Static and MAC based VLAN in combination on WiFi
I have several clients connecting to a wireless LAN. I want some of the clients to be located on a specific VLAN. Today it's solved by having two wireless networks / SSIDs, one for each respective VLAN. However, I would like to avoid more SSIDs if possible.
I have tried to solve it by using MAC-based VLAN in combination with static VLAN, but can't get it to work, if it is possible at all.
The setup is:
VPN100 router/firewall
GS2220 switch
WAC6303D-S AP
In the switch, static VLANs are configured as follows:
Static VLAN PVID1
WiFi AP port 1, fixed, no TX Tagging
Router / switch uplink port 24, fixed, TX Tagging
Static VLAN10 PVID10
WiFi AP port 1, normal, no TX Tagging
Router / switch uplink port 24, fixed, TX Tagging
Besides that, MAC based VLAN is configured with:
MAC 1A:2B:3C:4D:5E:6F, VID10, Priority 1
Connected clients not found in the MAC-based VLAN table receive IPs from PVID1, but clients found in the MAC-based VLAN table don't receive IPs at all.
Is it possible to achieve the described scenario, and if so, what am I doing wrong?
Best regards Ole.
Accepted Solution
-
Hi @OWB,
Based on your topology, you can refer to the steps below to configure the Dynamic VLAN in on-Premise mode.
I. VPN100 configuration
1. Configure Interface: CONFIGURATION > Network > Interface > VLAN. Click Add to create a new VLAN configuration.
In General Settings, check Enable and enter the VLAN information (e.g., VLAN10, 20)
2. Configure AP Profile
CONFIGURATION > Object > AP Profile > SSID > Security List, select the default AP profile and edit.
CONFIGURATION > Object > AP Profile > SSID > SSID List, and select the default AP profile and edit.
CONFIGURATION > Wireless > AP Management > AP Group, select the default AP profile and edit.
3. Configure RADIUS server info.
CONFIGURATION > Object > AAA Server > RADIUS, click #1 radius, and edit.
CONFIGURATION > Object > Auth. Method, click #1 default, and edit.
II. GS2220 configuration
Advanced Application > VLAN > VLAN Configuration > Static VLAN setup (e.g., VLAN10, 20)
III. RADIUS server configuration
Configure the VPN100 info.
Configure the user with a password and add the three required attributes: Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID
Verification:
Use a mobile phone to connect to the SSID DyVlan. Enter the username and password of a user in the VLAN10/VLAN20 group, and then click Join to connect to the AP. The logged-in client gets an IP in VLAN10/VLAN20.
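To check what the RADIUS server actually returns for a user, the following added example (not part of the original post or of Zyxel's guide) encodes and decodes the three attributes from step III, assuming the RFC 3580 values Tunnel-Type = VLAN (13) and Tunnel-Medium-Type = IEEE-802 (6). The sample packet is constructed with a zeroed authenticator, and the function names are hypothetical.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TT_VLAN, TMT_IEEE_802 = 13, 6  # values RFC 3580 specifies for VLAN assignment


def build_attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_accept(vlan_id, ident=1, tag=0):
    """Constructed sample Access-Accept (zero authenticator, not signed)."""
    attrs = (
        build_attr(TUNNEL_TYPE, bytes([tag]) + TT_VLAN.to_bytes(3, "big"))
        + build_attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TMT_IEEE_802.to_bytes(3, "big"))
        + build_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode())
    )
    return struct.pack("!BBH16s", ACCESS_ACCEPT, ident, 20 + len(attrs), bytes(16)) + attrs


def assigned_vlan(packet):
    """Return the VLAN ID an Access-Accept assigns, or None if it assigns none."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length < 20 or length > len(packet):
        return None
    found, pos = {}, 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        found[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    ttype = found.get(TUNNEL_TYPE, b"")
    medium = found.get(TUNNEL_MEDIUM_TYPE, b"")
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if len(ttype) != 4 or len(medium) != 4 or not group:
        return None  # all three attributes are needed for a VLAN assignment
    if int.from_bytes(ttype[1:], "big") != TT_VLAN:      # first octet is the tag
        return None
    if int.from_bytes(medium[1:], "big") != TMT_IEEE_802:
        return None
    if group[0] <= 0x1F:  # optional leading tag octet (RFC 2868)
        group = group[1:]
    vlan = group.decode("ascii", "replace")
    return int(vlan) if vlan.isdigit() and 1 <= int(vlan) <= 4094 else None
```

Feed `assigned_vlan` the UDP payload of an Access-Accept captured between the VPN100 and the RADIUS server; `None` means the reply carries no usable VLAN assignment.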
All Replies
-
Hi @OWB,
Thanks for asking.
I recommend you use 802.1x with dynamic VLAN on the SSID setting and set up a Radius server to fulfill your requirement.
May I know whether your AP is in standalone mode or Nebula mode, so I can provide you with the setup guide for the mode you are using?
-
Hi,
Thanks a lot for your feedback!
OK, can that be achieved without further components to the network?
AP is in standalone mode, but managed from the ZyWALL
BR O
-
Hi @OWB,
Thanks for sharing the information. We will provide you with the solution after doing a lab for confirmation.
Additionally, you will need to add a Radius server for this solution.
-
Hi @OWB,
In Controller managed mode with your topology, to let some of the clients be located on a specific VLAN with one SSID, you need to have a RADIUS server to do authentication.
To implement your scenario without further components to the network, we recommend you use the cloud mode (Zyxel Nebula); you can configure dynamic VLAN with the Nebula Cloud Authentication Server. Please refer to this link: https://community.zyxel.com/en/discussion/15667
-
Zyxel_Melen said:
Hi @OWB,
Thanks for sharing the information. We will provide you with the solution after doing a lab for confirmation.
Additionally, you will need to add a Radius server for this solution.
Best regards Ole
-
Thanks a lot!
Could you provide me the name of the Radius server product used in the configuration example?
Best regards Ole
-
Hi @OWB,
We used TekRADIUS LT Manager to implement the lab. In case you need more advanced features, you can refer to Windows Server.