AP is connected on the normal corporate network on Eth 0, with Eth 1 being connected into their DMZ firewall. Essentially, the traffic from the other APs will be tunneled to this AP and the user traffic will egress out of Eth 1.
Just wondering what sort of setup is needed for the Eth1 port? Is it just a case of making Eth 1 bridge-access with the allowed VLAN being the one that we are tunneling?
Multiple Default Routes: It is now possible to configure multiple Layer 2 routes based on the VLAN ID of a user so that the HiveAP can route Layer 2 traffic through different Ethernet interfaces as appropriate. This allows, for example, a guest user on a corporate network segment to access a more appropriate segment for routing to the Internet while the HiveAP forwards traffic from an employee on a different VLAN through a different Ethernet interface.
HiveAPs with two Ethernet ports can now support multiple default routes based on the VLAN of the traffic. With this feature configured, you can easily tunnel guest traffic from a HiveAP on a private network to a HiveAP in the DMZ. The HiveAP in the DMZ terminates the tunnel and forwards it out eth1—properly tagged with the correct VLAN—to the public network. For corporate traffic, the HiveAP applies a different VLAN tag and forwards it out eth0 to the corporate network.
To do this, the HiveAP that bridges the two subnets must meet the following requirements:
- The HiveAP must have two Ethernet ports.
- The HiveAP must have the eth1 port in backhaul mode.
- The Ethernet ports must not be set as an aggregate or redundant pair.
If your guest (public) network is on a separate subnet from your corporate (private) network, guests who connect through HiveAPs on your corporate subnet can be easily redirected to the public network using a HiveAP as an intermediary to bridge the two disparate subnets. This intermediary HiveAP connects to your corporate subnet using its eth0 interface, and to your public subnet using its eth1 interface. You configure eth0 to use the corporate VLAN by default, and eth1 to use the public VLAN by default.
When a guest connects to a HiveAP on the corporate network, the HiveAP applies a guest user policy to the traffic, which assigns it to the public VLAN (20). The HiveAP tags the frame with the public VLAN, encapsulates it with a GRE wrapper, and forwards it to the eth0 port of the HiveAP in the DMZ. That HiveAP terminates the GRE tunnel, revealing the public VLAN ID, and routes the frame out the eth1 port to the public network with the public VLAN tag (see the illustration on the next page).
Note: You do not need to set a default Layer 2 route for VLAN 20 on the HiveAP in the trusted network. The user profile applied to guest traffic directs the HiveAP to forward all that traffic through an INXP tunnel, which uses eth0 as its egress interface and the HiveAP in the DMZ as its destination. On the other hand, the user profile for corporate users assigns their traffic to VLAN 1. The HiveAP forwards it out eth0, which is the egress interface in its default Layer 2 route.
There are two places that require configuration to forward traffic in this way. Steps 1-3 below configure the Ethernet interfaces to accept tagged frames; steps 4-6 configure the HiveAP to forward the internal traffic between interfaces.
Furthermore, the following process assumes that you have already configured the SSIDs, user policies, and WLAN policies on your WLAN, and that you have configured your network infrastructure to handle 802.1Q or similar VLAN tagging where necessary. For more information on configuring the WLAN and other policies, see the HiveManager Help system. To configure multiple default routes based on VLAN ID, enter the following on HiveManager:
1. Click Monitor > Access Points > HiveAPs, select the HiveAPs that you want to configure to mediate traffic between the trusted network and the public network/DMZ, and then click Modify.
2. In the HiveAP settings dialog box that appears, expand the Interface and Network Settings section, and then choose Backhaul from the Eth1 Operation Mode drop-down list.
3. Expand the Advanced Ethernet Settings section, enter the default VLAN ID for your public network in the Eth1 row in the Native VLAN column, and then enter the VLAN IDs you want to allow on the public network in the Allowed VLAN column.
Note: You do not have to enter a value in the Allowed VLAN column if the only VLAN ID allowed is entered in the Native VLAN column. This is because entering a value in the Native VLAN column implicitly allows that VLAN ID on that interface. If you have additional VLAN IDs you want to add, you can enter a single VLAN ID (e.g., 20), a range of VLAN IDs (e.g., 11-30), a non-contiguous list of VLAN IDs separated by commas (e.g., 15,20,25), or a combination of these formats (e.g., 11-15,20,25-30). Be careful to avoid permitting access to the VLAN of your corporate network on an interface permitting access to the VLAN of your public network, as this might expose your corporate data to guests and other non-corporate users.
4. Expand the Routing section, and then in the Multiple Network Default Routing subsection, click New.
5. Enter the VLAN ID whose default route you want the HiveAP to forward out the eth1 interface, and then click Apply. By default, the egress interface for default Layer 2 routes is eth0. However, the VLAN IDs you enter here use eth1 as the egress interface in their default routes.
6. If you want to forward multiple VLAN IDs, you can add more VLAN IDs, but you can only enter one VLAN ID per line.
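A small model of the per-VLAN Layer 2 default routing and the Allowed VLAN formats from the steps above, added here as an example; it is not Aerohive or HiveManager code. The port names, the VLAN values (1 corporate on eth0, 20 public on eth1) and the check for a corporate VLAN being permitted on the public-facing eth1 are assumptions taken from the text.

```python
# Constructed model of the DMZ HiveAP's per-VLAN L2 routing (not vendor code).
from __future__ import annotations
from dataclasses import dataclass, field


def parse_vlan_spec(spec: str) -> set[int]:
    """Parse '20', '11-30', '15,20,25' or '11-15,20,25-30' into a set of IDs."""
    vlans: set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (1 <= lo_i <= hi_i <= 4094):
            raise ValueError(f"bad VLAN entry: {part!r}")
        vlans.update(range(lo_i, hi_i + 1))
    return vlans


@dataclass
class EthPort:
    name: str
    native_vlan: int          # value entered in the Native VLAN column
    allowed_spec: str = ""    # value entered in the Allowed VLAN column

    def allowed(self) -> set[int]:
        # The native VLAN is implicitly allowed even when the column is empty.
        return {self.native_vlan} | parse_vlan_spec(self.allowed_spec)


@dataclass
class DmzHiveAp:
    eth0: EthPort
    eth1: EthPort
    eth1_default_routes: set[int] = field(default_factory=set)  # Multiple Network Default Routing entries

    def egress_for(self, vlan: int) -> str:
        """Default L2 route: eth1 for listed VLANs, eth0 for everything else."""
        return "eth1" if vlan in self.eth1_default_routes else "eth0"

    def leaked_corporate_vlans(self, corporate_vlans: set[int]) -> set[int]:
        """Corporate VLANs that would be allowed or routed out the public eth1."""
        return corporate_vlans & (self.eth1.allowed() | self.eth1_default_routes)


# Constructed sample matching the text: VLAN 1 corporate on eth0, VLAN 20 public on eth1.
ap = DmzHiveAp(EthPort("eth0", 1), EthPort("eth1", 20), {20})
```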
As for Eth1, our support partner seems to say that an AP in 'ap-mode' can't have Eth1 active as well. Fair enough, but it would be helpful if the option was greyed out if that was the case.
What model AP are we talking about? There shouldn't be any restrictions on eth ports while in AP mode unless there is a power issue, such as the AP320 needing AT power to have eth1 turned on.
For the GRE tunnel termination on an AP you do not need to set the AP's eth port into Bridge mode. Leaving the port in Backhaul mode will allow the VLANs and GRE traffic to pass correctly, as the GRE traffic will be encapsulated and passing on the AP's MGT VLAN. The L3 switch interface will need to be able to pass any VLANs that are leaving the access point.