Vlan Trunking SSID's with SG300-28P & WAP4410n

zach hughes
Level 1

My wireless AP is the WAP4410n

My switch is the SG300-28P

My router is the RVS4000

I want to create a guest wireless & an internal use only.

It looks easy enough on the WAP, associate a vlan id with the SSID.

I did notice after doing this the second vlan (the non-default vlan i created) wasn't getting an IP address.

I'm guessing the problem is my config on the switch. I created a vlan with the same ID as the one on the WAP.

Now for the trunking... I'm not sure what to do here, any advice on how to configure it?

Should I be creating a vlan to port trunk or vice versa?

Thanks!


David Hornstein
Level 7

Hi Zach,

I am a Cisco Systems Engineer, so expect some product suggestions.

I have to admit I don't have the WAP4410N, only the older wireless G, WAP200.

If I had my choice I would have the newer AP541.

OK, I thought I would set up the network as a configuration example for others, to get a feel for configuring VLANs. Got to admit that it took me longer to write this response than to set up the whole network.

But yes, we need to be propagating a tagged Guest VLAN, in my case VID 100, originating from the RVS4000, through the 300 series switch and into the Wireless AP Ethernet interface.

Here is the setup topology I used in my example:

VLAN setup table

All Ethernet ports carrying only one VLAN will be in access mode.

All Ethernet ports carrying more than one VLAN will be in trunk mode.

I connected switch port 4 on my RVS4000 to Gigabit port 10 on my 10 port SRW2008P-K9-NA, via a CAT5e cable.

Zach, great choice in using the new 300 series switch!

In terms of router, I would have preferred a newer RV120W or the RV220W in preference to the RVS4000. They are a newer technology with some incredible features and raw horsepower, when compared to the older RVS4000.

See product review at the following URL in case you want to check out an independent review on the new RV120W:

http://www.smallnetbuilder.com/wireless/wireless-reviews/31393-cisco-rv-120w-wireless-n-vpn-firewall-reviewed

All these routers mentioned, including the RVS4000, support trunked or, as some people call it, tagged VLANs.

In the default factory settings, the default VLAN or native VLAN is always untagged on our switches, routers and wireless devices.

Putting the switch ports into trunk mode will allow for other VLANs to traverse over the CAT5e cable as tagged Ethernet frames. But we'll see this later.

This is why I only had to connect one Cat5e cable between RVS4000 switch port 4 and my SRW2008P-K9-NA, switch port 10.

One Cat5e cable between my business series products can, in general, handle one untagged and multiple tagged VLANs.

The WAP200 is a wireless G version of the WAP4410N. The management interface on both WAPs is basically very, very similar. So I was not deterred in using the WAP200 in this example. It will look very similar to your management interface.

WAP200, WAP4410N and the newer AP541 support, as you observed, multiple tagged VLANs traversing from the wireless network to the copper Gigabit interface on the WAPs.

These WAPs can map an SSID to a VLAN, but again the default VLAN 1 is usually untagged and other SSIDs pass their Ethernet frames to the switch network as tagged Ethernet frames.

So far simple, but let's see how I configured the network.

My rationale in configuring this network was to configure the network devices from the wireless device back into the core. This would mean I could configure IP interfaces on peripheral or edge devices and work my way back into the network core and still maintain connectivity to edge devices.

So my VLAN 1 or admin network was going to use 192.168.1.x  for management of network devices.

I could have created a corporate network vlan, but didn't.  (The RVS4000 can support four separate Layer 3 networks)

My Vlan100 (guest network) was going to issue 192.168.100.x  addresses for wireless guests.

I set up only the SSID and no wireless encryption; I'll leave encryption to you.

I then mapped an SSID to a VLAN ID.

I telnetted to the switch and gave the switch a new management IP address of 192.168.1.100.

Set up a default route, as per my screen shot below, so that I could test pinging from the guest wireless VLAN to the management interface of the router.

I would remove pinging ability later with an Access Control List within my SG300-10P switch. There is an option within the RVS4000 to stop inter-VLAN routing, but I thought it was more prudent to run wire speed access lists within my SG200-10P switch.

I then added my Guest VLAN (100) to my SRW2008P-K9-NA (SG300-10P).

I am setting Gig 1 (which is connected to the WAP) and Gig 10 (connected to the RVS4000) to trunk mode.

I left all switch ports as untagged in the native or default VLAN, as you can see below.

Now, I altered VLAN 100 and made G1 and G10 tagged in VLAN 100.

I highly recommend you occasionally save the switch configuration, by clicking the save button at the top of the GUI.

Please note: save the configuration when you complete the switch configurations, otherwise a power reset will cause the switch to lose configuration information.

Now it's time to move back to the router and add VLAN 100 and configure a trunked VLAN on switch port 4.

Firstly, setting the RVS4000 switch port 4 to trunk mode.

By default all switch ports will be untagged in VLAN 1, so I selected VLAN 100 and made sure that switch port 4 was tagged for VLAN 100.

Because I have a new layer 2 interface (VLAN 100) in my RVS4000, I now have a new option to add a Layer 3 IP network and DHCP scope to this new VLAN 100.

Because I have a DHCP scope now working on VLAN 100, I attached my PC to the wireless GUEST SSID and was given a 192.168.100.X address.

I can now ping the router; all is working absolutely perfectly and as expected.

You can see that when wirelessly connected I was allocated an IP address of 192.168.100.100 and I could ping the router's 192.168.1.1 address.

Hmmm, this has to be modified as your wireless guests are not allowed to ping or access any IP addresses in the 192.168.1.X network.

So, I am going to create an access list and bind that access list to an ingress (incoming) interface and restrict access from traffic coming in from switch port G1 of the SG300-10P.

I then created an ACE that was attached to the ACL. Please note that my ACE was to only restrict access to the router's IP address.

In my example, you might have to alter the Priority 1 entry to destination IP address 192.168.1.0, mask = 0.0.0.255.

At the moment, as you can see from my ACE below, the Priority 1 entry's destination address is host specific. It is intended only for me to lose access to a single IP destination address.

(Please note: notice the help button on the top right of all the previous screens, I clicked it.)

The help screen that comes up will give you screen specific help on the page you are on. Notice in the help text below, it suggests that the ACL has to be assigned to an interface and the ACL will look at packets coming into the switch.

Time now to attach the ACL that I previously created to an interface that I have my WAP connected to.

This will stop guests in the wireless network from accessing the default VLAN.

But in my example it will stop my ability to ping and manage 192.168.1.1.

Note: the ACL is applied to G1 so wireless traffic will be inspected / dropped by the ACL.

Lastly, remember to save your configuration.

Hope this helps.

regards Dave
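
As an added illustration (not part of Dave's post and not Cisco code), here is a small Python model of the destination-address match an ACE performs with a wildcard mask. It shows why the host-specific entry from the screenshot (192.168.1.1, mask 0.0.0.0) only blocks the router, while the suggested 192.168.1.0 / 0.0.0.255 entry blocks the whole management subnet. The "first matching ACE wins" order, the permit-by-default fall-through and the sample destinations are assumptions of this model, not statements from the post.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access control entry, matched on destination only
    (the ACL is bound to the guest ingress port, so the source is already known)."""
    priority: int
    action: str      # "deny" or "permit"
    dst: str         # destination address, e.g. "192.168.1.0"
    wildcard: str    # Cisco-style wildcard mask: 0 bits must match, 1 bits are ignored


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base in every bit position the wildcard leaves as 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def acl_decision(aces, dst: str, default: str = "permit") -> str:
    """Walk the ACEs in priority order; the first match decides.

    Assumption of this model: unmatched traffic falls through to `default`,
    so guests keep their path to the internet through the router.
    """
    for ace in sorted(aces, key=lambda e: e.priority):
        if wildcard_match(dst, ace.dst, ace.wildcard):
            return ace.action
    return default


# The two variants discussed above: the host-specific entry from the
# screenshot and the subnet-wide entry suggested for a real guest network.
HOST_ONLY = [Ace(1, "deny", "192.168.1.1", "0.0.0.0")]
WHOLE_SUBNET = [Ace(1, "deny", "192.168.1.0", "0.0.0.255")]


def guest_reach(aces, targets):
    """Map each destination a guest might try to the ACL verdict."""
    return {t: acl_decision(aces, t) for t in targets}


if __name__ == "__main__":
    # Constructed sample destinations: router, another admin host, guest gateway, an internet host.
    targets = ["192.168.1.1", "192.168.1.50", "192.168.100.1", "203.0.113.10"]
    print("host-only ACE:", guest_reach(HOST_ONLY, targets))
    print("subnet ACE:   ", guest_reach(WHOLE_SUBNET, targets))
```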


Thanks for all the info, question:

I don't have static routes in my config.

From what I've read I need to enable Layer 3 mode.

How would one do so?

Thanks!

Hi

RVS4000, or the newer RV120W or RV220W  all support trunked VLANs from a LAN port, which means that multiple VLANs can be propagated to the switch network.

There is no need to enable Layer 3 on the SG300-28P (or SKU ordering p/n SRW2024G4P-K9-XX).

But if you did, for other folks' benefit, it can be done via a telnet, console or SSH connection to the switch. From these connections you can modify the mode of the switch, from Layer 2 mode to Layer 3 mode.

regards Dave

I was following your guide as I want to do a very similar thing as Zach utilizing 1- RVS4000 router, 1- SG200-50P switch and 4- WAP4410N access points.

When I got to the part about setting IPv4 Static Routes, I looked high and low throughout the settings but was unable to find where to set them. Do you have any advice on where I can find or set the Static Routes?

Hi Zach and others,

I have a SG300-28 and a WAP4410n with a working configuration. I thought I might as well share some information.

First of all, I have one central SG300-28 switch running in L3 mode. And I also have seven SG300-10(P) switches running in L2 mode; they are connected to the SG300-28. But these seven switches are out of scope for this matter.

My network is segmented in about 20 VLANs. Almost every one of them is hosted by the central SG300-28. All VLANs (except VLAN 10) have an IP address. That IP address functions as a default gateway for client VLANs. Below you see a few examples.

  • VLAN 1 - Management Network
  • VLAN 10 - External Network (Internet)
  • VLAN 100 - Internal Network (Edge Servers)
  • VLAN 101 - Internal Network (Servers)
  • VLAN 102 - Internal Network (Clients)
  • VLAN xxx - ...

The network is fully routable. VLAN 101 contains a DHCP Server that hosts a DHCP scope for almost every VLAN. The important part is I have configured DHCP Relay on each VLAN to reach that DHCP Server. Please keep in mind, you can only enable DHCP Relay when a VLAN has an IP Address (default gateway) configured. And to assign an IP Address to a VLAN your switch needs to be running in L3 mode! You can only configure the switch in L3 mode through the command line (telnet).

My WAP4410n is connected to one port on the SG300-28. That port is configured as a trunk port. The VLAN port membership of that trunk port is 1UP / 10T / 102T / 202T / 302T. Now note that VLAN 10 is our internet connection. It is considered our guest network for wireless and direct internet connection. There is a firewall in between, but I don't want to go into detail about that.

So as you can see the trunk ports contain "T"agged VLANs (10T/102T/202T/302T). This means you need to configure each SSID in your WAP4410n with "T"agged VLAN settings. It also contains an "U"ntagged default Management VLAN (1UP). That is only used for administrative purposes, since the WAP4410n has an IP address in that VLAN. To help you out, this is what I have configured in the WAP4410n.

Go to Wireless > VLAN and QoS

VLAN: Enabled

Default VLAN ID: 1
VLAN Tag: Untagged

AP Management VLAN: 1

VLAN Tag over WDS: Disabled

And then a VLAN ID for every SSID (with WMM enabled)

What happens: if a wireless client connects to one of your VLANs, its packets will be tagged. The WAP4410n is only connected with one wire to the trunk port. But since it is a trunk port and each packet of that particular SSID is tagged, it will reach the VLAN. That VLAN has an IP address and is enabled by DHCP Relay. DHCP requests will thereby reach your DHCP server, or your switch/router if you use something else for DHCP.

So bottom line is: configure the switch port as a trunk port. That trunk port must host tagged VLAN membership for each SSID. Make sure your WAP4410n tags the packets for each SSID.

I hope this information might help. I also read the question about static routes and such. I think that is out of scope right now. But if you want to know more about that you can always ask me.
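
As an added check (not from the post above and not Cisco code), the following Python parses a trunk membership string in the form the post uses (1UP / 10T / 102T / 202T / 302T, where U = untagged, T = tagged and a trailing P marks the PVID) and compares it with the SSID-to-VLAN mapping configured on the AP. It flags the mismatches that leave an SSID without an IP address: a VLAN missing from the trunk, a tag mode that differs between AP and switch, or more than one untagged VLAN. The `ssids` dictionary shape and the check names are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Membership codes as they appear in the SG300 port membership view:
# U = untagged, T = tagged, trailing P = this VLAN is the port's PVID.
MEMBER_RE = re.compile(r"^(\d+)(U|T)(P?)$")


@dataclass(frozen=True)
class Membership:
    vlan: int
    tagged: bool
    pvid: bool


def parse_membership(spec: str):
    """Parse a membership string such as '1UP / 10T / 102T / 202T / 302T'."""
    members = []
    for item in spec.split("/"):
        m = MEMBER_RE.match(item.strip())
        if not m:
            raise ValueError(f"unrecognised membership entry: {item.strip()!r}")
        members.append(Membership(int(m.group(1)), m.group(2) == "T", m.group(3) == "P"))
    return members


def check_trunk(spec: str, ssids: dict, mgmt_vlan: int = 1):
    """Compare switch-side trunk membership with the AP-side SSID mapping.

    ssids maps SSID name -> (vlan_id, ap_tags_frames). Returns a list of
    problems; an empty list means every SSID's frames land in their VLAN.
    """
    members = {m.vlan: m for m in parse_membership(spec)}
    problems = []
    untagged = [m for m in members.values() if not m.tagged]
    if len(untagged) != 1:
        problems.append(f"expected exactly one untagged VLAN on the trunk, found {len(untagged)}")
    elif untagged[0].vlan != mgmt_vlan or not untagged[0].pvid:
        problems.append(f"untagged VLAN should be the management VLAN {mgmt_vlan} and the PVID")
    for ssid, (vid, ap_tags) in ssids.items():
        m = members.get(vid)
        if m is None:
            problems.append(f"SSID {ssid!r}: VLAN {vid} is not a member of the trunk port")
        elif m.tagged != ap_tags:
            ap_side = "tags" if ap_tags else "does not tag"
            sw_side = "tagged" if m.tagged else "untagged"
            problems.append(f"SSID {ssid!r}: AP {ap_side} VLAN {vid} but the switch has it {sw_side}")
    return problems
```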
