Don't know, but here's what I've got running.

We're using Cisco 1240AG WAPs, but I think the situation is analogous.

I made sure that our firewall's internal interface had two VLANs that didn't
talk with each other, but that each had access to the Internet - each VLAN
interface is a different numbered subnet, and the firewall has an IP address
for that subnet on it to be used as the default gateway by machines on the
subnet. On the guest VLAN I stuck a tiny FreeBSD box running a DHCP server,
and it hands out IP addresses, the DG and points the clients to 8.8.8.8 for
DNS.

I also instantiated the guest VLAN on the switch attached to the firewall,
and the HP PoE switch to which the WAPs are connected. Both switches are L2
only, so the firewall is acting as the L3 node to which each talks. The
switch attached to the firewall is tagged to the guest VLAN only on the port
connected to the firewall and the port that connects it to the PoE switch.

I then set up two separate SSIDs on separate VLANs on the WAPs. The HP PoE
switches are tagged (to use HP parlance) to both VLANs for each port to
which a WAP is connected, and to the port that connects it to the next
switch.

ASCII diagram looks like this:


|------|    |-----|     |------|     |-----|
|      |  A |     |  B  | HP   |  C  |     |
|  fw  |----| HP  |-----| PoE  |-----| WAP |
|      |    |     |     |      |     |     |
|------|    |-----|     |------|     |-----|
               |
               | D
               |
         |-----------|
         |           |
         |    L3     |
         |           |
         |-----------|

Link A: Tagged in VLAN 1 (Production) and VLAN 2 (Guest)
Link B: Tagged in VLAN 1 and VLAN 2
Link C: Tagged in VLAN 1 and VLAN 2
Link D: Tagged in VLAN 1 only

The L3 switch is for the Production LAN only.
The WAP has two SSIDs - Prod and Guest, which are assigned to VLANs 1 and 2
respectively. We actually have 15 WAPs spread through the building,
connected to 3 PoE switches, but just two VLANs for them.

The HP switch connected to links A/B/C serves many more VLANs than just the
guest network - there's a whole set of Engineering and vendor/partner VLANs
to which the firewall controls access, but I've left them off for
simplicity.

The L3 switch is an HP 3400cl-48 (with 10 HP 2510-48 switches hanging from
it), the HP switch is a 2524, the HP PoE switch is a 2800-PWR and the WAP is
a Cisco 1240AG. Someday I hope to be able to consolidate the HP equipment
into two larger switches (our space is divided in two, and I run Cat5 cables
back to individual HP 2510-48s in the space away from the server room.)

HTH,

Kurt
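
An added Python model of the link tagging described above (example code written for this page, not from the thread or from any of the vendors' tools): it encodes Links A to D with their tagged VLANs and checks that a client on the Guest SSID can reach the firewall but never the production L3 switch, and also what happens if Link D is tagged in both VLANs by mistake. The device labels (fw, hp, hp-poe, wap, l3) are shorthand I chose for the boxes in the diagram.

```python
from collections import defaultdict

PROD, GUEST = 1, 2  # VLAN 1 = Production, VLAN 2 = Guest

# Links A..D from the ASCII diagram: (end, end, VLANs tagged on that link).
LINKS = [
    ("fw", "hp", {PROD, GUEST}),       # Link A: firewall <-> HP 2524
    ("hp", "hp-poe", {PROD, GUEST}),   # Link B: HP 2524 <-> HP 2800-PWR
    ("hp-poe", "wap", {PROD, GUEST}),  # Link C: HP 2800-PWR <-> WAP
    ("hp", "l3", {PROD}),              # Link D: HP 2524 <-> L3 switch
]
SSID_VLAN = {"Prod": PROD, "Guest": GUEST}  # SSID -> VLAN on the WAP


def vlan_reach(links, origin, vlan):
    """Devices a frame tagged `vlan`, injected at `origin`, can reach when a
    switch only forwards a VLAN over links where it is tagged. Pure L2: the
    firewall's rule blocking VLAN 1 <-> VLAN 2 is a separate control."""
    adj = defaultdict(set)
    for a, b, vlans in links:
        if vlan in vlans:
            adj[a].add(b)
            adj[b].add(a)
    seen, stack = set(), [origin]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(adj[node] - seen)
    return seen


def ssid_reach(links, ssid):
    """Where a client associated to `ssid` on the WAP can get to at L2."""
    return vlan_reach(links, "wap", SSID_VLAN[ssid])


def guest_is_isolated(links):
    """Guest clients must reach the firewall (their default gateway) but
    never the production L3 switch."""
    reach = ssid_reach(links, "Guest")
    return "fw" in reach and "l3" not in reach


def with_link_d_mistagged(links):
    """The slip to audit for: tagging Link D in both VLANs would carry the
    Guest VLAN onto the production L3 switch and everything behind it."""
    return [(a, b, {PROD, GUEST}) if {a, b} == {"hp", "l3"} else (a, b, v)
            for a, b, v in links]


if __name__ == "__main__":
    print({s: sorted(ssid_reach(LINKS, s)) for s in SSID_VLAN})
    print("guest isolated:", guest_is_isolated(LINKS))
```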

On Wed, Aug 3, 2011 at 12:53, David Lum <david....@nwea.org> wrote:

> Nice, looks like the SSG5 fits the bill. Looks like Watchguard XTM2 lives
> in the same space.
>
> Now that I think about it, in this same office are 4 different companies
> (most sized 2 employees) each with a Linksys doing much the same thing I’m
> trying to do with this WLAN. I’d bet the right firewall would allow me to
> eliminate all those Linksys devices right?
>
> Use the Dell switch, have the firewall be promiscuous and VLAN off the
> various ports so they can only see the firewall as well as get DHCP from it.
>
> Amirite?
>
> Dave
>
> *From:* Paul Hutchings [mailto:paul.hutchi...@mira.co.uk]
> *Sent:* Wednesday, August 03, 2011 11:41 AM
> *To:* NT System Admin Issues
> *Subject:* RE: VLAN N00b
>
> FWIW I think the Juniper SSG5's are perfect for most needs and they're dirt
> cheap too.
>
> They should do what you need if you do go down that route.
>
> If not, assuming you can VLAN or zone off ports on the Sonicwall or do
> something to keep the Guest and LAN traffic separate, as others have said
> either chop in the AP or buy a dirt cheap router and connect it to the guest
> VLAN just to use its DHCP server functionality.
> ------------------------------
>
> *From:* David Lum [david....@nwea.org]
> *Sent:* 03 August 2011 6:58 PM
> *To:* NT System Admin Issues
> *Subject:* RE: VLAN N00b
>
> Their SonicWALL is old (SOHO3!) and I have - previous to this latest work -
> talked them into upgrading but I just haven’t done it (it’s one of my
> clients I can go 3 months w/out being onsite, and it just slipped through
> the cracks). This looks like a good time to revisit and add a new
> requirement to the firewall capabilities…
>
> Dave
>
>
> *From:* Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> *Sent:* Wednesday, August 03, 2011 10:36 AM
> *To:* NT System Admin Issues
> *Subject:* RE: VLAN N00b
>
> Send it back and get one that does, or put something in the ‘new’ network
> that will do the dhcp for you. Will the Sonic do dhcp on just one interface
> perhaps? I really think this direction is the cleanest and easiest to do.
>
>
> *From:* David Lum [mailto:david....@nwea.org]
> *Sent:* Wednesday, August 03, 2011 1:21 PM
> *To:* NT System Admin Issues
> *Subject:* RE: VLAN N00b
>
> I thought of that, but this AP doesn’t have the capability to be a DHCP
> server.
>
> Dave
>
>
> *From:* Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> *Sent:* Wednesday, August 03, 2011 9:57 AM
> *To:* NT System Admin Issues
> *Subject:* RE: VLAN N00b
>
> Are only non-company assets going to use this AP? If yes read on, otherwise
> hit delete.
>
> Since it is a small environment with only one AP, set the AP up as its own
> DHCP server….put it on its own physical and logical network and drop
> another port in the Sonic Firewall and just route them straight out to the
> internets….
>
>
> *From:* David Lum [mailto:david....@nwea.org]
> *Sent:* Wednesday, August 03, 2011 10:27 AM
> *To:* NT System Admin Issues
> *Subject:* VLAN N00b
>
> So…I bought a wireless AP and it looks like I get to delve into learning a
> little VLANing.
>
>
> Environment:
>
> DNS, DHCP server (2003 SBS server, Domain controller)
> Second DC (2003 R2 Server)
> SonicWall Firewall
> Dell PowerConnect 3448
> 17 Domain PC’s
> HP M110 Wireless AP with non-domain PC’s using this to get to the Internet.
>
> Desired result for WLAN clients:
>
> - Able to get to the Internet, but not be able to see any domain systems.
> - DNS configured to non-domain server (SonicWall would be OK)
>
>
> I can VLAN with the PowerConnect and make it so that AP can only get to the
> firewall, but my issue then is how will any clients get assigned an IP
> address. I can configure the Sonicwall to hand out IP’s but then I lose
> control of IP’s (reservations, etc) from the SBS system.
>
> It looks like I should divorce DHCP from the SBS server and put it on the
> 2nd DC and allow the AP to see the one DC and the Sonicwall.
>
> Here’s a document I found helpful:
>
> http://www.dell.com/downloads/global/products/pwcnt/en/howto_config_private_vlans.pdf
>
> From that, the SBS server and all domain PC’s would be in Community 10
> The AP would be in Community 11
> The firewall and 2nd DC (now doing DHCP) would be promiscuous. Is that too
> big of a risk? The HP110 can do RADIUS and I did install that capability on
> the 2nd DC but I don’t really know what I’m doing here.
>
> This would get me close to my desired result. Can RADIUS be used to
> conditionally hand out IP addresses? What would be nice is the ability to
> have it so VLAN1 (Community 10 in the diagram) gets some IP settings, VLAN2
> (Community 11) gets others – namely a different DNS server.
>
> All thoughts and comments welcome.
>
> *David Lum*
> Systems Engineer // NWEATM
> Office 503.548.5229 // Cell (voice/text) 503.267.9764
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>
