cheap, came with a lifetime warranty (which has been honoured many times) and had the same functionality as the more expensive kit. It has its quirks but otherwise it's OK - it seems to be the bigger stacked units that throw a wobbly when changes are applied through the web interface!

  17. #14

    Join Date
    May 2010
    Posts
    1,053
    Thank Post
    106
    Thanked 87 Times in 64 Posts
    Rep Power
    49
    I found using an old version of firefox works best (I use version 2), get it from oldversion.com. I've crashed the netgear interface too many times with IE.
    Tagging doesn't cause any downtime here (GS724T)

  18. #15

    Join Date
    Dec 2009
    Posts
    914
    Thank Post
    98
    Thanked 184 Times in 159 Posts
    Rep Power
    54
    It isn't best practice but I'd just tag every port in the switch, it makes it much easier going forward if you want to add more WAPs around the school as it's just plug and play. It also saves the headache of not being able to just swap a WAP from one port to another without more config.

    I just found it made life much easier when we did our Ruckus install.
