I'm trying to build a separate VLAN for our wireless system so we can add a guest VLAN. Now the problem is we have a network system that is not best designed for this. Basically we have a large network with switch cabinets across the school; all the cabinets meet at one central cabinet in the server room where they are plugged into a L3 switch. On that switch each port is configured as a separate subnet (192 ranges) and routing is configured between them all. This was originally done so we could easily switch from the LEA's IP addressing to our own private ranges and effectively only had to change the firewall.
This all works fine, 9 separate subnets with 100s of devices on each all communicating happily. Each cabinet (effectively we have 'geographic' subnets) is connected to the main one via fibre.
The issue comes now with Ruckus - we have APs all over the school, all ultimately connected to local switches with the ZoneDirector in the main cabinet. Again this works fine, but the problem is if I now want to add a guest WLAN to the APs using a separate VLAN I can't see how to do it! If I assign a VLAN to the APs then they are plugged into the local switch which has no VLANs assigned. If I assign a VLAN to the main network (i.e. VLAN 1) and add a new one to the APs' switch port then they effectively have 2 VLANs on the same port - which will defeat the purpose of separating the network - plus at the core switch each subnet will be carrying traffic for 2 VLANs and I then need to route the WLAN guest VLAN off to a Smoothwall box for internet access.
Basically what I'm asking (badly!) is how do you deal with adding a WLAN that is tagged with a VLAN to an existing system with no VLANs? Is this even going to be possible, as the APs are used on our main network so they also need to be accessible for the 'proper' networked devices?
I might not be understanding this correctly, but in ours I just added a new SSID on another subnet to the AP (I have Aerohive) just for Guest and then added it as a VLAN to each switch, tagged all the way back to the layer 3, and then routed straight out. All of my switches have a default 'management' LAN called VLAN 1, so I just added VLAN 100 to each switch as Guest, but it depends if your Ruckus APs support multiple SSIDs (which I imagine they do). I think just because you haven't added a VLAN to your switches you are effectively just running on VLAN 1 anyway.
I don't fully understand what you're asking to be honest, but are you aiming to have two SSIDs whereby each provides a different client IP depending on which SSID you connect to, whereby connecting to Guest gives you an IP of say 172.18.77.x but connecting to the secure one gives you an IP of 172.18.76.x for example? Where the IP range given by the guest is a secured VLAN cut off from accessing the rest of the network? If not then I've completely misunderstood.
I didn't explain it very well at all! But @mrbios you pretty much have it there.
I have no VLANs as such now (apart from the default, or 1, like sparker mentioned) and our APs have several SSIDs on them currently for our normal devices - again with no VLAN assigned. If I add a WLAN that is tagged with a VLAN, do I have to tag the switch port the AP is attached to with both VLANs, i.e. 1 and 50, as the AP is serving both of them? And at the core switch end every port that is a subnet will need to be VLAN 1 and 50 as the APs are across the entire network.
I've set up VLANs years ago but it was much simpler - this is complicated by the fact each subnet is physically a separate port on the core switch, but the APs are on all of the subnets and I need to direct the 'guest' WLAN to our Smoothwall box for DHCP/DNS and direct internet access.
You need to tag every switch including the one the AP is connected to and the AP should untag the traffic as it shunts it into the correct SSID. You just then add the VLAN to every switch that you want to have an AP with guest access on and make sure that the VLAN is on every switch that is on the route back to the core switch. Don't worry about your existing subnets as you are making a new virtual lan just for your Guest wifi and it is not connected in any way with your existing subnets except that they share hardware. You will need to then set up the new scope for the guest wifi DHCP and Internet but Smoothwall will no doubt tell you how to do that bit.
When you say I need to tag every switch, do I need to tag the individual ports on the switch at the AP end with both Guest/Normal VLANs, or just the ports which are connecting the switches to the core switch?
So the AP is carrying a new WLAN which is assigned to VLAN 50. The immediate switch port needs to be tagged with VLAN 50, but also with the default VLAN? And then the port at the core switch end also needs 50 adding to it as well? I've got myself tied up in knots with these VLANs - it would be a lot easier if I was starting afresh!
The Ruckus we had at my last place supports multiple SSIDs and it was just a matter of tagging the switch ports where the AP plugs in for the extra VLANs.
We just had all the management on the default VLAN so we did not tag the port for the default VLAN. It may be better to set the Wireless Management to a different VLAN, and there is that facility, but we didn't bother.
It worked very well: guest devices joined the guest SSID and were put on the correct VLAN in the different IP address range.
Great advice from all, thanks. It's starting to make sense, and I'll hopefully be able to get this moving in the holidays.
It was the doubt about whether I need to tag the WAP switch ports with the default VLAN as well as the guest VLAN that I was getting confused about, as the switch port will have both domain and guest VLAN traffic going through it, but the tagging will allow the guest VLAN to pass through to the core switch, if I'm reading this all right!
All switch-to-switch uplinks are tagged.
Other ports for other devices are untagged VLANs, with the exception of our VoIP phones that piggyback onto the PCs to share one network port. We VLAN tag the switch port for VoIP and also untag it with a different VLAN for the PC.
I'm not 100% sure whether you actually need to tag the port for an AP; you may be able to untag it to a VLAN. We have ACLs to allow VLANs to talk to each other on our core switches.
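The tagging rules the replies above describe (switch-to-switch uplinks tagged, the AP-facing port tagged for the guest VLAN with the default VLAN left untagged, and a VoIP phone tagged plus a PC untagged on one desk port) can be checked against a small model of 802.1Q port membership. This is an added example written for this thread, not the poster's configuration or any vendor's switch code; VLAN 1 and VLAN 50 come from the thread, the PC/phone VLANs 10 and 20 and the port names are assumed. The model is the strict one: a port drops any tagged frame for a VLAN it is not a tagged member of.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# VLAN numbers: 1 and 50 are the ones discussed in the thread; 10 and 20 are assumed.
DEFAULT_VLAN = 1
GUEST_VLAN = 50
PC_VLAN = 10
VOICE_VLAN = 20


@dataclass(frozen=True)
class Frame:
    desc: str
    tag: Optional[int]  # 802.1Q VLAN id on the wire; None means the frame is untagged


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int                              # untagged ingress lands here; this VLAN leaves untagged
    tagged: FrozenSet[int] = frozenset()   # VLANs this port carries with a tag

    def classify(self, frame: Frame) -> Optional[int]:
        """Ingress: the VLAN a frame is assigned to, or None if the port drops it."""
        if frame.tag is None:
            return self.pvid
        return frame.tag if frame.tag in self.tagged else None

    def emit(self, vlan: int, desc: str) -> Optional[Frame]:
        """Egress: the frame as this port would send it, or None if not a member of that VLAN."""
        if vlan == self.pvid:
            return Frame(desc, None)
        if vlan in self.tagged:
            return Frame(desc, vlan)
        return None


def forward(frame: Frame, ports: List[Port]) -> Tuple[Optional[int], List[str]]:
    """Walk a frame along ports that alternate ingress, egress, ingress, ...

    The list must end on an ingress port; the VLAN that port classifies the frame
    into is returned, together with a per-port trace. None means the frame was dropped.
    """
    trace: List[str] = []
    vlan: Optional[int] = None
    for i, port in enumerate(ports):
        if i % 2 == 0:  # ingress on this switch
            vlan = port.classify(frame)
            if vlan is None:
                trace.append(f"{port.name}: dropped frame tagged {frame.tag}")
                return None, trace
            trace.append(f"{port.name}: in VLAN {vlan}")
        else:           # egress from the same switch towards the next one
            out = port.emit(vlan, frame.desc)
            if out is None:
                trace.append(f"{port.name}: not a member of VLAN {vlan}, dropped")
                return None, trace
            frame = out
            trace.append(f"{port.name}: out {'tagged' if out.tag is not None else 'untagged'}")
    return vlan, trace


def build_path(ap_port_tagged: bool) -> List[Port]:
    """AP-facing port and uplink on the access switch, then the core's downlink (assumed names)."""
    ap_port = Port("access/ap-port", pvid=DEFAULT_VLAN,
                   tagged=frozenset({GUEST_VLAN}) if ap_port_tagged else frozenset())
    uplink = Port("access/uplink", pvid=DEFAULT_VLAN, tagged=frozenset({GUEST_VLAN}))
    core_downlink = Port("core/downlink", pvid=DEFAULT_VLAN, tagged=frozenset({GUEST_VLAN}))
    return [ap_port, uplink, core_downlink]


def guest_vlan_seen_at_core(ap_port_tagged: bool) -> Optional[int]:
    """The AP tags guest-SSID frames with VLAN 50; which VLAN does the core see them in?"""
    vlan, _ = forward(Frame("guest-ssid client", GUEST_VLAN), build_path(ap_port_tagged))
    return vlan


def normal_vlan_seen_at_core(ap_port_tagged: bool) -> Optional[int]:
    """Existing SSIDs stay untagged, so they ride the default VLAN whatever the guest tagging is."""
    vlan, _ = forward(Frame("staff-ssid client", None), build_path(ap_port_tagged))
    return vlan


def voip_and_pc_on_one_port() -> Tuple[Optional[int], Optional[int]]:
    """One desk port: PC untagged into VLAN 10, phone tagged into VLAN 20 (constructed example)."""
    desk = Port("access/desk", pvid=PC_VLAN, tagged=frozenset({VOICE_VLAN}))
    return desk.classify(Frame("pc", None)), desk.classify(Frame("phone", VOICE_VLAN))


if __name__ == "__main__":
    for tagged in (False, True):
        vlan, trace = forward(Frame("guest-ssid client", GUEST_VLAN), build_path(tagged))
        print(f"AP port tagged for 50: {tagged} -> core sees VLAN {vlan}")
        print("   " + " | ".join(trace))
```

Running the script shows the point of the thread in one place: with only the uplinks tagged, the guest frames the AP tags with 50 are dropped at the AP-facing port and never reach the core; tagging that port for 50 as well lets them through, while the untagged staff SSID traffic stays on VLAN 1 in both cases. The VoIP helper shows the same port carrying one untagged and one tagged VLAN, which is exactly the shape the AP port ends up with.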
I think I'll just start by tagging the uplink ports and take it from there - I'll have to wait until a quiet period as our Netgear kit is notorious for causing connectivity problems when you're tinkering around through the web interface!
Yeah - I liked the look of the HP kit. To be fair, we bought the Netgear stuff because it was cheap, came with a lifetime warranty (which has been honoured many times) and had the same functionality as the more expensive kit. It has its quirks but otherwise it's OK - it seems to be the bigger stacked units that throw a wobbly when changes are applied through the web interface!
I found using an old version of Firefox works best (I use version 2); get it from oldversion.com. I've crashed the Netgear interface too many times with IE.
Tagging doesn't cause any downtime here (GS724T).
It isn't best practice, but I'd just tag every port in the switch; it makes it much easier going forward if you want to add more WAPs around the school as it's just plug and play. It also saves the headache of not being able to just swap a WAP from one port to another without more config.
I just found it made life much easier when we did our Ruckus install.