Beginner

ISA550W with multi SSIDs (each with separate DHCP and VLAN tag)?

Can ISA550W do the following (in order):

1) first group physical interface(s) and wireless SSID(s) together

2) then assign with DHCP (ip subnet)

3) then add VLAN tag to some interface(s) and wireless SSID(s)

4) repeat (1) to (3) for the remaining interface(s) and wireless SSID(s) to create the diagram below:

image.png


Contributor

I'm not sure I understand your question well enough to give a response with any degree of certainty.  As well, your diagram isn't showing up either.  Can you try attaching your diagram again and/or try explaining your desired end result?

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

Just updated with picture. Thanks for your prompt response.

Do you know if it would support VLAN tagging onto SSID?


Let me see if I can answer your question by telling you what it can do.  Each SSID has its own VLAN.  Each SSID can only have 1 VLAN applied to it.  You can group SSIDs into Zones to determine what VLANs have unlimited access to each other versus those that have limited or no access to other VLANs.  Each SSID can have its own DHCP pool or share with a VLAN.  You can also configure Trunk ports that will simply trunk all selected VLANs down to the attached device.

I hope that answers your questions.  You have a number of things going on in the diagram and I tried to address each as I understood them.  Let me know if this helps, you have additional questions, or don't hesitate to send me a private message if you would prefer to have a more detailed discussion that is not public.

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

Correction, as I re-read my comment.  Each SSID can have its own VLAN or can share VLANs with other SSIDs or network ports.

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.
Beginner

Thanks for your help and I have sent you a private message.

In addition, is it possible to create the following 3 VLAN entries:

VLAN #1 (VLAN id : 10, DHCP pool : 192.168.10.x) assign to GE2, GE3

VLAN #2 (VLAN id : 20, DHCP pool : 192.168.20.x) assign to GE2, GE3

VLAN #3 (VLAN id : 30, DHCP pool : 192.168.30.x) assign to GE3, GE4, GE5


Yes. Do you need assistance setting that up? The main thing to keep in mind is that you can only apply multiple VLANs to the same port if it's a Trunk port instead of an Access port.

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

1) For example to set up VLAN#3 (see below image taken from ISA550 Emulator), select GE3, GE4, GE5 and click on "->Trunk"?

2) Can I apply multiple VLANs to an SSID (i.e. replace GE3 with an SSID in the VLAN #1, #2, #3 setup in my previous post)?

3) How come there is no SSID for me to choose from (again see the image below)?


1) I believe that will turn those ports into Trunk ports. That said, I normally go into the ports themselves under Networking, change them to Trunk ports and add the appropriate VLANs. Keep in mind that generally speaking what you would attach to a Trunk port is another switch. Then you would assign the appropriate VLANs to each switch Access port as you attach a device like a workstation. There are some devices that do support being connected to a Trunk port, like Cisco's OnPlus device, however.

2) Think of SSIDs as Access only ports. Since you could never attach a device that would support Trunking wirelessly, you can only apply 1 VLAN per SSID via Wireless -> Basic Settings.

3) Because SSIDs can't be Trunked. See #2 above to configure VLANs on SSIDs.

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.


One other consideration is to note the Zone in your VLAN configuration screen. Keep in mind that anything in the same Zone has unfiltered access to any other VLANs in that same Zone. If you want to truly segregate VLANs and limit access between them via Access Rules, you'd need to create new Zones via Networking -> Zone. A higher Security Level has, unless limited by an Access Rule, unlimited access to lower Security Levels. Lower Security Levels only have access to higher Security Levels if explicitly allowed by an Access Rule. The only exception to that rule is when a lower Security Level is responding to a request from a higher Security Level; then permission is assumed unless it is explicitly denied by an Access Rule.

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

Thanks for your help; I truly appreciate your time and expertise. Not sure if the summary below is correct:

When ports are assigned with VLANs belong to:

1) same Zone (ports behave as if joined together with a switch), hence firewall rules have no effect in Deny/Segregate traffic between VLANs

2) different Zone (ports behave as if physically separated), hence firewall rules are needed to Allow/Aggregate traffic between VLANs


1) I believe you can actually control access between VLANs in the same Zone with Access Rules. I could be wrong, but the rest of your statement is true for certain.
2) Correct

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.


BTW, I did get your PM but I've only been on iOS devices the past couple of days and I can't seem to reply to PMs. As well the app doesn't have Private Message support. I think we got those questions answered as well, correct?

Sent from Cisco Technical Support iPhone App

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

Yes, you have every question answered, including questions from the PM.

From your posts

a) Jun 15, 2013 7:44 PM:

"Keep in mind that anything in the same Zone has unfiltered access to any other VLANs in that same Zone."

b) Jun 16, 2013 6:49 AM:

"you can actually control access between VLANs in the same Zone with Access Rules"

Does that mean that, by default, traffic between 2 IPs of the same zone (same VLAN) is allowed, unless we create a firewall rule (like the mock-up I did, as shown in the picture below), which would stop the traffic between 2 IPs of the same VLAN?


Not exactly.  In your example ACL Rule, both the source and destination are in the same subnet.  As such, the firewall would never have an opportunity to block traffic between them because they can communicate directly at Layer 2 without requiring Layer 3 routing.

What I'm referring to is this.  Using your example, let's imagine you created another VLAN called Test2, VLAN ID 20, with IP Addresses in the 192.168.70.1 subnet located in the LAN Zone as well.  Traffic would be allowed between the 192.168.75.1 and 192.168.70.1 subnets by default since they're in the same Zone.  However, since they are 2 different subnets and would require Layer 3 routing between each other, you can then write ACL Rules to limit traffic between them... if you so desire.

Shawn Eftink CCNA/CCDA Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

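A small policy simulator, added here as an example and not part of this thread or of any Cisco software, that encodes the zone and subnet behaviour described in the replies above: same-subnet traffic is switched at Layer 2 and never reaches the firewall, same-zone subnets are allowed by default but can be limited with Access Rules, and a higher Security Level reaches a lower one by default while a lower one needs an explicit allow. The zone names, security levels, subnets and rules are constructed, and first-match rule evaluation and modelling only the initial flow (not return traffic) are assumptions.

```python
import ipaddress

# Constructed sample topology mirroring the thread's example (not device config):
# Test (VLAN 10, 192.168.75.0/24) and Test2 (VLAN 20, 192.168.70.0/24) in the LAN Zone,
# plus a constructed lower-security GUEST zone. Security level values are assumptions.
ZONES = {"LAN": 100, "GUEST": 25}
VLANS = {
    10: ("LAN", ipaddress.ip_network("192.168.75.0/24")),
    20: ("LAN", ipaddress.ip_network("192.168.70.0/24")),
    30: ("GUEST", ipaddress.ip_network("192.168.30.0/24")),
}
# Access Rules as (src_network, dst_network, action); first match wins (assumption).
RULES = [
    ("192.168.70.0/24", "192.168.75.0/24", "deny"),
    ("192.168.30.0/24", "192.168.75.0/24", "allow"),
]

def locate(ip):
    # Return (vlan_id, zone, subnet) for an address, or None if it is in no VLAN.
    addr = ipaddress.ip_address(ip)
    for vid, (zone, net) in VLANS.items():
        if addr in net:
            return vid, zone, net
    return None

def matching_rule(src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, action in RULES:
        if s in ipaddress.ip_network(rule_src) and d in ipaddress.ip_network(rule_dst):
            return action
    return None

def verdict(src, dst):
    """Decide what happens to a new flow from src to dst under the zone model."""
    a, b = locate(src), locate(dst)
    if a is None or b is None:
        return "unknown"
    _, src_zone, src_net = a
    _, dst_zone, dst_net = b
    if src_net == dst_net:
        # Same subnet: hosts talk at Layer 2, so the firewall never sees the flow.
        return "not-filtered (same subnet, Layer 2)"
    rule = matching_rule(src, dst)
    if rule:
        return rule + " (explicit rule)"
    if src_zone == dst_zone:
        return "allow (same zone default)"
    if ZONES[src_zone] > ZONES[dst_zone]:
        return "allow (higher to lower security level default)"
    return "deny (lower to higher security level default)"
```

Calling `verdict("192.168.75.10", "192.168.75.20")` shows why the same-subnet ACL in the thread cannot take effect, while `verdict("192.168.70.5", "192.168.75.10")` shows the explicit deny between two same-zone subnets.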