We often have guest users wanting to connect their laptops to our network, primarily for Internet access. I have set up a secure wireless with WPA - PEAP - RADIUS on our domain but this means that I have to physically configure every guest computer with the corresponding wireless settings. Our Proxim AP-4000 access points allow for multiple SSIDs on different VLANs. The problem I am up against is that I cannot figure out how to have more than one VLAN per port on the 4506 switch (or the 3560s for that matter). The attached diagram shows what I want to do. The goal is to NOT have to touch a guest's laptop.
SSID1 is configured for RADIUS authentication (NPS on Windows 2008) which is what our employees connect to. SSID2 is configured with a passphrase for authentication on the access point for guest laptops.
I was hoping to use the same subnet for DHCP and DNS services, but laptops connecting to SSID2 can't access those DHCP or DNS services. I can easily set up a dedicated server for that on VLAN10 if needed. I have also thought about using something like DNSRedirector installed on VLAN10…
The main issue is getting the SSID2/VLAN10 access point traffic to the DHCP/DNS server.
Any help would be greatly appreciated.
>> The problem I am up against is that I cannot figure out how to have more than one VLAN per port on the 4506 switch
switchport trunk enc dot1q
switchport mode trunk
! default you will not see this in config
switchport trunk native vlan 1
switchport trunk allowed vlan 1,10
You can probably create a macro for this or you can use interface range to apply this configuration to multiple ports.
If a normal NIC is connected to the port and only untagged frames flow, they are seen as belonging to VLAN 1.
You may want to use a different VLAN for native (untagged) frames.
VLAN 10 has to be defined and present also on inter-switch trunk links to be able to reach the L3 device.
You can apply an ACL to give only Internet access in the guest VLAN.
More complex solutions involve the use of VRF lite to have the guest VLAN(s) in a separate routing table.
An ip helper-address command under SVI vlan 10 can allow the DHCP server to be reached:
ip address x.y.z.k
Hope to help
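
The pieces suggested in the reply above (trunk ports toward the access points, an SVI with a DHCP relay, and an ACL limiting guests to Internet access), put together as an added example that is not part of the original thread. It assumes the SVI for VLAN 10 lives on the L3 switch; the interface numbers, the 192.168.10.0/24 guest subnet and the 192.168.1.10 DHCP/DNS server address are constructed placeholders.

```cisco
! Added example. Interface numbers, guest addressing (192.168.10.0/24) and the
! DHCP/DNS server address (192.168.1.10) are constructed placeholders.
vlan 10
 name GUEST
!
! AP-facing ports: untagged frames stay in native VLAN 1,
! SSID2 traffic arrives tagged as VLAN 10.
! The encapsulation line is rejected on platforms that only support 802.1Q
! and can be omitted there.
interface range GigabitEthernet2/1 - 4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10
!
! Guest traffic is filtered as it enters the routed interface.
ip access-list extended GUEST-IN
 remark DHCP from guests (broadcast discover and unicast renew)
 permit udp any eq bootpc any eq bootps
 remark DNS to the internal server only
 permit udp 192.168.10.0 0.0.0.255 host 192.168.1.10 eq domain
 permit tcp 192.168.10.0 0.0.0.255 host 192.168.1.10 eq domain
 remark Block every other internal destination (RFC 1918 space)
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark What is left is Internet-bound
 permit ip 192.168.10.0 0.0.0.255 any
!
interface Vlan10
 description Guest wireless (SSID2)
 ip address 192.168.10.1 255.255.255.0
 ! Relays guest DHCP broadcasts to the server on the internal subnet
 ip helper-address 192.168.1.10
 ip access-group GUEST-IN in
```

The DHCP permit comes first because the client's initial discover is sourced from 0.0.0.0 and would not match a rule written against the guest subnet. `show ip access-lists GUEST-IN` shows per-entry hit counts, which makes it easy to confirm that guest attempts to reach internal addresses are landing on the deny lines.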