SG300 - Wifi Vlan

Answered Question
Mar 26th, 2012

Hello,

I want to set up a VLAN only for the Wi-Fi APs and Wi-Fi clients on my network. They can't access any server, only Internet access.

I already implemented this configuration and it's working, but now I want to allow a couple of laptops to connect to servers in another VLAN. What should I do?

Should I do it using the MAC address of the laptops or the IP? How?

Thanks a lot.


David Hornstein Mon, 03/26/2012 - 18:12

Hi Angel,

You said "I already implement this configuration and its working"

To know what to do, the community has to know exactly what you did for "can't access any server..."

Could you please describe what you did so that the wireless clients cannot get to the servers?

regards Dave

bluebytes1 Tue, 03/27/2012 - 12:02

David,

Thanks for your reply. You are very helpful.

You are right.

I configured the switch in layer 3 mode with 3 VLANs and 3 VLAN interfaces.

One of the VLANs (VLAN 20) is only for the access points and wireless clients. That VLAN only has access to the Internet (the switch has a routing rule 0.0.0.0 0.0.0.0 10.0.0.2, where 10.0.0.2 is the firewall). And I will block any other communication with an ACL, doing a deny everything from this VLAN 20 to the other VLANs, as you pointed me to in the other post.

But I need some wireless laptops to be able to connect to servers (support laptops). Should I allow this communication with a rule on the ACL, permit laptop IP to server? Or should I do it another way?

Please excuse my English, and thanks a lot.

Angel

David Hornstein Tue, 03/27/2012 - 14:55

Hi Angel.

You must be highly intelligent; you can speak and write multiple languages, but I can only speak one.

Is the firewall VLAN aware? In other words, can you assign multiple VLANs on its Ethernet port or ports?

If the answer is yes, I would also guess that this firewall may also provide DHCP services to the local area networks that are attached to it.

To me it seems simpler to just run the switch in layer 2 mode, like the diagram below:

I would have thought that your firewall, which may be VLAN aware like my ASA5500, can provide multiple DHCP scopes for different networks.

It still seems easier to leave the network in layer 2 mode and engineer the network so that the firewall can provide basic DHCP services for the different VLANs. In another question you ask how to configure the DHCP server for multiple VLANs using DHCP requests with option 82.

If this is a problem for you, it just seems simpler to run the switch in layer 2 mode and allow the firewall to do DHCP (if possible).

regards Dave

bluebytes1 Mon, 04/02/2012 - 16:53

David,

I have this scenario:

      INTERNET
            I
            I
       Firewall   10.0.0.2
            I
            I
Switch Layer 3 10.0.0.1
     I           I
     I        Switch layer 2
     I            I
     I      AccessPoints (vlan3)
     I
Switch layer2
  I            I
  I         vlan1
vlan2

Vlan 1 administration

Vlan 2 HR

Vlan 3 is only for the access points and wireless clients.

My layer 3 switch does the inter-VLAN communication and it has one IP route 0.0.0.0 0.0.0.0 10.0.0.2.

I configured VLAN interfaces for each VLAN on the layer 3 switch, so every host on the VLANs uses that interface as its gateway.

But I want to do this:

I want VLAN 3 to only be able to access the Internet and not the other VLANs.

Can I delete the VLAN 3 interface on the switch and use the firewall as the gateway of that VLAN? I mean, create a VLAN 3 interface on the firewall. This way I have more specific control on that VLAN. Can I do that? Should I set something on the layer 3 switch?

Thanks a lot

Angel

David Hornstein Mon, 04/02/2012 - 21:09

Hi Angel

I prefer to run the switch in Layer 2 mode for the following reasons.

It will be easier for you to configure services such as DHCP if your firewall device supports multiple DHCP scopes.

I cannot tell you if you can configure VLAN 3 on your firewall. You really have to know if VLAN 3 can be created on a firewall Ethernet interface. You also have to know if your firewall is capable of providing DHCP services for separate VLANs.

My concern is, can wireless clients within VLAN 3 get a response to DHCP requests?

The switch can always bind an ACL to an ingress interface for the purpose of restricting access of VLAN 3 IP hosts to other VLANs.

bluebytes1 Tue, 04/03/2012 - 07:52

David,

Thanks again for your reply.

I prefer to run the core switch in layer 3 mode because of the inter-VLAN routing between VLANs, except VLAN 3 for wireless devices. For that VLAN I think it is better if it all goes to the firewall, and the firewall can filter better.

My firewall supports multiple DHCP scopes.

I also have a DHCP server on my network, so I think I can configure the layer 3 switch to relay DHCP to VLANs 1 and 2. Am I right?

So in this scenario, my DHCP server for the Ethernet VLANs (admin and HR) is a server on the network.

And my DHCP for the wireless client VLAN will be the firewall. I should test whether clients within VLAN 3 can get a response from the firewall DHCP.

I will only have VLAN interfaces for VLANs 1 and 2 but not for VLAN 3, so if I have no VLAN 3 interface on the switch, how do I tell the switch to forward all VLAN 3 communication to the firewall? I mean, some special route? Some special configuration on the switch-firewall trunk?

Thanks a lot and sorry to bother you!

Correct Answer
David Hornstein Tue, 04/03/2012 - 08:17

Hi Angel,

It sounds to me like you:

  • know what you want to do with the switch,
  • have DHCP services in place and working,
  • understand how to filter (permit or deny) traffic with ACLs. These ACLs will deny traffic from or to wireless clients even before the Ethernet frames leave my switch.

You can still have VLAN 3 on the switch terminating on the firewall; there may be no need to add an IP interface to VLAN 3 on the switch.

If all is working, we are finished. But if you have further questions, I am more than happy to assist with advice or a configuration example.

regards David
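
The design agreed in this thread (VLAN 3 kept as a layer 2 VLAN on the SG300 with no IP interface, the firewall as its gateway and DHCP server, the switch relaying DHCP for the routed VLANs, and an ingress ACL that denies VLAN 3 to the other VLANs except for named support laptops) can be written out as a single SG300 configuration. The following is an added example, not a configuration posted by David or Angel, and not taken from Cisco documentation. Its CLI syntax is assumed from the Sx300 firmware 1.x command set (vlan database, interface vlan, ip dhcp relay, ip access-list extended, service-acl input) and should be checked against your release; all addresses other than 10.0.0.1 and 10.0.0.2 (the switch and firewall from the thread) are constructed, as are the port numbers gi1, gi2 and gi10, the DHCP server 10.0.0.10, and the support laptop 10.0.3.50.

```cisco
! Added example configuration for an SG300 in layer 3 (router) mode.
! Constructed addressing: VLAN 1 admin 10.0.0.0/24 (switch 10.0.0.1, firewall 10.0.0.2,
! DHCP server 10.0.0.10), VLAN 2 HR 10.0.2.0/24, VLAN 3 wireless 10.0.3.0/24 whose
! gateway 10.0.3.1 and DHCP scope live on the firewall, not on the switch.
! Assumed ports: gi1 = trunk to the firewall, gi2 = trunk to the HR/admin layer 2 switch,
! gi10 = link towards the access points (constructed port numbers).

! 1. Create the VLANs. VLAN 3 exists here purely as a layer 2 VLAN.
vlan database
 vlan 2,3
exit

! 2. Routed interfaces for VLANs 1 and 2 only. There is deliberately no
!    "interface vlan 3": VLAN 3 hosts use the firewall (10.0.3.1) as their gateway,
!    so the switch never routes for them.
interface vlan 1
 ip address 10.0.0.1 255.255.255.0
exit
interface vlan 2
 ip address 10.0.2.1 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 10.0.0.2

! 3. DHCP relay for the routed VLANs. VLAN 1 hosts reach the server directly;
!    VLAN 2 broadcasts must be relayed to 10.0.0.10.
ip dhcp relay enable
ip dhcp relay address 10.0.0.10
interface vlan 2
 ip dhcp relay enable
exit

! 4. Trunk to the firewall: VLAN 1 untagged (native), VLAN 3 tagged, so the firewall
!    terminates VLAN 3 and answers its DHCP requests. No route is needed for VLAN 3;
!    its frames are simply switched to the firewall's tagged subinterface.
interface gi1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan add 3
exit

! Trunk to the layer 2 switch that holds the VLAN 1 and VLAN 2 hosts.
interface gi2
 switchport mode trunk
 switchport trunk allowed vlan add 2
exit

! 5. Ingress ACL on the port facing the access points. The SG300 evaluates ACEs in
!    order with an implicit deny at the end, so: the support laptop's exception first,
!    then deny VLAN 3 to the internal subnets, then permit everything else (Internet
!    traffic and DHCP broadcasts to the firewall).
ip access-list extended WIFI-VLAN3
 permit ip 10.0.3.50 0.0.0.0 10.0.0.0 0.0.0.255
 deny   ip 10.0.3.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip 10.0.3.0 0.0.0.255 10.0.2.0 0.0.0.255
 permit ip any any
exit

interface gi10
 switchport mode access
 switchport access vlan 3
 service-acl input WIFI-VLAN3
exit
```

Two points worth checking when applying a configuration like this. First, the ACL filters on the laptop's IP address, so that address has to be stable: give the support laptop a DHCP reservation in the firewall's VLAN 3 scope (or a static address), otherwise the permit entry stops matching after a lease change; an SG300 MAC ACL (mac access-list extended) is the alternative the original question asked about. Second, the switch ACL only drops frames as they enter from the access points; the firewall's policy on its VLAN 3 interface must also permit 10.0.3.50 to the server subnet, and the firewall needs a route back to 10.0.0.0/24 and 10.0.2.0/24 via 10.0.0.1 for the return traffic.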

bluebytes1 Wed, 04/04/2012 - 13:36

David

Thanks a lot for your advice. You are very helpful.

I tried that configuration and it works perfectly. Now I'm going to test the DHCP relay of the switch.

Thanks !!!

nvong@martinrea.com Tue, 07/17/2012 - 10:55

I have a Windows DHCP server with 2 scopes, an AP 1040 and an SG300 switch. Two SSIDs are associated with VLANs 1 and 5. VLAN 1 is on the management subnet and gets an IP from DHCP OK, but not the clients from the 2nd SSID on VLAN 5.

How do you make the DHCP server assign an IP to the guest wireless VLAN 5?

Thanks in advance.

Posted March 26, 2012 at 12:50 PM