vlan question

QwertyJuan

I am at a place where I would like my guest wifi to receive IP addresses separate from our private wifi users. I only have one DHCP server running and would like that to change. According to what I am reading online this can be done via VLANs?? One LAN gets DHCP from the server and then the guest users would get IPs from a DHCP on the other VLAN.

Any tips/tricks/info on getting this setup?? :confused:

Thanks!
 
You can have multiple VLANs get IPs from one DHCP server, look into Helper IPs (Cisco).

You can create a VLAN for guest traffic, then an ACL to block all inter-VLAN traffic except to the DHCP server.
 
If you are running an MS DHCP server you can create a different scope and add the option to tag it for the VLAN, so that it will get an IP from the guest scope.
 
> If you are running an MS DHCP server you can create a different scope and add the option to tag it for the VLAN, so that it will get an IP from the guest scope.

Ok... yes I am running DHCP from my 2008 Server. I know how to make a different scope. Super easy. But... how do I "tag it for the VLAN"?? :confused:
 
The router on the other vlan that is forwarding the DHCP request automatically adds the needed info to tell the DHCP server what scope the request is coming from.

What router are you using? For Cisco you need a helper-address pointing to your DHCP server.
 
Some routers call it DHCP Relay or DHCP Forwarder. Check your router where the VLAN connects and it should have an option to point the DHCP server at your Windows 2008 box. Just set up a scope with the same network information as your VLAN/router interface and you're good.
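
How the relay "tags" a request for the right scope, as an added example that is not part of any post in this thread: the relay writes its own interface address into the `giaddr` field of the DHCP header, and the server picks the scope whose subnet contains that address. The scope names, subnets and addresses below are constructed assumptions.

```python
import ipaddress
import struct

# Constructed scopes: names and subnets are assumptions for illustration.
SCOPES = {
    "private": ipaddress.ip_network("192.168.1.0/24"),
    "guest": ipaddress.ip_network("192.168.20.0/24"),
}

def build_discover(giaddr="0.0.0.0", mac=b"\x02\x00\x00\x00\x00\x01"):
    """Build a minimal constructed DHCPDISCOVER (RFC 2131 fixed header)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,               # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        0x12345678, 0, 0x8000,    # xid, secs, flags (broadcast bit)
        bytes(4), bytes(4), bytes(4),           # ciaddr, yiaddr, siaddr
        ipaddress.ip_address(giaddr).packed,    # giaddr, filled in by a relay
        mac.ljust(16, b"\x00"), bytes(64), bytes(128),
    )
    # magic cookie, option 53 (message type) = 1 (DISCOVER), end option
    return header + b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"

def relay(packet, relay_ip):
    """What a helper-address / DHCP relay does: stamp giaddr, bump hops."""
    pkt = bytearray(packet)
    if pkt[24:28] == bytes(4):    # only the first relay sets giaddr
        pkt[24:28] = ipaddress.ip_address(relay_ip).packed
    pkt[3] += 1
    return bytes(pkt)

def select_scope(packet, arrival_iface_ip):
    """Choose a scope by giaddr if relayed, else by the receiving interface."""
    if len(packet) < 240 or packet[236:240] != b"\x63\x82\x53\x63":
        raise ValueError("not a DHCP packet")
    giaddr = ipaddress.ip_address(packet[24:28])
    key = giaddr if int(giaddr) != 0 else ipaddress.ip_address(arrival_iface_ip)
    for name, net in SCOPES.items():
        if key in net:
            return name
    return None  # no matching scope: the server does not answer
```

This is why the scope has to use the same network as the router's interface on the guest VLAN: a relayed request whose `giaddr` falls in no configured scope gets no offer.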
 
http://www.ipofficeassistance.com/howto_dhcp_ip_phones/

This is an example using VOIP. This is how I set up 802.1Q tagging, but it may also work for what you are looking for.

> Some routers call it DHCP Relay or DHCP Forwarder. Check your router where the VLAN connects and it should have an option to point the DHCP server at your Windows 2008 box. Just set up a scope with the same network information as your VLAN/router interface and you're good.

Also this, you can set up your two scopes, tag the helper addresses on a switch and go from there.
 
A VLAN separates layer two traffic, meaning anything connected to the same switch in a nutshell. Traffic in separate VLANs needs to be routed at a router or a multilayer switch to be switched to another VLAN. Just an FYI, I don't mean to be condescending - only helpful.
 
> A VLAN separates layer two traffic, meaning anything connected to the same switch in a nutshell. Traffic in separate VLANs needs to be routed at a router or a multilayer switch to be switched to another VLAN. Just an FYI, I don't mean to be condescending - only helpful.

I don't think he is looking for inter-VLAN routing per se, but yes they will need to be provided a gateway at a router.
 
What is happening....

I am running a UniFi system.... guest mode is on and works great. HOWEVER the guest network can't access anything else on the network (for obvious reasons) but... what if I have something that I'd like the guests to be able to access like a printer? How does a guest get back into the network? :confused:
 
you don't use guest mode...

or place those things in an IP range that you can not exclude in the guest client rules...
 
The UniFi guest network is isolated by the WAP so it cannot access other internal resources (printers, servers, NAS, webcams, etc). If you want guest users to use internal resources, they have to be on a non-guest wireless.
 
You'll need to do the following, loosely in this order:
1) On the switch ports for your APs, tag a new VLAN and add this VLAN to any trunks back to your routing device/FW.
2) On the Router/FW, create a new sub-interface and assign it the VLAN you set up in Step 1
3) Assign this new sub-interface a new Subnet
4) Set up DHCP/DNS services on it.
5) Create FW rules/routing to allow access to desired resources.
6) Modify your Guest SSID to disable guest mode and assign the VLAN ID from Step 1.
7) Test. Test. and Test again.
 
> You'll need to do the following, loosely in this order:
> 1) On the switch ports for your APs, tag a new VLAN and add this VLAN to any trunks back to your routing device/FW.
> 2) On the Router/FW, create a new sub-interface and assign it the VLAN you set up in Step 1
> 3) Assign this new sub-interface a new Subnet
> 4) Set up DHCP/DNS services on it.
> 5) Create FW rules/routing to allow access to desired resources.
> 6) Modify your Guest SSID to disable guest mode and assign the VLAN ID from Step 1.
> 7) Test. Test. and Test again.

i would agree with this, mostly...

i feel like guest users should still have guest isolation... i would NOT disable guest mode, but instead specify in guest mode setup to unblock the subnet/devices that you want your guests to be able to access...

this is all, of course, assuming your guests MUST have access to your printers... otherwise i'd just set up another SSID for authenticated users that is not isolated for printing...
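
A way to check the guest firewall rules discussed in this thread (block inter-VLAN traffic except the DHCP server, plus a printer exception) before relying on them, as an added example that is not from any poster: a first-match rule evaluator and an audit that lists internal flows the rule set lets through unintentionally. All addresses, ports and rule entries are constructed assumptions.

```python
import ipaddress

# Constructed rule set for the guest VLAN; evaluated top-down, first match wins.
RULES = [  # (action, proto, destination network, destination port or None)
    ("permit", "udp", "192.168.1.10/32", 67),    # DHCP server
    ("permit", "tcp", "192.168.1.50/32", 9100),  # the one shared printer
    ("deny",   "any", "10.0.0.0/8",      None),  # everything else internal
    ("deny",   "any", "172.16.0.0/12",   None),
    ("deny",   "any", "192.168.0.0/16",  None),
    ("permit", "any", "0.0.0.0/0",       None),  # internet
]

def evaluate(rules, proto, dst, port):
    """First-match evaluation with an implicit deny at the end."""
    dst = ipaddress.ip_address(dst)
    for action, r_proto, r_net, r_port in rules:
        if r_proto not in ("any", proto):
            continue
        if dst not in ipaddress.ip_network(r_net):
            continue
        if r_port is not None and r_port != port:
            continue
        return action
    return "deny"

def audit(rules, internal_probes, allowed):
    """Return internal flows the rules permit that are not on the allow list."""
    leaks = []
    for flow in internal_probes:
        if evaluate(rules, *flow) == "permit" and flow not in allowed:
            leaks.append(flow)
    return leaks
```

Run `audit` with probes for services guests must not reach (file shares, the printer's web admin page) after every rule change; a broad permit placed above the deny entries shows up as a non-empty result.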
 