VLAN on 3com baseline 2916 SFP plus

[wzoet]

Hi,

I have a question about configuring VLANs and I hope you can help.

In the office we got a 3com baseline 2916 SFP plus switch and a 3Com wireless 7760 accesspoint. For internet access we use a draytek 2820 router and also a VMWare ESX server is installed with several virtual servers running on it.

The configuration is as follows:

- The router is configured to use VLAN 2 and 3 and is connected to port 15. This port is configured untagged for vlan 2 and tagged for vlan 3. The router is a DHCP server (192.168.0.x). (tech specs:

http://www.draytek.us/dual-wan-performance-routers/2820.html)

- The server uses vlan 2 for internet access and no vlan is set up for the local network. It is connected to port 16 on the switch which has vlan 2 tagged and vlan 1 untagged. One of the virtual servers is a DHCP server for the LAN (10.0.0.x) and also routes between the lan and the router.

- The accesspoint is capable of multiple SSID's with each SSID on a separate VLAN. It also supports a management VLAN.
SSID1 uses VLAN 1 and SSID2 uses VLAN 3. It is connected to port 8 which is configured tagged on VLAN 3 and untagged on VLAN1.

I try to create a situation in which my accesspoint is configured with two SSID's: one to have lan access and one to have internet only access. This last one is for clients or partners to have guest access.

The current problem with the situation is that when I subscribe to SSID2, i get a 10.0.0.x IP although VLAN 3 should get an IP address from the router (192.168.1.x)

Does anyone have a clue how i should configure the switch so i get the right dhcp response in vlan 3?

Also: I noticed when I change port 15 (router) from untagged to tagged in VLAN 2, the server can no longer connect to the router.

Please feel free to ask for more information, i will try to give a quick response.

 

[VinceWhirlwind]

I don't understand why your server is on a switchport that has two VLANs configured.
I'm also not sure why you're using a server to "route between the LAN and the router".
I'm not clear on which VLAN each subnet belongs to. I'm not sure you're clear either.

What you need to do is this:
Make a VLAN/Subnet table, eg:

VLAN1 <not used>
VLAN2 "LAN" 10.0.0.0/24
VLAN3 "WAN_LINK" 10.0.1.0/24
VLAN4 "WLAN" 10.0.2.0/24

Then, you need to decide what is going to route for each subnet, then on that router create a VLAN interface with the defaultGW for that subnet configured on it.

Then, you need to decide which subnets need link down to a switch and there configure a dot1q trunk (tagged VLANs only).

Finally, you need to configure access ports for your edge devices (1 untagged VLAN only).

 

[wzoet]

@vincewhirlwind,

thanks for your reply,

Without vlans, the situation was:
WAN <-> Router <-> Server <-> Switch <-> Clients
The server routes between the lan and router, since it contains an ISA firewall which is better than a simple draytek router/firewall.

VLAN 1 is 10.0.x.x: servers 10.0.1.0/10 and clients 10.0.0.0/50, gateway 10.0.1.1 (isa server)
VLAN 2 is 192.168.1.0/50, gateway 192.168.1.1 (router)
VLAN 3 is 192.168.1.0/50, gateway 192.168.1.1 (router)

Since my router is quite basic, i cannot setup different gateways for different vlans. The router wants itself to be a gateway.

I will try your suggestion to set all clients to a different vlan and not to use vlan 1. Unfortunately my switch does not allow using no untagged ports. If I put a port tagged in multiple vlans, vlan 1 becomes an untagged member and the switch does not let me alter vlan1 members.

 

[VinceWhirlwind]

OK, so from an IP perspective you have:
WAN <-> Router1 <-> Router2 <-> Switch <-> Clients

The only place where you should have VLANs is on the trunk between Router2<->Switch (multiple VLANs, all tagged except default/native VLAN) and Switch<->Client (one VLAN each, untagged).

Your clients' default GW has to be the "inside" interface of your Server (router2), which therefore must have one VLAN interface configured per VLAN trunked to the Switch.

You certainly don't want multiple VLANs with the same subnet on them, and you shouldn't have multiple subnets on the same VLAN.
I'm not sure what you mean by "/50" - that's where I would normally expect to see a subnet mask.

 

[wzoet]

The problem was found:

Router 1 seems to use port-vlan, which seems to be something to separate several ports from others. Unfortunately this has nothing to do with 802.1q, so there are no vlan tags.

I always thought /50 was the number of available IP addresses, but no problem, learned something new than .

You're right about the subnet on vlans, but for the configuration I imagined i had to depend on the dhcp server of router1, which is rather limited.

Since only port vlan is available, I will have to search for another solution to separate my guest-SSID from my normal network. although it is possible to have isa route trafic from a separate networkcard, i rather have the guest-SSID not connected to my lan/server at all.

Thank you for your help, it helped me to find my problem and it became clear what the difference of tagged and untagged is.