Multiple VLAN support on Access Port

  • 1
  • Question
  • Updated 3 years ago
Is it possible to have multiple SSIDs w/ separate VLANs available on an AP330 that is attached to an access port on a switch rather than a trunk?  Most of the campus I am supporting has managed switches where I can set the port as a trunk and have the available VLANs available, but there is one that is connected to an unmanaged PoE switch to provide access for a small area.  I don't see it as an issue for the internal wireless, but for the guest wireless I'm not sure how I should set the access point, if it's even possible.
David

  • 5 Posts
  • 0 Reply Likes

Posted 3 years ago

  • 1
Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
David,
For all switches that I know of, an access port is defined as one that has only one VLAN present. If you cannot change that switch out, consider tunneling the Guest traffic back to an access point which does have the correct VLAN connectivity. Search your HiveManager Help for "Identity based tunnels" for descriptions on this.
David

  • 5 Posts
  • 0 Reply Likes
Thanks.  I know some controller-based configurations have the AP encapsulate the traffic back to the controller, but I understand why that wouldn't be the case here.  I'll look into this.
David Coleman, Employee

  • 27 Posts
  • 29 Reply Likes
David:

As Mike stated, the only way to provide a separate guest VLAN in that scenario is to tunnel all the guest traffic to a DMZ where the additional guest VLAN resides. That probably is the best scenario if you have the resources.

Another strategy would be to put your employees and guest users on two separate SSIDs but in the same VLAN at the edge.  The key would be to have a VERY RESTRICTIVE Firewall Policy in the User Profile for the Guest Users.  Additionally I would block "peer-to-peer" traffic on the Guest SSID.

This is an old blog on guest access, but is still relevant reading in regards to this conversation:

http://blogs.aerohive.com/blog/the-wireless-lan-training-blog/how-to-set-up-guest-wlans-101
David

  • 5 Posts
  • 0 Reply Likes
Thanks for the help.  I think the tunneling approach makes the most sense.  Would I be able to tunnel from the AP that doesn't have a VLAN-aware switch connected to one that does?  They'll both be on the same VLAN in terms of their management interface, just the 2nd also has access to the guest VLAN.  Would I just statically assign the destination AP as well as the source AP, then make the policy using those 2 objects?
Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
David,
Yes, you should. I believe that the tunnels are established from one management interface to the other, so if they are in the same VLAN then the tunnel should successfully establish.
David

  • 5 Posts
  • 0 Reply Likes
Thanks.  Running through this now and had one question about applying the policy.  When I made the changes I created a new User Profile and associated it w/ the SSID.  When I pushed the policy to the APs, only the 2 that are defined in the tunnel policy successfully update.  The remaining 2 go to Abort.

I ended up making a reservation for all 4 units, and then setting the destination in the policy to an object that included all 3 access points that are able to access the VLAN.  Is that correct or is there a better way to do it?  And is there any way to just use the Host Name for the objects?  I see the radio button but am unable to select it.
Roberto Casula, Champ

  • 231 Posts
  • 111 Reply Likes
At the moment, if you have a policy that includes a user profile with a tunnel policy, then every AP that the policy applies to either has to be in the "tunnel sources" or the "tunnel destinations". If you want to have some APs that are neither tunnel sources nor destinations, then you need to clone the policy, the SSID object and the user profile and disable the tunnel policy in the cloned user profile.
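The constraint Roberto describes (every AP in a policy carrying a tunnel policy must be a tunnel source or destination, otherwise the push aborts) and the clone-the-policy workaround, modelled as an added example; this is not HiveManager code or anything from the thread, and the AP hostnames are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class TunnelPolicy:
    sources: set[str]        # APs that originate the guest tunnel
    destinations: set[str]   # APs that terminate it (have the guest VLAN)


@dataclass
class NetworkPolicy:
    name: str
    aps: set[str]                        # hostnames the policy is pushed to
    tunnel: TunnelPolicy | None = None   # None: user profile has no tunnel policy


def check_push(policy: NetworkPolicy) -> tuple[set[str], set[str]]:
    """Return (updates, aborts): APs that push cleanly and APs that would abort.

    With a tunnel policy present, only APs listed as a source or a
    destination update; every other AP in the policy goes to Abort.
    """
    if policy.tunnel is None:
        return set(policy.aps), set()
    covered = policy.tunnel.sources | policy.tunnel.destinations
    aborts = policy.aps - covered
    return policy.aps - aborts, aborts


def split_policy(policy: NetworkPolicy) -> list[NetworkPolicy]:
    """Roberto's workaround: keep the tunnelled policy for covered APs and
    push a clone (own SSID and user profile, tunnel disabled) to the rest."""
    updates, aborts = check_push(policy)
    tunnelled = NetworkPolicy(policy.name, updates, policy.tunnel)
    if not aborts:
        return [tunnelled]
    return [tunnelled, NetworkPolicy(policy.name + "-no-tunnel", aborts, None)]


if __name__ == "__main__":
    # Constructed scenario from the thread: 4 APs, ap-1 on the unmanaged
    # switch tunnels to ap-2; ap-3 and ap-4 are neither source nor destination.
    guest = NetworkPolicy("guest", {"ap-1", "ap-2", "ap-3", "ap-4"},
                          TunnelPolicy({"ap-1"}, {"ap-2"}))
    print("would abort:", sorted(check_push(guest)[1]))
    for p in split_policy(guest):
        print(p.name, sorted(p.aps), "tunnel" if p.tunnel else "no tunnel")
```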
David

  • 5 Posts
  • 0 Reply Likes
Ok, that makes sense.  In some respects I prefer it as it is so I don't have a single point of failure in the destinations; was just curious and wanted to confirm.  Just waiting on someone to test access, but I think it looks like a good solution.