SonicWALL = Guest Wireless, VLANs, and DHCP
All, I'm going to attempt to set up corporate and guest WIFI using Ubiquiti UniFi APs. I'm new to VLANs in general but understand that this is the likely approach. The equipment that I will be using is below:
- SonicWALL TZ-400 configured for PTP VPN to a SonicWALL E6500
- Ubiquiti toughswitch just for the APs
- 4 Ubiquiti APs
The SonicWALL E6500 (central location) does DHCP over VPN to all of the remote offices such as where this TZ-400 will be. I'm struggling with how to handle DHCP. If I set up VLANs, say VLAN 10 for corporate to pull DHCP as normal and VLAN 20 for guest WIFI, how can I tell VLAN 20 to get a different range of IPs so that I can restrict it from the corporate network range? The toughswitch would be using its own interface on the TZ400. Does what I'm trying to accomplish make sense, and is it possible?
This topic first appeared in the Spiceworks Community
Setup: Sonicwall TZ205. Created a sub-interface, X0:V100, with an IP address of 10.45.1.1. Created a DHCP scope for said IP range associated with X0:V100 within Sonicwall.
Three Netgear switches:
A. 24 Port + 4 SFP
B. 24 Port + 4 SFP
C. 48 Port + 4 SFP
1. Sonic wall connected to switch C on port 1
2. Switch C connected to switch B using port 47
3. Switch B connected to switch C using port 23
4. Switch B connected to switch A using port 25 (GB SFP over fiber)
5. Switch A connected to switch B using port 25 (GB SFP over fiber)
6. Ubiquiti AP connected to switch A on port 2
VLAN 1 – default
· All ports on all switches are untagged for default VLAN 1
VLAN 100 – meant for wireless guests
· Ports 2 and 25 are Tagged for V100 on switch A – all other ports are blank for V100
· Ports 23 and 25 are Tagged for V100 on switch B – all other ports are blank for V100
· Ports 1 and 47...
Similar Messages
-
Hello,
Designing a configuration for a Wireless solution. Have a 2951 with SRE-WLC and 4 port switch module. The documentation at
http://www.cisco.com/en/US/docs/wireless/controller/controller_modules/sre/installation/guide/wlcsreinst.html#wp1072942 raised a couple of questions. The exact part of the diagram from the documentation is attached.
The question is that VLANs configured on the SRE-WLC and the ones configured on the local switch belong to different subnets. Why? For example on SRE-WLC VLAN 20 - 55.20.0.0/24, but on the switch - VLAN 20 - 20.1.1.0/24. Why?
Thanks!
Hi George,
Today i tried implementing APs on different VLAN than MGMT. Here is what I got:
1. New out-of-box APs didn't join the WLC once placed directly in the APs VLAN. However, they were able to join the WLC once I put them back in the MGMT VLAN. They upgraded their IOS from the WLC and joined completely. After that I moved them back to the APs VLAN and they started to join. So, here is the procedure: open a new AP from the box, connect it to the MGMT VLAN, wait for it to join the WLC and then move it to the APs VLAN. This is a little bit strange. Also I noticed that they were unable to join the WLC even on the MGMT VLAN if the MGMT VLAN is tagged on the WLC and that tagged VLAN is allowed on the trunk. I have the WLC on SRE, MGF trunk, VLANs and DHCP pools with option 43 configured. Will continue to investigate tomorrow.
2. What was the most difficult and problematic issue is that the LED was disabled on all APs after joining the WLC. I had been thinking that there was an error, but only then found that APs by default turn off the LED after joining the WLC. Issuing config ap led-status enable all on the WLC solved the problem.
3. Also I regularly have been receiving
%PARSER-4-BADCFG: Unexpected end of configuration file.
during the AP joining the WLC. Don't know why. My APs are LAP1041n.
Anyways, will continue digging tomorrow, hopefully will find a stable solution. My ideal solution will be:
1. WLC Management is on MGMT VLAN - tagged vlan 20, static IP assignments.
2. APs on separate AP VLAN - tagged vlan 15 - dynamic IP assignments from DHCP pool on ISR with option 43.
3. Clients are on separate USERS VLAN - tagged vlan 10
The native VLAN will be other VLAN - VLAN 25. -
I am trying to configure my Aironet 1121G access points with several VLANs. I got the VLANs all working fine with wired devices, but the wireless devices don't get DHCP.
Basically, I have the BVI on my management VLAN and two other VLANs that pass through, trying to have the public WiFi on one VLAN and two corporate VLANs with separate WiFi. I can't get IPs on any of them though.
VLANs are routed by a Catalyst 3550 with helper addresses configured on all the VLAN interfaces.
DHCP comes from 2 Windows Server 2003 boxes on a further VLAN.
Any ideas?
Vinod,
Here is the AP config. I'm confused, so any help would be useful; got to get a wireless course under my belt.
Cheers,
Peter
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname IT_AP1121G_01
no logging console
enable secret
ip subnet-zero
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 vlan-name Corporate vlan 3
dot11 vlan-name Default vlan 1
dot11 vlan-name Managment vlan 2
dot11 ssid stosWIFI
vlan 1
authentication open
guest-mode
mbssid guest-mode
infrastructure-ssid optional
mobility network-id 1
dot11 ssid stoswaldsWIFI
vlan 3
authentication open eap eap_methods
mobility network-id 3
username admin privilege 15 secret 5 $1$.dBF$jstGCUjGPaD6OQ/JVmZEY1
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
shutdown
encryption key 1 size 128bit 7 0D1A262E215F252C7E5A2D6A6498 transmit-key
encryption mode wep mandatory
encryption vlan 1 key 1 size 128bit 7 DA303E012047F6068707FC131B4A transmit-key
encryption vlan 1 mode wep mandatory
encryption vlan 3 mode wep mandatory
ssid stosWIFI
ssid stoswaldsWIFI
mbssid
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
channel 2412
station-role root
world-mode dot11d country GB both
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 254
bridge-group 254 subscriber-loop-control
bridge-group 254 block-unknown-source
no bridge-group 254 source-learning
no bridge-group 254 unicast-flooding
bridge-group 254 spanning-disabled
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
bridge-group 3 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
interface FastEthernet0.1
encapsulation dot1Q 1
no ip route-cache
bridge-group 254
no bridge-group 254 source-learning
bridge-group 254 spanning-disabled
interface FastEthernet0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
no bridge-group 3 source-learning
bridge-group 3
interface FastEthernet0.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 192.168.2.33 255.255.255.0
no ip route-cache
ip default-gateway 192.168.2.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
logging trap notifications
logging
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
control-plane
bridge 1 route ip
line con 0
password
line vty 0 4
password
line vty 5 15
end -
hi,
I am trying to setup a guest WLAN using a local controller and a controller in my DMZ using the mobility-anchor configuration.
Ideally I'd like to use an external DHCP server in my DMZ, but for now, I'd be happy getting the local DHCP server on the DMZ controller working.
Local Controller config
Configured mobility-groups, verified mobility group is working
Created WLAN called "guest" - assigned it to the management interface.
Have tried the following with regards to DHCP on this WLAN.
Set it to "override" and specified the DMZ controller's management interface
Set DHCP to "assignment required" and specified the DMZ controller's management interface for the DHCP server for the local controller's management interface
Left DHCP server blank on the local controller's management interface
Setup the DMZ controller as the mobility anchor for the "guest" WLAN
DMZ controller config
Configured mobility-groups, verified mobility group is working
Created WLAN called "guest"
Created a dynamic interface called "guest" associated to the "guest" WLAN
Setup mobility anchor for the "guest" interface, mobility-anchor = local controller
Created an internal DHCP server scope and enabled it
Have tried the following with regards to DHCP on the "guest" WLAN
Set DHCP to "assignment required" and specified the IP address of the controllers management interface as the DHCP server on the "guest" dynamic interface
Set DHCP to "assignment required" and specified the IP address of the controllers "guest" dynamic interface as the DHCP server on the "guest" dynamic interface
Set DHCP to "override" and specified the DMZ controller's management interface IP
Set DHCP to "override" and specified the DMZ controller's "guest" interface IP
After all this, my client still cannot get an IP address via DHCP. I verified the client is associating to the AP.
Any help would be appreciated.
Thanks
Lee
On the DMZ controller, what is the output of debug client <mac address of the client>? You may also want to capture debug mobility handoff enable from both WLCs.
For the guest, the DHCP is going to come from the DMZ controller, so there is no real need to configure anything on the internal WLC. One thing of note: the WLAN config on both the DMZ and Internal must match exactly, with the exception of the linked interface, otherwise you will not anchor.
While running the debug, show dhcp proxy; for the WLC to be the DHCP server, proxy needs to be enabled. -
OK, I'm a bit confused about what to do with the native VLAN. I know that for QoS/CoS, I should not use VLAN1 as the native VLAN. I also know that I should use a separate VLAN as the management VLAN. So I'm left thinking, do I need a native VLAN? If I do, can I just make a dumb VLAN that goes nowhere and use that as the native VLAN? Or am I just completely missing something. Thanks
The native VLAN must also be your management VLAN for Cisco APs.
The Native VLAN can be any number, as long as you configure it accordingly.
Also keep in mind that the local RADIUS server, and DHCP will only deliver to the native VLAN. If you intend to use either of those services on the non-native VLAN/SSID, you'll need to have a layer three device on the line to forward that traffic.
Good Luck
Scott -
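Scott's points above (the native VLAN must carry management, and each SSID's VLAN must be bridged to the wire) can be checked mechanically against an autonomous AP's running config. The Python linter below is an added example, not code from any poster in this thread; the embedded config is constructed to resemble the Aironet configs posted above (it is not a real device's), and the function names are my own.

```python
"""Lint an autonomous Aironet (IOS) AP config for the VLAN bridging mistakes
raised in the thread. Added example; the embedded config is constructed to
resemble the posted ones, not taken from a real device."""
import re
from collections import defaultdict

# Constructed sample: VLAN 1 is native on the radio, VLAN 2 native on the wire.
SAMPLE_CONFIG = """\
dot11 ssid CORP
 vlan 3
 authentication open
dot11 ssid GUEST
 vlan 1
 guest-mode
bridge irb
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 254
 no bridge-group 254 source-learning
interface Dot11Radio0.3
 encapsulation dot1Q 3
 bridge-group 3
interface FastEthernet0.1
 encapsulation dot1Q 1
 bridge-group 254
interface FastEthernet0.2
 encapsulation dot1Q 2 native
 bridge-group 1
interface FastEthernet0.3
 encapsulation dot1Q 3
 bridge-group 3
interface BVI1
 ip address 192.168.2.33 255.255.255.0
bridge 1 route ip
"""


def parse_config(text):
    """Return (ssid_vlan, subifs): SSID name -> VLAN id, and interface name ->
    {'vlan', 'native', 'bridge_group'} from its dot1Q and bridge-group lines."""
    ssid_vlan, subifs = {}, {}
    ssid = iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"dot11 ssid (\S+)$", line):
            ssid, iface = m.group(1), None
        elif m := re.match(r"interface (\S+)$", line):
            ssid, iface = None, m.group(1)
            subifs[iface] = {"vlan": None, "native": False, "bridge_group": None}
        elif ssid and (m := re.match(r"vlan (\d+)$", line)):
            ssid_vlan[ssid] = int(m.group(1))
        elif iface and (m := re.match(r"encapsulation dot1Q (\d+)( native)?$", line)):
            subifs[iface]["vlan"] = int(m.group(1))
            subifs[iface]["native"] = m.group(2) is not None
        elif iface and (m := re.match(r"bridge-group (\d+)$", line)):
            # anchored: 'no bridge-group N ...' and 'bridge-group N spanning-disabled'
            # are deliberately not matched, only the bare membership line is
            subifs[iface]["bridge_group"] = int(m.group(1))
    return ssid_vlan, subifs


def lint(ssid_vlan, subifs):
    """Return a list of findings; empty means the bridging is consistent."""
    findings = []
    by_vlan = defaultdict(dict)  # vlan -> {"radio": subif, "wired": subif}
    for name, s in subifs.items():
        if s["vlan"] is not None:
            by_vlan[s["vlan"]]["radio" if name.startswith("Dot11Radio") else "wired"] = s
    # 1. Each SSID's VLAN needs a radio and a wired subinterface in ONE bridge-group,
    #    otherwise frames from that SSID never reach the Ethernet side.
    for ssid, vlan in sorted(ssid_vlan.items()):
        sides = by_vlan.get(vlan, {})
        if "radio" not in sides or "wired" not in sides:
            findings.append(f"SSID {ssid}: VLAN {vlan} lacks a radio or a wired subinterface")
        elif sides["radio"]["bridge_group"] != sides["wired"]["bridge_group"]:
            findings.append(f"SSID {ssid}: VLAN {vlan} bridge-group differs between radio and wire")
    # 2. The native VLAN must agree on both sides; untagged frames would otherwise
    #    land in a different VLAN depending on direction.
    radio_native = {v for v, s in by_vlan.items() if s.get("radio", {}).get("native")}
    wired_native = {v for v, s in by_vlan.items() if s.get("wired", {}).get("native")}
    if radio_native != wired_native:
        findings.append(f"native VLAN mismatch: radio {sorted(radio_native)} vs wired {sorted(wired_native)}")
    # 3. The BVI's bridge (management) should sit on the native VLAN (Scott's point).
    for name in subifs:
        if name.startswith("BVI"):
            bridge = int(name[3:])
            mgmt = {v for v, s in by_vlan.items()
                    if any(x["bridge_group"] == bridge for x in s.values())}
            if not mgmt & wired_native:
                findings.append(f"management bridge {bridge} (VLANs {sorted(mgmt)}) is off the native VLAN")
    return findings


def check(text):
    return lint(*parse_config(text))
```

Run `check(SAMPLE_CONFIG)`; on the sample it reports only the native VLAN mismatch, and making VLAN 1 native on the wire instead moves the finding to the management bridge, which is exactly the "native = management" rule.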
Wireless VLANs and Layer2/3 VLANs
Dear,
Can the VLANs created for the mapping of SSIDs in the embedded AP on a Cisco 1941 be connected/communicated to the VLANs created on a Layer2/3 switch?
Let's say I have created 3 VLANs (say 200,201,202) for 3 SSIDs and the VLANs created on the switch (say 200,201,202); can they be communicated?
Or are these wireless VLANs purely for the mapping of SSIDs? Thanks
Yes, that should be a trunk. The link below is the configuration guide:
https://www.cisco.com/en/US/docs/routers/access/1900/software/configuration/guide/Software_Configuration.html
http://www.cisco.com/en/US/docs/routers/access/1900/software/configuration/guide/wlan.html
Regards
Surendra -
Cisco aironet 1310G non_native vlan and dhcp
hi everybody
i have a problem with my cisco aironet 1310G
non-native vlan can not get (dynamically) an ip address from the cisco aironet 1310G
this is all my configuration, please can someone help me
ip dhcp excluded-address 20.20.20.20
ip dhcp excluded-address 20.0.0.0
ip dhcp excluded-address 30.0.0.0
ip dhcp excluded-address 30.30.30.30
ip dhcp excluded-address 10.0.0.0
ip dhcp excluded-address 10.0.0.10
ip dhcp excluded-address 10.1.0.0
ip dhcp excluded-address 10.1.0.10
ip dhcp pool d01
network 10.0.0.0 255.255.255.0
default-router 10.0.0.10
ip dhcp pool d02
network 20.0.0.0 255.255.255.0
default-router 20.20.20.20
ip dhcp pool d03
network 30.0.0.0 255.255.255.0
default-router 30.30.30.30
no aaa new-model
dot11 ssid vlan01
vlan 1
authentication open
dot11 ssid vlan02
vlan 2
authentication open
dot11 ssid vlan3
vlan 3
authentication open
username cisco password xxx
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
broadcast-key vlan 2 change 100
broadcast-key vlan 3 change 100
ssid vlan01
ssid vlan02
ssid vlan3
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root access-point
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
bridge-group 3 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
hold-queue 80 in
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface FastEthernet0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
interface FastEthernet0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
no bridge-group 3 source-learning
bridge-group 3 spanning-disabled
interface BVI1
ip address 10.0.0.10 255.255.255.0
no ip route-cache
interface BVI2
ip address 20.20.20.20 255.255.255.0
no ip route-cache
interface BVI3
ip address 30.30.30.30 255.255.255.0
no ip route-cache
control-plane
bridge 1 priority 9000
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 priority 10000
bridge 2 protocol ieee
bridge 3 priority 3100
bridge 3 protocol ieee
line con 0
line vty 0 4
login local
end
hi friend
i did what you suggested but it is still not working, so please find below the show run and debug ip dhcp server in order to help us. thanks for all your support
ip subnet-zero
ip dhcp excluded-address 20.0.0.20
ip dhcp excluded-address 30.0.0.30
ip dhcp excluded-address 10.0.0.10
ip dhcp pool d01
network 10.0.0.0 255.255.255.0
default-router 10.0.0.10
ip dhcp pool d02
network 20.0.0.0 255.255.255.0
default-router 20.0.0.20
ip dhcp pool d03
network 30.0.0.0 255.255.255.0
default-router 30.0.0.30
aaa new-model
dot11 ssid vlan01
vlan 1
authentication open
guest-mode
dot11 ssid vlan02
vlan 2
authentication open
dot11 ssid vlan03
vlan 3
authentication open
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
broadcast-key vlan 2 change 100
broadcast-key vlan 3 change 100
ssid vlan01
ssid vlan02
ssid vlan03
station-role root access-point
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 subscriber-loop-control
bridge-group 3 block-unknown-source
no bridge-group 3 source-learning
no bridge-group 3 unicast-flooding
bridge-group 3 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
hold-queue 80 in
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface FastEthernet0.2
encapsulation dot1Q 2
no ip route-cache
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
interface FastEthernet0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
no bridge-group 3 source-learning
bridge-group 3 spanning-disabled
interface BVI1
ip address 10.0.0.10 255.255.255.0
no ip route-cache
interface BVI2
ip address 20.0.0.20 255.255.255.0
no ip route-cache
interface BVI3
ip address 30.0.0.30 255.255.255.0
ip helper-address 30.0.0.0
no ip route-cache
and debug ip dhcp server {events | packets | linkage}
*Mar 1 01:06:37.054: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0011.a304.2b65 Reason: Sending station has left the BSS
*Mar 1 01:06:40.140: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0011.a304.2b65 Associated KEY_MGMT[NONE] -
While this isn't always the case, using vlans also implies using subnetting and routing. In this case each vlan needs to have its own subnet, or the L3 router won't know where to send the data.
Hi,
Ok so i'm racking my brain here and not getting anywhere. I'm trying to set up up VLAN so it gets DHCP. Here is some back story:
Core Switch:
IP 172.16.250.250
VLAN 400
IP Address 172.161.250.250
IP Helper Address 172.16.1.3
End Switch:
IP 172.16.250.6
VLAN 400
IP Address 172.161.250.250
IP Helper Address 172.16.1.3
DHCP Server
IP 172.16.1.3
DHCP Scope
Router IP 172.161.250.250
Am I missing something here?
-
Separate Internet service for Guest Wireless
Hi all,
I was reading about security concerns having guest wireless sharing the corporate Internet services and am therefore looking towards the path where a separate basic Internet service can be provided for them, keeping the corporate side safe.
In doing that, what I was thinking would be the way:
Extend the Guest Wireless VLAN from the core switch, where the SVI is currently at, to the new ADSL router's Inside interface. In doing that I will need to configure the ADSL router for the right DHCP scope and DNS entries and finally remove the SVI from the core switch so it simply does switching across to this ADSL service.
Let me know if I am on the right track or if I am missing something.
Regards!
Hi George,
It is a simple setup with just one controller, and the WLC is talking to the ISE to authenticate, including the web auth login for the guest.
So to answer your question, I think no, the WLC doesn't push the guest to the DMZ. The guest VLAN is hanging off the core switch at the moment, using their corporate Internet service.
I hope the above answered your doubts. Cheers! -
Wrvs4400n vlans/ssid/dhcp issue
Hi all,
it will be great if someone will help me with my problem.
the problem is : our wrvs4400n wifi router configuration.
network description: we need 2 separated wifi networks one for guests and one for internal access, and i configured them on router, and also configured each one of them to different vlan, guests to vlan 200 and internal use default vlan 1.
vlan 1 configured as dhcp relay and it's working pretty well.
vlan 200 configured as dhcp and the problem begins here.
somehow on vlan 200 i get dhcp from our external dhcp server,
wrvs4400n connected as follows> lan port1/vlan 200 connected to firewall port (configured as vlan 200) and lan port 4/vlan1 connected to our main switch which is connected to firewall also.
i guess that my knowledge in networking is not so good......
how can i prevent our internal dhcp from communicating with vlan 200?
any help will be very appreciated.
Hi Rich,
You cannot have different L3 VLANs sharing the same subnet.
Each VLAN must have it's own subnet and then you have a routing device routing between both VLANs.
You should have a DHCP pool also for VLAN 111 configured on the DHCP server.
Even if you have ip helper address configured and this should be done on the VLAN111 interface of the switch, you still need a DHCP pool for VLAN 111 because the DHCP discovery is coming on VLAN 111.
Please take a look into this document:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml.
Here it explains how to configure 2 ssids on 2 vlans and dhcp pool (on the switch itself) for each vlan.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
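The two threads above (the VLAN 400 setup with its helper address, and Tiago's reply that every VLAN needs its own subnet and its own pool) come down to a few rules that can be checked before anything is deployed: no two VLANs share subnet space, an SVI address exists once, a scope's default-router lies inside the scope, and a relayed VLAN has a helper pointing at the server plus a scope covering its relay address. The Python check below is an added example, not code from any poster; the devices, VLAN numbers and addresses in it are constructed.

```python
"""Check a VLAN / DHCP plan for the mistakes discussed in these threads: two
VLANs sharing one subnet, one SVI address configured on two devices, a DHCP
scope whose default-router is outside the scope, and a relayed VLAN with a
wrong helper or no scope covering its relay address.
Added example, not code from any poster; all devices and addresses are constructed."""
import ipaddress

# Constructed sample: (device, vlan, "svi/prefix", helper-address or None)
SAMPLE_SVIS = [
    ("core", 1,   "10.0.1.1/24",  None),        # DHCP server is on this VLAN
    ("core", 6,   "10.0.6.1/24",  "10.0.1.3"),
    ("core", 3,   "10.0.6.2/24",  "10.0.1.3"),  # same subnet as VLAN 6
    ("core", 400, "10.0.40.1/24", "10.0.1.3"),
    ("edge", 400, "10.0.40.1/24", "10.0.1.3"),  # duplicate of the core SVI
]
DHCP_SERVER = "10.0.1.3"
# Constructed scopes on the server: "subnet/prefix" -> default-router
SAMPLE_SCOPES = {
    "10.0.1.0/24": "10.0.1.1",
    "10.0.6.0/24": "10.0.6.1",
    "10.0.40.0/24": "10.0.41.1",   # router not inside 10.0.40.0/24
}


def check_plan(svis, scopes, dhcp_server):
    """Return a list of (kind, message) findings; empty means the plan is consistent."""
    findings = []
    server = ipaddress.ip_address(dhcp_server)
    ifaces = [(dev, vlan, ipaddress.ip_interface(cidr), helper) for dev, vlan, cidr, helper in svis]

    # 1. Different VLANs must not share subnet space: the router could not tell
    #    which VLAN a destination in the shared range belongs to.
    nets = {}
    for _, vlan, iface, _ in ifaces:
        nets.setdefault(vlan, set()).add(iface.network)
    vlans = sorted(nets)
    for i, a in enumerate(vlans):
        for b in vlans[i + 1:]:
            if any(na.overlaps(nb) for na in nets[a] for nb in nets[b]):
                findings.append(("overlap", f"VLAN {a} and VLAN {b} share subnet space"))

    # 2. The same SVI address on two devices is an IP conflict.
    owners = {}
    for dev, vlan, iface, _ in ifaces:
        owners.setdefault(iface.ip, []).append(f"{dev} VLAN {vlan}")
    for ip, where in owners.items():
        if len(where) > 1:
            findings.append(("duplicate-address", f"{ip} configured on {', '.join(where)}"))

    # 3. A scope's default-router must lie inside the scope's subnet.
    scope_nets = []
    for cidr, router in scopes.items():
        net = ipaddress.ip_network(cidr)
        scope_nets.append(net)
        if ipaddress.ip_address(router) not in net:
            findings.append(("router-outside-scope", f"scope {net}: default-router {router} is outside it"))

    # 4. Relayed DHCP: the server picks a scope by the relay's interface address
    #    (giaddr), so a helper-equipped SVI needs a scope covering that address;
    #    an SVI without a helper only works if the server is on-link.
    for dev, vlan, iface, helper in ifaces:
        if helper is None:
            if server not in iface.network:
                findings.append(("no-helper", f"{dev} VLAN {vlan}: server {server} is off-link and no helper-address is set"))
        elif ipaddress.ip_address(helper) != server:
            findings.append(("wrong-helper", f"{dev} VLAN {vlan}: helper {helper} is not the DHCP server"))
        elif not any(iface.ip in net for net in scope_nets):
            findings.append(("no-scope", f"{dev} VLAN {vlan}: no scope covers relay address {iface.ip}"))
    return findings
```

`check_plan(SAMPLE_SVIS, SAMPLE_SCOPES, DHCP_SERVER)` reports the overlap, the duplicate SVI and the misplaced default-router; removing those three mistakes from the sample yields an empty list.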
VLAN Configuration for Internal and Guest Wireless
Hello,
We are using the following hardware…
SG300-52MP switch -- latest firmware
ASA 5512-X firewall -- 9.1
Aironet AP1131AG WAP
We have the following networks…
10.252.4.0/24 = Internal = ASA-01 interface = VLAN1
10.252.6.0/24 = Guest = ASA-02 interface = VLAN6
10.252.6.0/24 = VOIP = ASA-03 interface = VLAN3
The Aironet supports two SSIDs, Secure (RADIUS) and Guest (WPA2), which are supposed to provide access to the appropriate interface on the ASA.
Relevant parts of the WAP configuration are…
dot11 ssid GUEST
vlan 6
dot11 ssid SECURE
vlan 1
interface Dot11Radio0
no ip address
ssid GUEST
ssid SECURE
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
interface Dot11Radio0.6
encapsulation dot1Q 6
no ip route-cache
bridge-group 255
interface Dot11Radio1
no ip address
no ip route-cache
ssid GUEST
ssid SECURE
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
interface Dot11Radio1.6
encapsulation dot1Q 6
no ip route-cache
bridge-group 255
interface FastEthernet0
no ip address
no ip route-cache
interface FastEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
interface FastEthernet0.6
encapsulation dot1Q 6
no ip route-cache
bridge-group 255
interface BVI1
ip address 10.252.4.4 255.255.255.0
no ip route-cache
ip default-gateway 10.252.4.1
We can manage the WAP through it’s Internal IP address (10.252.4.4).
And the “Guest” wireless network is working -- connecting to that SSID provides the client with the correct IP addressing (10.242.6.X from VLAN6/ASA-02). [Note: the VOIP DHCP and network access also works correctly.]
The “Secure” wireless network is not working however -- the client never receives an Internal DHCP address from ASA-01, and even if you hard-code the client’s IP, no IP4 traffic ever passes.
[Note: connecting a device to a SG300 port with the “Default” configuration provides the client with an Internal DHCP configuration, and it works as intended.]
While this may be a problem with the WAP configuration, I would like to confirm that it is not an issue with the switch not passing traffic correctly.
I have a feeling that I have configured the VLANs on the ports incorrectly.
Relevant parts of the SG300 configuration are...
v1.3.0.62 / R750_NIK_1_3_647_260
vlan database
vlan 3,6
ip dhcp snooping
ip dhcp relay address 10.252.4.1
ip dhcp relay enable
bonjour interface range vlan 1
interface vlan 1
ip address 10.252.4.2 255.255.255.0
no ip address dhcp
interface vlan 3
name VOIP
interface vlan 6
name Guest
interface gigabitethernet45 -- Access mode, Untagged VLAN6
description ASA-Guest
ip dhcp snooping trust
switchport mode access
switchport access vlan 6
interface gigabitethernet46 -- Access mode, Untagged VLAN3
description ASA-VOIP
ip dhcp snooping trust
switchport mode access
switchport access vlan 3
interface gigabitethernet47 -- Trunk mode, Untagged VLAN1 and Tagged VLAN6
description WAP1
switchport trunk allowed vlan add 6
interface gigabitethernet48 -- Trunk mode
description ASA-Internal
ip dhcp snooping trust
ip dhcp relay enable
Can someone who understands this switch better than I do please confirm the VLAN configuration? THANK YOU! -
Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510
I need to add guest (internet only) wireless to our existing internal wireless and am looking for advice as to the best practice configuration. Existing infrastructure as follows:
WLC 2504
1142 LAPs
4510R+E
ASA 5510
Existing configuration as follows:
WLC management interface and APs addressed on the 192.168.126.0 /25 network
Internal WLAN mapped to the management interface
Management interface VLAN ID 0 (untagged) and dynamic AP management enabled
WLC port 1 (only) connected to 4510 via trunk with native VLAN set to 7 and allowed VLAN set to 7
4510 connected to ASA inside interface (security level 100)
Switchport on 4510 connected to ASA configured as switchport access VLAN 99 (our internet VLAN)
ASA inside interface NOT configured for subinterfaces and is addressed on the 192.168.121.0 /25 network
What is the best way to add guest wireless to our existing configuration?
Note: I need the guest wireless to be filtered by Websense as our internal wireless is
Any advice would be greatly appreciated!
Thanks for the reply Scott. The configuration recommendations from Yahya did not work. I set up as he recommended and also added a DHCP scope on the WLC. The client gets DHCP but cannot even ping the WLC, much less anything else. Yahya stated above to configure port 2 on the WLC to an access port on my 4510. Aren't all connections from the WLC supposed to be trunk links to the switch? Shouldn't I just leave the management interface on the WLC untagged and add a dynamic interface for each WLAN and tag it with the appropriate VLAN ID? And then leave the (one) physical connection on the WLC (port 1) connected to a trunk link on the 4510 that allows the required VLANs?
Any input would be greatly appreciated...
JW -
Multiple Guest VLANs and Shared WLC
Hi,
I would like to add a second Internet ASA5xx gateway to our guest anchor wlc in the DMZ, which is connected to a guest vlan switch, so that the guest anchor wlc can connect guest users to two separate Internet gateways (i.e. guest vlan1 and vlan2). Two guest wireless networks are created in our environment, say SSID1 and SSID2, each anchoring to the guest WLC in the DMZ by Internal wlcs. I want to assign a different ip subnet to the two guest wireless SSIDs, say 10.251.255.0/24 and 10.251.256.0/24, to be provided by DHCP servers in the two ASA5xx.
I want to implement this by creating a second guest VLAN interface in the guest anchor WLC and assigning/connecting this to the new ASA5xx box for the second Internet gateway. The second guest wireless SSID will be homed/anchored to this guest vlan2.
Please advise how best I should implement this.
many thanks
Sankung
It sounds like you already have this done. You have the second SSID already; you would need to create the second interface with the appropriate VLAN tag and subnet range.
Then on the internal anchor the SSID to the same SSID in the DMZ
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html#wp999843
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered -
Anchor Guest controller and DHCP configuration
I checked the Cisco documentation about the DHCP configuration but I'm not 100% sure which DHCP server address I must use.
I used as example the scope 10.240.97.0/24 for our Guest Users. In this range the DHCP scope and the Guest interface are configured. For the management I used as example the range 10.240.96.0/24. Now I configured our Guest WLC and I inserted on the Guest interface as Primary DHCP address the Guest interface address. After I applied it I got the message that I can't use this DHCP address. Now I checked the Cisco docs and found the following description:
"If DHCP services are to be implemented locally on the anchor controller, populate the primary DHCP server field with the management IP address of the controller"
Does it mean I must now insert as the IP for the Primary DHCP Server on the Guest interface the IP from the management
interface, and the controller will then forward the traffic to the internal DHCP scope on the Guest subnet and will send it back?
(DHCP proxy is enabled on the Guest WLC).
Thanks
Al
For Anchor you can use either internal or external dhcp server.
Does it mean I must now insert as the IP for the Primary DHCP Server on the Guest interface the IP from the management
interface, and the controller will then forward the traffic to the internal DHCP scope on the Guest subnet and will send it back?
Yes. WLC forwards the unicast dhcp req to management ip for guest interface. All cpu generated traffic by default uses management interface as source address i.e., snmp, radius, ping...
Is your question whether you need routing between guest and management interface.
No, routing is not required in this case because the interface resides on the WLC's management. Also for proxy it uses the virtual IP address for DHCP instead of the actual DHCP IP. And only wireless clients can get an IP from the WLC's internal DHCP server.
If you're using dhcp proxy on wlc and having external dhcp server on different vlan then yes you need routing between the two vlans. -
Internal Corporate wireless and guest wireless network
I need some technical information on how the wireless guest network is created on the Airport Extreme. We currently do not permit personal wireless devices to connect to our internal wireless network in order to protect our data. Several times users have presented us with justifiable business requests to have access to the wireless network from their own devices. We've been looking at using the Airport Extreme in order to do this, but we are bound by PCI (Payment Card Industry) requirements to keep our customer credit card data secure. PCI regulations do not consider VLAN a secure way of keeping the data isolated. Does anyone have any technical information on how the device creates the guest wireless network?
Two or three of these on each floor would fit our need for such access and keep our customer data secure.
Thanks
Welcome to the discussion area!
+PCI regulations do not consider VLAN a secure way of keeping the data isolated. Does anyone have any technical information on how the device creates the guest wireless network ?+
I spoke to Apple Support some time ago and was told that Apple uses VLAN to create the Guest network, and also that formal documentation was not available on this topic. I was referred to the AirPort Extreme Specifications for available information.
This was some time ago, so if you need more up to date info, you might want to try to contact Apple to see if they are willing to share more information about this feature. Although, since VLAN is used, your question may already be answered.
FWIW, to use the Guest Network feature in a home situation, the AirPort Extreme must be set up as the main router controlling DHCP and NAT on the network. If you were thinking of installing the AirPort Extreme behind another router, the Guest Network feature would not be available in this type of configuration.