Solved

Simple Guest VLAN Help

Posted on 2016-11-03
17
62 Views
Last Modified: 2016-11-04
My first go at VLANs and I have a very basic gist. I'm trying to use a 2nd physical interface on our ASA to isolate guest VLAN traffic coming from our Unifi APs. I've done the ASA work, and set up the AP with a test SSID on VLAN 2.

But I'm confused on the switch config (using Ubiquiti). How do I get traffic destined from the APs on ports 24, 31, 48 VLAN 2 to get DHCP and route out of port 2 (the 2nd interface on the ASA)? Not a huge CLI fan, but the switch has a good VLAN wizard. I'm sure I'm just not tagging/trunking correctly. See attached.
switch vlan
0
Question by:bhieb
17 Comments
 

Author Comment

by:bhieb
ID: 41872453
To clarify one thing, the ASA is just a physical interface; it doesn't care at all about the VLAN ID. I just need anything hitting VLAN 2 to be sent to that interface for DHCP.
0
 
LVL 11

Expert Comment

by:BillBondo
ID: 41872785
You may need an IP Helper (DHCP relay) for that to work. I am not familiar with how to set that up (Ubiquiti) but figured I'd at least make the suggestion.
0
 
LVL 6

Expert Comment

by:Rob Leaver
ID: 41873056
So you have your APs that plug into your switch on VLAN 2?

Then a connection goes to your ASA?

Could you draw a diagram so I can get a better understanding of your overall achievement?


Edit: Additionally, if you have tagged and untagged traffic on the same port, you may as well just stay on the native VLAN; the VLANs are basically cancelling themselves out at this stage because any traffic on the native VLAN 1 can pass through those ports.
0

Author Comment

by:bhieb
ID: 41873072
Ok so I've changed it a bit to follow this article. Essentially I've moved from a physical interface to a virtual one on the ASA.

https://help.ubnt.com/hc/en-us/articles/205197630-EdgeMAX-VLAN-Walkthrough-with-EdgeSwitch-using-Sample-Enterprise-Topology

Attached is a layout, a shot of the AP setup, and a revised shot of the switch VLAN setup. Since all the parties at play here (the ASA and 3 APs) need to see both VLANs, I've trunked them all. When I connect to SSID1 I get DHCP from VLAN 1 (the Windows server), but if I try SSID2 I get no DHCP.
0
 

Author Comment

by:bhieb
ID: 41873084
To clarify, I wasn't following that article exactly since they were locking down all the ports. I just have the default VLAN 1 and VLAN 2.
0
 
LVL 6

Expert Comment

by:Rob Leaver
ID: 41873112
Do you have an IP address assigned to your VLAN 2?

If you're having both tagged and untagged data on the same ports, there is no real reason to use VLANs... unless you're doing something like a VoIP & PC situation.

If you want to divide the traffic accordingly, you will require setting up a segment of ports for VLAN 1 and a second set for VLAN 2, then plugging in separate cables from your ASA to the corresponding correct VLAN (on the switch), keeping the traffic separate. This also applies to where your APs are plugged in.

Trunking is typically used to pass VLAN traffic from switch to switch; you're only using one switch, so I'm not sure what you've done with your trunking there. Unless you've somehow trunked from your ASA to your switch, which from what I gather, you may have done. Which confuses things, because you've set up a virtual interface, so you're basically doing inter-VLAN routing now and there is really no need for what you're trying to achieve.
0
 

Author Comment

by:bhieb
ID: 41873120
I have an IP address assigned to VLAN 2 on the ASA (not the switch), and a DHCP server on the ASA for that VLAN. I was just trunking everything I guess to see if I could get it to work. I agree I shouldn't need any trunking since all the Untags see VLANs 1-4093 anyway.

If that's the case, does the switch need any VLAN config at all? It shouldn't, right? The AP tags the request on the SSID, the router sees VLAN 2 and hands out DHCP?

I'll test and see; maybe I was just overthinking it. The main goal here is to just have the router handle DHCP for the guests so they don't eat up a MS CAL.
0
 

Author Comment

by:bhieb
ID: 41873122
Oh, and I don't want or need inter-VLAN access; I want this traffic separate.
0
 
LVL 6

Expert Comment

by:Rob Leaver
ID: 41873158
When you set up a VLAN, you require to set up an IP on that VLAN. Try assigning the VLAN an IP and see if your APs then pick up the correct guest network IP info.
0
 
LVL 6

Expert Comment

by:Rob Leaver
ID: 41873160
Actually, scrap that. Can you make the VLAN 2 ports VLAN 2 untagged, so it's untagged going out of the switch?

I've had similar issues on a Dell switch before; some of the non-Cisco switch VLAN tagging can be slightly different, which causes major confusion I've found.
0
 

Author Comment

by:bhieb
ID: 41873996
I don't have that option. I can either Tag or Exclude the VLAN 2 ports. But to be clear, there aren't any VLAN 2-only ports. All 3 carry both traffic. I just need the ASA to process DHCP for VLAN 2.
0
 

Author Comment

by:bhieb
ID: 41873999
Here is the new switch config: port 9 to the ASA is a trunk, the rest are just tagged VLAN 2, untagged VLAN 1.
0
 
LVL 6

Accepted Solution

by:
Rob Leaver earned 500 total points
ID: 41874126
I'm out of ideas...

Could you now re-summarise your setup? Are you using a virtual interface on your ASA or a physical one?

I understand you are using DHCP from the ASA for your guest network, and your corporate network is receiving DHCP from your Windows server.

I am assuming your APs are set on the correct network address? Can you ping the APs from your switch/ASA?

If you plug your laptop into the ASA, do you receive DHCP from it?
0
 

Author Comment

by:bhieb
ID: 41874130
Rob, I'm going to escalate this to a consultant I work with on Ubiquiti stuff. I thought it might have been something simple but now I'm not so sure. I tried to hard-set a test port to VLAN 2 and it still didn't get DHCP, so I think it may be the ASA. I appreciate the time and the points are yours.
0
 
LVL 6

Expert Comment

by:Rob Leaver
ID: 41874132
No worries, probably the best solution for you to get this resolved.

Good luck and hopefully you can figure it out and provide feedback on here so we can see the solution.

--Rob
0
 

Author Comment

by:bhieb
ID: 41874323
If in doubt, start over. Man, what a brain fart. When I traced the line from the ASA to the switch, I traced it to the wrong port. DOH! So all my configs were in the wrong place. All that was required was to create the VLANs and tag the ports (just untagged on VLAN 1, tagged on 2) and it works perfectly.
0
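As an added illustration (not code from the thread, and not Ubiquiti or Cisco code), the following Python model reproduces the tagged/untagged port rules discussed in this thread and the layer-1 slip that turned out to be the cause. It configures the switch the way the final post describes: the AP ports (24, 31, 48) and the intended ASA port (9, per the posted switch config) carry VLAN 1 untagged and VLAN 2 tagged, every other port stays at the default of untagged VLAN 1. Two things are assumptions made for the example: that the ASA cable was really sitting in port 10 (a constructed "wrong port"), and that the AP sends SSID1 traffic untagged and SSID2 traffic tagged with VLAN 2.

```python
"""Model of 802.1Q port membership on a single access switch (added example).

Port numbers 9, 24, 31 and 48 follow the thread; port 10 as the mis-cabled ASA
port and the AP tagging behaviour are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    pvid: int                                        # VLAN for untagged ingress ("Untagged" in the UI)
    tagged: Set[int] = field(default_factory=set)    # VLANs carried with an 802.1Q tag ("Tagged")


def ingress_vlan(port: Port, tag: Optional[int]) -> Optional[int]:
    """Classify an arriving frame into a VLAN, or return None if the switch drops it.

    Untagged frames are placed in the port's PVID.  Tagged frames are accepted only
    when the port is a tagged member of that VLAN; a VLAN set to "Exclude" is dropped.
    """
    if tag is None:
        return port.pvid
    return tag if tag in port.tagged else None


def egress_form(port: Port, vlan: int) -> Optional[str]:
    """How a frame in `vlan` leaves `port`: 'tagged', 'untagged', or None if not forwarded."""
    if vlan in port.tagged:
        return "tagged"
    if vlan == port.pvid:
        return "untagged"
    return None


def forward(switch: Dict[int, Port], in_port: int, tag: Optional[int], out_port: int) -> Optional[str]:
    """Trace one frame from in_port to out_port through the switch's VLAN rules."""
    vlan = ingress_vlan(switch[in_port], tag)
    if vlan is None:
        return None
    return egress_form(switch[out_port], vlan)


def build_switch(asa_port: int) -> Dict[int, Port]:
    """48-port switch as described in the thread: the AP ports and the ASA port are
    untagged VLAN 1 + tagged VLAN 2; all other ports keep the default (untagged VLAN 1)."""
    switch = {p: Port(pvid=1) for p in range(1, 49)}
    for p in (24, 31, 48, asa_port):
        switch[p] = Port(pvid=1, tagged={2})
    return switch


def dhcp_path_report(configured_asa_port: int, actual_asa_port: int) -> Dict[str, Optional[str]]:
    """For each SSID's VLAN, report how a DHCP Discover from the AP on port 24 arrives
    at the port the ASA is *really* cabled to (which may differ from the configured one)."""
    switch = build_switch(configured_asa_port)
    return {
        "vlan1_corporate": forward(switch, 24, None, actual_asa_port),   # SSID1: AP sends untagged
        "vlan2_guest": forward(switch, 24, 2, actual_asa_port),          # SSID2: AP sends tagged 2
    }


if __name__ == "__main__":
    # Cable where the config expects it: both VLANs reach the ASA, VLAN 2 tagged.
    print("ASA on port 9 :", dhcp_path_report(9, 9))
    # Cable in a default port: VLAN 1 still works, VLAN 2 is silently dropped,
    # which is exactly the "SSID1 gets DHCP, SSID2 does not" symptom.
    print("ASA on port 10:", dhcp_path_report(9, 10))
```

The second case is the one worth remembering from a segmentation standpoint: a default port never emits VLAN 2 at all, so a mis-cabled guest VLAN fails closed rather than leaking guest traffic onto the corporate VLAN, but the failure looks identical to a DHCP or firewall problem until layer 1 is checked.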
 
LVL 6

Expert Comment

by:Rob Leaver
ID: 41874411
haha that sneaky layer 1 issue!

Glad you got it resolved.
0
