D-Link Forums

D-Link Enterprise => DGS-1210-Series => Topic started by: dmwaigi on October 31, 2017, 07:50:16 AM

Title: WLAN and VLANs
Post by: dmwaigi on October 31, 2017, 07:50:16 AM

So I have to create 2 separate SSID (OFFICIAL and GUEST).
Security is a requirement, so I have to place the SSID's in VLANs, say VLAN 2 and 3.
The AP installed allow for both SSIDs to be advertised.
My question is how I will configure this setup on the switch in terms of port tagging, untagging.
Bonus: I am coming from a cisco background, where trunk ports are used to interconnect switches. Do they aplpy in D-link?
Thank you.

Title: Re: WLAN and VLANs
Post by: PacketTracer on November 01, 2017, 11:24:48 AM

Hi,

Quote

Bonus: I am coming from a cisco background, where trunk ports are used to interconnect switches. Do they aplpy in D-link?

According to this manual (ftp://ftp2.dlink.com/PRODUCTS/DGS-1210-10/REVC/DGS-1210-10_REVC_MANUAL_4.50_EN.PDF) for the DGS-1210 Series switches trunking is supported, see "L2 Functions > Link Aggregation > Port Trunking" on page 45.

I assume your AP is capable to offer several SSIDs and to map them 1:1 to different VLANs. It sends and receives tagged Ethernet frames of different VLANs via a single physical link to the switch.

Let's assume you have a DGS-1210-10 or a DGS-1210-10P, where you use ports 9 and 10 as a trunk (LAG group) to an uplink switch.

To keep things simple and unique for every additional VLAN you would start with the default configuration (bullet [1]) of the switch and do the following:

• For every port (1-10): PVID=1, Untagged Member of VID 1 (default). VID 1 will later be used for the "OFFICIAL" IP network.
• Connect a management PC to an arbitrary port and change the management address of the switch to a value, that fits your "OFFICIAL" IP network. The management VLAN will not be changed later, hence the switch will always be managed via VLAN 1.
• Connect your AP to port 1. Configure the AP to map the first SSID "OFFICIAL" to VID 1 and to send and receive frames via the wire only tagged with VID 1. Change port 1 from beeing an untagged member of VID 1 to be a tagged member of VID 1.
• Configure ports 9 and 10 to form a LAG group and eventually configure LACP (consult the manual). The LAG configuration must reflect the LAG configuration of the corresponding uplink switch ports. Connect ports 9 and 10 to the ports of the uplink switch.
• Change port 9 and 10 from beeing an untagged member of VID 1 to be a tagged member of VLAN 1. Do the same for the ports of the uplink switch, that your DGS is connected to.
• Add a new VLAN to your DGS: VID 2 (name=GUEST). Configure ports 1, 9 and 10 to be tagged members of VID 2 (in addition to their tagged memberships of VID1). Do the same for the ports of the uplink switch, that your DGS is connected to.
• Configure the AP to map the second SSID "GUEST" to VID 2 and to send and receive frames via the wire only tagged with VID 2

With this configuration ports 2-8 are access ports for VLAN 1. If you need an access port for VLAN 2, choose one of the ports 2 to 8 and change its configuration to PVID=2 and an untagged membership of VID 2 (instead of VID 1 - note: a port can only be an untagged member of a single VID)

VLAN 2 represents another IP network (the GUEST network), but this is irrelevant for the DGS switch. The interesting thing here is, how VLAN 2 is switched through your (backbone) switch infrastructure and where it connects to some router port, e.g for Internet access for guests (in addition to the internet access for VLAN 1). But that is beyond the scope of your question.

PT

Title: Re: WLAN and VLANs
Post by: dmwaigi on November 02, 2017, 04:51:57 AM

Thanks PT for your reply.
I thinks it is my fault that my question was pretty shallow when I may have required a bit more detail, as you have.
So let me try:
                                            AP                                                  AP
                                            |                                                    |
                                            |                                                    |
Cisco Router----------------D-Link SW 1-------------------------------D-Link SW 2

The AP are configured as you described; i.e SSID mapped to VLAN 1:1

D-Link SW 1: Port 1 - Router
                    Port 2 - D-Link SW 2
                    Port 3 - AP
                    Rest - Official Desktops

D-Link SW 2: Port 1 - D-Link SW 1
                    Port 2 - AP
                    Rest - Official Desktops

IP Addresses
192.168.1.0/24 - Official Desktops
192.168.2.0/24 - Official Wireless Devices/Laptops
192.168.3.0/24 - Guest

Questions:
1. Do I change the managed IP of the switch to 192.168.1.0/24 or 2.0/24. (is it really necessary or I can still use the default 10.90.90.0)
2. Do I need to configure a LAG group or is one port enough for the trunking, which I am assuming will be SW1 Port 2-3 and SW2 Port 1.
3. In the end, network 1.0/24 and 2.0/24 should be able to communicate with each other. The guest 3.0/24 will just have internet access.

Title: Re: WLAN and VLANs
Post by: PacketTracer on November 02, 2017, 07:54:53 AM

Hi again,

unfortunately you didn't tell how your three networks will map to VLANs, so part of your questions cannot be answered unambiguously.

In fact you have a fourth network in place, namely the management network 10.0.0.0/8 which is bound to VLAN 1 in any of the two DGS switches, where both of them (according to the manual (ftp://ftp2.dlink.com/PRODUCTS/DGS-1210-10/REVC/DGS-1210-10_REVC_MANUAL_4.50_EN.PDF), page 16) have a default address of 10.90.90.90. Hence if you connect both switches, you will have an address collision, because both switches claim to have the same IP address. Hence, if you won't indeed change the management network 10.0.0.0/8, you have to change the management address of at least one switch to an address different from the management address of the other switch (e.g. 10.90.90.91).

You have to decide, how you want to access your switches for switch management. You have several choices:

• You could decide to reserve VLAN 1 and the associated management network 10.0.0.0/8 for management purposes only, that is for all other purposes, such as your 3 networks 192.168.x.0/24 {x = 1, 2, 3}, you would configure VLANs different from VLAN 1. The drawback of that decision is, that you don't have management access to the switches from any of your network nodes, because they live in different networks/VLANs (unless some existent router, that is connected to all VLANs, allows routing between say the network/VLAN used for "Official Desktops" and the management network/VLAN1). If you leave VLAN 1 unaccessable via routing and even physically disconnected, you would have to reserve at least one switch port per switch configured to be an access port for VLAN 1 for management purposes, where you connect a management PC only if needed to change the switch configuration. In this case the management PC must be configured to have an address out of 10.0.0.0/8 different from the switch's management IP address. In this case you can even leave any switch using the same default address 10.90.90.90 because they don't see each other.
  
  
• Same as the last bullet, but you decide to connect all switches to bridge VLAN 1 (either via access ports configured for VLAN 1 or via VLAN trunk ports, where VLAN 1 is part of several VLANs) to a router, which allows routing access to the management network from some other network (e.g. the network containing the "Official Desktops"). In this case you have to ensure that the management addresses of the switches are unique. And you have to change the default gateway within each switch to point to the router's IP address within VLAN 1. Of course using 10.0.0.0/8 as a management network is a quite unreasonnable default selection by D-Link, because it prevents the use of this huge private address space for purposes other than the switch management network. Hence, I would lengthen the prefix length from /8 to say /24, so that the management network now is of size C-class = 10.90.90.0/24.
  
  
• You can choose to share VLAN 1 for switch management and use via your "Official Desktops". This gives you the advantage, that your switches can be directly managed from every "Official Desktop" without routing. The drawback is, that you have to ensure, that both the "Offical Desktops" and the switches use the same IP network, which either forces the "Offical Desktops" to use addresses from the predefined management network 10.0.0.0/8 or the switches to be renumbered to use management addresses from 192.168.1.0/24. I would prefer the second choice!
  
  
• You could also decice to use VLAN 1 for no purpose other than a dummy VLAN (e.g. as a "native" VLAN of a VLAN trunk port, where only tagged frames are expected to be received and hence the native VLAN is a "dummy data sink to nowhere". In this case you would assign the switches' management interfaces to another VLAN, see section "VLAN > 802.1Q Management VLAN" at page 37 of the manual.)

Hence, the answer to your first question depends on your choice, of how you want to handle this.

I'm not sure what you mean when you ask "Do I need to configure a LAG group or is one port enough for the trunking" in question 2 - maybe, there is a misunderstanding because the term "trunking" is overloaded to mean both a Link aggragation group (LAG) of at least two physical links/ports used to increase bandwidth (Cisco calls this a "portchannel") and a "VLAN trunk", which means, that you use a physical link (which itself can be a LAG or a single physical link) to transmit ethernet frames that belong to several VLANs (which means frames must be tagged except at most one, which is the "native" VLAN).

The answer to your third question results in what features your Cisco router provides to allow internet access for any of your 3 networks on the one hand, but block communication between the "Guest" network and any of the two other networks on the other hand. Assuming a Cisco IOS, this could be managed via Access Control Lists (ACL) inside your router configuration.

Given the scenario depicted in your last post, in any case you would have to configure "VLAN trunk" ports for the AP connections (respective ports are "tagged" members for the two VLANs used for the "Official wireless" and "Guest" devices) and VLAN tunk ports for the RT-SW1 and SW1-SW2 "Uplink"-connections (for all VLANs in use, eventually including a dedicated management vlan for routing purposes according to the discussion above), where the Uplink connections could consist of LAGs or single physical links as a matter of choice (given the Cisco router has several LAN ports to be bundled to a portchannel).

PT

Title: Re: WLAN and VLANs
Post by: dmwaigi on November 03, 2017, 05:19:56 AM

Thanks again PT for replying. Let me see if I can put my clarity into my explanation.

Router
It is managed by our ISP. The Cisco router has network 192.168.1.0 - 2.0 configured on it, using sub-interfaces. As you have stated, using ACL, these network can communicate with each other.
I therefore want to add 192.168.3.0 which will be used by GUEST network. I therefore think its safe to say that the issue of what network 3.0 can access will depend on the router configuration. Also, does this mean that I don't require a L3 switch?

So if we get back to the setup:

                                            AP                                                  AP
                                            |                                                    |
                                            |                                                    |
Cisco Router----------------D-Link SW 1-------------------------------D-Link SW 2

The AP are configured as you described; i.e SSID mapped to VLAN 1:1

D-Link SW 1: Port 1 - Router
                    Port 2 - D-Link SW 2
                    Port 3 - AP
                    Rest - Official Desktops

D-Link SW 2: Port 1 - D-Link SW 1
                    Port 2 - AP
                    Rest - Official Desktops

IP Addresses
192.168.1.0/24 - Official Desktops                         - VLAN 1
192.168.2.0/24 - Official Wireless Devices/Laptops - VLAN 2
192.168.3.0/24 - Guest                                          - VLAN 3

Possible Solution/Confirmation
1. Create both the networks and VLANs on the router.

2. Add the switches to Network 2.0 (or 1.0?)

3. SW1 - Port 1 & 2: Tagged on VLAN 1, 2, 3
             Port 3:        Tagged on VLAN 2, 3
             Rest:           Can be left default or VLAN 1

    SW2 - Port 1:       Tagged on VLAN 1, 2, 3
             Port 3:        Tagged on VLAN 2, 3
             Rest:           Can be left default or VLAN 1

Title: Re: WLAN and VLANs
Post by: PacketTracer on November 03, 2017, 08:51:17 AM

Hi once more,

<EDIT>
since you seem to have a Cisco background, when it comes to D-Link VLAN configuration, this (http://forums.dlink.com/index.php?topic=41342.msg276248#msg276248) may be possibly helpful to you.
</EDIT>

Quote

Router
It is managed by our ISP. The Cisco router has network 192.168.1.0 - 2.0 configured on it, using sub-interfaces. As you have stated, using ACL, these network can communicate with each other.
I therefore want to add 192.168.3.0 which will be used by GUEST network. I therefore think its safe to say that the issue of what network 3.0 can access will depend on the router configuration. Also, does this mean that I don't require a L3 switch?

So, if the Cisco Router already uses sub interfaces for networks 192.168.x.0/24 {x = 1, 2}, there must also be VLANs say A and B assigned to them in order to differentiate traffic from and to these sub interfaces, right? This can be configured in two ways:

• Either one of these VLANs, say A, is configured to be the native VLAN ("encapsulation dot1Q A native" for the sub interface, or you configured the physical interface with an IP address), which is assigned all traffic sent and received untagged, while the other sub interface must send and receive frames tagged with VID B.
• Both sub interfaces send and receive traffic tagged with VID A and B respectively, while no native VLAN is in use.

So the questions arise, what are the values used for A and B (because these values dictate the VLANs to be configurred in your switches for use with your official wired and wireless desktops) and which of the two possible configurations mentioned above are in place (because this dictates the configuration of port 1 of SW1)?

But I guess, you are also somehow the ISP you mentioned and hence able to configure the router according to your needs, right? At least you need configuration access to the router or an administrator at the ISP site who acts on your behalf in order to establish the third sub interface (and a third VLAN C) for the guest network 192.168.3.0/24 and implement additional routing and traffic control (ACL) requirements.

I'd suggest, you configure the things as follows, and no, you don't need an additional L3 switch, as long as the ISP's Cisco router can do the routing:

• Set A=1 and use it for network 192.168.1.0/24 (Offical Desktops) - Set the router's sub interface address for this network to 192.168.1.1 - Change the management addresses of your switches to 192.168.1.251/24 (SW 1) and 192.168.1.252/24 (SW 2), while their default gateway should be set to the router's address 192.168.1.1.
• Choose bullet [1] of the above enumeration, that is select VLAN A=1 as the native VLAN for the first sub interface (send and receive frames untagged) and assign VLANs B=2 and C=3 for the second and third sub interfaces (send and receive frames tagged). Define the router's sub interfaces to have addresses 192.168.2.1/24 (sub interface for VLAN B) and 192.168.3.1/24 (sub interface for VLAN C) respectively.
• Configure ports 1 and 2 of SW 1 and port 1 of SW 2 as follows: PVID=1, untagged member of VLAN 1, tagged member of VLANs 2 and 3.
• Configure port 3 of SW 1 and port 2 of SW 2 as follows: PVID=2,  untagged member of VLAN 2, tagged member of VLAN 3. (*)
• Configure your APs to map the SSID for "official wireless" to VLAN 2 and the SSID for "guests" to VLAN 3, and that they shall send and receive frames untagged for VLAN 2 and tagged for VLAN 3. (*)
• Leave the other switch ports in their default configuration (PVID=1, untagged member of VLAN 1) and use them for "Official Desktops" only.
• At your Cisco router configure ACLs, that allow traffic between all subnets and the Internet, but block traffic between the guest network and the other local networks.
• Clients in VLAN 1 (192.168.1.0/24 - official wired) have to get configured their default gateway to be 192.168.1.1.
• Clients in VLAN 2 (192.168.2.0/24 - official wireless) have to get configured their default gateway to be 192.168.2.1.
• Clients in VLAN 3 (192.168.3.0/24 - guests) have to get configured their default gateway to be 192.168.3.1.
• Maybe the router may also act as a DHCP server. Then you can configure scopes with suitable address pools (say 192.168.x.10 - 192.168.x.200) for dynamic client configuration.

(*) If you cannot configure your APs as suggested above (because they can map SSIDs to tagged VLANs only), your can also configure the following alternative instead:

• In both switches define a dummy VLAN 100, which is used as "data sink to nowhere" for unexpectedly arriving untagged traffic at the AP ports.
• Configure port 3 of SW 1 and port 2 of SW 2 as follows: PVID=100,  tagged member of VLANs 2 and 3.
• Configure your APs to map the SSID for "official wireless" to VLAN 2 and the SSID for "guests" to VLAN 3, and that they shall send and receive frames tagged for both VLANs.

With this configuration it is also possible to manage the switches from any offical wired and wireless device, but not from the guest network.

PT

Title: Re: WLAN and VLANs
Post by: dmwaigi on November 06, 2017, 05:15:52 AM

Again, let me take a moment to appreciate your input, PT.

Alright, I have just found out that our router doesn't have sub-interfaces, rather IP 192.168.1.0 (primary), 192.168.2.0 (secondary). I therefore see no VLANs on the config. ACLs then do the rest. This is bad, right?

Secondly, could I place the switches in 192.168.2.0? 1.0 is kind full hence why we added 2.0.
Third, does this in turn mean changes have to be made to the PVID (and could I bother you with an small explanation on PVID)

Title: Re: WLAN and VLANs
Post by: PacketTracer on November 06, 2017, 01:21:23 PM

Hi,

Quote

Alright, I have just found out that our router doesn't have sub-interfaces, rather IP 192.168.1.0 (primary), 192.168.2.0 (secondary). I therefore see no VLANs on the config. ACLs then do the rest. This is bad, right?

Yes, this is quite bad, because the router's ACLs can be bypassed. As a result of your configuration you have two IP networks on a single physical link (default VLAN 1 within the switches). Hence, given two network nodes PC1 within network 192.168.1.0/24 and PC2 within network 192.168.2.0/24, each one could configure a local route to the directly connected other network. After that these two nodes could directly talk to each other without routing the traffic through the router and thus bypass the ACLs defined there. For example with Windows systems you can do that via the following commands within a command prompt started with administrative rights, where <if1> and <if2> denote the names of the network interfaces of PC1 and PC2 respectively (a list of local interface names can be shown via the command netsh int ip show int):

PC1 (192.168.1.x/24): netsh int ip add route 192.168.2.0/24 "<if1>" metric=1
PC2 (192.168.2.x/24): netsh int ip add route 192.168.1.0/24 "<if2>" metric=1

Hence, you should either configure sub interfaces with your router, connected to SW 1 via a single physical link using a VLAN trunk (configuration as shown in my last post), or, if the router provides sufficiently many physical Ethernet interfaces, you could configure three of them to be L3 interfaces ("no switchport") and connect them to three switch ports at SW 1, each of them configured to be an access port for VLAN 1, 2 and 3 respectively (PVID = X and untagged member of VLAN X, X = 1, 2, 3).

Quote

Secondly, could I place the switches in 192.168.2.0? 1.0 is kind full hence why we added 2.0.

Of course you can. But since you plan to assign network 192.168.2.0/24 to VLAN 2, you would also have to assign the switches' management interfaces to  VLAN 2, see section "VLAN > 802.1Q Management VLAN" at page 37 of the manual (http://ftp://ftp2.dlink.com/PRODUCTS/DGS-1210-10/REVC/DGS-1210-10_REVC_MANUAL_4.50_EN.PDF).

Quote

Third, does this in turn mean changes have to be made to the PVID (and could I bother you with an small explanation on PVID)

It depends on the concrete configuration you plan to implement, if and how you have to do changes to the PVID settings of the various switch ports involved - see the possible solution I described within my last post. If you had followed the link (http://forums.dlink.com/index.php?topic=41342.msg276248#msg276248) I placed at the beginning of my last post, you should know the answer to what a PVID is. But this newbie discussion (http://forums.dlink.com/index.php?topic=72435) may be helpful either.

PT

Title: Re: WLAN and VLANs
Post by: dmwaigi on November 07, 2017, 10:04:57 PM

Hi,
It looks like we will have to implement a L3 switch to implement the VLANs.
If I do have any questions to that regard, I will post in the appropriate sub-forum.
Thanks again.

Title: Re: WLAN and VLANs
Post by: PacketTracer on November 08, 2017, 01:45:00 AM

One of these models (http://us.dlink.com/product-category/business-solutions/switching/managed-switches/dgs-3630-series/) might fit your needs - they include VRF-LITE and ACLs.

Title: Re: WLAN and VLANs
Post by: dmwaigi on November 08, 2017, 07:50:33 AM

Thanks for the suggestions. The pricing though looks pretty high.
Could this example be used in my setup (switch model):
http://www.dlink.com/uk/en/support/faq/switches/layer-2-gigabit/dgs-series/uk_dgs_1510_how_to_setup_vlans_scenario_configuration
 (http://www.dlink.com/uk/en/support/faq/switches/layer-2-gigabit/dgs-series/uk_dgs_1510_how_to_setup_vlans_scenario_configuration)

Title: Re: WLAN and VLANs
Post by: PacketTracer on November 08, 2017, 11:09:37 AM

Looks fine! At least as long as you get along with the single global routing context that this device seems to support (no VRF support), which of course is sufficient for the scenario you described in this thread. And ACLs are available either in order to deny routing from (and to) a guest network to (and from) other local networks while allowing Internet access via the uplink VLAN to the Cisco Router.