Multiple VLANs - Single port

Answered Question
Jul 21st, 2009

We often have guest users wanting to connect their laptops to our network, primarily for Internet access. I have set up a secure wireless with WPA - PEAP - RADIUS on our domain but this means that I have to physically configure every guest computer with the corresponding wireless settings. Our Proxim AP-4000 access points allow for multiple SSIDs on different VLANs. The problem I am up against is that I cannot figure out how to have more than one VLAN per port on the 4506 switch (or the 3560s for that matter). The attached diagram shows what I want to do. The goal is to NOT have to touch a guest's laptop.

SSID1 is configured for RADIUS authentication (NPS on Windows 2008) which is what our employees connect to. SSID2 is configured with a passphrase for authentication on the access point for guest laptops.

I was hoping to use the same subnet for DHCP and DNS services but laptops connecting to SSID2 can't access those DHCP or DNS services. I can easily set up a dedicated server for that on VLAN10 if needed. I have also thought about using something like DNSRedirector installed on VLAN10…

The main issue is getting the SSID2/VLAN10 access point traffic to the DHCP/DNS server.

Any help would be greatly appreciated.

Thanks

Correct Answer by Giuseppe Larosa about 7 years 7 months ago

Hello Dave,

>> The problem I am up against is that I cannot figure out how to have more than one VLAN per port on the 4506 switch

int gx/y
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! default, you will not see this in the config
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10

You can probably create a macro for this or you can use interface range to apply this configuration to multiple ports.

If a normal NIC is connected to the port and only untagged frames flow, they are seen as belonging to vlan 1.

You may want to use a different vlan for native (untagged) frames.

Vlan 10 has to be defined and present also on inter-switch trunk links to be able to reach the L3 device.

You can apply an ACL to give only internet access in the guest vlan.

More complex solutions involve the use of VRF lite to have the guest vlan(s) in a separate routing table.

An ip helper-address command under SVI vlan 10 can allow reaching the DHCP server:

int vlan10
 ip address x.y.z.k m.m.m.m
 ! x.y.z.k = address of the SVI, m.m.m.m = subnet mask of the guest vlan
 ip helper-address x.x.x.x
 ! x.x.x.x = address of the DHCP server; the SVI relays the clients' DHCP broadcasts to it

Hope to help

Giuseppe
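The guest SVI with its helper address and the internet-only ACL that the answer above mentions, written out as an added example (it is not part of Giuseppe's post and not Cisco's documentation). The addresses (guest vlan 10 as 192.168.10.0/24, DHCP/DNS server 10.0.0.5), the unused native vlan 999 and the port GigabitEthernet1/1 are assumptions constructed for the example, and it assumes the AP tags the frames of both SSIDs.

```cisco
! Assumed addressing (constructed for this example):
!   guest vlan 10 = 192.168.10.0/24, SVI 192.168.10.1
!   DHCP/DNS server on the staff side = 10.0.0.5
!   staff networks all live inside the RFC1918 ranges denied below
vlan 10
 name GUEST
!
! Guest SVI: the helper relays the clients' DHCP broadcasts to 10.0.0.5,
! the ACL is checked on everything routed out of the guest vlan
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 10.0.0.5
 ip access-group GUEST-IN in
!
ip access-list extended GUEST-IN
 ! DHCP discovers come from 0.0.0.0 to 255.255.255.255 and renewals go
 ! unicast to the server, so match on the ports rather than on addresses
 permit udp any eq bootpc any eq bootps
 ! DNS only to the internal resolver
 permit udp 192.168.10.0 0.0.0.255 host 10.0.0.5 eq domain
 permit tcp 192.168.10.0 0.0.0.255 host 10.0.0.5 eq domain
 ! Guests may ping their gateway; this must precede the 192.168/16 deny
 permit icmp 192.168.10.0 0.0.0.255 host 192.168.10.1 echo
 ! Block every private range (covers the server vlan and the staff vlans)
 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.10.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 ! Everything else (the Internet) is allowed; log what gets dropped
 permit ip 192.168.10.0 0.0.0.255 any
 deny   ip any any log
!
! Trunk to the AP, as in the answer, but with an unused native vlan that is
! not in the allowed list: untagged frames are discarded instead of landing
! in a production vlan (the caveat about native frames in the answer)
interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,10
 switchport mode trunk
```

Verify with "show ip access-lists GUEST-IN" after a guest client has connected: the DHCP and DNS entries should show hit counts and the private-range denies should stay at zero once the clients are working.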


daverutz58 Thu, 07/23/2009 - 05:38

Giuseppe,

Thanks for the tips! As soon as I can get some time (could only be mid-August because of a hectic schedule), I'll try this out...

Dave

daverutz58 Fri, 05/21/2010 - 12:53

Giuseppe,

Good thing I didn't specify which year I'd have time to try things out! I'm back to working on this project and am still trying to figure out where, in the Cisco Network Assistant (v.5.5 with software 12.2(52)SG-IP-BASE-CRYPTO), I can enter the IP Helper address... I don't have physical access to the switch right now.

Reza Sharifi Fri, 05/21/2010 - 13:19

Dave,

Can't you use telnet to login and assign the helper address?

HTH

Reza

daverutz58 Mon, 05/24/2010 - 10:28

Thanks Reza,

I can telnet into the switch, I'm just not that into command line stuff, more of a GUI guy. That being said, I find it strange that there is nowhere in the GUI to specify the ip helper-address. Anyway, I added the ip helper-address to vlan10 but do I need to specify an ip address too? For now, I have a static IP set on the DMZ interface of the Untangle server. I could bridge it with the EXT interface and set the IP on the VLAN.

I've attached a simplified diagram of what I'm trying to achieve...

Thanks,

Dave

jkillion Tue, 05/25/2010 - 12:29

Yes, you need to specify an IP address.  You need to set ip helper-address x.x.x.x.  Substitute the x's w/ your DHCP server IP.
