Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2059
Views
5
Helpful
7
Replies

VLAN configuration on WLAN

Go to solution
dmwaigi4433
Level 1
Level 1

‎10-14-2017 12:36 AM - edited ‎03-08-2019 12:21 PM

Quick description of setup:

  • 4 Sites on different networks (e.g. 192.168.1.0, 192.168.2.0 ...)
  • Connected through MPLS thus devices directly communicated with each other across networks.
  • Each site has a Cisco Router
  • Switches in sites are non-cisco but intelligent (D-Link)
  • AP are non-cisco (UniFi)
  • Two WLANs: OFFICIAL using EAP, GUEST using WPA

Disclaimer: Novice

I have been tasked to create VLANs which will further segregate the OFFICIAL traffic from the GUEST traffic.

So my questions are:

Say I configure VLAN 2 (OFFICIAL) and VLAN 3 (GUEST) on separate subnets. VLAN2 can access company servers and internet, VLAN3 purely internet. I then do the necessary configuration of trunk ports interconnecting the switches. 

  1. Does the port on the switch where the APs connect to have to configured to either a truck/access or can it be left blank.
  2. Because the essence of creating VLANs is solely to protect access through wireless, do the rest of the LAN ports have to configured.
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Meheretab Mengistu
Level 7
Level 7
In response to dmwaigi4433

‎10-14-2017 01:38 AM

If the switch you are using is managed switch, it understands VLANs and uses VLAN tags to process traffics. If the desktops are not in any VLAN (are untagged), they will be send to the native VLAN (by default, VLAN 1 in Cisco switches). So, if you want to send the desktops and the laptop users to the same gateway, you will need to tag them accordingly.

Let's say you configure the gateways as subinterfaces on the Cisco router (that is, you're having Router-on-stick setup). Each subinterface operates as a gateway for specific VLANs which are configured on it using "encapsulation dot1q x" where x equals VLAN number. All traffic tagged with VLAN x (VLAN 2 in our case) goes to the corresponding subinterface and routed.

HTH,
Meheretab
HTH,
Meheretab

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Meheretab Mengistu
Level 7
Level 7

‎10-14-2017 12:52 AM

Say I configure VLAN 2 (OFFICIAL) and VLAN 3 (GUEST) on separate subnets. VLAN2 can access company servers and internet, VLAN3 purely internet. I then do the necessary configuration of trunk ports interconnecting the switches. 

  1. Does the port on the switch where the APs connect to have to configured to either a truck/access or can it be left blank?

The switch ports where the APs are connected should be configured as trunk port so that it could allow more than one VLAN. You can configure one of the VLANs (say VLAN2) as Native VLAN if you prefer.

 

  1. Because the essence of creating VLANs is solely to protect access through wireless, do the rest of the LAN ports have to configured?

If they are going to be the same subnet as the Office WLAN, they need to be configured to the same VLAN. 

 

HTH,

Meheretab

 

HTH,
Meheretab
0 Helpful

Go to solution
dmwaigi4433
Level 1
Level 1
In response to Meheretab Mengistu

‎10-14-2017 01:24 AM

Thanks for the quick reply.

Again, indulge my ignorance.

Lets say i want subnet 192.168.1.0/25 to be OFFICIAL traffic (both LAN and WLAN) and 192.168.1.128/25 to be GUEST traffic. Computers have static addresses in 192.168.1.0/25 range.

DHCP will be used to distribute both subnets and use policies accordingly, so that office laptop will get 192.168.1.0/25 and mobile phones will get 192.168.1.128/25.

 

With the UniFi AP, I can create WLANs and assign them a VLAN. Therefore OFFICIAL WLAN = VLAN2 = 192.168.1.0, GUEST WLAN = VLAN3 = 192.168.1.128.

 

SO my concern is on the desktop environment. Can it remain as is, or do I now have to assign them to VLAN2.

 

0 Helpful

Go to solution
Meheretab Mengistu
Level 7
Level 7
In response to dmwaigi4433

‎10-14-2017 01:38 AM

If the switch you are using is managed switch, it understands VLANs and uses VLAN tags to process traffics. If the desktops are not in any VLAN (are untagged), they will be send to the native VLAN (by default, VLAN 1 in Cisco switches). So, if you want to send the desktops and the laptop users to the same gateway, you will need to tag them accordingly.

Let's say you configure the gateways as subinterfaces on the Cisco router (that is, you're having Router-on-stick setup). Each subinterface operates as a gateway for specific VLANs which are configured on it using "encapsulation dot1q x" where x equals VLAN number. All traffic tagged with VLAN x (VLAN 2 in our case) goes to the corresponding subinterface and routed.

HTH,
Meheretab
HTH,
Meheretab
0 Helpful

Go to solution
dmwaigi4433
Level 1
Level 1
In response to Meheretab Mengistu

‎10-14-2017 02:00 AM

Thanks again for the reply and contextualizing my thoughts.

You are right, we have a router-on-stick setup setup with sub-interfaces for each subnet, but wit no VLANs. We were running out of (for argument sake) 192.168.1.0/24 ip's, so we added 192.168.2.0/24. Both networks communicate with each other. So my plan is to add a 3rd network for GUEST connectivity, and implement VLANs to separate that network.

So my main concern is the ramifications of untagged machines in terms what they can and cannot access.

 

 

0 Helpful

Go to solution
mattjones03
Level 1
Level 1

‎10-14-2017 01:38 AM

Hi,

 

When completing something similar in the past I completed the following example;

 

At each site;

VLAN 10 - Corporate Access

Subnet: 192.168.10.0/24

VLAN 20 - Corporate WiFi

Subnet: 192.168.20.0/24

VLAN 30 - Guest WiFi

Subnet: 192.168.30.0/24

 

To your first point around using a trunks, this is worthwhile as it enables you to associate a specific VLAN against a WiFi SSID that resides on your APs.

 

As you mention, the purpose of a VLAN is to isolate/segregate however using the above approach will enable you to also control the traffic also (apply granular ACLs etc). Furthermore, the dedicated subnets will allow you to differentiate the traffic should you want it to traverse the MPLS.

 

Some of these controls could be applied on your MPLS router (CE);

 

- Rate limit traffic for the guest network

 

- ACLs to ensure that the guest network is only able to access the internet, and none of the corporate services.

 

A bit of a long winded explanation, but thought some context may help you with some further considerations.

 

Regards

 

Matt

 

0 Helpful

Go to solution
dmwaigi4433
Level 1
Level 1
In response to mattjones03

‎10-14-2017 02:01 AM

Eaxctly what I am trying to setup up. If you have any documentation, I would so really appreciate it.

0 Helpful

Go to solution
mattjones03
Level 1
Level 1
In response to dmwaigi4433

‎10-14-2017 03:34 AM - edited ‎10-14-2017 03:36 AM

Hi,

 

I have submitted a message to you outside of this conversation.

 

Unfortunately, the documentation I have on this solution contains company sensitive information, so would not be able to share this.

 

 

Something I forgot to mention in my last reply is, it is wise to create a dedicated corporate wired and WiFi subnet, as there may be a requirement to treat the WiFi traffic differently. When that need arises, you will be grateful for making the strategic decision to accommodate for this in the design phase.

 

Just put this quick example diagram together, that may assist you in visualising the thought process;

 

Cisco Support Community - WiFi Explanation.JPG

 

Hope this helps. 

 

Regards

 

Matt

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card