Solved

Simple Guest VLAN Help

Posted on 2016-11-03
17 Comments, 49 Views
Last Modified: 2016-11-04
My first go at VLANs and I have a very basic gist. I'm trying to use a 2nd physical interface on our ASA to isolate guest VLAN traffic coming from our Unifi APs. I've done the ASA work, and set up the AP with a test SSID VLAN 2.

But I'm confused on the switch config (using Ubiquiti). How do I get traffic destined from the APs on Ports 24, 31, 48 VLAN 2 to get DHCP and route out of Port 2 (the 2nd interface on the ASA)? Not a huge CLI fan, but the switch has a good VLAN wizard. I'm sure I'm just not tagging/trunking correctly. See attached.
Attachment: switch vlan
Question by:bhieb
17 Comments
 

Author Comment

by:bhieb
ID: 41872453
To clarify one thing, the ASA is just a physical interface; it doesn't care at all about the VLAN ID. I just need anything hitting VLAN 2 to be sent to that interface for DHCP.
 
LVL 11

Expert Comment

by:BillBondo
ID: 41872785
You may need an IP Helper (DHCP relay) for that to work. I am not familiar with how to set that up (Ubiquiti) but figured I'd at least make the suggestion.
 
LVL 6

Expert Comment

by:Rob Leaver
ID: 41873056
So you have your APs that plug into your switch on VLAN2?

Then a connection goes to your ASA?

Could you draw a diagram so I can get a better understanding of your overall achievement?


Edit: Additionally, if you have tagged and untagged traffic on the same port, you may as well just stay on the native VLAN; the VLANs are basically cancelling themselves out at this stage because any traffic on the native VLAN 1 can pass through those ports.
 

Author Comment

by:bhieb
ID: 41873072
Ok, so I've changed it a bit to follow this article. Essentially I've moved from a physical interface to a virtual one on the ASA.

https://help.ubnt.com/hc/en-us/articles/205197630-EdgeMAX-VLAN-Walkthrough-with-EdgeSwitch-using-Sample-Enterprise-Topology

Attached is a layout, a shot of the AP setup, and a revised shot of the switch VLAN setup. Since all the parties at play here (the ASA and 3 APs) need to see both VLANs, I've trunked them all. When I connect to SSID1 I get DHCP from VLAN1 (the Windows server), but if I try SSID2 I get no DHCP.

Attachments: ap config, diagram, switch vlan
 

Author Comment

by:bhieb
ID: 41873084
To clarify I wasn't following that article exactly since they were locking down all the ports. I just have the default vlan1 and vlan2.
 
LVL 6

Expert Comment

by:Rob Leaver
ID: 41873112
Do you have an IP address assigned to your VLAN2?

If you're having both tagged and untagged data on the same ports, there is no real reason to use VLANs... unless you're doing something like a VoIP and PC situation.

If you want to divide the traffic accordingly, you will need to set up a segment of ports for VLAN1 and a second set for VLAN2, then plug in separate cables from your ASA to the corresponding VLAN (on the switch), keeping the traffic separate. Also match this to where your APs are plugged in.

Trunking is typically used to pass VLAN traffic from switch to switch. You're only using one switch, so I'm not sure what you've done with your trunking there, unless you've somehow trunked from your ASA to your switch, which from what I gather you may have done. That confuses things, because by setting up a virtual interface you're basically doing inter-VLAN routing now, and there is really no need for that for what you're trying to achieve.
 

Author Comment

by:bhieb
ID: 41873120
I have an IP address assigned to VLAN2 on the ASA (not the switch), and a DHCP server on the ASA for that VLAN. I was just trunking everything, I guess, to see if I could get it to work. I agree I shouldn't need any trunking since all the untagged ports see VLANs 1-4093 anyway.

If that's the case, does the switch need any VLAN config at all? It shouldn't, right? The AP tags the request on the SSID, the router sees VLAN2 and hands out a DHCP lease?

I'll test and see; maybe I was just overthinking it. The main goal here is to just have the router handle DHCP for the guests so they don't eat up an MS CAL.
 

Author Comment

by:bhieb
ID: 41873122
Oh, and I don't want or need inter-VLAN access; I want this traffic separate.
 
LVL 6

Expert Comment

by:Rob Leaver
ID: 41873158
When you set up a VLAN, you need to set up an IP on that VLAN. Try assigning the VLAN an IP and see if your APs then pick up the correct guest network IP info.
 
LVL 6

Expert Comment

by:Rob Leaver
ID: 41873160
Actually, scrap that. Can you make the VLAN2 ports VLAN2 untagged, so it's untagged going out of the switch?

I've had similar issues on a Dell switch before; some of the non-Cisco switch VLAN tagging can be slightly different, which causes major confusion, I've found.
 

Author Comment

by:bhieb
ID: 41873996
I don't have that option. I can either Tag or Exclude the VLAN2 ports. But to be clear, there aren't any VLAN2-only ports. All 3 carry both kinds of traffic. I just need the ASA to process DHCP for VLAN2.
 

Author Comment

by:bhieb
ID: 41873999
Here is the new switch config: port 9 to the ASA is a trunk; the rest are just tagged VLAN2, untagged VLAN1.

Attachment: conf
 
LVL 6

Accepted Solution

by:Rob Leaver (earned 500 total points)
ID: 41874126
I'm out of ideas...

Could you now re-summarise your setup? Are you using a virtual interface on your ASA or a physical one?

I understand you are using DHCP from the ASA for your guest network, and your corporate network is receiving DHCP from your Windows server.

I am assuming your APs are set on the correct network address? Can you ping the APs from your switch/ASA?

If you plug your laptop into the ASA, do you receive DHCP from it?
 

Author Comment

by:bhieb
ID: 41874130
Rob, I'm going to escalate this to a consultant I work with on Ubiquiti stuff. I thought it might have been something simple, but now I'm not so sure. I tried to hard-set a test port to VLAN2 and it still didn't get DHCP, so I think it may be the ASA. I appreciate the time and the points are yours.
 
LVL 6

Expert Comment

by:Rob Leaver
ID: 41874132
No worries, probably the best solution for you to get this resolved.

Good luck and hopefully you can figure it out and provide feedback on here so we can see the solution.

--Rob
 

Author Comment

by:bhieb
ID: 41874323
If in doubt, start over. Man, what a brain fart. When I traced the line from the ASA to the switch, I traced it to the wrong port. DOH! So all my configs were in the wrong place. All that was required was to create the VLANs and tag the ports (just untagged on VLAN1, tagged on 2) and it works perfectly.
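An added example of the ASA side of the setup the thread ends up with (not the asker's config and not from Ubiquiti or Cisco documentation; interface names, addresses and the resolver are assumed): the switch port feeding the ASA carries VLAN 1 untagged and VLAN 2 tagged, the ASA terminates VLAN 2 on a subinterface and serves DHCP for guests there, and an inbound ACL keeps guest traffic away from the inside network, which is the separation the asker asked for.

```cisco
! Physical interface to the switch trunk port (assumed GigabitEthernet0/1).
! Untagged (native VLAN 1) frames terminate here: the corporate LAN,
! where the Windows server keeps handing out DHCP.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Tagged VLAN 2 frames terminate on this subinterface: the guest network.
! Security level 10 sits above outside (0) and below inside (100).
interface GigabitEthernet0/1.2
 vlan 2
 nameif guest
 security-level 10
 ip address 192.168.2.1 255.255.255.0
!
! The ASA itself serves DHCP on the guest subinterface, so no DHCP relay
! (IP helper) is needed on the switch. The resolver address is assumed.
dhcpd address 192.168.2.50-192.168.2.200 guest
dhcpd dns 203.0.113.53 interface guest
dhcpd lease 3600 interface guest
dhcpd enable guest
!
! Guests reach the internet through the (assumed) outside interface.
object network GUEST_NET
 subnet 192.168.2.0 255.255.255.0
 nat (guest,outside) dynamic interface
!
! No inter-VLAN access: drop anything from guest toward the inside subnet,
! then permit the rest. Applying an ACL replaces the implicit security-level
! rules on this interface, so the deny must be explicit.
access-list GUEST_IN extended deny ip any 192.168.1.0 255.255.255.0
access-list GUEST_IN extended permit ip any any
access-group GUEST_IN in interface guest
```

If the switch tags VLAN 1 on the trunk as well, move the inside settings to a GigabitEthernet0/1.1 subinterface with `vlan 1` instead of the physical interface.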
 
LVL 6

Expert Comment

by:Rob Leaver
ID: 41874411
Haha, that sneaky layer 1 issue!

Glad you got it resolved.
