VLANs Guest Access
I'm after some advice on setting up a VLAN for wireless guest access.
My network is currently flat with approx 600 devices, so there is quite a lot of broadcast traffic. I've been thinking about implementing VLANs for a while. I'm aware of how they work, but I'm not quite sure on the specifics of setting up the switches here to make it all work.
In the main we have 3com 4400 switches at the edge and 3com 5500g-ei switches at the core. I think this is all we need to make VLANs work across switches and with some kind of routing.
I would like to set up a VLAN for guest access with Ruckus and a separate VLAN for standard wireless. I'm aware Ruckus can do guest access without VLANs but I don't like the idea of my DNS and DHCP being contaminated with devices I don't control.
Am I correct in thinking that this can be done by changing the ports used by WAPs to be members of multiple VLANs (a trunk port?), assigning the SSIDs to VLANs in Ruckus, then trunking the uplink, and setting up the VLAN on the core switch?
Then to change the config on the core 3com 5500 switch; my understanding is:
- define the VLANs and what ip address ranges each have
- set the ports VLAN memberships
- setup dhcp forwarder
Do I need to setup rules (ACL?) to forward dns, etc?
Does anyone know of the CLI commands to set it up? I've downloaded the reference guide but I don't really want to experiment with the core switch.
I would also need to setup a dhcp range on the server and dns scopes
Have I missed anything?
Thanks for any assistance you can provide
Looks like you run almost the same setup as we have.
You must do the following on your edge switches (4400's):
* Create VLANs needed on that edge switch
* Assign VLANs to ports (untagged)
* Assign VLANs to your trunk ports (port connected to your core)... I assume VLAN 1 is used for management, so assign VLAN 1 UNtagged to that trunk port. Assign all other VLANs tagged to that trunk port.
Now the core switch (here is all routing done):
* Create VLANs on the core switch like:
    vlan 1
     description Default VLAN
    vlan 2
    vlan 3
* Create VLAN interfaces on the core switch like:
    interface Vlan-interface1
     ip address 10.200.0.2 255.255.0.0
    interface Vlan-interface2
     ip address 10.202.10.1 255.255.254.0
     dhcp-server 1
    interface Vlan-interface3
     ip address 10.202.12.1 255.255.254.0
     dhcp-server 1
* Note the dhcp-server command used.. this is your dhcp-forwarder.. now enter the command where the dhcp server can be found:
    dhcp-server 1 ip 10.202.200.201
* Assign VLANs to trunk ports (the port connected to your edge switch), e.g.:
    interface GigabitEthernet1/0/1
     port link-type trunk
     port trunk permit vlan 1 2 3
     broadcast-suppression pps 3000
* Now the ACLs are a different story and it depends on your network setup. If you want everybody to access every subnet then you do not need to do anything.. by default all traffic is allowed. If not then you need to create ACLs and assign the ACLs to the interfaces (use the packet-filter command).
Hope this helps somehow.
Thanks to bio for getting me started.
I've put some more time into this project and I've now:
- setup the core switch as above with the vlans ip etc
- setup a trunk port and can ping the core switch from vlan 2 via another uplinked switch
- setup additional dhcp ranges on the dhcp server
- set a route for 0.0.0.0 0.0.0.0 to go to the internet gateway so a PC on vlan 1 can now use the switch as a gateway and have internet access.
- I can ping the vlan 2 or 3 gateway addresses from a vlan 1 pc.
I can't seem to get DHCP working on the VLANs though. When I connect a test PC to an untagged VLAN 2 port I get a limited or no connectivity message because it receives no DHCP address. If I set a static address on the test computer, I can ping the core switch and the VLAN 1 gateway address (also the core switch) but no further. Internet and other services don't work either.
So lots of questions:
Any ideas on what I've missed?
Do I need to restart the core switch to get the DHCP relay running? How can I find out where the DHCP fault is occurring?
Do I need to create DNS zones / have separate DNS servers for the VLANs?
When I split Ruckus into VLANs should APs be connected to ports set as trunked or general tagged?
Thanks for any help you can provide, as I'm a bit stuck at the moment with what to try next.
I found a way to schedule the switch to restart so it isn't that.
I now think the problem is subnetting.
Vlan 2 has a subnet of 255.255.255.0 and vlan 1 has a subnet of 255.255.252.0.
So I think that I need to add routes into the switch to allow routing between these different subnets? Just not sure what routes are needed.
Can anyone advise if this could be why the DHCP doesn't work and devices are isolated in their own VLANs.
If the switch has interfaces with IP address on the VLANs it will generate a routing table automatically.
Is the DHCP helper pointing at the correct DHCP server? Can you post the switch config?
DHCP IP is correct - not sure if this is the problem though. If I set up a static IP I can't ping further than the core switch, but can ping other VLAN gateways on the switch. I can also ping within the VLAN if I use static IPs. It's like the VLANs are completely separated from each other, which would usually be useful, but not for what I'm trying to do..
Could it be the ACL entries? They are switch defaults as far as I'm aware.
I've attached the backup files of the current switch config.
the core switch is a stacked 3com 5500 SFP Switch(unit1) and a 5500G standard switch (unit2)
I've connected it to another edge switch on port interface GigabitEthernet1/0/7
interface GigabitEthernet2/0/20 is the one I've been using to test as well as a port on the edge switch.
vlan 11 is the vlan I'm testing at present, although I've also tried vlan10 with the same problem.
Does your DHCP server have a route to the other VLANs - is its gateway set to the switch IP (10.22.28.100)?
No, not at the moment. I've just checked and it's still pointing to the internet router rather than the core.
I'll make sure all the servers gateways are set correctly as soon as they all go home.
Originally Posted by HCC:
On your DHCP server you will need to create a scope for all your subnets, i.e. VLANs, so when DHCP is handing out addresses it knows which scope pool to provide IP addresses from.
I changed the default gateway on the DHCP server and the test PC got an address.:) Thanks James
The other servers became available as soon as I changed their gateways and the pings on the test computer now work as expected
Strange, because I thought to change the main DHCP options gateway when I added the extra scopes; I just forgot about the servers' static addresses. Must be all the snow distractions and teacher interruptions.
Now I've got to work out how to VLAN Ruckus. I've put the controller and a test AP on as general untagged members of the new VLAN (port is a member of multiple VLANs). Set up a test SSID with VLAN tagging in the advanced options but when I connect to it - limited or no connectivity. I thought the Ruckus bit would be easy.
Does anyone know the right settings for Ruckus - should the switch port be configured as a trunk? And does it need tagging at the switch?
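The DHCP fault above (server gateway pointing at the internet router, fixed by pointing it at the core switch) can be reasoned through with a small model. This is an added example, not from the thread or from 3Com; only 10.22.28.100/22 is taken from the posts, while the VLAN 11 gateway, the DHCP server address and the internet router address are assumed.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed model of this thread's topology. Only 10.22.28.100/22 (the core
# switch's VLAN 1 address) is from the thread; the rest are assumed values.
CORE_VLAN_INTERFACES = {1: "10.22.28.100/22", 11: "10.22.11.1/24"}
INTERNET_ROUTER_IP = "10.22.28.1"
DHCP_SERVER = "10.22.28.10/22"

def connected_routes(vlan_interfaces):
    """A layer-3 switch builds its routing table from its VLAN interfaces,
    so no static routes are needed for traffic between the VLANs."""
    return {vlan: ip_interface(addr).network for vlan, addr in vlan_interfaces.items()}

# What each candidate default gateway for the servers knows how to reach.
# The internet router only knows the VLAN 1 subnet; everything else goes upstream.
ROUTERS = {
    ip_interface(CORE_VLAN_INTERFACES[1]).ip: set(connected_routes(CORE_VLAN_INTERFACES).values()),
    ip_address(INTERNET_ROUTER_IP): {ip_network("10.22.28.0/22")},
}

def relay_giaddr(vlan):
    """dhcp-server on a VLAN interface relays with giaddr = that interface's IP."""
    return ip_interface(CORE_VLAN_INTERFACES[vlan]).ip

def dhcp_offer_returns(server_gateway, client_vlan, server=DHCP_SERVER):
    """True if the DHCP server can deliver its OFFER back to the relay agent.
    The relayed DISCOVER arrives unicast from giaddr, so the server replies to
    giaddr; when giaddr is off-subnet the reply goes via the server's default
    gateway, and only a gateway with a route to that VLAN can deliver it."""
    srv = ip_interface(server)
    giaddr = relay_giaddr(client_vlan)
    if giaddr in srv.network:
        return True  # relay agent is on the server's own subnet
    routes = ROUTERS.get(ip_address(server_gateway), set())
    return any(giaddr in net for net in routes)

def diagnose(server_gateway, client_vlan):
    """Plain-text verdict, as a helper for checking each server's gateway."""
    if dhcp_offer_returns(server_gateway, client_vlan):
        return "ok"
    return (f"DHCP server gateway {server_gateway} has no route to VLAN {client_vlan} "
            f"({relay_giaddr(client_vlan)}); point the server's gateway at the core switch")

if __name__ == "__main__":
    print(diagnose(INTERNET_ROUTER_IP, 11))  # the broken state from the thread
    print(diagnose("10.22.28.100", 11))      # after the gateway change
```

The same check applies to any server the VLAN clients must reach (DNS, proxy): an off-subnet reply only arrives if the server's gateway routes to that VLAN.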
Almost there ..
Haven't configured Ruckus stuff but I suspect you'll want to have your wireless controller and AP untagged on ports with a common VLAN for management purposes and have the ports on the switch tagged for your extra SSIDs (where you're setting the VLAN tagging on the SSID).
I've now got Ruckus working with the VLANs by setting the switch ports on the APs and controller to general: untagged VLAN 1, tagged guest and wireless VLANs.
Then the wireless clients got an ip in the right range and seem to be working.
During my testing, two questions:
1. DNS
At first I thought DNS wasn't working because pings didn't resolve, but then I remembered I've set the DHCP options for the VLAN with no DNS suffix. A ping with host.vlan1dnsdomain works.
Should I have a DNS zone just for guests? I tried to add a zone and different suffix to the VLAN but it didn't seem to work. (The test computer added a reverse lookup DNS entry but not a forward entry in the new zone.)
2. Internet access on guest VLAN
Whether I have a DNS suffix or not, I can only get on the internet using our local Smoothwall box on VLAN 1. I can't use our segfl proxy address like I can on any computer on VLAN 1.
While this doesn't really matter for what I want to achieve it confuses me why it doesn't work.
There is only one default 0.0.0.0 route on the routing table of the switch. Is one needed for each vlan?