01-18-2011 11:05 AM
My wireless AP is the WAP4410n
My switch is the SG300-28P
My router is the RVS4000
I want to create a guest wireless network & an internal-use-only one.
It looks easy enough on the WAP: associate a VLAN ID with the SSID.
I did notice after doing this that the second VLAN (the non-default VLAN I created) wasn't getting an IP address.
I'm guessing the problem is my config on the switch. I created a VLAN with the same ID as the one on the WAP.
Now for the trunking... I'm not sure what to do here; any advice on how to configure it?
Should I be creating a VLAN-to-port trunk or vice versa?
Thanks!
01-18-2011 11:32 PM
Hi Zach,
I am a Cisco Systems Engineer, so expect some product suggestions.
I have to admit I don't have the WAP4410N, only the older wireless G WAP200.
If I had my choice I would have the newer AP541.
OK, I thought I would set up the network as a configuration example for others, to get a feel for configuring VLANs. I have to admit that it took me longer to write this response than to set up the whole network.
But yes, we need to be propagating a tagged guest VLAN, in my case VID 100, originating from the RVS4000, through the 300 series switch and into the wireless AP Ethernet interface.
Here is the setup topology I used in my example:
VLAN setup table
All Ethernet ports carrying only one VLAN will be in access mode.
All Ethernet ports carrying more than one VLAN will be in trunk mode.
I connected switch port 4 on my RVS4000 to Gigabit port 10 on my 10-port SRW2008P-K9-NA via a CAT5e cable.
Zach, great choice in using the new 300 series switch !
In terms of router, I would have preferred a newer RV120W or the RV220W over the RVS4000. They are newer technology with some incredible features and raw horsepower compared to the older RVS4000.
See the product review at the following URL in case you want to check out an independent review of the new RV120W:
All the routers mentioned, including the RVS4000, support trunked or, as some people call it, tagged VLANs.
In the default factory settings, the default VLAN or native VLAN is always untagged on our switches, routers and wireless devices.
Putting the switch ports into trunk mode will allow other VLANs to traverse the CAT5e cable as tagged Ethernet frames. But we'll see this later.
This is why I only had to connect one CAT5e cable between RVS4000 switch port 4 and my SRW2008P-K9-NA switch port 10.
One CAT5e cable between my business series products can, in general, handle one untagged and multiple tagged VLANs.
The WAP200 is a wireless G version of the WAP4410N. The management interfaces on both WAPs are basically very similar, so I was not deterred from using the WAP200 in this example. It will look very similar to your management interface.
WAP200, WAP4410N and the newer AP541 support, as you observed, multiple tagged VLANs traversing from the wireless network to the copper Gigabit interface on the WAPs.
These WAPs can map an SSID to a VLAN, but again the default VLAN 1 is usually untagged and other SSIDs pass their Ethernet frames to the switch network as tagged Ethernet frames.
So far simple, but let's see how I configured the network.
My rationale in configuring this network was to configure the network devices from the wireless device back into the core. This would mean I could configure IP interfaces on peripheral or edge devices and work my way back into the network core and still maintain connectivity to edge devices.
So my VLAN 1 or admin network was going to use 192.168.1.x for management of network devices.
I could have created a corporate network VLAN, but didn't. (The RVS4000 can support four separate Layer 3 networks.)
My VLAN 100 (guest network) was going to issue 192.168.100.x addresses to wireless guests.
I set up only the SSID and no wireless encryption; I'll leave encryption to you.
I then mapped an SSID to a VLAN ID.
I telnetted to the switch and gave the switch a new management IP address of 192.168.1.100.
I set up a default route, as per my screenshot below, so that I could test pinging from the guest wireless VLAN to the management interface of the router.
I would remove the pinging ability later with an Access Control List within my SG300-10P switch. There is an option within the RVS4000 to stop inter-VLAN routing, but I thought it was more prudent to run a wire-speed access list within my SG200-10P switch.
continued
01-18-2011 11:53 PM
I then added my guest VLAN (100) to my SRW2008P-K9-NA (SG300-10P).
I am setting Gig 1 (which is connected to the WAP) and Gig 10 (connected to the RVS4000) to trunk mode.
I left all switch ports as untagged in the native or default VLAN, as you can see below.
Now I altered VLAN 100 and made G1 and G10 tagged in VLAN 100.
I highly recommend you occasionally save the switch configuration by clicking the save button at the top of the GUI.
Please note: save the configuration when you complete the switch configurations, otherwise a power reset will cause the switch to lose the configuration information.
continued
01-18-2011 11:59 PM
Now it's time to move back to the router, add VLAN 100 and configure a trunked VLAN on switch port 4.
Firstly, set the RVS4000 switch port 4 to trunk mode.
By default all switch ports will be untagged in VLAN 1, so I selected VLAN 100 and made sure that switch port 4 was tagged for VLAN 100.
Because I have a new Layer 2 interface (VLAN 100) in my RVS4000, I now have a new option to add a Layer 3 IP network and DHCP scope to this new VLAN 100.
Because I have a DHCP scope now working on VLAN 100, I attached my PC to the wireless GUEST SSID and was given a 192.168.100.x address.
I can now ping the router; all is working absolutely perfectly and as expected.
You can see that when wirelessly connected I was allocated an IP address of 192.168.100.100 and I could ping the router's 192.168.1.1 address.
Hmmm, this has to be modified, as your wireless guests are not allowed to ping or access any IP addresses in the 192.168.1.x network.
So I am going to create an access list, bind that access list to an ingress (incoming) interface and restrict access for traffic coming in from switch port G1 of the SG300-10P.
I then created an ACE that was attached to the ACL. Please note that my ACE was to only restrict access to the router's IP address.
In my example, you might have to alter the Priority 1 entry's destination IP address to 192.168.1.0, mask = 0.0.0.255.
At the moment, as you can see from my ACE below, the Priority 1 entry's destination address is host specific. It is intended only for me to lose access to a single IP destination address.
(Please note: notice the help button on the top right of all the previous screens; I clicked it.)
The help screen that comes up will give you screen-specific help on the page you are on. Notice in the help text below, it suggests that the ACL has to be assigned to an interface and the ACL will look at packets coming into the switch.
Time now to attach the ACL that I previously created to the interface that I have my WAP connected to.
This will stop guests in the wireless network from accessing the default VLAN.
But in my example it will stop my ability to ping and manage 192.168.1.1.
Note: the ACL is applied to G1, so wireless traffic will be inspected / dropped by the ACL.
Lastly, remember to save your configuration.
Hope this helps.
Regards, Dave
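Dave's Priority 1 ACE above blocks a single host, and the post notes you would widen the destination to 192.168.1.0 with mask 0.0.0.255 to cover the whole admin network. The Python below is an added model of how those two ACEs evaluate (it is not Cisco code and not part of the post); the ACE tuples, the fallback deny action and the sample destination addresses are assumptions I constructed.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco-style wildcard compare: each 0 bit in the wildcard must equal the
    base address, each 1 bit is 'don't care' (0.0.0.0 = one host, 0.0.0.255 = a /24)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# ACEs as (priority, action, dst_base, dst_wildcard), lowest priority number first.
# Dave's ACE: host specific, only the router's management address is blocked.
HOST_ONLY_ACL = [
    (1, "deny", "192.168.1.1", "0.0.0.0"),
    (2, "permit", "0.0.0.0", "255.255.255.255"),
]
# The variant suggested in the post: block the whole 192.168.1.0/24 admin network.
SUBNET_ACL = [
    (1, "deny", "192.168.1.0", "0.0.0.255"),
    (2, "permit", "0.0.0.0", "255.255.255.255"),
]

def evaluate(acl, dst_ip):
    """First matching ACE wins. Assumption: traffic matching no ACE is denied,
    the usual Cisco ACL behaviour, so keep an explicit permit-any entry."""
    for _prio, action, base, wildcard in sorted(acl):
        if wildcard_match(dst_ip, base, wildcard):
            return action
    return "deny"

def guest_reachability(acl, targets):
    """Verdict for each destination a guest on VLAN 100 might try to reach."""
    return {t: evaluate(acl, t) for t in targets}

# Constructed sample destinations: router mgmt IP, another admin host, the
# guest VLAN's own gateway, and an RFC 5737 documentation address for "Internet".
TARGETS = ["192.168.1.1", "192.168.1.50", "192.168.100.1", "203.0.113.10"]

if __name__ == "__main__":
    for name, acl in (("host-only ACE", HOST_ONLY_ACL), ("subnet ACE", SUBNET_ACL)):
        print(name, guest_reachability(acl, TARGETS))
```

With the host-only ACE, 192.168.1.50 is still reachable from the guest SSID; the subnet ACE closes that while leaving the guest gateway and Internet permitted.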
01-30-2011 07:23 PM
Thanks for all the info, question:
I don't have static routes in my config.
From what I've read I need to enable Layer 3 mode.
How would one do so?
Thanks!
01-30-2011 07:34 PM
Hi
The RVS4000, or the newer RV120W or RV220W, all support trunked VLANs from a LAN port, which means that multiple VLANs can be propagated to the switch network.
There is no need to enable Layer 3 on the SG300-28P (or SKU ordering p/n SRW2024G4P-K9-XX).
But if you did, for other folks' benefit, it can be done via a telnet, console or SSH connection to the switch. From these connections you can modify the mode of the switch from Layer 2 mode to Layer 3 mode.
Regards, Dave
02-16-2012 07:23 PM
I was following your guide as I want to do a very similar thing to Zach, utilizing 1 RVS4000 router, 1 SG200-50P switch and 4 WAP4410N access points.
When I got to the part about setting IPv4 Static Routes, I looked high and low throughout the settings but was unable to find where to set them. Do you have any advice on where I can find or set the Static Routes?
02-18-2012 03:22 PM
Hi Zach and others,
I have an SG300-28 and a WAP4410N with a working configuration. I thought I might as well share some information.
First of all, I have one central SG300-28 switch running in L3 mode. I also have seven SG300-10(P) switches running in L2 mode; they are connected to the SG300-28. But these seven switches are out of scope for this matter.
My network is segmented into about 20 VLANs. Almost every one of them is hosted by the central SG300-28. All VLANs (except VLAN 10) have an IP address. That IP address functions as a default gateway for the client VLANs. Below you see a few examples.
The network is fully routable. VLAN 101 contains a DHCP server that hosts a DHCP scope for almost every VLAN. The important part is that I have configured DHCP relay on each VLAN to reach that DHCP server. Please keep in mind that you can only enable DHCP relay when a VLAN has an IP address (default gateway) configured. And to assign an IP address to a VLAN your switch needs to be running in L3 mode! You can only configure the switch in L3 mode through the command line (telnet).
My WAP4410N is connected to one port on the SG300-28. That port is configured as a trunk port. The VLAN port membership of that trunk port is 1UP / 10T / 102T / 202T / 302T. Now note that VLAN 10 is our internet connection. It is considered our guest network for wireless and direct internet connection. There is a firewall in between, but I don't want to go into detail about that.
So as you can see the trunk port contains "T"agged VLANs (10T/102T/202T/302T). This means you need to configure each SSID in your WAP4410N with "T"agged VLAN settings. It also contains an "U"ntagged default management VLAN (1UP). That is only used for administrative purposes, since the WAP4410N has an IP address in that VLAN. To help you out, this is what I have configured in the WAP4410N.
Go to Wireless > VLAN and QoS
VLAN: Enabled
Default VLAN ID: 1
VLAN Tag: Untagged
AP Management VLAN: 1
VLAN Tag over WDS: Disabled
And then a VLAN ID for every SSID (with WMM enabled).
What happens: if a wireless client connects to one of your VLANs, its packets will be tagged. The WAP4410N is only connected with one wire to the trunk port. But since it is a trunk port and each packet of that particular SSID is tagged, it will reach the VLAN. That VLAN has an IP address and has DHCP relay enabled. DHCP requests will thereby reach your DHCP server, or your switch/router if you use something else for DHCP.
So the bottom line is: configure the switch port as a trunk port. That trunk port must host tagged VLAN membership for each SSID. Make sure your WAP4410N tags the packets for each SSID.
I hope this information might help. I also read the question about static routes and such. I think that is out of scope right now. But if you want to know more about that you can always ask me.
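As an added illustration (not from any poster in this thread), the Python below models why a tagged guest SSID gets no DHCP lease when its switch port is only an untagged member of VLAN 1, and why the trunk membership notation used above ("1UP / 10T / 102T ...") fixes it. The membership parser, the 802.1Q frame helpers, the MAC addresses and the sample frames are my own assumptions, constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag
ETH_P_IP = 0x0800

def parse_membership(spec):
    """Parse GUI notation like "1UP / 10T / 102T" into ({vid: "U"|"T"}, pvid);
    the VLAN flagged P is the port's PVID for untagged ingress frames."""
    members, pvid = {}, None
    for item in spec.replace(" ", "").split("/"):
        digits = item.rstrip("UTP")
        flags = item[len(digits):]
        members[int(digits)] = "U" if "U" in flags else "T"
        if "P" in flags:
            pvid = int(digits)
    return members, pvid

def build_frame(dst, src, vid, payload, pcp=0):
    """Ethernet II frame; vid=None is untagged, otherwise one 802.1Q tag goes
    after the MACs: TPID 0x8100 then TCI = PCP<<13 | DEI<<12 | VID."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return hdr + struct.pack("!H", ETH_P_IP) + payload

def frame_vid(frame):
    """VID of a tagged frame, or None when the frame carries no 802.1Q tag."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

def ingress_vlan(port_spec, frame):
    """VLAN a frame is switched into on arrival, or None if dropped: untagged
    frames join the PVID, tagged frames need the port to be a member of the VID."""
    members, pvid = parse_membership(port_spec)
    vid = frame_vid(frame)
    if vid is None:
        return pvid
    return vid if vid in members else None

# Constructed sample traffic from the AP: a broadcast DHCP discover on the
# guest SSID (tagged VID 100) and an untagged management frame (VLAN 1).
BCAST = b"\xff" * 6
MAC_AP = bytes.fromhex("020000000001")  # constructed, locally administered
GUEST_DHCP = build_frame(BCAST, MAC_AP, 100, b"<constructed DHCP discover>")
MGMT_FRAME = build_frame(BCAST, MAC_AP, None, b"<constructed ARP request>")

def guest_vlan_on_port(port_spec):
    """VLAN the guest DHCP discover lands in for a given port membership."""
    return ingress_vlan(port_spec, GUEST_DHCP)  # "1UP" -> None, "1UP / 100T" -> 100
```

`guest_vlan_on_port("1UP")` returns None (the access-port case Zach described: the tagged frame is dropped, so no DHCP offer ever comes back), while `guest_vlan_on_port("1UP / 100T")` returns 100.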