Static and MAC based VLAN in combination on WiFi

OWB
edited January 17 in WirelessLAN
Hi,

I have several clients connecting to a wireless LAN. I want some of the clients to be located on a specific VLAN. Today it's solved by having two wireless networks / SSIDs, one for each respective VLAN. However, I would like to avoid more SSIDs if possible.

I have tried to solve it by using MAC based VLAN in combination with static VLAN, but can't get it to work, if it is possible at all.

The setup is:

VPN100 router/firewall
GS2220 switch
WAC6303D-S AP

In the switch, static VLANs are configured as follows:

Static VLAN PVID1
WiFi AP port 1, fixed, no TX Tagging
Router / switch uplink port 24, fixed, TX Tagging

Static VLAN10 PVID10
WiFi AP port 1, normal, no TX Tagging
Router / switch uplink port 24, fixed, TX Tagging

Besides that, MAC based VLAN is configured with:

MAC 1A:2B:3C:4D:5E:6F, VID10, Priority 1




Connected clients not found in the MAC based VLAN table receive IPs from PVID1, but clients found in the MAC based VLAN table don't receive IPs at all.

Is it possible to achieve the described scenario, and if so, what am I doing wrong?

Best regards Ole.

All Replies

  • Zyxel_Melen
    Hi @OWB,

    Thanks for asking.
    I recommend you use 802.1x with dynamic VLAN on the SSID setting and set up a RADIUS server to fulfill your requirement.
    May I know whether your AP is in standalone mode or Nebula mode? Then I can provide you with the setup guide for the mode you are using.
    Melen
  • OWB
    Hi,

    Thanks a lot for your feedback!

    OK, can that be achieved without further components to the network?

    AP is in standalone mode, but managed from the ZyWALL

    BR O
  • Zyxel_Melen
    Hi @OWB,

    Thanks for sharing the information. We will provide you with the solution after doing a lab for confirmation.
    Additionally, you will need to add a RADIUS server for this solution.

    Melen
  •  Zyxel_Judy

    Hi @OWB,

    In Controller managed mode with your topology, to have some of the clients located on a specific VLAN with one SSID, you need a RADIUS server to do authentication.

    To implement your scenario without further components in the network, we recommend you use the cloud mode (Zyxel Nebula), where you can configure dynamic VLAN with Nebula Cloud Authentication Server. Please refer to this link: https://community.zyxel.com/en/discussion/15667


  • OWB

    > To implement your scenario without further components to the network, recommend you use the cloud mode (Zyxel Nebula), you can configure dynamic VLAN with Nebula Cloud Authentication Server. Please refer to this link: https://community.zyxel.com/en/discussion/15667


    Nebula is not a possible solution for me in this case, sorry.
  • OWB
    > Hi @OWB,
    >
    > Thanks for sharing the information. We will provide you with the solution after doing a lab for confirmation.
    > Additionally, you will need to add a Radius server for this solution.

    Thanks a lot, I will await the solution.

    Best regards Ole
  •  Zyxel_Judy

    Hi @OWB,

    Based on your topology, you can refer to the steps below to configure the Dynamic VLAN in on-Premise mode.

    I. VPN100 configuration

    1. Configure Interface: CONFIGURATION > Network > Interface > VLAN. Click Add to create a new VLAN configuration.

    In General Settings, check Enable and enter the VLAN information (e.g., VLAN10, 20)

    2.    Configure AP Profile

    CONFIGURATION > Object > AP Profile > SSID > Security List, select the default AP profile and edit.

    CONFIGURATION > Object > AP Profile > SSID > SSID List, and select the default AP profile and edit.

    CONFIGURATION > Wireless > AP Management > AP Group, select the default AP profile and edit.


    3.    Configure RADIUS server info.

    CONFIGURATION > Object > AAA Server > RADIUS, click #1 radius, and edit.


    CONFIGURATION > Object > Auth. Method, click #1 default, and edit.


    II. GS2220 configuration

    Advanced Application > VLAN > VLAN Configuration > Static VLAN setup (e.g., VLAN10, 20)

    III. RADIUS server configuration

    Configure the VPN100 info.


    Configure the user with a password and add the three attributes needed: Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID


    Verification:

    Use a mobile phone to connect to SSID DyVlan. Enter the Username and Password which are in the VLAN 10 / VLAN20 group, and then click Join to connect with the AP. The logged-in client gets an IP in VLAN10 / VLAN20.
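
Added example, not part of the original thread or Zyxel's material: a Python check that the three RADIUS attributes named in step III are encoded the way an authenticator expects for dynamic VLAN assignment, so a wrong value is caught before clients silently land in the default VLAN. Attribute numbers and values (Tunnel-Type 64 = VLAN 13, Tunnel-Medium-Type 65 = IEEE-802 6, Tunnel-Private-Group-ID 81 = VLAN ID as text) follow RFC 2868 and RFC 3580; the function names are hypothetical and the sample data is constructed.

```python
# Added example: attribute numbers/values per RFC 2868 and RFC 3580;
# function names are hypothetical, sample data is constructed.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6  # required values for 802.1X VLAN assignment


def encode_vlan_attrs(vlan_id, tag=0):
    """Build the three attribute TLVs as they appear in an Access-Accept."""
    def tlv(atype, value):
        return bytes([atype, len(value) + 2]) + value
    group = (bytes([tag]) if tag else b"") + str(vlan_id).encode("ascii")
    return (tlv(TUNNEL_TYPE, bytes([tag]) + VLAN.to_bytes(3, "big"))
            + tlv(TUNNEL_MEDIUM_TYPE, bytes([tag]) + IEEE_802.to_bytes(3, "big"))
            + tlv(TUNNEL_PRIVATE_GROUP_ID, group))


def parse_attrs(data):
    """Split a RADIUS attribute area into {type: value}; reject bad lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def assigned_vlan(data):
    """Return the VLAN ID only if all three attributes are present and valid."""
    attrs = parse_attrs(data)
    ttype = attrs.get(TUNNEL_TYPE)
    medium = attrs.get(TUNNEL_MEDIUM_TYPE)
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if ttype is None or medium is None or not group:
        return None
    if len(ttype) != 4 or int.from_bytes(ttype[1:], "big") != VLAN:
        return None
    if len(medium) != 4 or int.from_bytes(medium[1:], "big") != IEEE_802:
        return None
    if group[0] <= 0x1F:  # leading octet <= 0x1F is an RFC 2868 tag, not text
        group = group[1:]
    text = group.decode("ascii", errors="replace")
    if not text.isdigit():
        return None
    vid = int(text)
    return vid if 1 <= vid <= 4094 else None
```

Feed `assigned_vlan` the attribute bytes from a captured Access-Accept (everything after the 20-byte RADIUS header); a `None` result means the reply would not place the client in VLAN10 or VLAN20.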