VLAN for IT Genius, Network moron.

cpatterson
Level 1

So, I've been working on computers for more years than I care to count, and some areas I've been able to avoid. Unfortunately, those areas usually pop up with minimal time to figure out how to handle them (like setting up a Linux Squid server 10 years ago... that was fun....or not). This time, I've got a little time to sort it out, but just can't seem to grasp what I need to do, so I'm looking for a little hand-holding. 

I've recently discovered that "Wireless Isolation" does not mean "Isolation", despite what the folks at "www.wirelessisolation.com" say. Hey, it's on the Internet, so it's gotta be true, right? Well, my client wasn't amused either. What I have is a Cisco RVS4000 Router, and a WAP200 Access Point in place (separated by a ******** brand switch, which shouldn't be an issue, as I can connect the Wireless directly to a port in the RVS). What all this post means, is that I want to have 2 wireless networks, one used by the office personnel, and allowing full access to the Internet, and the local wired devices, and a second network available to the "guests" that come in the office, which only allows Internet access, and no access to internal devices at all. 

I get that I need to setup two different SSIDs (check) on the WAP, and need to disable inter-vlan routing on the RVS, but I get part way through the discussion of VLAN port 1 and port 2, and run across something saying "Don't use VLAN 1, since it's reserved for trunk", or something to that effect, and then the difference between tagged, untagged, and trunk gets all garbled up, and before I know it, I'm climbing the tree trunk outside my window, trying to rip the tag out of my shirt.

So, I would greatly appreciate anyone's assistance pointing me to the right path,and then taking me by the hand and pointing out the sights along the way to my destination, pretty please :). Thanks for the help!

28 Replies

Absolutely :)

Ok. In this case, you shouldn't have to configure anything from a VLAN perspective on the dedicated Internet port as it should be isolated from the internal switch.

So, if we were to look at it from an Layer3 point of view, you could view it this way:

Network 1 - Internet (a.a.a.a/a)

Network 2 - Internal Users (b.b.b.b/b)

Network 3 - Guest Users (c.c.c.c/c)

---------------------------------------------------

For Layer 2, you could view it this way:

Network 1 - Dedicated Ethernet port on RVS only.

Network 2 - vlan100

Network 3 - vlan 200

---------------------------------------------------

For Layer1, you could view it this way:

Network 1 - copper

Network 2 - copper and wireless

Network 3 - wireless

 

Now, since network 1 is your Internet, it gets its IP info from your ISP. Network 2 then has an IP address range that you have assigned. This used to be vlan 1 but will soon become vlan100. Therefore, you need to provide an IP range for network 3. Since both of these networks will be defined at Layer3 on the RVS, you can block network 2 from getting to network 3 and vice versa for security. Lastly, these two network ranges should default route out to the Internet. Since there will be no vlan200 on the brand x switch, the only port needing any tagging is port 2 on the RVS where the WAP will plug into. The WAP ethernet interface also needs to be tagged with vlan 100 and vlan 200 so both user and guest traffic can pass over the single port. The internal IP interfaces on the RVS will handle the routing to the Internet.

Gonna mark that last one "answer", James, really appreciate the assistance. I'll be going up tomorrow to the client, and hopefully not breaking things too badly :) I'll let you know how it goes, and you better believe, back here if I run into any snags!! Thanks again for the help!!

My suggestion is to take screen shots of all your config screens as well as do a config backup of each device you are making changes on. If all else fails, you can return the config to its previous state. Also, a good idea is to verify which devices can you can reach on the network before you make changes. Then, afterwards, make sure those same devices can be reached.

Along your concerns, wouldn't the rvs4000 automatically assume that all VLAN traffic gets internet access?

also, pointing to your second paragraph, "So, since the RVS seems to be part router and part switch, the connection to your switch should be untagged to vlan100. The port to your wap should be tagged with vlan100 and vlan200."   As I understand it, I'm not really "tagging the port with vlan", technically, all I'm doing is setting the port as looking for "tagged" traffic, separating as necessary, and dropping any untagged, right? Did I get that correct? 

"along your concerns, wouldn't the rvs4000 automatically assume that all VLAN traffic gets internet access?"

It depends. When a device wants to get to an IP destination, it looks in its routing table and says "can I get there from here?". If not, it usually has a default gateway it sends to. So, if a PC wants to get to, let's say, 8.8.8.8 (Google DNS), it looks at its own routing table and says, "I only know about my local subnet" (let's say the subnet is 192.168.1.0/24). However, it's been given a default gateway of the RVS. So, it says, "I don't know how to get to 8.8.8.8, so I'll send it to my default gateway." The RVS then says, "ok, this guy wants to get to 8.8.8.8. I don't have that network defined on me but I have a default gateway of the Internet modem so I'll send it there". So, each hop along the way keeps sending it to the next device that is its default gateway. Eventually, you get to big Internet backbone routers who actually know a path to that IP. They contain hundreds of thousands of routes (prefixes). They continue the process until they find the last router in the path and this router says "yeah, I have 8.8.8.8" and sends the traffic into the local subnet.

So, if you check your RVS, it probably has a default route to the Internet with the next hop being the carrier who provides your Internet circuit. On large enterprise class routers, you define this manually. However, the RVS might have a setup program that helps install this entry. It's very similar to your home based Internet routers.
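The hop-by-hop lookup described above, written out as an added Python model (not code from the thread or from the RVS4000 firmware). The LAN/guest subnets and 8.8.8.8 follow the thread's own numbers; the ISP-side addresses are assumed placeholders, and rvs_forward also models the guest/private block from the earlier reply, i.e. the RVS refusing to route between its two locally connected VLAN subnets while still sending both to the Internet:

```python
import ipaddress

# Constructed routing tables. Entry: (prefix, next_hop); next_hop None means
# the prefix is directly connected to that device. 203.0.113.1 (ISP gateway)
# and the 198.51.100.x hops are assumed placeholder addresses.
PC_TABLE = [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]
RVS_TABLE = [("192.168.1.0/24", None), ("192.168.3.0/24", None),
             ("0.0.0.0/0", "203.0.113.1")]
ISP_TABLE = [("8.8.8.0/24", "198.51.100.7"), ("0.0.0.0/0", "198.51.100.1")]

def lookup(table, dst):
    """Longest-prefix match: the most specific prefix containing dst wins, so
    0.0.0.0/0 (the default route) is used only when nothing else covers dst.
    Returns (prefix, next_hop) or None when there is no route at all."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])

def connected_subnet(table, addr):
    """The directly connected prefix that contains addr, or None."""
    addr = ipaddress.ip_address(addr)
    for prefix, next_hop in table:
        if next_hop is None and addr in ipaddress.ip_network(prefix):
            return prefix
    return None

def rvs_forward(src, dst):
    """Forwarding decision on the RVS with inter-VLAN routing blocked:
    a packet between two different locally connected subnets (guest <-> private)
    is dropped; anything else follows the routing table, so both VLANs still
    reach the Internet via the default route."""
    s, d = connected_subnet(RVS_TABLE, src), connected_subnet(RVS_TABLE, dst)
    if s is not None and d is not None and s != d:
        return "drop (inter-VLAN routing disabled)"
    match = lookup(RVS_TABLE, dst)
    if match is None:
        return "drop (no route)"
    prefix, next_hop = match
    return "deliver on " + prefix if next_hop is None else "forward to " + next_hop

def trace(dst, devices):
    """Replay the story hop by hop: each (name, table) device looks dst up and
    either delivers locally or hands the packet to its next hop."""
    return [(name, lookup(table, dst)) for name, table in devices]
```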

Kremena Ivanova
Cisco Employee

1. RVS4000 needs to be configured with VLAN1 and VLAN2.  (Layer 2 switch menu)

VLAN1 will be used for the LAN devices and VLAN2 will be used for the guest SSID users

2. As the topology is RVS4000 ---- managed switch----WAP200, the port connecting router to the switch needs to be Trunk, PVID 1 - and configured with  VLAN1 untagged and VLAN2 tagged 

On RVS4000 - the VLAN configuration is in Layer 2, so there is no interVLAN routing

3. It is good for the switch to be in Layer 2 mode, so it does not do interVLAN routing. Otherwise it will need an additional access list. Let's assume it's Layer 2. The 2 VLANs need to be configured in the switch and the ports connecting the router and the AP configured as above - Trunk, PVID1, VLAN1 untagged, VLAN2 tagged

4. In WAP200 (wireless - VLAN and QoS) Default VLAN is 1, it is Untagged, AP management VLAN is 1, and then you need to configure the 2 VLANs for the 2 SSIDs

 

Good luck,

Kremena

Thanks for the reply, M. Ivanova :)  Will sort thru your directions and see if I can figure out how to handle it. 

cpatterson
Level 1

Sooo..... Things didn't/aren't quite working out. I believe it's got to do with the membership settings. M. Ivanova, it would be great if you could jump in here with specifics, since you are a Cisco rep. James was great in getting me to understand the terms, at least, of what I was fooling with, and did the best he could, but I managed to mess it up anyway :)

Attached are the screenshots of the existing VLAN membership settings. I'm not using VLAN 1 (default) since it won't let me delete it. VLAN 100 is the VLAN for the Private SSID on the wireless, VLAN 200 is the VLAN for the Guest SSID on the wireless. The UNmanaged switch is plugged into  Port 1 on the RVS, the WAP200 is plugged into Port 2 on the RVS.

 

Things that are working. 

I've not broken my LAN internet, which is good.

I can see devices attach to the Guest Wireless, under a different subnet (192.168.3.***)

Devices attached to the guest network can not see local LAN devices any longer (woohoo!!)

 

Things that are not working. 

I cannot connect to the Private Wireless any longer. 

Devices attached to the guest network can not browse the Internet (oops.....)

Even though I set the Managed VLAN to be 100, I cannot access the WAP from the wired network to manage it any longer.

 

I can reset to default, and then restore the config (made-em heap big backup!) on the wireless, but I would love to just fix it. I think the problem mainly lies in the Membership setting, but I can't hit across the correct combination to make it behave. Attached are the existing membership pages. Assistance, is as always, appreciated :)


Try to make port 2 a trunk instead of tagged. The wording is a little confusing with this device as tagged, to me, means a dot1q trunk, regardless of how many vlans on it.

Did you make sure to make the WAP port a trunk(tagged) as well for both vlans?

Hi,

 

Not sure if I have to jump in, as you are reaching the end of the tunnel :-) . But because James is mentioning that RVS4000 terminology is a little confusing, I will agree and will try to clarify it for him and do my best to make it clear for you as well.

By terminology there are 3 port modes, when we are talking about VLANs - Trunk, Access, General.

Tagging is just information carried in the packet showing to which VLAN this packet belongs. And this "VLAN checking" is happening on the port - for the incoming traffic as well as the outgoing. 

When Trunk mode is used on the port, that means there should be one VLAN untagged, this is also the management, also called native VLAN. And all other VLANs assigned to that port should be tagged. Looking at the print screen you provided, this corresponds to the Trunk Function.

Access mode means that through this port will pass only packets which do not have a tag. And because the traffic allowed will not have VLAN identification, logically you can assign only one VLAN on such a port. Looking at your print screen this corresponds to the Untagged Function.

General mode allows all VLANs to be tagged, or all VLANs to be untagged. Let's say that you can configure whatever VLANs you want there and someone else will take care of identifying the traffic. On the print screen this corresponds to the Tagged Function.

The second part of RVS4000 table, is regarding if there will be a tag put/checked for a VLAN packet or not. Or this VLAN will be not allowed to pass through the port - this is the Exclude Function.

Let's take for example port 2 on RVS4000. Through this port should pass (incoming/outgoing) packets for VLAN100 and VLAN200.

Let's assume that your Private network is 192.168.2.X. For example RVS4000 IP is 192.168.2.1 and the WAP200 IP is 192.168.2.2. And you have DHCP server range 192.168.2.100-200. And this is your VLAN100.

After that you have Guest SSID, which will be another IP range. Let's say 192.168.3.1 will be RVS4000 IP and DHCP pool 192.168.3.100-200. WAP200 does not need to have an IP from that range.

 

1. As WAP200 LAN port is Trunk mode by default, RVS4000 port 2 should be configured Trunk (as James already mentioned). Now as the router and the AP have an IP address from VLAN100, then this will be your native/management VLAN. So VLAN100 will be untagged and VLAN200 will be tagged. So whenever a packet is coming with no tag, the router will know that this packet is for VLAN100. The same logic is for the WAP200.

That's why your private SSID users do not even receive an IP. With this configuration RVS4000 is tagging VLAN100 packets when they are sent to WAP200 and because WAP200 expects these packets to be untagged, it just drops them. The same is the other way - when a user from the private SSID is trying to obtain an IP, WAP200 sends an untagged packet to RVS4000 and because RVS4000 is configured to accept only tagged packets it just drops it.

 

2. Let me first say that port 1 configuration is correct (more or less :-) ). Now you are saying that the switch is unmanaged. The unmanaged switches (by default) do not support tagging. They pass only untagged packets. When a tagged packet arrives on a port it just drops it. So the possible configurations on port 1, where the unmanaged switch is, are: like you did - Trunk, VLAN100 untagged and the other VLANs excluded. Or Untagged, VLAN 100 untagged.

 

Please, see attached how the configuration should be:

1. create VLANs 100 and 200

2. configure ports 1 and 2 in Trunk mode and PVID 100

3. assign VLAN200 to port 2 as tagged

4. and 5. When you configure the IP range for each VLAN, do not forget to configure DNS as well. If you leave it blank it will use as DNS the router IP 192.168.1.1, and because there is no interVLAN routing, the internet pages will not open - meaning no internet.

6. I would suggest to assign a static IP on WAP200 from VLAN100, it's easy to manage. Again be sure to put a DNS

7. change the default VLAN from 1 to 100, as shown and assign the VLANs to the SSIDs

 

Waiting for your reply.

Kremena
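The tagged/untagged mismatch explained in the reply above, as an added Python model of the two port tables (not code from the thread or from either device). It assumes the 802.1Q rules the reply states: an untagged frame arriving on a port is placed in the port's PVID only if that VLAN is untagged on the port, a tagged frame is accepted only if its VLAN is tagged on the port, and an excluded VLAN never leaves the port; the VLAN numbers follow the thread (100 private, 200 guest):

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """One 802.1Q port as the RVS4000/WAP200 tables present it: pvid is the
    VLAN assigned to untagged ingress frames; untagged/tagged say how each
    member VLAN leaves the port; VLANs in neither set are excluded."""
    name: str
    pvid: int
    untagged: set = field(default_factory=set)
    tagged: set = field(default_factory=set)

    def egress(self, vlan):
        """Frame of `vlan` leaving the port: None (sent untagged), the VLAN id
        (sent with a tag) or 'dropped' (VLAN excluded on this port)."""
        if vlan in self.untagged:
            return None
        if vlan in self.tagged:
            return vlan
        return "dropped"

    def ingress(self, tag):
        """Frame arriving with `tag` (None = untagged): the VLAN it lands in,
        or 'dropped' when the port is not configured to accept it."""
        if tag is None:
            return self.pvid if self.pvid in self.untagged else "dropped"
        return tag if tag in self.tagged else "dropped"

def cross_link(sender, receiver, vlan):
    """Push one frame of `vlan` out of `sender` and into `receiver`; returns
    the VLAN it arrives in, or where along the cable it was dropped."""
    wire = sender.egress(vlan)
    if wire == "dropped":
        return "dropped at " + sender.name + " egress"
    got = receiver.ingress(wire)
    return "dropped at " + receiver.name + " ingress" if got == "dropped" else got

# Constructed port tables (assumed, modelled on the thread's screenshots).
wap_lan = Port("WAP200 LAN", pvid=100, untagged={100}, tagged={200})   # trunk, 100 native
rvs_p2_broken = Port("RVS port 2 (broken)", pvid=1, tagged={100, 200}) # every VLAN tagged
rvs_p2_fixed = Port("RVS port 2 (fixed)", pvid=100, untagged={100}, tagged={200})
rvs_p1 = Port("RVS port 1", pvid=100, untagged={100})                  # VLAN200 excluded
unmanaged = Port("unmanaged switch", pvid=100, untagged={100})         # no tagging support
```

With the broken table, private (VLAN100) frames die in both directions, which is why the private SSID never got an address; with the fixed one both VLANs pass, and VLAN200 is still stopped at port 1 before it can reach the unmanaged LAN switch.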

Oooh..... I don't think those words mean what I think they mean.....

*sigh* ok, definitely got things all messed up, thanks to both for the replies. I'll remote in and see if I can get back and rolling. The wireless won't respond, and I think I know why..., but I'll keep that answer quiet until I find out, so I don't look like quite as much of an idiot if I'm wrong... again... :) 

Since this is an accountant's office (and every change I make to the VLAN IP range restarts the router), I'll make the changes later today when things aren't quite so busy. However, M. Ivanova, the settings you kindly screenshot for me look like they're the exactly what I need... apparently, I'm not advanced enough to handle a book without pictures yet... *sigh* Thanks very much, will print these out, and head up later to see if I can fix what I broke. Thanks again to both of you for your patience and responses. I'll report back later with either how you saved the day, or how I broke it again :) 

Oh, and by the way? Very nice of you, "Let me first say that port 1 configuration is correct (more or less :-) )." but very wrong. You and I both know I completely messed it up. I appreciate the attempt to make me feel not quite so stupid though.

Sorry to wait so long to reply, but last week was a nightmare for me. The good news is, everything's up and running. The last piece of the puzzle that I missed (and, if I had gotten that, I might have been able to figure out where I was messed up earlier), was requiring DNS for each VLAN. 

 

Thanks very much to the both of you for your assistance and Patience. Hopefully, I'll retain some of this when the next project like it rolls around. Thanks again!

chris