Solved

Simple Guest VLAN Help

Posted on 2016-11-03
Last Modified: 2016-11-04
My first go at VLANs and I have a very basic gist. I'm trying to use a 2nd physical interface on our ASA to isolate guest VLAN traffic coming from our Unifi APs. I've done the ASA work, and set up the AP with a test SSID on VLAN 2.

But I'm confused on the switch config (using Ubiquiti). How do I get traffic coming from the APs on ports 24, 31, 48 on VLAN 2 to get DHCP and route out of port 2 (the 2nd interface on the ASA)? Not a huge CLI fan, but the switch has a good VLAN wizard. I'm sure I'm just not tagging/trunking correctly. See attached.

(Attachment: switch vlan)
Question by:bhieb
17 Comments
 

Author Comment

by:bhieb
ID: 41872453
To clarify one thing: the ASA is just a physical interface; it doesn't care at all about the VLAN ID. I just need anything hitting VLAN 2 to be sent to that interface for DHCP.
0
 
LVL 11

Expert Comment

by:BillBondo
ID: 41872785
You may need an IP helper (DHCP relay) for that to work. I am not familiar with how to set that up (Ubiquiti) but figured I'd at least make the suggestion.
0
 
LVL 6

Expert Comment

by:Rob Leaver
ID: 41873056
So you have your APs that plug into your switch, on VLAN 2?

Then a connection goes to your ASA?

Could you draw a diagram so I can get a better understanding of what you're trying to achieve overall?


Edit: Additionally, if you have tagged and untagged traffic on the same port, you may as well just stay on the native VLAN; the VLANs are basically cancelling themselves out at this stage because any traffic on the native VLAN 1 can pass through those ports.
0
 

Author Comment

by:bhieb
ID: 41873072
Ok, so I've changed it a bit to follow this article. Essentially I've moved from a physical interface to a virtual one on the ASA.

https://help.ubnt.com/hc/en-us/articles/205197630-EdgeMAX-VLAN-Walkthrough-with-EdgeSwitch-using-Sample-Enterprise-Topology

Attached is a layout, a shot of the AP setup, and a revised shot of the switch VLAN setup. Since all the parties at play here (the ASA and 3 APs) need to see both VLANs, I've trunked them all. When I connect to SSID 1 I get DHCP from VLAN 1 (the Windows server), but if I try SSID 2 I get no DHCP.

(Attachments: ap config, diagram, switch vlan)
0
 

Author Comment

by:bhieb
ID: 41873084
To clarify, I wasn't following that article exactly, since they were locking down all the ports. I just have the default VLAN 1 and VLAN 2.
0
 
LVL 6

Expert Comment

by:Rob Leaver
ID: 41873112
Do you have an IP address assigned to your VLAN 2?

If you're having both tagged and untagged data on the same ports, there is no real reason to use VLANs... unless you're doing something like a VoIP & PC situation.

If you want to divide the traffic accordingly, you will need to set up one segment of ports for VLAN 1 and a second set for VLAN 2, then plug in separate cables from your ASA to the corresponding VLAN (on the switch), keeping the traffic separate. The same applies to where your APs are plugged in.

Trunking is typically used to pass VLAN traffic from switch to switch. You're only using one switch, so I'm not sure what you've done with your trunking there, unless you've somehow trunked from your ASA to your switch, which from what I gather you may have done. That confuses things, because with a virtual interface set up you're basically doing inter-VLAN routing now, and there is really no need for that for what you're trying to achieve.
0
 

Author Comment

by:bhieb
ID: 41873120
I have an IP address assigned to VLAN 2 on the ASA (not the switch), and a DHCP server on the ASA for that VLAN. I was just trunking everything, I guess, to see if I could get it to work. I agree I shouldn't need any trunking, since all the untagged ports see VLANs 1-4093 anyway.

If that's the case, does the switch need any VLAN config at all? It shouldn't, right? The AP tags the request on the SSID, the router sees VLAN 2 and hands out DHCP?

I'll test and see; maybe I was just overthinking it. The main goal here is to just have the router handle DHCP for the guests so they don't eat up an MS CAL.
0
 

Author Comment

by:bhieb
ID: 41873122
Oh, and I don't want or need inter-VLAN access; I want this traffic separate.
0
 
LVL 6

Expert Comment

by:Rob Leaver
ID: 41873158
When you set up a VLAN, you need to set up an IP on that VLAN. Try assigning the VLAN an IP and see if your APs then pick up the correct guest network IP info.
0
 
LVL 6

Expert Comment

by:Rob Leaver
ID: 41873160
Actually, scrap that. Can you make the VLAN 2 ports VLAN 2 untagged, so it's untagged going out of the switch?

I've had similar issues on a Dell switch before; some of the non-Cisco switch VLAN tagging can be slightly different, which causes major confusion, I've found.
0
 

Author Comment

by:bhieb
ID: 41873996
I don't have that option. I can either tag or exclude the VLAN 2 ports. But to be clear, there aren't any VLAN 2-only ports. All 3 carry both kinds of traffic. I just need the ASA to process DHCP for VLAN 2.
0
 

Author Comment

by:bhieb
ID: 41873999
Here is the new switch config: port 9 to the ASA is a trunk, the rest are just tagged VLAN 2, untagged VLAN 1.

(Attachment: conf)
0
 
LVL 6

Accepted Solution

by:
Rob Leaver earned 2000 total points
ID: 41874126
I'm out of ideas...

Could you now re-summarise your setup? Are you using a virtual interface on your ASA or a physical one?

I understand you are using DHCP from the ASA for your guest network, and your corporate network is receiving DHCP from your Windows server.

I am assuming your APs are set on the correct network address? Can you ping the APs from your switch/ASA?

If you plug your laptop into the ASA, do you receive DHCP from it?
0
 

Author Comment

by:bhieb
ID: 41874130
Rob, I'm going to escalate this to a consultant I work with on Ubiquiti stuff. I thought it might have been something simple, but now I'm not so sure. I tried to hard-set a test port to VLAN 2 and it still didn't get DHCP, so I think it may be the ASA. I appreciate the time, and the points are yours.
0
 
LVL 6

Expert Comment

by:Rob Leaver
ID: 41874132
No worries, probably the best solution for you to get this resolved.

Good luck and hopefully you can figure it out and provide feedback on here so we can see the solution.

--Rob
0
 

Author Comment

by:bhieb
ID: 41874323
If in doubt, start over. Man, what a brain fart. When I traced the line from the ASA to the switch, I traced it to the wrong port. DOH! So all my configs were in the wrong place. All that was required was to create the VLANs and tag the ports (just untagged on VLAN 1, tagged on VLAN 2) and it works perfectly.
0
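For readers landing here with the same layout, the working end state described in this thread (ASA subinterface for VLAN 2 handing out DHCP; every AP-facing switch port and the ASA-facing port carrying VLAN 1 untagged and VLAN 2 tagged) can be expressed in CLI as below. This is an added example, not a config posted by bhieb or Rob Leaver and not taken from the attachments. The AP port numbers 24, 31 and 48 come from the question; the ASA uplink port, the parent interface name, the addressing and the DNS server are constructed placeholders, and the EdgeSwitch `vlan participation`/`vlan tagging` syntax is assumed from the FASTPATH-style CLI that EdgeSwitch uses. The guest-to-inside deny is included because the poster explicitly wanted no inter-VLAN access; the ASA's security levels already block it by default, but an explicit ACL keeps that intent visible and logged.

```text
! ---------- Ubiquiti EdgeSwitch (FASTPATH-style CLI, assumed) ----------
! Create the guest VLAN. VLAN 1 already exists as the default/untagged VLAN.
vlan database
vlan 2
vlan name 2 "Guest"
exit

configure
! AP ports from the question (24, 31, 48): PVID stays 1 (corporate SSID
! untagged), guest SSID arrives tagged as VLAN 2 and is forwarded as such.
interface 0/24
vlan participation include 2
vlan tagging 2
exit
interface 0/31
vlan participation include 2
vlan tagging 2
exit
interface 0/48
vlan participation include 2
vlan tagging 2
exit
! Port to the ASA: PLACEHOLDER 0/X. Same shape as the AP ports, because the
! ASA parent interface takes VLAN 1 untagged and the subinterface takes VLAN 2
! tagged. The thread's root cause was a cable landing on a different port than
! the one configured, so confirm with: show vlan port all
interface 0/X
vlan participation include 2
vlan tagging 2
exit
exit

! ---------- Cisco ASA ----------
! Parent interface = existing inside leg (PLACEHOLDER name/address).
! No dhcpd here: the Windows server serves VLAN 1.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! 802.1Q subinterface for the guest VLAN (the "virtual interface" in the thread).
interface GigabitEthernet0/1.2
 vlan 2
 nameif guest
 security-level 0
 ip address 192.168.2.1 255.255.255.0
!
! ASA hands out guest leases so guests consume no Windows CALs (constructed pool).
dhcpd address 192.168.2.50-192.168.2.250 guest
dhcpd dns 192.0.2.53 interface guest
dhcpd lease 3600 interface guest
dhcpd enable guest
!
! Explicit isolation: guests may reach the Internet but not the inside subnet.
access-list GUEST_IN extended deny ip any 192.168.1.0 255.255.255.0
access-list GUEST_IN extended permit ip any any
access-group GUEST_IN in interface guest
!
! Checks after a client joins the guest SSID:
!   show interface ip brief      (guest subinterface up with its address)
!   show dhcpd binding           (lease issued to the guest client)
```

If `show dhcpd binding` stays empty while the guest SSID client requests an address, verify on the switch that the port the ASA cable physically lands on is one of the ports with `vlan tagging 2`; a tagged VLAN 2 frame arriving on a port that excludes VLAN 2 is dropped silently, which is exactly the symptom the thread describes.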
 
LVL 6

Expert Comment

by:Rob Leaver
ID: 41874411
haha that sneaky layer 1 issue!

Glad you got it resolved.
0
