New Member

Guest VLAN on unmanaged network

I've bought some UniFi wifi access points which I want to add to our network. We use a mix of Cisco and Netgear switches (I'll be phasing out the Netgears over time). I'd like to make a guest VLAN for the wifi; I'm just not sure how best to do it. There are some details on a possible setup here.

At the moment we have an unmanaged network, so everything is using VLAN 1.

We use 2 Cisco PIX 515e firewalls (one as backup); they go directly to a switch, then we use a Windows server for DHCP. The config for the firewall (fw1) interface that connects to a switch is:

 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.135.248 255.255.192.0 standby 192.168.135.249

On the switch it connects to, called sw1 (C2950-I6Q4L2-M), the port is configured like so:

interface FastEthernet0/15
 switchport mode trunk
 switchport nonegotiate
 speed 100
 duplex full

Port Gi0/2 connects to the next switch, a Netgear GS748T (sw2), which then connects to various other switches:

interface GigabitEthernet0/2
 description Netgear GS748T
 switchport trunk allowed vlan 1-4
 switchport mode trunk
 switchport nonegotiate
 speed 1000
 duplex full
 flowcontrol receive desired

(There are some other VLANs created; not sure what they are for yet, I'm new here!)

We've just bought a Cisco WS-C3650-24PS - sw3.

I was thinking of plugging the wifi access points into Cisco switches only, creating a VLAN (VLAN 20) and only allowing VLAN 20 on specific ports, if this is possible?

I'm a beginner at this so the theory is there but not sure how to execute it!

I'm thinking, on the firewall fw1:

eth2

 speed 100
 duplex full
 nameif guest
 security-level 90
 ip address 192.168.0.248 255.255.255.0 standby 192.168.0.249

On sw1, connect Gi0/2 to sw3 Gi1/1/1.

Config to be:

 switchport trunk allowed vlan 20
 switchport mode trunk
 switchport nonegotiate
 speed 1000
 duplex full

sw3 will already have VLAN 1 going to it as part of the unmanaged network, as it is connected to another switch on another port already.

So my question is, how do I set up the DHCP server on sw3 for VLAN 20 (192.168.0.0/24)?

And how would both VLANs get sent to the wifi access points which are patched into sw3, but without VLAN 20 traffic being sent to other ports which do not have the APs connected to them? I would also like to allow VLAN 20 to another Cisco switch.

Or if this is the wrong way of doing it, let me know a better solution.

Apologies in advance if this is not making much sense!

1 ACCEPTED SOLUTION
New Member

I actually use UniFi APs in our environment too, great little APs as long as you buy the Pro models (the standard ones have their shortfalls).

I think your PIX config looks good (it's been a while since I've touched one, so I'd have to log in to the 525 I have at home to confirm). Just ensure it's configured to disallow traffic from your guest VLAN to the internal network; if memory serves there's an option that's on by default to disallow traffic from a higher security interface to a lower one.

It may be better to configure Sw1/0/2 and Sw3/1/1/1 with all of your VLANs; if you want redundancy you can create a LAG between the two with multiple ports. If you use different links for different VLANs and down the road something happens and both of those ports become active on the same VLAN (i.e. you or someone else forgets that you're using different uplinks for different VLANs), and STP isn't set up properly, you'll create a loop on that VLAN, potentially flooding the network with broadcast traffic.

As for the UniFi config, you configure the ports that the APs connect to as trunks. I assume you'll be managing the APs over VLAN 1, so the ports should be VLAN 1 untagged, VLAN 20 tagged.

The UniFi Controller software is used to set up and manage the APs; if you haven't already done so, install it. Once you have it installed you want to create two SSIDs: one without VLAN tagging enabled, which will be your internal SSID, and another with VLAN tagging enabled for VLAN 20, which will be your guest SSID. This way, when a client connects to the guest SSID the AP(s) will tag their traffic VLAN 20, so on ingress to sw3 the traffic will be tagged with the correct VLAN.

Attached is a screen from my UniFi guest SSID config; you can also assign guests to a user group, which allows you to limit the bandwidth at the AP.

6 REPLIES
New Member

Thanks for the reply. I understood all of that except for creating a LAG?

Also, how do I stop VLAN 20 going to the rest of the network?

New Member

If you want to create redundancy for your links between devices you can create a LAG (or, in most of the Cisco world, an EtherChannel): basically you combine multiple physical interfaces on each switch to form one aggregate interface. Since the ports are used active/active it increases throughput capability and provides redundancy against failure of the cable or an individual port.

Here's the config guide on creating/configuring Etherchannels for the 3560:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_55_se/configuration/guide/3560_scg/swethchl.html

New Member

Thanks.

How do I set a port to be vlan1 untagged and vlan20 tagged?

I assume I would do switchport access vlan 20 for the tagged vlan?

New Member

You want the port to be a trunk port; access ports can only be assigned one VLAN, whereas trunks can be assigned multiple. The port's native VLAN is the untagged VLAN and all other VLANs allowed on that port are tagged, since by design you can only have one untagged VLAN, so your configuration will go something like this:

 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 20

New Member

I couldn't get it working without allowing VLAN 1 also?

So sh run looks like this for the port I plug the AP into:

interface GigabitEthernet1/0/12
 switchport trunk allowed vlan 1,20
 switchport mode trunk

I also did switchport trunk native vlan 1, but that doesn't seem to show in sh run.

So my config on sw3 is like so:

ip routing
!
ip device tracking
!
ip dhcp pool guest_wifi_pool
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 8.8.8.8
!
interface GigabitEthernet1/0/12
 description wifi test port
 switchport trunk allowed vlan 1,20
 switchport mode trunk
!
interface Vlan1
 ip address 192.168.135.237 255.255.192.0
 no ip route-cache cef
!
interface Vlan20
 ip address 192.168.0.1 255.255.255.0
!
! next hop is fw1; with "ip routing" enabled the switch forwards from its
! routing table, so a default route is needed instead of "ip default-gateway"
ip route 0.0.0.0 0.0.0.0 192.168.135.248
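As an added illustration (not code from this thread or from Cisco), the script below walks a show running-config excerpt and lists every port that would forward a given VLAN. It bears on the "how do I stop VLAN 20 going to the rest of the network" question: on IOS a trunk with no switchport trunk allowed vlan line carries every VLAN, so a guest VLAN reaches uplinks like sw1's Fa0/15 unless they are pruned. The sample config is constructed from the ports in the thread; GigabitEthernet1/0/13 is invented, and a port with no switchport mode line is treated as an access port for simplicity.

```python
# Constructed "show running-config" excerpt modelled on the ports in this
# thread (not a capture from the poster's switches); Gi1/0/13 is invented.
SAMPLE_RUN = """\
interface FastEthernet0/15
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport trunk allowed vlan 1-4
 switchport mode trunk
!
interface GigabitEthernet1/0/12
 switchport trunk allowed vlan 1,20
 switchport mode trunk
!
interface GigabitEthernet1/0/13
 switchport access vlan 20
!
"""

def parse_interfaces(run_cfg):
    """Map each 'interface X' block (blocks end with '!') to its config lines."""
    blocks = {}
    for block in run_cfg.split("\n!\n"):
        lines = block.strip().splitlines()
        if lines and lines[0].startswith("interface "):
            blocks[lines[0].split(None, 1)[1]] = [l.strip() for l in lines[1:]]
    return blocks

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,20,30-32' into a set of ints."""
    return {v for part in spec.split(",")
            for v in range(int(part.split("-")[0]), int(part.split("-")[-1]) + 1)}

def ports_carrying_vlan(run_cfg, vlan):
    """Return {interface: reason} for every port that would forward `vlan`."""
    hits = {}
    for name, lines in parse_interfaces(run_cfg).items():
        # 'switchport mode trunk' -> {'switchport mode': 'trunk'}, and so on
        cfg = dict(l.rsplit(" ", 1) for l in lines if l.startswith("switchport "))
        mode = cfg.get("switchport mode", "access")  # no mode line: treat as access
        if mode == "trunk":
            allowed = cfg.get("switchport trunk allowed vlan")  # missing = all VLANs
            if allowed is None:
                hits[name] = "trunk with no allowed-vlan list (carries ALL VLANs)"
            elif vlan in expand_vlan_list(allowed):
                hits[name] = "trunk explicitly allows vlan %d" % vlan
        elif cfg.get("switchport access vlan") == str(vlan):
            hits[name] = "access port in vlan %d" % vlan
    return hits
```

Run against the sample with vlan 20, it flags Fa0/15 (unpruned trunk), Gi1/0/12 and Gi1/0/13 and leaves the 1-4 uplink alone; adding an allowed-vlan list to Fa0/15 removes it from the report.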
