VLAN routing between NXC2500 and USG210
Hello,
I would like to build a network with dynamic VLANs based on 802.1X. Network topology looks like this:
I have:
- USG210
- NXC2500
- GS1920-24Hv2
- 4x WAC6303D-S
On USG210 I have a few Site-to-Site tunnels to AWS and Azure clouds. The old network topology has no VLANs and all traffic from local networks was routed to AWS / Azure.
All addresses in security groups, ACLs, route tables have IPs from VLAN10 (192.168.10.0/24). When I add NXC2500 between USG210 and GS1920 the routing stops working.
My first idea is to set up Many 1:1 NAT for incoming traffic from VLAN10 and use the same IP range as the mapped IP range.
Should it start working? Do you have other ideas how to solve the issue?
EDIT:
Maybe you know how to achieve it with a route policy?
Comments
Hi @Wojtas ,
Because there's no VLAN in the original topology, you have to add a VLAN interface on USG210, NXC2500, and GS1920 to let the VLAN traffic pass. And, because the dynamic VLAN setting is in the NXC controller, it only supports the RADIUS server type “Internal” in CONFIGURATION > Object > AP Profile > SSID > Security List.
Here's an example of how to set up the dynamic VLAN on NXC2500 for your reference.
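For readers following the dynamic-VLAN mechanism discussed in this thread: an 802.1X NAS (here the NXC/AP) places a client in a VLAN according to the RFC 3580 tunnel attributes carried in the RADIUS Access-Accept (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=VLAN id). The Python below is an added illustration, not code from Zyxel or from anyone in the thread; the packet it parses is constructed inline, and the tag handling follows RFC 2868 rather than any vendor implementation.

```python
# Added example: how a NAS derives the dynamic VLAN from a RADIUS Access-Accept.
# Attribute numbers and values are the RFC 2868 / RFC 3580 standard ones; the
# sample packet built by build_accept() is constructed for this illustration.
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

def parse_attributes(packet: bytes) -> list[tuple[int, bytes]]:
    """Return (type, value) pairs from the attribute region of a RADIUS packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20          # 20 = header (4) + authenticator (16)
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def strip_tag(value: bytes) -> bytes:
    """RFC 2868 tunnel attributes may carry a leading tag byte (0x00-0x1f)."""
    return value[1:] if value and value[0] <= 0x1F else value

def dynamic_vlan(packet: bytes):
    """VLAN id the client should land in, or None (NAS keeps the SSID default VLAN)."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    seen: dict[int, bytes] = {}
    for atype, value in parse_attributes(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            seen[atype] = strip_tag(value)
    if (int.from_bytes(seen.get(TUNNEL_TYPE, b""), "big") != VLAN
            or int.from_bytes(seen.get(TUNNEL_MEDIUM_TYPE, b""), "big") != IEEE_802):
        return None   # incomplete trio: fall back to the default VLAN
    return int(seen[TUNNEL_PRIVATE_GROUP_ID].decode())

def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def build_accept(vlan_id: int, tag: int = 1) -> bytes:
    """Constructed Access-Accept carrying the tagged tunnel trio (authenticator zeroed)."""
    body = (attr(TUNNEL_TYPE, bytes([tag]) + VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + IEEE_802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))
    return struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(body)) + b"\x00" * 16 + body
```

A client that lands in the default VLAN after a successful authentication (as in EDIT 3 later in the thread) is the case where this trio is missing or incomplete in the reply the NAS acted on.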
@Nebula_Freda thank you for the answer.
I set up VLANs on USG210, with base port P4 (my LAN interface).
On NXC2500 I added ports GE1 and GE2 to the VLANs with Tx Tagging. GE1 has type general, and GE2 has type internal.
Connections to the clouds are working... but a strange thing....
When the DHCP server for the VLANs was on the NXC, the client got the correct network configuration but had no internet access. When I moved the DHCP server to the USG, everything started working normally....?!?!?
Hi @Wojtas
Since NXC will add the routing for the NXC DHCP client automatically, we have to add it by ourselves. If the NXC releases the same IP address subnet as the USG, as in my testing, I have to add the gateway (USG VLAN interface) in the NXC VLAN setting.
If it still does not work, can you provide the configurations of USG, NXC and Switch for us to test? Please send them via private message.
Thanks.
Joslyn
Thank you @Zyxel_Joslyn
I can't test it now, but I will do it next week, and I will let you know. Please don't close the topic.
I checked the configuration last Saturday, restored the NXC and GS to factory settings, and set them up again. My observations:
- when I created VLAN10 and VLAN20 on all devices, and set up a DHCP server for both VLANs on the NXC, I was able to reach the "clouds".
- when VLAN10 and VLAN20 were created, devices in VLAN0 had problems with communication, e.g. I couldn't ping 8.8.8.8 or the gateway on the USG. Before I created VLANs 10 & 20, communication in VLAN 0 worked well. When I added port GE1 to VLAN 0 as a member with TX Tagging, changed the GE1 type to internal without a static IP, and moved the DHCP server for VLAN0 to the NXC, communication started working.
The issue for now is communication between the NXC and the RADIUS NPS in AWS. I can reach the RADIUS NPS server from each VLAN (0, 10, 20) from my PC, but the NXC can't, and I don't have any logs in NPS ;/ I need to capture some packets and check it.
EDIT 1: Communication to the RADIUS NPS started working.... Is there any way to force the NXC to use e.g. VLAN0 when sending packets to the RADIUS server? At the moment the NXC sends a request to RADIUS from VLAN10, next time from VLAN20, it's truly random....:/
I created a static route where all requests to the RADIUS SERVER IP are sent to the VLAN 0 gateway. It looks like that resolved the issue. Do you have a better idea?
EDIT 2:
I had to disable this policy route, because people in the office lost internet access. After disabling it, everything came back to normal.
EDIT 3:
Enterprise authentication (802.1X) works fine, but I have an issue. When a user is already logged in to the WLAN and associated to e.g. VLAN10, and he hibernates/sleeps his laptop (with Windows) and turns it on again, the laptop is already logged in to the WLAN but to the default VLAN0. To change the VLAN the user must disconnect from the WLAN and connect again. Do you know how to fix it? I will disable 802.11r and test it again.
After the first tests, it looks very good... I'll let you know when I get any issue.
EDIT 4:
@Nebula_Freda & @ZYXEL_Joslyn, do you have some ideas to make my configuration better? If not, we can mark the topic as resolved and I will release my configuration to production next week.
Hi @Wojtas
Since the NXC will not create the routing automatically, we have to add the routing if needed. That's why you have to add the static route. However, I am a little confused by the interface description in the first part. Would you mind providing me the NXC configuration via private message and letting me have a look at it? I want to set up a small lab to see if the configuration is good to use.
Joslyn
Thank you for your response @ZYXEL_Joslyn
For security reasons I can't send you my config file. I can add that when GE1 is added to VLAN 0 with TX Tagging, the type of GE1 doesn't matter. When it is internal with address 0.0.0.0/0 everything works. When I change the type to general, it can't get an IP from DHCP (the DHCP server is on the NXC in VLAN0), but traffic flow operates normally.
Hi @Wojtas
Would you mind taking a screenshot of the VLAN0 configuration for me? There should be no security issue if you only provide the port configuration. Please also let me know the topology: which device NXC ge1 connects to. I am curious about the ge1 interface type setting, why it should work with type internal.
Joslyn
Hi @Wojtas
The first topology that you provided in the first discussion uses ge1 as the WAN port. Now, according to your configuration, you used VLAN0 to do the routing. It seems fine and should work. Thanks for your sharing. May I know if you have already applied this configuration to the production site? Any questions?
Joslyn