Simple VLAN issues
07-22-2008 05:03 AM
Default VLAN (employees) is VLAN1 and guest is VLAN4.
I have attached a network diagram, please take a look.
Guests should only be able to connect to the wireless access point and use the internet and not anything else.
The access point is set up with different SSIDs for VLAN1 and VLAN4.
Server 2000 is the DHCP server for guests, but also the file server for employees. It has two NICs (VLAN aware) and VLAN software installed. The DHCP server is set up on the VLAN4 NIC.
I have done a little VLAN configuration on the switches using the web interface, but both switches froze my browser and now I can't ping them (the switches work fine though), so I guess I'm going to use the serial CLI or reboot the switches.
The help I need is about whether to use tagging or not. I don't really understand this yet.
07-22-2008 08:33 AM
Solution
With the 4200 and the current scenario, my suggestion is:
- Create all your VLANs on the 4200.
- Tag F7 (attached to the AP420) with VLANs 1 and 4.
- Create 2 SSIDs with the VLANs tagged on each accordingly.
Now, I'm not sure who is doing the routing there.
However, since you need some security features, I would suggest:
- In your DHCP server that assigns IPs to guests, make the default gateway the Juniper firewall, and there you can simply create an access policy that allows guests to access ONLY the internet.
- If the routing is done on the 4200, then of course in this case you must make the firewall aware of the VLAN4 IP subnet (there are many ways of doing this, but the simple way is by using a secondary IP on the firewall interface).
The case could be more simple or complicated, and it really depends on the configuration you've done in the network.
If I had a choice to do this network, then:
I would keep it as simple as possible:
- Create VLAN4 ONLY on the 4200 (without IP).
- Connect the AP to the 4200.
- Use a free Ethernet port on the Juniper firewall to connect to the 4200 (untagged in VLAN4).
- Create a DHCP scope for VLAN4 on the Juniper firewall.
- Create a security zone with the respective security policies.
In this case, you will achieve:
- A very secure network.
- VLAN4 will never interfere with the LAN.
- Routing is not done on the 4200, and you can just keep it working on an L2 basis.
- Use one of the free 8 Ethernet ports on the SSG140 :)
And if you want it more simple, then just connect the 420AP directly to the SSG and do the above mentioned configuration.
Good Luck !!!
07-22-2008 10:51 PM
Re: Simple VLAN issues
Routing is done on the Juniper firewall, which is the default gateway.
I guess the most simple and secure option would be buying another access point and connecting it directly to the Juniper, but it costs money :)
I think I will try connecting the 4200 directly to a free port on the Juniper; I didn't even think of that before.
Let's say I connect port F8 of the 4200 to the Juniper firewall (F7 is still connected to the AP). Should F8 be untagged and F7 still tagged with VLAN1 and VLAN4?
07-23-2008 12:04 AM
Re: Simple VLAN issues
Since routing is done on the SSG140, it will be quite simple:
- The 4200 port connected to the AP must be tagged with the 2 VLANs.
- Connect another free port on the 4200, untagged in the guest VLAN, to a free port on the SSG140.
- Create a DHCP scope on the SSG140 for guests and a security policy to connect to the Internet ONLY.
Now what will happen:
- If a staff member connects to the AP, they will get an IP from your DHCP server, with a default gateway of the SSG140 (as it shows in your drawing), and it will work fine.
- If a guest connects to the AP, they will get an IP from the SSG140 and access the Internet.
Notice that:
- Staff traffic is going to the first Ethernet port on the SSG140.
- Guest traffic will go through the second Ethernet port on the SSG140.
The network is now secure,
with no interference between the traffic of both VLANs.
And life is good :)
Good Luck !!!
07-23-2008 04:17 AM
Re: Simple VLAN issues
Port F7 is tagged for VLAN1, but whenever I tag it for VLAN4 I lose the connection to the AP.
I don't understand why a port has to be tagged or untagged in at least one VLAN.
Please take a look at the attached running configuration and tell me if there's something wrong.
Again, thank you very much.
07-24-2008 12:01 AM
Re: Simple VLAN issues
The port must be untagged in one VLAN (not more or less), because it has to be a member of one VLAN.
Tagged means it will carry other VLANs across, so you MUST untag a port in one VLAN, and you can tag the same port in many other VLANs.
Back to your scenario:
What I see here is that you've enabled routing on the 4200, and it just doesn't make sense to me, since you need some control on this traffic, which the 4200 doesn't support.
- Disable routing on the 4200.
- Tag VLAN1 and VLAN4 on F7 and E1.
- Create a DHCP scope for VLAN1 on your server with the default gateway as your SSG140 (in the VLAN1 subnet).
- Drop the DHCP scope for VLAN4 on your Server 2000.
- Connect a free port from the 4200, UNTAGGED in VLAN4, to a free port on the SSG140.
- Create a DHCP scope and security policies on the SSG; in this case you need at least 4 policies:
1- Traffic from VLAN1 to the Internet: allowed.
2- Traffic from VLAN1 to VLAN4: allowed (so you can manage VLAN4 and access the guest VLAN).
3- Traffic from VLAN4 to the Internet: allowed.
4- Traffic from VLAN4 to VLAN1: not allowed.
In this case, your SSG140 acts as:
- Router between both VLANs.
- Firewall with certain security policies.
- DHCP server providing IPs to VLAN4.
- In the future you can depend on this box for more scalability and network enhancement.
I guess this is a very clear scenario and simple at the same time;
just try to imagine this topology in your mind. This imagination gives you a full understanding of how this network should work, and with time, you will practice imagining how the traffic will flow in the network :)
Good Luck !!!
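The tagged/untagged port rule and the suggested 4200 layout from the reply above, modelled in Python as an added example (not code from the thread, HP or Juniper). F7 and E1 tagged in VLANs 1 and 4 follow the reply; F8 as the untagged VLAN4 handoff to the SSG140 follows the original poster's proposal; port F1 as an untagged staff PC port, a port with no untagged VLAN dropping untagged frames, and flooding to every VLAN member (unknown destination) are assumptions.

```python
"""Layer-2 model of 802.1Q port membership on the 4200, as discussed in the thread."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    untagged: Optional[int]                     # VLAN assigned to frames arriving without a tag
    tagged: Set[int] = field(default_factory=set)  # VLANs carried across this port with a tag


# Constructed membership table: at most one untagged VLAN, any number of tagged VLANs.
PORTS: Dict[str, Port] = {
    "F7": Port(untagged=None, tagged={1, 4}),   # trunk to the AP420 (per the reply)
    "E1": Port(untagged=None, tagged={1, 4}),   # second tagged port named in the reply
    "F8": Port(untagged=4),                     # guest VLAN handoff to the SSG140 (OP's proposal)
    "F1": Port(untagged=1),                     # assumed staff PC port on the default VLAN
}


def ingress_vlan(port: str, tag: Optional[int]) -> Optional[int]:
    """Classify an arriving frame into a VLAN; None means the switch drops it."""
    p = PORTS[port]
    if tag is None:
        return p.untagged                       # no untagged membership -> frame dropped
    return tag if tag in p.tagged else None     # tag must match a tagged membership


def forward(in_port: str, tag: Optional[int]) -> Dict[str, bool]:
    """Flood a frame to every other member of its VLAN.

    Returns {egress_port: True if it leaves with an 802.1Q tag, False if untagged}.
    """
    vlan = ingress_vlan(in_port, tag)
    if vlan is None:
        return {}
    out: Dict[str, bool] = {}
    for name, p in PORTS.items():
        if name == in_port:
            continue
        if p.untagged == vlan:
            out[name] = False                   # access member: tag stripped on egress
        elif vlan in p.tagged:
            out[name] = True                    # trunk member: tag kept on egress
    return out


if __name__ == "__main__":
    print("guest frame from AP:", forward("F7", 4))   # reaches E1 (tagged) and F8, never F1
    print("untagged frame from AP:", forward("F7", None))  # dropped: F7 has no untagged VLAN
```

Running it shows why guest traffic from the AP only ever leaves toward the SSG140 port and the other trunk, and why a tagged frame injected on the staff port F1 for VLAN4 is dropped rather than crossing into the guest VLAN.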