Switches, Hubs, and Modems
1748202 Members
3174 Online
108759 Solutions
New Discussion юеВ

Re: Simple VLAN issues

 
SOLVED
Go to solution

Simple VLAN issues

I have a nice working network with only one VLAN at the moment. I have started to create another VLAN for guests to use the internet from their wireless laptops.
Default VLAN (employees) is VLAN1 and guest is VLAN4.

I have attached a network diagram, please take a look.

Guests should only be able to connect to the wireless access point and use the internet and not anything else.

The access point is setup with diffent SSID's for VLAN1 and VLAN4.

Server 2000 is DHCP server for guests, but also file server for employees. Has two NICs (VLAN aware) and VLAN software installed. DHCP server is setup to the VLAN4 NIC.

I have done a little VLAN configuration on the switches using the web interface, but both switches freezed my browser and now i can't ping them (the switches works fine though) so i guess i'm going to use the serial CLI or reboot the switches.

The help i need is about whether to use tagging or not. I don't really understand this yet.
5 REPLIES 5
Mohieddin Kharnoub
Honored Contributor
Solution

Re: Simple VLAN issues

Hi

With the 4200, and current scenario, my suggestion is:

- Create all your Vlans on the 4200.
- Tag F7 (attached to AP420) with Vlans 1,4
- Create 2 SSIDs with Vlans tagged on each accordingly.

Now, i'm not sure who is doing the routing there,
However, since you need some security features so i would suggest:

-In your DHCP server that assigns IPs to guests, make the default gateway is the Juniper Firewall, and you can there simply create an access policy that allows Guests to access ONLY internet.
- If the routing is done on the 4200, then Of course in this case, you must make the Firewall aware of the Vlan4 IP Subnet (There are many ways of doing this, but the simple way by using a secondary IP on the Firewall interface)

The case could be more Simple or Complicated, and it really depends on the configuration you've done in the network.

If i had a choice to do this network then:
I will keep it as simple as possible,
- Create Vlan4 ONLY on the 4200 (without IP).
- Connect the AP to the 4200.
- Use a Free Ethernet port on the Juniper Firewall to connect to the 4200 (untagged to Vlan4).
- Create a DHCP scope for Vlan4 on the Juniper Firewall.
- Create a Security Zone with respective security policies.

In this case, you will achieve:
- Very secure Network.
- Vlan4 will never Interfere with the LAN.
- Routing is not done on the 4200, and you can just keep it working on L2 basis.
- Use one of the free 8 Ethernet ports on the SSG140 :)

And if you want it more Simple, then just connect the 420AP directly to the SSG and do above mentioned configuration.

Good Luck !!!



Good Luck !!!
Science for Everyone

Re: Simple VLAN issues

Thanks for the answer, it's very appreciated!

Routing is done on the Juniper firewall which is default gateway.

I guess the most simple and secure would be buying another access point and connect it directly to the juniper, but it costs money :)

I think i will try connecting the 4200 directly to a free port on the juniper, i didn't even think of that before.

Lets say i connect port F8 of the 4200 to the juniper firewall (F7 is still connected to the AP). Should F8 be untagged and F7 still tagged with vlan1 and 4?
Mohieddin Kharnoub
Honored Contributor

Re: Simple VLAN issues

Hi

Since routing is done on the SSG140, then it will be quit simple:

- The 4200 Port connected to the AP must be tagged with 2 Vlans.
- Connect another free port on the 4200 Untagged to Guest Vlan to a free port on the SSG140.
- Create a DHCP scope on the SSG140 for Guests and a security policy to connect to Internet ONLY.

Now what will happen:
- If a Staff connected to the AP, it will get its IP from your DHCP server, with a default gateway of the SSG140 (as it shows in your drawing) and it will work fine.
- If a guest connected to the AP, it will get an IP from the SSG140 and access the Internet.

Notice that:
- Staff traffic is going to the First Ethernet port on the SSG140.
- Guest traffic will go through the Second Ethernet port on the SSG140.

Network is now Secure,
No interference between both Vlans Traffic.
And life is good :)

Good Luck !!!
Science for Everyone

Re: Simple VLAN issues

It doesn't seem to work.

Port F7 is tagged for VLAN1 but whenever i tag it for VLAN4 i loose the connection to the AP.

I don't understand why a port has to be tagged or untagged in at least one VLAN.

Please take a look at the attached running configuration and tell me if there's something wrong.

Again, thank you very much.
Mohieddin Kharnoub
Honored Contributor

Re: Simple VLAN issues

Hi Kasper

The Port must be Untagged to one Vlan (not more or less) because it has to be a member of one Vlan.

Tagged, means, it will carry other Vlans across, so you MUST untag a port in one Vlan, and you can Tag the same port on many other Vlans.

Back to your scenario:
What i see here is you've enabled the Routing on the 4200, and it just doesn't make sense to me since you need some Control on this traffic which the 4200 doesn't support it.

- Disable Routing on the 4200.
- Tag Vlan1,4 on F7 and E1.
- Create a DHCP Scope for Vlan1 on your Server with default gateway as your SSG140 (in Vlan1 subnet).
- Drop the DHCP scope for Vlan4 on your Server2000.
- Connect a Free port from the 4200 UNATGGED to Vlan4 to a Free port on the SSG140.
- Create a DHCP scope and Security policies on the SSG and in this case you need at least 4 Policies:

1- Traffic from Vlan1 to Internet Allowed.
2- Traffic from Vlan1 to Vlan4 Allowed (So you can manage Vlan4 and access Guest Vlan).
3- Traffic from Vlan4 to Internet Allowed.
4- Traffic from Vlan4 to Vlan1 is Not allowed.

IN this case, your SSG140 acts as:
- Router between both Vlans.
- Firewall with certain security policies.
- DHCP server provides IPs to Vlan4.
- In the future you can depend on this box for more Scalability and network enhancment.

I guess this is a very clear scenario and simple in the same time,
just try to Imagine this Topology in your mind, this imagination gives you a Full Thought how this network should work, and by the time, you will practice to imagine how the traffic will flow in the network :)

Good Luck !!!
Science for Everyone