Re: 765zl - multiple guest vlans?

Tom Leach
Advisor

765zl - multiple guest vlans?

Hi, I'm trying to create a setup similar to the corp/guest doc in the KB, but with guest/guest VSCs instead. I have two classes of guest, one with slightly fewer restrictions. I want both VSCs to be access controlled and all data for both VSCs sent over the client tunnel. I plan on creating two VLANs and setting the egress mapping of the VSCs to the separate VLANs. The restrictions will be applied via ACLs on the IPs assigned to the VLANs on the Internet side of the MSM.

So far, everything is clear; my problem is with the configuration of the 5412zl switch and the VLANs for the Internet port (5412 slot/port C1). During my initial tests, C1 was just untagged in the 5412 Default VLAN and the VSC egress was just set to . Now that I've set the VSC egress to one of the guest VLANs, I'm not clear how I should configure the 5412 VLANs.

Do I leave C1 in the default VLAN as tagged and also tag it to the Guest1 VLAN? Do I remove it from the default VLAN and set it as untagged in the Guest1 VLAN?
So far, everything I've tried has terminated access to the MSM.
I guess what I'm looking for is a setting that would be set on ServiceController>Network/Ports/InternetPort where I could assign it a VLAN tag. That way, I could still access the MSM but have both guest VLANs be controlled via ACLs.

The LAN port (5412 slot/port C2) is in a RADIO VLAN and only contains the APs. The rest of the network should be accessible via the Internet port (C1).
Thanks!
Tom
Fred!
Trusted Contributor

Re: 765zl - multiple guest vlans?

You need to set up 2 VLANs for your Guest1 and Guest2 VSCs inside the controller. Go to the Service Controller >> Network page and you should see a VLAN table below the port table. Add your 2 VLANs there with the proper names (Guest1 and Guest2, for example), tags, and IP connectivity (and whether you want your users to be NATed after being access controlled or not).

Then you can assign these VLANs into your corresponding VSCs as the egress interface.

Now in your switch I kind of guess that you are using the untagged interface to manage the product through the Internet port. You will need to maintain that untagged path to the product if you plan on continuing to manage the product that way. Then you will need to create 2 VLANs within your switch to match the egress mapping of the VSCs (Guest1 and Guest2).
Tom Leach
Advisor

Re: 765zl - multiple guest vlans?

As a follow-up, I wasn't clear in my post on where the VLANs were created.
In ServiceController>Network>Ports, I have two VLANs: DEFAULT_VLAN on the Internet port with an ID of 1 and no IP address, and a Guest1 VLAN on the Internet port with an ID of 1011 and a static IP address assigned in my public IP space.
The IDs and names match the 5412 VLANs.
VSC Guest1 has all three egress VLANs assigned to the Guest1 VLAN.

Also, in case it matters, I manage the MSM via a system connected on the Internet port.
Tom
Tom Leach
Advisor

Re: 765zl - multiple guest vlans?

Fred, the key was to leave the port untagged in the switch default VLAN and tagged in the guest VLANs. I've got that set up now, but as a test, I need to route the two guest VLANs directly (no ACLs yet) to the default VLAN. The problem is that all 3 of the VLANs on the switch are in the same public IP subnet (I only have one subnet, which would be very difficult to break up). The problem is that the guest VLANs need to have public IP addresses so they can go onto the Internet past my router.
Tom
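The switch-side tagging Tom says was the key (port C1 untagged in the switch default VLAN and tagged in each guest VLAN) written out as an added ProCurve 5400zl CLI example; this is not configuration from the thread or from HP. VLAN 1 / DEFAULT_VLAN and VLAN 1011 / Guest1 come from Tom's posts; VLAN 1012 / Guest2 is an assumed placeholder ID, since the thread never gives the second guest VLAN's ID.

```text
; Added example, not from the thread. Port C1 is the link to the MSM
; Internet port. Management traffic stays untagged (VLAN 1), so the
; untagged path to the controller is preserved; each guest VLAN rides
; the same port tagged, matching the VSC egress mapping in the MSM.
vlan 1
   name "DEFAULT_VLAN"
   untagged C1
   exit
vlan 1011
   name "Guest1"
   tagged C1
   exit
; 1012 is an assumed placeholder ID for the second guest VLAN.
vlan 1012
   name "Guest2"
   tagged C1
   exit
```

To verify, `show vlans` should list C1 as Untagged in VLAN 1 and Tagged in 1011 and 1012, and `show vlans 1011` should show only the ports you intend in the guest VLAN. Remember that, as Fred points out later, the controller routes between these VLANs, so the guest VLANs need their IP addressing (or NAT) defined on the MSM side, not on the switch.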
Shadow13
Respected Contributor

Re: 765zl - multiple guest vlans?

Create another VLAN on the LAN port; don't assign an IP address to it.

Put this VLAN as ingress in the Guest VSC and tag the ports of the AP and the controller in this VLAN.

In the group where you have the binding to the VSC, edit the binding, check "use egress VLAN" and put the ID of the newly created VLAN (used as ingress of the VSC).

Now in the Guest1 VLAN that has the public IP address and that you assigned as egress, enable NATing.

This should work.

Make sure you uncheck "Wireless security filters" and enable the DHCP server in the controller.
Fred!
Trusted Contributor

Re: 765zl - multiple guest vlans?

To Shadow13: The issue is that I believe Tom is using the data tunnel to force the guest traffic through the network (he posted that on a separate thread). Having VLANs on the LAN port will not necessarily help because the traffic will be encapsulated inside that data tunnel, carried on what is most likely the untagged interface.

To Tom: I see several things. First, I think the default VLAN ID 1 that you have created inside the controller does not do anything. I understand that you probably want to match this configuration with your switch configuration. But the problem is that most switches fake/use VLAN ID 1 internally for what is actually untagged traffic. In other words, the untagged traffic received on the switch port will be internally mapped inside the switch to the group VLAN ID 1 (at least that's what it is doing on Cisco switches and a couple of others; I don't know about the 5412). The reason why I'm saying that it does not do anything is that you don't have any IP address assigned to it. So clearly that is not the interface used to manage your product. I would guess that if you delete that default VLAN ID 1 from the MSM controller, you won't see any difference.

Now, you need to understand that the MSM controller is primarily a router. It routes traffic from the LAN to the Internet port side and vice versa. Therefore it kind of needs different subnets to be able to have different/unique routes and to properly route traffic from one side of the network to the other side of the network. By playing with the egress of the VSC you can force traffic to be routed on a particular route, but if all your VLANs are on the same subnet I'm afraid you will have a hard time making this work. The VLANs are really used to segment the broadcast domains and the network into different subnets. For an L2 switch product, having VLANs on the same subnet does not matter much, but for a router (which is what the MSM controller is, primarily), it is a problem as the routes are not clearly segmented.

If I understand correctly, for your test you want all traffic to go untagged on the Internet port. Therefore, to do your test, you will have to select "default" as your egress mapping for the VSC. This means that all traffic will be routed using the default routing table. In theory, the untagged interface will be the first in the list of routes (unless you have overridden the routing table with some other routes).

Now you are also talking about having public IP addresses for your clients, which is a different problem. Shadow13 proposed to have NATing enabled on your guest VLANs, which would mean that your clients will get private IPs from the MSM controller DHCP and then will be NATed on the Internet port. The other way would be to configure the MSM controller for DHCP relay and to relay your DHCP requests to your external DHCP server. That way the clients will get their IPs on the proper subnet, not a private subnet. So again, here it all depends on how you want your client traffic to appear on the Internet port: whether you want the client IP to be preserved (therefore you will have to use DHCP relay) or if you can have the clients all seen as a single IP address (which will be the controller's one, with NATing).
Shadow13
Respected Contributor

Re: 765zl - multiple guest vlans?

Fred, you have great knowledge about MSM :) Where do you work exactly? Because I have a doubt ;)