6356 Views, 0 Helpful, 28 Replies

VLAN for IT Genius, Network moron.

cpatterson (Level 1)

So, I've been working on computers for more years than I care to count, and some areas I've been able to avoid. Unfortunately, those areas usually pop up with minimal time to figure out how to handle them (like setting up a Linux Squid server 10 years ago... that was fun....or not). This time, I've got a little time to sort it out, but just can't seem to grasp what I need to do, so I'm looking for a little hand-holding. 

I've recently discovered that "Wireless Isolation" does not mean "Isolation", despite what the folks at "www.wirelessisolation.com" say. Hey, it's on the Internet, so it's gotta be true, right? Well, my client wasn't amused either. What I have is a Cisco RVS4000 Router, and a WAP200 Access Point in place (separated by a ******** brand switch, which shouldn't be an issue, as I can connect the Wireless directly to a port in the RVS). What all this post means, is that I want to have 2 wireless networks, one used by the office personnel, and allowing full access to the Internet, and the local wired devices, and a second network available to the "guests" that come in the office, which only allows Internet access, and no access to internal devices at all. 

I get that I need to setup two different SSIDs (check) on the WAP, and need to disable inter-vlan routing on the RVS, but I get part way through the discussion of VLAN port 1 and port 2, and run across something saying "Don't use VLAN 1, since it's reserved for trunk", or something to that effect, and then the difference between tagged, untagged, and trunk gets all garbled up, and before I know it, I'm climbing the tree trunk outside my window, trying to rip the tag out of my shirt.

So, I would greatly appreciate anyone's assistance pointing me to the right path, and then taking me by the hand and pointing out the sights along the way to my destination, pretty please :). Thanks for the help!

3 Accepted Solutions

Ok. In this case, you shouldn't have to configure anything from a VLAN perspective on the dedicated Internet port as it should be isolated from the internal switch.

So, if we were to look at it from an Layer3 point of view, you could view it this way:

Network 1 - Internet (a.a.a.a/a)

Network 2 - Internal Users (b.b.b.b/b)

Network 3 - Guest Users (c.c.c.c/c)

---------------------------------------------------

For Layer 2, you could view it this way:

Network 1 - Dedicated Ethernet port on RVS only.

Network 2 - vlan100

Network 3 - vlan 200

---------------------------------------------------

For Layer1, you could view it this way:

Network 1 - copper

Network 2 - copper and wireless

Network 3 - wireless


Now, since network 1 is your Internet, it gets its IP info from your ISP. Network 2 then has an IP address range that you have assigned. This used to be vlan 1 but will soon become vlan100. Therefore, you need to provide an IP range for network 3. Since both of these networks will be defined at Layer3 on the RVS, you can block network 2 from getting to network 3 and vice versa for security. Lastly, these two network ranges should default route out to the Internet. Since there will be no vlan200 on the brand x switch, the only port needing any tagging is port 2 on the RVS where the WAP will plug into. The WAP ethernet interface also needs to be tagged with vlan 100 and vlan 200 so both user and guest traffic can pass over the single port. The internal IP interfaces on the RVS will handle the routing to the Internet.


My suggestion is to take screen shots of all your config screens as well as do a config backup of each device you are making changes on. If all else fails, you can return the config to its previous state. Also, a good idea is to verify which devices you can reach on the network before you make changes. Then, afterwards, make sure those same devices can be reached.


Hi,


Not sure if I have to jump in, as you are reaching the end of the tunnel :-) . But because James is mentioning that RVS4000 terminology is a little confusing, I will agree and will try to clarify it for him and do my best to make it clear for you as well.

By terminology there are 3 port modes, when we are talking about VLANs - Trunk, Access, General.

Tagging is just information carried in the packet showing to which VLAN this packet belongs. And this "VLAN checking" is happening on the port - for the incoming traffic as well as the outgoing. 

When Trunk mode is used on the port, that means there should be one VLAN untagged; this is also the management, also called native, VLAN. All other VLANs assigned to that port should be tagged. Looking at the print screen you provided, this corresponds to the Trunk Function.

Access mode means that through this port will pass only packets which do not have tag. And because the traffic allowed will not have VLAN identification, logically you can assign only one VLAN on such port. Looking at your print screen this corresponds to Untagged Function.

General mode allows all VLANs to be tagged, or all VLANs to be untagged. Let's say that you can configure whatever VLANs you want there and someone else will take care of identifying the traffic. On the print screen this corresponds to the Tagged Function.

The second part of RVS4000 table, is regarding if there will be a tag put/checked for a VLAN packet or not. Or this VLAN will be not allowed to pass through the port - this is the Exclude Function.

Let's take for example port 2 on RVS4000. Through this port should pass (incoming/outgoing) packets for VLAN100 and VLAN200.

Let's assume that your Private network is 192.168.2.X. For example RVS4000 IP is 192.168.2.1 and the WAP200 IP is 192.168.2.2. And you have DHCP server range 192.168.2.100-200. And this is your VLAN100.

After that you have Guest SSID, which will be another IP range. Let's say 192.168.3.1 will be RVS4000 IP and DHCP pool 192.168.3.100-200. WAP200 does not need to have an IP from that range.


1. As WAP200 LAN port is Trunk mode by default, RVS4000 port 2 should be configured Trunk (as James already mentioned). Now as the router and the AP have an IP address from VLAN100, then this will be your native/management VLAN. So VLAN100 will be untagged and VLAN200 will be tagged. So whenever a packet is coming with no tag, the router will know that this packet is for VLAN100. The same logic is for the WAP200.

That's why your private SSID users do not even receive an IP. With this configuration RVS4000 is tagging VLAN100 packets when they are sent to WAP200 and because WAP200 expects these packets to be untagged, it just drops them. The same is the other way - when a user from the private SSID is trying to obtain an IP, WAP200 sends an untagged packet to RVS4000 and because RVS4000 is configured to accept only tagged packets it just drops it.


2. Let me first say that port 1 configuration is correct (more or less :-) ). Now you are saying that the switch is unmanaged. The unmanaged switches (by default) do not support tagging. They pass only untagged packets. When a tagged packet arrives on a port it just drops it. So the possible configurations on port 1, where the unmanaged switch is, are: like you did - Trunk, VLAN100 untagged and the other VLANs excluded. Or Untagged, VLAN 100 untagged.


Please, see attached how the configuration should be:

1. create VLANs 100 and 200

2. configure ports 1 and 2 in Trunk mode and PVID 100

3. assign VLAN200 to port 2 as tagged

4. and 5. When you configure the IP range for each VLAN, do not forget to configure as well DNS. If you leave it blank it will use as DNS the router IP 192.168.1.1, and because there is no interVLAN routing, the internet pages will not open - meaning no internet.

6. I would suggest to assign a static IP on WAP200 from VLAN100; it's easy to manage. Again be sure to put a DNS.

7. change the default VLAN from 1 to 100, as shown and assign the VLANs to the SSIDs


Waiting for your reply.

Kremena


28 Replies

james.doukas (Level 1)

What VLAN are you using now? Don't want to assume anything when replying.

As far as vlan 1 and trunks, vlan 1 is the default native(untagged) vlan unless otherwise specified.

No VLAN in use at this time. Thanks for the reply :)

Well, if you're not using any vlans on your switch then you are using vlan 1. It's the default and every switch has it.

As my standard practice, I always create at least one vlan on any switch I use even if the requirements are for a single vlan.

If you are going to plug the WAP into the RVS device, you need to have two vlans on the device so you can trunk the connection to the WAP. Just to keep things simple, you could come up with a standard for how you use vlans on any switch.

For example, you may decide that vlan100 will always be your internal users vlan and vlan200 will always be your external users, and so on.

So, lets say you use the above example. You would need to create two interfaces on your WAP, one for each SSID. You could name them something simple like internal, external or private, guest, etc.... However, when it comes time to assign them a vlan, you would put 100 for the internal and 200 for the external, if you use the above example. Then you would assign each interface to the WAP port. Once again, I'm assuming this WAP is standalone. However, the same theory applies for a wireless lan controller.

Now, depending on which device you want to plug the wap into, you create the same two vlans on that device. Then, you choose which port you will plug the wap into on that device. This port will be a trunk port. More precisely, it will be an 802.1Q trunk, which is pretty much the standard nowadays. This q-trunk (or dot1q) will allow multiple vlans to cross while keeping the traffic logically separate. It does this by applying a small tag in the ethernet frame as it crosses the trunk. The tag simply indicates which vlan this ethernet frame should be assigned to. If you decide to plug the wap into the brand-x switch, then the port you plug the wap into needs to have both vlans assigned to it (the trunk). Now, to get the data from the brand-x switch to the RVS device, you have two options.

Option A is to run a single cable from the brand-x switch for each vlan you created to the RVS. So, you could make port 1 vlan 100 and port 2 vlan 200. Then, you would connect port 1 from the switch to port 1 on the RVS and port 2 on the switch to port 2 on the RVS. Of course, you would have to create the two separate IP subnets on the RVS and assign one to each port beforehand, you get the idea.

Option B is to create a 2nd trunk port on the brand-x switch with both vlans assigned, similar to the port you created for the wap. Then, you connect this trunk to the RVS. The RVS device needs to have both new subnets assigned to a single port. If this device is a pure router, then the single interface would have two sub-interfaces assigned to it. One for vlan100 and one for vlan200.

So, you have your two separate WLANs getting to your switch and this traffic travels to your router. Now, your traffic is separate. You would plug your Internet connection into the brand-x switch on a single access port (access meaning not trunked) with vlan 200 assigned. Now, any user you assign to vlan 200 on the switch, or any user assigned to the guest SSID, would only have access to the Internet because you would configure your RVS to block any attempts of the guest network to access the internal private network. Plus, you can create a rule that allows internal users to pass into the guest network on the way to the internet.

So, this gives your internal users access to the Internet while being protected from the guest users as well as allowing the guest users to have Internet access without being able to get into the internal network.

Hope this helps a little. As usual, any time you are going to make changes, back up your existing configs just in case you need to fail back to the previous state.
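To make the tagged/untagged/trunk distinction concrete, here is a small Python model of a single 802.1Q link. It is an added illustration written for this thread, not code from Cisco or from either device's firmware, and it simplifies the RVS4000 port functions into three modes (untagged = access, trunk = native VLAN untagged plus tagged VLANs, tagged = everything tagged); the port names, MAC addresses and payload are constructed. It builds real 802.1Q frame bytes (TPID 0x8100 followed by the VLAN ID), then reproduces the two situations discussed above: the working layout where RVS port 2 and the WAP200 LAN port are both trunks with native VLAN 100 and VLAN 200 tagged, and the misconfiguration where the RVS sends VLAN 100 tagged while the WAP expects it untagged, which is why a DHCP request from the private SSID never gets an answer. It also shows VLAN 200 being excluded on the port toward the unmanaged switch.

```python
"""Toy 802.1Q link model (added example, not Cisco or RVS4000/WAP200 code)."""
import struct

TPID_8021Q = 0x8100          # EtherType value announcing a VLAN tag
ETHERTYPE_IPV4 = 0x0800
DST_BCAST = b"\xff" * 6                       # constructed broadcast destination
SRC_MAC = bytes.fromhex("020000000001")       # constructed locally administered MAC


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Raw Ethernet frame; an 802.1Q tag is inserted after the MACs when vlan is set."""
    hdr = dst + src
    if vlan is not None:
        tci = vlan & 0x0FFF                    # priority 0, DEI 0, 12-bit VLAN ID
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vlan_or_None, ethertype, payload) from a raw frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        return vlan, ethertype, frame[18:]
    return None, ethertype, frame[14:]


class Port:
    """One switch/router port. mode is 'untagged', 'trunk' or 'tagged' (simplified)."""

    def __init__(self, name, mode, pvid, tagged=()):
        self.name, self.mode, self.pvid = name, mode, pvid
        self.tagged = set(tagged)             # VLANs carried with a tag on this port

    def allowed(self):
        return {self.pvid} | self.tagged      # anything else is "excluded"

    def egress(self, vlan, payload):
        """Frame leaving the port for `vlan`, or None if that VLAN is excluded."""
        if vlan not in self.allowed():
            return None
        if self.mode == "untagged":           # access port: only the PVID, never a tag
            return build_frame(DST_BCAST, SRC_MAC, ETHERTYPE_IPV4, payload)
        if self.mode == "trunk":              # native/PVID untagged, the rest tagged
            tag = None if vlan == self.pvid else vlan
            return build_frame(DST_BCAST, SRC_MAC, ETHERTYPE_IPV4, payload, vlan=tag)
        if self.mode == "tagged":             # every VLAN leaves with a tag
            return build_frame(DST_BCAST, SRC_MAC, ETHERTYPE_IPV4, payload, vlan=vlan)
        raise ValueError(self.mode)

    def ingress(self, frame):
        """VLAN the port assigns a received frame to, or None if it drops the frame."""
        vlan, _, _ = parse_frame(frame)
        if vlan is None:                      # untagged frame lands in the PVID ...
            return None if self.mode == "tagged" else self.pvid  # ... unless all-tagged
        if self.mode == "untagged":           # access ports drop tagged frames
            return None
        return vlan if vlan in self.tagged else None


def deliver(sender, receiver, vlan, payload=b"DHCP DISCOVER"):
    """Send one frame for `vlan` across the link; result is the receiver's VLAN or None."""
    frame = sender.egress(vlan, payload)
    return None if frame is None else receiver.ingress(frame)


# Working layout from the thread: both ends trunk, native 100, VLAN 200 tagged.
RVS_PORT2 = Port("rvs-port2", "trunk", pvid=100, tagged={200})
WAP_LAN = Port("wap200-lan", "trunk", pvid=100, tagged={200})
# Misconfiguration behind "private SSID gets no IP": RVS side tags VLAN 100 too.
RVS_PORT2_ALLTAGGED = Port("rvs-port2-alltagged", "tagged", pvid=100, tagged={100, 200})
# Port 1 toward the unmanaged switch: VLAN 100 untagged, everything else excluded.
RVS_PORT1 = Port("rvs-port1", "trunk", pvid=100)
SWITCH = Port("unmanaged-switch", "untagged", pvid=100)


def scenarios():
    """Which VLAN each constructed frame ends up in (None means dropped)."""
    return {
        "good: RVS->WAP vlan100": deliver(RVS_PORT2, WAP_LAN, 100),
        "good: RVS->WAP vlan200": deliver(RVS_PORT2, WAP_LAN, 200),
        "good: WAP->RVS vlan100": deliver(WAP_LAN, RVS_PORT2, 100),
        "bad: RVS->WAP vlan100": deliver(RVS_PORT2_ALLTAGGED, WAP_LAN, 100),
        "bad: WAP->RVS vlan100": deliver(WAP_LAN, RVS_PORT2_ALLTAGGED, 100),
        "switch: vlan100": deliver(RVS_PORT1, SWITCH, 100),
        "switch: vlan200 (excluded)": deliver(RVS_PORT1, SWITCH, 200),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:30s} -> {'dropped' if result is None else f'vlan {result}'}")
```

The "bad" rows are the symptom described in the accepted solution: in one direction the WAP drops a tagged VLAN 100 frame because VLAN 100 is its native VLAN, and in the other the all-tagged RVS port drops the WAP's untagged frame, so DHCP never completes. Real switches add details this model leaves out (QinQ, PVID-tagged ingress, priority-only tags), but the ingress/egress rules are the part that matters for getting the two SSIDs onto the right subnets.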


Ok, so attached is the basic layout, and here's how I understand between yourself, and M Ivanova, how to set it up, and where my process breaks down in understanding :)

Set up 2 SSIDs in the WAP, and move it directly to the RVS, setting it on port 2. Make sure the switch is on Port 1. Assign one SSID (Private) VLAN 100, assign the second SSID (Guest) VLAN 200, disable interLAN routing. On the RVS, set up 2 VLANs, 100 and 200.

Here's where I run into my first snag in understanding. I need the WAP to be both 100 and 200, but the switch traffic to be 100 only, I think. By plugging the WAP directly into the RVS, does the function of the VLAN ensure that it sends both 100 and 200 traffic to the WAP, and lets the WAP SSID/VLAN combo sort out which traffic is isolated? See 3rd picture below :)

Second question is regarding tagged/untagged. Which VLAN needs to be tagged and untagged? Do I need to set one up as a "trunk", and if it's easy to explain, why?

Third, the switch I'm using is, I believe, unmanaged, since the company is small, and didn't need anything fancy. I'll have to double check onsite tho, to be sure. It's not one of the simple 4-port PoS switches, tho, it's a good brand, 16 port gigabit, but unmanaged. Is this going to cause a failure at any point of trying to get this all rolling?

So, the port on the RVS that you are plugging the wap into needs to be tagged with vlan 100 and 200. However, the interface on the wap also needs to be setup as a tagged (trunk) port. When traffic exits the wap via its wired interface, it will be tagged with whatever vlan the SSID has been assigned to. Once the traffic enters the RVS, the RVS will see the tag and "dump" the traffic into the proper vlan. This is what provides the separation. At this point, traffic residing in vlan100 or vlan200 is now looking for where it needs to go. The default route on the RVS will send all traffic to the Internet.


ding!!!  damn... a light comes on.... terminology comes in handy from time to time. so let me see if I understand this point. "Tagged" means that traffic coming into the port is "tagged" as belonging to one "group" (VLAN 100 or 200) or another. Is this correct? And if so, if I leave the port leading to my switch as "untagged", or not even bothering it at all, how does either the WAP or the Router know that the VLAN100 traffic is allowed to talk to the rest of the switch traffic?


told you in the title: "Network Moron". I've been wanting to take a network series, but have never gotten "Round Tuit". Sometimes, dealing with these things throws me so far off my beaten path, it's hard to even see that I'm looking at a "tree" because I'm trying so hard to figure out how this "thing" is existing "here"...... if you follow that :)

Correct.

For the 2nd question, a port that is not "tagged" assumes the vlan that is assigned to it. So, if a switch port is not tagged but is assigned to vlan100, then only traffic from vlan100 will traverse it.

So, since the RVS seems to be part router and part switch, the connection to your switch should be untagged to vlan100. The port to your wap should be tagged with vlan100 and vlan200.

However, there is one thing that needs to be resolved. What interface does the cable modem connect to? Since you need Internet access for both vlan100 and vlan200, the RVS needs to handle the routing. If you only left the Internet modem plugged into vlan100, how would vlan200 get to the Internet because you disabled inter vlan routing. Vlan200 could never get to vlan100 to access the Internet.

What the best plan of action would be is to have a third interface for the Internet modem. Then, you could use the RVS to route both vlan100 and vlan200 to the Internet. However, depending on how you disable Intervlan routing, you may still have an issue since the RVS may not route the traffic to the 3rd Interface. What you need is a rule that allows both vlan100 and vlan200 to route via the RVS to the Internet modem as well as prevents vlan100 and vlan200 from talking to each other. Basically, a simple access list rule could accomplish this.
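The Layer 3 side of the design, the "simple access list rule" above and the earlier point that the two VLAN subnets must be blocked from each other while both default-route to the Internet, can be checked with a first-match ACL evaluator. This is an added example, not RVS4000 firmware or its firewall syntax; it uses the subnets assumed in the accepted solution (VLAN100 = 192.168.2.0/24, VLAN200 = 192.168.3.0/24) plus the router's original 192.168.1.0/24 LAN as a third local subnet, and the client addresses are constructed. It generates the deny rules between every pair of local subnets, permits everything else (the default route), and then demonstrates two things a practitioner would want to see: the DNS pitfall from step 4/5 of the accepted solution (a guest pointed at 192.168.1.1 for DNS is blocked by the same isolation rule), and why rule order matters (putting the permit-to-anywhere rules first silently defeats the isolation).

```python
"""First-match ACL model for inter-VLAN isolation (added example, not RVS4000 code)."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Local subnets assumed from the thread; the 192.168.1.0/24 entry is the router's
# original default LAN, which still hosts 192.168.1.1 (an assumption for the DNS case).
LOCAL_NETS = {
    "vlan1-old-lan": ipaddress.ip_network("192.168.1.0/24"),
    "vlan100-office": ipaddress.ip_network("192.168.2.0/24"),
    "vlan200-guest": ipaddress.ip_network("192.168.3.0/24"),
}


def build_rules(local_nets):
    """Deny every cross-subnet pair of local networks, then permit each to anywhere."""
    nets = list(local_nets.values())
    rules = [("deny", a, b) for a in nets for b in nets if a != b]
    rules += [("permit", a, ANY) for a in nets]       # default route to the Internet
    return rules


RULES = build_rules(LOCAL_NETS)
# A tempting but wrong ordering: the catch-all permits first, isolation never fires.
RULES_PERMIT_FIRST = [r for r in RULES if r[0] == "permit"] + [r for r in RULES if r[0] == "deny"]


def evaluate(src, dst, rules=RULES, default="deny"):
    """First matching (action, src_net, dst_net) wins; `default` applies if none match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return default


# Constructed flows: guest client, office client, public DNS, router's old LAN address.
GUEST_CLIENT = "192.168.3.150"
OFFICE_CLIENT = "192.168.2.120"
OFFICE_PRINTER = "192.168.2.50"
PUBLIC_DNS = "8.8.8.8"
OLD_ROUTER_IP = "192.168.1.1"


def policy_check():
    """Summarise what the rule set does for the flows that matter in this thread."""
    return {
        "guest -> Internet": evaluate(GUEST_CLIENT, PUBLIC_DNS),
        "office -> Internet": evaluate(OFFICE_CLIENT, PUBLIC_DNS),
        "guest -> office printer": evaluate(GUEST_CLIENT, OFFICE_PRINTER),
        "office -> guest": evaluate(OFFICE_CLIENT, GUEST_CLIENT),
        # Step 4/5 of the accepted solution: DNS left blank means clients ask the
        # router's old LAN address, which the isolation rule blocks.
        "guest -> 192.168.1.1 DNS": evaluate(GUEST_CLIENT, OLD_ROUTER_IP),
        # Same flows under the badly ordered rule set.
        "guest -> office printer (permit-first)": evaluate(
            GUEST_CLIENT, OFFICE_PRINTER, rules=RULES_PERMIT_FIRST),
    }


if __name__ == "__main__":
    for flow, verdict in policy_check().items():
        print(f"{flow:42s} {verdict}")
```

Most SOHO routers evaluate firewall rules top to bottom exactly like this, so the "permit-first" row is the thing to look for when an isolation rule appears to do nothing: both subnets still reach the Internet, and nobody notices that guests can also reach the office printer.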

Modem actually connects to the "Internet" port on the RVS. (see attached 1)


Ok, so, here's it in my head. 


Step one, make WAP config look like Attach vlan.a. This will setup 2 separate VLANs on the WAP, one for private, and one for guest. 

Step two, set up the RVS like vlan.b and vlan.c, which makes VLAN4 look like vlan4a.

Step three, Ensure WAP is plugged into port 2 on RVS, and Switch on port 1.

Step four Cross my fingers and make sure I can find my backup config files?

I think you want port 2 to say tagged vlan 100 and 200. Not familiar with the RVS setup screen but picture 4a, to me, should say:

100,200 tagged

The other ports should say

100 untagged

However, keep in mind the Internet modem and the section I mentioned about how the vlans will get to the Internet.


Thanks for all the replies :)


I replied above about the Internet, as well as another question. If you get a chance, the second part is more a "do I understand the concept" sort of thing. 

To the Internet/modem part, I think, based on the settings available in the RVS, there is no way to assign the internet port as "tagged" or otherwise. The actual cable modem on the front end is in "bridge" mode, so it's not in the picture at all. All I really think I need to worry on is splitting the traffic correctly.

I plan on running up tomorrow with this game plan, and see if it can break, unless you see some serious deficiency in my plan here. 

If the cable modem is in bridged mode it changes a few things. Was the RVS purchased by you or was it part of the carriers Internet package?

mine, mine, mine!!!!  


What changes? Cable modem bridging is just passing the protocol, yes? It won't care what comes in, or how, as long as it authenticates properly. All traffic (great and small) is passed to the RVS for distribution or termination as it sees fit :)


To continue the above thread regarding the internet port, and it kinda ties in here, The cable modem does the "authentication" process, which incidentally, includes somewhere along the way, making it so that the ISP can see the mac address of the RVS for its authentication. All traffic is then passed to the RVS, which has a NATed external IP, which I can remote to, if needed. The RVS, having a dedicated internet port, which is set to receive an address from the ISP  (whether directly, or passed transparently thru NAT of the cable modem, I'm not sure), should simply bring Internet traffic in, and pass it to the requesting VLAN. I state this like I know it's a "fact", based simply on the actual "fact", that I can't find a way to tell the RVS that the Internet Port has any VLAN flavor at all :)

Ok, this makes sense.

So, the RVS Internet port should be considered a router port which is used only to connect to the ISP. Can you confirm that the Internet port goes directly to the ISP modem and doesn't connect back to brand-x switch?