VLAN for Guest Wireless
Having recently had a new wireless system installed at the school, which I have to admit works a treat for the existing domain equipment, I am looking to branch out and set up guest wireless access for staff/students/visitors. The APs have been configured with 2 SSIDs, one for Domain and one for Guests, which are set on the APs for the default VLAN and a GUEST VLAN. We have also had a new proxy installed for the internet access, which can be set for open authentication so not requiring any link to AD accounts. Now that was the easy bit, now comes my problem of configuring the switches.
The network uses all HP ProCurve managed switches with 2 x 5412zl switches forming a backbone between the main building (Cab B) and a new building with the servers and some classrooms (Cab A). The APs are connected to the core switches and edge switches which are 2510G-24 models. The edge switches are linked back to Cab B by fibre which is currently trunked to give 2 Gig links.
Now I've started the ball rolling by creating a GUEST VLAN (VLAN 2) on all of the edge switches and the two main switches. My next step is to get my head around tagging and trunking. My understanding is that I need to tag all the ports connected to the APs to VLAN 2 so that the traffic can be routed depending on SSID to one of the two VLANs. My question is how to route the VLAN 2 traffic to a new proxy which we have had installed by the LEA which will act as DHCP for a private network and also give internet access, separate from the domain network.
I'm still in the research phase but as the holidays are slipping away any assistance would be much appreciated.
Unfortunately, with no prior knowledge of VLANs this is a major learning curve, but an ideal opportunity to learn a new skill.
It sounds like you are on the right track. You need to "tag" the new vlan on all ports connecting either switch to switch (uplinks) or to the APs themselves. Put the new proxy on a port that is untagged on the new vlan. Think of the new vlan as a separate network: when you tag a port you turn the cable into two, one for each vlan; assigning a port as untagged makes it act as if it was on the separate network.
Thanks robk. I have tagged all the switch ports that connect directly to the APs to use VLAN 2. If I read you right, do I also need to tag the trunk uplink ports between switches to VLAN2 also?
Originally Posted by robk
At present, looking at the switches, the VLAN2 does not have any settings for IP address; does this option need configuring? If the VLAN2 is a separate network it will use its own subnet and gateway; would the new proxy be the gateway?
Have manually set IP addresses for all the switches on the VLAN2 to the new private address range and subnet. Still can't see how the VLAN2 (Guest SSID) traffic will route from the APs to the new proxy. Still have some way to go yet methinks, but any suggestions welcome.
Ah, think of vlan 2 as an old unmanaged network. Your router will give the network addresses etc. so you don't need to worry about switch addresses in this case.
Simple rule: if a port carries more than one vlan it needs to be tagged.
A port can belong to any one vlan in an untagged state.
Uplinks are normally tagged with all vlans that are needed on all switches.
Draw a simple map; use different colours for each vlan.
Where you have two colours tag the appropriate vlans.
Originally Posted by m25man
Useful info, like the map idea.
Still unsure of routing GUEST traffic to our second proxy even though they are all now on the same VLAN.
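Added example, not part of the thread: the "draw a map" advice and the tagging rules above, written as a Python check that VLAN 2 is carried at layer 2 from every AP port to the proxy's untagged port. The switch names, port labels, link list and proxy port are constructed assumptions, with one edge uplink deliberately left without the VLAN 2 tag.

```python
from collections import deque

GUEST = 2  # GUEST VLAN ID used in the thread
def port(untagged=None, tagged=()):
    return {"untagged": untagged, "tagged": set(tagged)}

# Constructed topology: switch names, port labels and proxy port are assumptions.
PORTS = {
    "CabA":  {"A24": port(1, [2]), "C1": port(2)},   # C1: guest proxy, untagged
    "CabB":  {"A24": port(1, [2]), "A1": port(1, [2]),
              "A2": port(1, [2]), "B3": port(1, [2])},
    "Edge1": {"24": port(1, [2]), "5": port(1, [2])},
    "Edge2": {"24": port(1), "5": port(1, [2])},     # uplink lacks the VLAN 2 tag
}
LINKS = [(("CabA", "A24"), ("CabB", "A24")),
         (("CabB", "A1"), ("Edge1", "24")),
         (("CabB", "A2"), ("Edge2", "24"))]
APS = [("CabB", "B3"), ("Edge1", "5"), ("Edge2", "5")]
PROXY = ("CabA", "C1")

def mode(ports, end, vlan):
    """How a (switch, port) end carries the VLAN: 'tagged', 'untagged' or None."""
    p = ports[end[0]][end[1]]
    return "tagged" if vlan in p["tagged"] else "untagged" if p["untagged"] == vlan else None

def broken_links(ports, links, vlan):
    """Links whose two ends disagree on how (or whether) they carry the VLAN."""
    return [ln for ln in links if mode(ports, ln[0], vlan) != mode(ports, ln[1], vlan)]

def switches_reaching(ports, links, vlan, start):
    """Breadth-first walk over links that carry the VLAN the same way at both ends."""
    good = [ln for ln in links if mode(ports, ln[0], vlan)
            and mode(ports, ln[0], vlan) == mode(ports, ln[1], vlan)]
    seen, queue = {start}, deque([start])
    while queue:
        sw = queue.popleft()
        for a, b in good:
            for here, there in ((a, b), (b, a)):
                if here[0] == sw and there[0] not in seen:
                    seen.add(there[0])
                    queue.append(there[0])
    return seen

def stranded_aps(ports, links, vlan, aps, proxy):
    """AP ports whose guest frames cannot reach the proxy port at layer 2."""
    if mode(ports, proxy, vlan) != "untagged":
        return list(aps)  # proxy port is not an untagged member of the VLAN
    ok = switches_reaching(ports, links, vlan, proxy[0])
    return [ap for ap in aps if mode(ports, ap, vlan) != "tagged" or ap[0] not in ok]
```

On this constructed topology `broken_links` reports the CabB A2 to Edge2 24 uplink and `stranded_aps` reports the AP on Edge2 port 5; tagging VLAN 2 on that uplink clears both.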