Solved

Simple Guest VLAN Help

Posted on 2016-11-03
Last Modified: 2016-11-04
My first go at VLANs and I have a very basic gist. I'm trying to use a 2nd physical interface on our ASA to isolate guest VLAN traffic coming from our Unifi APs. I've done the ASA work, and set up the AP with a test SSID on VLAN 2.

But I'm confused on the switch config (using Ubiquiti). How do I get traffic from the APs on ports 24, 31, 48 on VLAN 2 to get DHCP and route out of port 2 (the 2nd interface on the ASA)? Not a huge CLI fan, but the switch has a good VLAN wizard. I'm sure I'm just not tagging/trunking correctly. See attached.
(attachment: switch vlan)
Question by:bhieb
Author Comment

by:bhieb
To clarify one thing, the ASA is just a physical interface; it doesn't care at all about the VLAN ID. I just need anything hitting VLAN 2 to be sent to that interface for DHCP.
Expert Comment

by:BillBondo
You may need an IP helper / DHCP relay for that to work. I am not familiar with how to set that up (Ubiquiti) but figured I'd at least make the suggestion.
Expert Comment

by:Rob Leaver
So you have your APs that plug into your switch, on VLAN2?

Then a connection goes to your ASA ?

Could you draw a diagram so I can get a better understanding of what you're trying to achieve overall?


Edit: Additionally, if you have tagged and untagged traffic on the same port, you may as well just stay on the native VLAN; the VLANs are basically cancelling themselves out at this stage because any traffic on the native VLAN 1 can pass through those ports.
Author Comment

by:bhieb
Ok, so I've changed it a bit to follow this article. Essentially I've moved from a physical interface to a virtual one on the ASA.

https://help.ubnt.com/hc/en-us/articles/205197630-EdgeMAX-VLAN-Walkthrough-with-EdgeSwitch-using-Sample-Enterprise-Topology

Attached is a layout, a shot of the AP setup, and a revised shot of the switch VLAN setup. Since all the parties at play here (the ASA and 3 APs) need to see both VLANs, I've trunked them all. When I connect to SSID1 I get DHCP from VLAN1 (the Windows server), but if I try SSID2 I get no DHCP.
(attachments: ap config, diagram, switch vlan)
Author Comment

by:bhieb
To clarify, I wasn't following that article exactly since they were locking down all the ports. I just have the default VLAN1 and VLAN2.
Expert Comment

by:Rob Leaver
Do you have an IP address assigned to your VLAN2?

If you're having both tagged and untagged data on the same ports, there is no real reason to use VLANs... unless you're doing something like a VoIP & PC situation.

If you want to divide the traffic accordingly, you will need to set up a segment of ports for VLAN1 and a second set for VLAN2, then plug separate cables from your ASA into the corresponding VLAN (on the switch), keeping the traffic separate. Also match this to where your APs are plugged in.

Trunking is typically used to pass VLAN traffic from switch to switch. You're only using one switch, so I'm not sure what you've done with your trunking there, unless you've somehow trunked from your ASA to your switch, which from what I gather you may have done. That confuses things, because with a virtual interface set up you're basically doing inter-VLAN routing now, and there is really no need for that with what you're trying to achieve.
Author Comment

by:bhieb
I have an IP address assigned to VLAN2 on the ASA (not the switch), and a DHCP server on the ASA for that VLAN. I was just trunking everything, I guess, to see if I could get it to work. I agree I shouldn't need any trunking since all the untagged ports see VLANs 1-4093 anyway.

If that's the case, does the switch need any VLAN config at all? It shouldn't, right? The AP tags the request on the SSID, the router sees VLAN2 and hands out DHCP?

I'll test and see maybe I was just over thinking it. The main goal here is to just have the router handle dhcp for the guests so they don't eat up a MS CAL.
Author Comment

by:bhieb
Oh, and I don't want or need inter-VLAN access; I want this traffic separate.
Expert Comment

by:Rob Leaver
When you set up a VLAN, you need to set up an IP on that VLAN. Try assigning the VLAN an IP and see if your APs then pick up the correct guest network IP info.
Expert Comment

by:Rob Leaver
Actually, scrap that. Can you make the VLAN2 ports VLAN2 untagged, so it's untagged going out of the switch?

I've had a similar issue on a Dell switch before; some of the non-Cisco switch VLAN tagging can be slightly different, which causes major confusion, I've found.
Author Comment

by:bhieb
I don't have that option. I can either Tag or Exclude the VLAN2 ports. But to be clear, there aren't any VLAN2-only ports. All 3 carry both kinds of traffic. I just need the ASA to process DHCP for VLAN2.
Author Comment

by:bhieb
Here is the new switch config: port 9 to the ASA is a trunk, the rest are just tagged VLAN2, untagged VLAN1.
(attachment: conf)
Accepted Solution

by:Rob Leaver (earned 500 total points)
I'm out of ideas.......

Could you now re-summarise your setup? Are you using a virtual interface on your ASA or a physical one?

I understand you are using DHCP from the ASA for your guest network, and your corporate network is receiving DHCP from your windows server.

I am assuming your APs are set on the correct network address? Can you ping the APs from your switch/ASA?

If you plug your laptop into the ASA do you receive DHCP from it?
Author Comment

by:bhieb
Rob, I'm going to escalate this to a consultant I work with on Ubiquiti stuff. I thought it might have been something simple, but now I'm not so sure. I tried to hard-set a test port to VLAN2 and it still didn't get DHCP, so I think it may be the ASA. I appreciate the time and the points are yours.
Expert Comment

by:Rob Leaver
No worries, probably the best solution for you to get this resolved.

Good luck and hopefully you can figure it out and provide feedback on here so we can see the solution.

--Rob
Author Comment

by:bhieb
If in doubt, start over. Man, what a brain fart. When I traced the line from the ASA to the switch I traced it to the wrong port, DOH! So all my configs were in the wrong place. All that was required was to create the VLANs and tag the ports (just untagged on VLAN1, tagged on VLAN2) and it works perfectly.
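As an added example (not from the thread, and not Ubiquiti or Cisco tooling), a small Python model of the switch's 802.1Q port membership that checks whether tagged guest (VLAN 2) frames from the AP ports can reach the port the ASA is actually cabled to. It reproduces the root cause above: the trunk config was on port 9 while the cable landed elsewhere. Port numbers (APs on 24, 31, 48; ASA trunk on port 9) come from the thread; the mis-traced port 10 is an assumption.

```python
# Constructed model of 802.1Q ingress/egress rules on a single switch.
# Example code, not from the thread; port numbers are assumptions from the thread.
from dataclasses import dataclass, field


@dataclass
class Port:
    pvid: int = 1                                   # VLAN assigned to untagged ingress frames
    untagged: set = field(default_factory=lambda: {1})  # VLANs sent out without a tag
    tagged: set = field(default_factory=set)       # VLANs accepted/sent with an 802.1Q tag


def ingress_vlan(port, vlan_tag):
    """VLAN a frame is placed in on ingress, or None if the switch drops it."""
    if vlan_tag is None:
        return port.pvid                            # untagged frame -> native VLAN
    return vlan_tag if vlan_tag in port.tagged else None


def egress(port, vlan):
    """'tagged', 'untagged', or None when the port is not a member of the VLAN."""
    if vlan in port.tagged:
        return "tagged"
    if vlan in port.untagged:
        return "untagged"
    return None


def path_ok(switch, src, dst, vlan_tag):
    """True if a frame entering src with vlan_tag is forwarded out of dst."""
    vlan = ingress_vlan(switch[src], vlan_tag)
    return vlan is not None and egress(switch[dst], vlan) is not None


def build_switch(configured_asa_port):
    """AP ports: untagged VLAN 1 + tagged VLAN 2; ASA port: trunk carrying tagged VLAN 2;
    all other ports plain VLAN 1 access ports."""
    sw = {p: Port(untagged={1}, tagged={2}) for p in (24, 31, 48)}
    sw[configured_asa_port] = Port(untagged={1}, tagged={2})
    for p in range(1, 49):
        sw.setdefault(p, Port())
    return sw


def guest_reaches_asa(switch, actual_asa_port):
    """Can the tagged guest VLAN from every AP reach the port the ASA is really on?"""
    return all(path_ok(switch, ap, actual_asa_port, 2) for ap in (24, 31, 48))
```

Running `guest_reaches_asa(build_switch(9), 10)` returns False, which is the "configs in the wrong place" symptom; with the cable on port 9 it returns True and the ASA port emits VLAN 2 tagged, as a subinterface expects.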
Expert Comment

by:Rob Leaver
Haha, that sneaky layer 1 issue!

Glad you got it resolved.