Hi, total newbie. First Adtran products. 2-1534P switches stacked and 1 150 WAP. I am trying to set them up so that the 150 has one VAP that is for our employees with security and on our internal network scheme 192.168.1.0 and a second VAP for guests with a password we will provide but that does not have access to our network with an address such as 10.10.90.0
I would like the guest access to grab a dhcp address in the 10.10.90.0 range.
I have 3 vlans set up.
vlan1 default
vlan2 security cameras
vlan3 guest access
Any nudge in the right direction would be appreciated.
Thanks in advance
@dgardner - The Sonicwall's route for 10.10.90.0 /24 needs to be changed to point to 192.168.1.20 (VLAN 1's IP address) instead of 192.168.1.25 (Access Point's IP address). The Access Point IP is an optional setting and is only used when there is a Radius server involved. Other than that, your route table looks correct. Please reply to this post with the latest configuration of the 1534, if this does not resolve your issue.
Thanks,
Noor
@dgardner - Thanks for asking your question. There are several aspects of this application to keep in mind while setting this up. I'll try to go over at a higher-level what you'll need to configure. Feel free to ask any questions though, if you have any.
First, I am not sure if the 1534s you have are 1st or 2nd Generation. You can usually tell by looking at the part number. 1st Gens have a part number that starts with " 1700..", while 2nd Gens have a part number that starts with "1702...".
DHCP
If you have a 1st Gen 1534, keep in mind you will only be able to configure one DHCP range on it. The reason for this is because the 1st Gen 1534s are pure layer 2 switches. 2nd Gen 1534s, however, have the capability to do a light version of Layer 3 switching. This allows the creation of multiple VLAN interfaces thus allowing multiple DHCP ranges to be configured as well. More details on how to configure DHCP scope can be found in the guide Configuring DHCP in AOS.
Wireless
Since you plan to have 2 wireless networks set up (internal and guest), you will need be sure that the switchport the NetVanta 150 is plugging into is set as a trunk. The reason for this is because each wireless network will associate itself with a VLAN you have created for your users. You will also want to ensure that the NetVanta 150 also has 802.1q enabled to allow it to trunk as well.
You will need to configure 2 Virtual Access Points (VAPs). VAPs are distinguished by an SSID and is what you will map to a VLAN ID. You can also set up your wireless security settings within this configuration as well.
More details, including a step-by-step on how to configure the wireless portion, can be found in the guide Configuring Wireless in AOS.
Firewall
You mentioned that you would like to restrict your Guest VLAN/wireless network from accessing your internal network. The best way to do this is to add a Security Zone/Access Policy on the Guest VLAN that will deny traffic destined for your internal network, but allow all other traffic through.
Information about the firewall menu can be found in this guide: https://supportforums.adtran.com/docs/DOC-2902
Please do not hesitate to let us know if you have any further questions.
Thanks,
Noor
Noor,
Thanks. I must be close because a lot of what you say I think I have.
They are second gen switches. I actually have two but just concerned with making one work now. I have configured a dhcp range of 10.10.90.10 - 10.10.90.20. I just can't seem to figure out how I assign that to the VAP that I created.
I have the 2 VAP created and the ones that is on default VLAN1 works ok and picks up the DHCP from our firewall as it is set up to do
I will attach a couple of screen shots, maybe that can help.
Thanks
@dgardner - The DHCP scope is automatically broadcast out the interface that has an IP address assigned from the same network. For example, in your case, you have configured a scope from the network 10.10.90.0 with a subnet mask of 255.255.255.0. For the scope to be broadcast out the correct VLAN, you would need to assign the VLAN 3 interface an IP address from the 10.10.90.0 /24 network.
Do you have an IP address assigned to VLAN 3? If not, you will need to assign it one. To do this on the web interface, navigate to DATA -> VLANS on the panel on the left. From there click on "VLAN0003". Once on the configuration page, make sure that 'Vlan Interface Configuration' is enabled. Once that is enabled you will be able to set an IP address under the 'IP Settings' section. As mentioned above, the IP address should be in the 10.10.90.0 network.
In addition, you will need to modify your DHCP scope so that the default gateway for the 10.10.90.0 scope is set to the IP address you assigned to VLAN 3.
I hope this helps. If not, please reply to this post with your configuration file. Please be sure to remove any information that is sensitive to your network.
Let us know if you have any questions.
Thanks,
Noor
@dgardner - Everything in your configuration looks correct. Based on your symptoms, I would suggest that you confirm that the NetVanta 150 is plugged into port 24 since it is configured as a trunk. If this is not the case, then whichever port the NetVanta 150 is plugging into will need to be configured for trunk mode.
Please do not hesitate to let us know if you have any further questions.
Thanks,
Noor
You were correct.Pilot error! wrong port. Follow up. Is it safe to assume that I then need to set the default router address to the address of my 192.168 router, in my case the sonic wall device, in order for the guests to get outside access. And create a route back to the vlan in the sonic wall of course?
@dgardner - Yes, you are absoulutely correct. You will need to add a default route on the 1534 that points to your Sonicwall as the path for outside access. This route will allow networks that are using the 1534 as its default gateway to properly route out the Sonicwall to get out to the internet.
Let us know if you have any further questions.
Thanks,
Noor
Would that be the default gateway entry or would I need to enter a route in the routing table
Thank you
@dgardner - You will need to enter a route in the route table. In the web interface, this can be done by navigating to DATA -> Router/Bridge -> Route Table. The 'destination address' will be 0.0.0.0, as will the 'destination mask'. The 'gateway' will need to be selected as an address and you will need to specify the IP address of the Sonicwall (your next-hop). This can also be done in the CLI in config mode by entering the following command: ip route 0.0.0.0 0.0.0.0 <next-hop IP>.
The default gateway setting is used only by the 1534 while it is acting as a layer 2/switch device. For example, if you were to disable the "ip routing" functionality of the 1534, it would not be able to act as a default gateway for clients. However, if you wanted the 1534, itself, to reach outside networks, then you would configure the default gateway setting.
Let us know if you have any further questions.
Thanks,
Noor
HI Noor,
I did that and I still am having an issue. If I ping out front a machine on the guest lan, the ping goes out and comes back thru the sonic wall but never makes it back to the device itself. I am attaching a screen shot of a capture front the sonic wall that shows the ping returning. Any ideas?
@dgardner - Does the Sonicwall have a route for the 10.10.90.x network that points to the 1534? I believe you would need this for the traffic to get back. Could you reply to this post with the route table of the 1534 and a screenshot of the route table of the Sonicwall?
In the web interface, the route table for the 1534 can be retrieved by navigating to DATA -> Router/Bridge -> Route Table. If you scroll to the bottom of the page, it will show what the current route table looks like. Also, you can view this in the CLI by issuing the "show ip route" command.
Thanks,
Noor
Noor,
Here are the screen shots. Yes the sonic wall has a route back to the 1534. I was on with sonic wall tech support and we actually tried the main address of the 1534, the VLAN ip of 10.10.90.1 and the ip address of the NV150. They all have the same result. The capture shows that the ping is trying to get sent to the 10.10.90.10 device but it just times out at the device. 192.168.1.2 is the sonic wall .20 is the 1534 .25 is the 150 10.10.90.1 is the VLAN interface
thanks again for sticking with me.
@dgardner - The Sonicwall's route for 10.10.90.0 /24 needs to be changed to point to 192.168.1.20 (VLAN 1's IP address) instead of 192.168.1.25 (Access Point's IP address). The Access Point IP is an optional setting and is only used when there is a Radius server involved. Other than that, your route table looks correct. Please reply to this post with the latest configuration of the 1534, if this does not resolve your issue.
Thanks,
Noor
noor,
Weird because I tried that before and did not work with ping. I tried again the .20 and it works for web access which is all I want. Ping does not work but that is ok.
Thanks again for all of the assistance