Apr 22, 2013

UniFi and switch VLAN configuration

9:18 PM No comments

Introduction

This deployment example is to demonstrate switch VLAN configurations for UniFi APs. This is for demonstration ONLY and experienced IT should already be familiar with below contents. We are NOT suggesting how your network should be configured, and we will NOT support if these switch configurations failed your network. The reader of this document is expected to have VLAN and switch knowledge. Remember, this is an EXAMPLE, don’t just simply apply, please think through first and make sure the configuration is properly modified according to your environment.

Deployment

In this example, we will trunk 4 different switches (Netgear, HP, Cisco, D-Link) and use AirRouter as the DHCP server also the gateway to internet. We choose 4 different switch brands to demonstrate UAP interoperability. We will create 4 WLANs (vlan10_mgmt, vlan20_user, vlan30_finance, vlan40_guest) in 4 different VLAN id (10, 20, 30, 40) each. To make things a little bit more complicated, we didn't use the default VLAN 1, but set VLAN 10 to be untagged to carry UniFi AP management traffic. It shall be fairly easy for readers to change management VLAN from VLAN 10 back to use default VLAN 1. In the end, a UAP can be plugged into any of these switches to provide wireless connectivity.

Network Diagram



Network VLAN & IP range

  • Management, VLAN 10, 10.0.10.x
  • User, VLAN 20, 10.0.20.x
  • Finance, VLAN 30, 10.0.30.x
  • Guest, VLAN 40, 10.0.40.x

Management IP addresses

  • AirRouter 10.0.10.1
  • Netgear GS748TP 10.0.10.2
  • Controller 10.0.10.3
  • HP ProCurve 2650-PWR 10.0.10.4
  • Cisco 2970 switch 10.0.10.6
  • D-Link DGS-3120-24PC 10.0.10.7

AirRouter

  1. The AirRouter is running v5.5.
  2. We will use AirRouter in SOHO Router mode for simplification. We will leverage it as the gateway, NAT and the DHCP server for for all VLANs. We are NOT going to use its Wireless capability in this example since that is not our main focus here.
  3. Following AirRouter user guide, plug in the laptop into one of the ports. Set the laptop and the AirRouter in the same subnet. We can then configure AirRouter through web browser in its default IP address.
  4. "Network" tab
  5. Set Network Mode to "SOHO Router"
  6. Choose "Advanced" Configuration Mode
  7. Set your WAN according to your WAN connection. In our setup, I choose DHCP.
  8. Expand "LAN Network Settings"
    • IP Address: 10.0.0.1 (We don't really use this part in this example)
    • Netmask: 255.255.255.0
    • DHCP Server: Enabled
    • Range Start: 10.0.0.100
    • Range Stop: 10.0.0.254
    • Netmask: 255.255.255.0
    • Primary DNS: x.x.x.x
    • Secondary DNS: 8.8.8.8
  9. Expand "VLAN Network"
    • Add "LAN1", "10", "Management"
    • Add "LAN1", "20", "User"
    • Add "LAN1", "30", "Finance"
    • Add "LAN1", "40", "Guest"
  10. In "LAN Network Settings"
    • Add LAN "LAN1.10"
    • Add LAN "LAN1.20"
    • Add LAN "LAN1.30"
    • Add LAN "LAN1.40"
  11. For LAN Interface LAN1.10
    • IP Address: 10.0.10.1
    • Netmask: 255.255.255.0
    • DHCP Server: Enbled
    • Range Start: 10.0.10.100
    • Range Stop: 10.0.10.254
    • Netmask: 255.255.255.0
    • DNS Proxy: Enable
  12. For LAN Interface LAN1.20
    • IP Address: 10.0.20.1
    • Netmask: 255.255.255.0
    • DHCP Server: Enbled
    • Range Start: 10.0.20.100
    • Range Stop: 10.0.20.254
    • Netmask: 255.255.255.0
    • DNS Proxy: Enable
  13. For LAN Interface LAN1.30
    • IP Address: 10.0.30.1
    • Netmask: 255.255.255.0
    • DHCP Server: Enbled
    • Range Start: 10.0.30.100
    • Range Stop: 10.0.30.254
    • Netmask: 255.255.255.0
    • DNS Proxy: Enable
  14. For LAN Interface LAN1.40
    • IP Address: 10.0.40.1
    • Netmask: 255.255.255.0
    • DHCP Server: Enbled
    • Range Start: 10.0.40.100
    • Range Stop: 10.0.40.254
    • Netmask: 255.255.255.0
    • DNS Proxy: Enable

Netgear GS748TP Configuration Steps

  1. Port 1 and 2 will be our trunk. Port 2 is connected to the AirRouter and port 1 will be connected to the next switch.
  2. In this example, we will reserve port 3 to 12 for server usage. In other words, we will not touch these ports configuration.
  3. We will set port 13 to port 48 as our AP ports. These will have untagged VLAN 10 and tagged VLAN 20,30,40.
  4. Connecting laptop (static IP to 192.168.0.100, e.g.) to the Netgear switch, port 1 is the one I am connecting to, using default IP and password
  5. Eventually we are putting management network onto vlan id 10, but no rush into configuring management IP, we need to make sure that ports are configured properly first.
  6. Go to “Switching” tab > “VLAN” panel
  7. In “VLAN Configuration”, create 4 VLANs (10 - Management, 20 - User, 30 - Finance, 40 - Gust)
  8. Go to “Advanced” > “VLAN Membership”
  9. For VLAN ID 10, we want ports 13 to 48 untagged to carry UniFi management traffic
  10. For VLAN ID 20, 30, 40, we want ports 13 to 48 tagged to carry WLAN traffic
  11. For the trunk port 1 and 2, we want all VLANs tagged
  12. Because the default VLAN for all ports is VLAN id 1, we want to change that to management vlan (id 10). Go to “Advanced” > “Port PVID Configuration”.
  13. Set PVID of port 13 to 48 to VLAN id 10
  14. Now we can configure the management IP for the Netgear switch
  15. Go to “System” tab, “IP Configuration” panel
  16. Choose “Static IP Address”, IP address “10.0.10.2”, Subnet Mask “255.255.255.0”, Gateway “10.0.10.1”, Management VLAN ID “10”. Click “Apply”. Note that, after clicking “Apply”, you won’t be able to access the switch using the default address (current web access session will be terminated).
  17. Connect [AirRouter] [LAN Port 1] ------ [Netgear GS748TP][Port 2]
  18. Now we should have the DHCP capability (provided by AirRouter)
  19. Change laptop IP to DHCP, and then connect the laptop to port 13 (or any other port between 13 - 48). The laptop should get a 10.0.10.x IP address.
  20. Now we can connect back to switch (10.0.10.2) using browser
  21. We can now change the PVID of ports 1 to 12 also to VLAN id 10. All 48 ports can be configure at one time, so it is actually not really required to do configure PVID twice, but it is safer to do it this way. In the case of mis-configuration of the ports, we can still have a connection back to the Netgear switch.
  22. Now we are all set, we shall be able to plug in an AP (on port 13 to 48) and configure multiple SSIDs in different VLANs.

UniFi Controller Configuration Steps

  1. AP adoption process has been described in user guide and FAQ, and we will omit those steps here.
  2. To create WLAN, go to “Settings” > “Wireless Networks” on the controller.
  3. Create WLAN “vlan10_mgmt” (e.g.), wpa-psk security. Do NOT set VLAN ID. This is because the VLAN 10 is already untagged on the AP plugged-in ports so we will let switch take care of that.
  4. Create WLAN “vlan20_user” in Open (e.g). In “Advanced” panel, check “VLAN” and “Use VLAN ID” to 20.
  5. Create WLAN “vlan30_finance” in PSK (e.g.). In “Advanced” panel, check “VLAN” and “Use VLAN ID” to 30.
  6. Create WLAN “vlan40_guest” in Open (e.g.) and check “Guest Policy”. In “Advanced” panel, check “VLAN” and “Use VLAN ID” to 40.
  7. Wait for the config provision to AP and you should these 4 SSIDs being broadcasted in the air.
  8. Use a laptop to connect to each WLAN and verify if the laptop can get a corresponding DHCP IP address.
    • vlan10_mgmt 10.0.10.x
    • vlan20_user 10.0.20.x
    • vlan30_finance 10.0.30.x
    • vlan40_guest 10.0.40.x
  9. Now you are all set with WLAN creation.



HP ProCurve 2650-PWR Configuration Steps

  1. We will add this HP switch into the network
  2. Since most ports are mainly 10/100, the plan is to do a trunk to link between HP [port 49 (Gigabit)] and Netgear switch [port 1], and allows AP to be connected on port 13 to 48. We will also set port 50 to be trunk so that it can connect to the Cisco switch later.
  3. Follow manuals for initial setup. I temporary connect HP switch [port 1] to AirRouter [port 3] to get an IP and use that to manage the switch.
  4. In the HP switch web access, go to “Configuration” tab > “VLAN Configuration” panel.
  5. Click “ADD/REMOVE VLANs”
    • VLAN Name - management. 802.1Q VLAN ID - 10. “Add VLAN”
    • VLAN Name - user. 802.1Q VLAN ID - 20. “ADD VLAN”
    • VLAN Name - finance. 802.1Q VLAN ID - 30. “ADD VLAN”
    • VLAN Name - guest. 802.1Q VLAN ID - 40. “ADD VLAN”
  6. Click “Configuration” > “VLAN Configuration”, you can see the 4 VLANs have been created.
  7. Click “Modify” for VLAN 10
  8. For port 49 and 50, which we planned to use as trunk (to connect to Netgear switch, etc.), change “MODE” to Tagged. Click “Apply”
  9. For port 13 to 48, which we planned to connect APs, change “MODE” to Untagged. Click “Apply”.
  10. Click “Modify” for VLAN 20
  11. For port 13 - 50, change “MODE” to Tagged and click “Apply”.
  12. Click “Modify” for VLAN 30
  13. For port 13 - 50, change “MODE” to Tagged and click “Apply”.
  14. Click “Modify” for VLAN 40
  15. For port 13 - 50, change “MODE” to Tagged and click “Apply”.
  16. Now we can setup a management IP address on VLAN 10
  17. Go to “Configuration” > “IP Configuration”
  18. Set default gateway “10.0.10.1”, VLAN “management”, IP Configuration “Manual”, IP Address “10.0.10.4”, Subnet Mask “255.255.255.0”. Click “Apply” (Note that connection will be dropped after clicking “Apply”)
  19. Connect the trunk between HP switch [port 49] and Netgear switch [port 1]
  20. Remember that earlier in Netgear switch configuration, we have already configured its port 1 to be a trunk.
  21. Disconnect the connection between HP and AirRouter.
  22. In browser, put the new management IP in the URL and you should be able
  23. Now this switch is also set, you can plug in APs into port 13 to 48 and the controller shall be able to adopt it.

Cisco 2970 Configuration Steps

  1. Reset the switch to the factory default state and we will configure the switch using console port.
  2. To add vlans
    1. config t
    2. vlan 10
    3. exit
    4. vlan 20
    5. exit
    6. vlan 30
    7. exit
    8. vlan 40
    9. exit
  3. We are going to make port 1 and port 2 as trunk that can connect to other switches. For port 3 -24, we will allow APs to connect
    1. (config t)
    2. interface vlan 10
    3. ip address 10.0.10.6 255.255.255.0
    4. ip helper-address 10.0.10.1
    5. exit
    6. interface vlan 20
    7. ip helper-address 10.0.20.1
    8. exit
    9. interface vlan 30
    10. ip helper-address 10.0.30.1
    11. exit
    12. interface vlan 40
    13. ip helper-address 10.0.40.1
    14. exit
    15. interface range gigabitEthernet 0/1-2
    16. switchport trunk encapsulation dot1q
    17. switchport mode trunk
    18. switchport trunk allowed vlan 10,20,30,40
    19. exit
    20. interface range gigabitEthernet 0/3-24
    21. switchport trunk allowed vlan 10,20,30,40
    22. switchport trunk native vlan 10
    23. exit
  4. All done, we can now connect its port 2 to HP switch and plug in an UAP into a port between 3 to 24. The controller shall be able to adopt the AP.



D-Link DGS-3120-24PC

  1. We now add this D-Link switch into the network
  2. We will have Its port 2 connects to the Cisco 2970 switch port 1 and form a trunk for VLAN traffic. For the port 3 to port 24, we will use for APs.
  3. Plug laptop into port 1, configure IP and subnet according to the switch default setup.
  4. Web browse into the switch using its default ip address, username and password
  5. Left panel > L2 Features > VLAN > 802.1Q VLAN Settings
    1. Right panel > Add/Edit VLAN
      • VID: 10, VLAN Name: mgmt
      • port 1 & 2: tagged
      • port 3 - 24: untagged
      • click “Apply”
    2. VID: 20, VLAN Name: user
      • port 1 - 24: tagged
      • click “Apply”
    3. VID: 30, VLAN Name: finance
      • port 1 - 24: tagged
      • click “Apply”
    4. VID: 40, VLAN Name: guest
      • port 1 - 24: tagged
      • click “Apply”
    5. VID: 1, default VLAN
      • change port 3 to 24 to “Not Member”
  6. We have VLAN configured on these ports, now configure trunk
  7. Left panel > L2 Features > VLAN > VLAN Trunk Settings
  8. check port 2 (since we are connected on port 1, we don’t want to mess it now)
  9. click “Apply”
  10. Let’s connect the trunk between Cisco 2970 (port 1) (which we configured earlier) and D-Link DGS-3120 (port 2)
  11. We now should be able to get a 10.0.10.x ip address on Port 3 - 24 (DHCP assigned from AirRouter). Try plug in something and see if that is the case.
  12. If that is good, we can then change the management IP address for the D-Link to 10.0.10.7
  13. Left panel > Management > IP Interface > System IP Address Setting
  14. Management VLAN Name: mgmt
    • IP Address: 10.0.10.7
    • Subnet Mask: 255.255.255.0
    • Gateway: 10.0.10.1
    • Click “Apply”
  15. A dialog pops up and ask you to use the new IP interface to manage the switch. Plug the laptop from port 1 to a port between port 3 to port 24.
  16. Use the new ip address 10.0.10.7 to access the DLink switch
  17. In this deployment, we don’t use default VLAN 1, thus I am removing defaullt VLAN (VID 1) on port 1 & 2.
  18. Add/Edit VLAN
    1. VID 1
    2. port 1 & 2 > Not Member
  19. Configure port 1 also into the trunk for future connection to another switch.
    1. Left panel > L2 Features > VLAN Trunk Setting
    2. check port 1
    3. click “Apply”
  20. All done. Connect APs between port 3 to port 24 to see if it is working.

Posted in:

0 comments:

Post a Comment

Twitter Delicious Facebook Digg Stumbleupon Favorites More

 
Design by Computer Tricks and Tips