PowerConnect 3524 VLAN Configuration for GUESTS (noob question)
Hello,
I apologize in advance for asking a question that has probably been asked a thousand times.
I have a PowerConnect 3524 that is mostly in default/factory mode. I want to add a VLAN that will be for "guests" only, who will have internet access only.
I've created a VLAN called "internet" (ID=1000) and I've added port 1 (fa0/1) (internet port) as "T". I've also added port (23) as "U", which has my test PC. All other ports are listed under VLAN 1 as "U".
The Port configuration 1 (internet) is:
- Port VLAN mode: Trunk
- Reserve vlan for internal use: none
The Port configuration for 23 (my test PC) is:
- Port VLAN mode: General
- Dynamic: unchecked
- PVID: 1000 (my "internet" vlan)
- Frame type: admit tag only
- Ingress filtering: enable
- Reserve vlan for internal use: none
The PC connected to port 23 ("internet" vlan) is unable to get an IP address, which should be provided by the firewall/router on port 1, which is ALSO a member of the "internet" vlan.
I've read the instructions several times over and I'm just not seeing the expected behavior. Any help/suggestions would be surely appreciated.
Anonymous
5 Practitioner
274.2K Posts
March 13th, 2013 09:00
Are you wanting to just add a separate VLAN that you will be calling guest? Or for security reasons, actually have a Guest VLAN? The PowerConnect™ 3524/3548 platform has enhanced 802.1x capabilities by adding support for guest VLANs. Guest VLANs provide limited network access to unauthorized ports on the switch. A device can have only one global guest VLAN. The guest VLAN is defined using the dot1x guest-vlan Interface Configuration mode command.
User Guidelines
• Use the dot1x guest-vlan enable Interface Configuration mode command to enable unauthorized users on an interface to access the guest VLAN.
• If the guest VLAN is defined and enabled, the port automatically joins the guest VLAN when the port is unauthorized and leaves it when the port becomes authorized.
For Guest VLAN configuration, you would be looking at something similar to this.
console(config)# vlan database
console(config-vlan)#vlan 1000
console(config-vlan)#exit
console(config)# interface vlan 1000
console(config-if)# dot1x guest-vlan
console(config-if)#exit
console(config)#exit
console#
Enable the port to automatically assign the Guest VLAN to unauthorized users by typing dot1x port-control auto and pressing Enter.
console(config)# interface ethernet g1
console(config-if)# dot1x guest-vlan enable
console(config-if)# dot1x port-control auto
05-Jan-2000 03:28:44 %SEC-W-PORTUNAUTHORIZED: Port g10 is unAuthorized
05-Jan-2000 03:28:44 %LINK-I-Up: Vlan 99
console(config-if)#exit
console(config)#exit
console#
If you are just adding an additional VLAN to segregate traffic, then we need to change the VLAN port settings from General to Access. On Frame type, change to admit all. It sounds like you have the Trunk setup correctly.
Nathan P
March 14th, 2013 07:00
Thank you Daniel for your answer. Unfortunately, I'm not any further ahead. After following your instructions (without error) I plugged in my test PC to port 23 and was able to ping the internet (good), but also ping my network server (bad).
I would prefer to use the web-based console if possible.
To answer your first question, I want to segregate the traffic on the LAN. The "guest" VLAN should be separate from the office VLAN, and the guests should be able to ping and interact with each other while having internet access.
I still have the same configuration as in my previous message. It's frustrating because it feels like I'm doing everything right via the web-interface, but the test results do not match expectations.
Thank you for your assistance, it's really appreciated.
Anonymous
March 14th, 2013 07:00
It does sound like we are on the right path, but maybe missing something small. Can you pull the running config from the switch for us and paste it here? We can look through it and see if we can spot any recommended changes.
Thanks.
Nathan P
March 14th, 2013 08:00
Hello Daniel,
I removed some of the port settings that were unnecessary; otherwise here's a copy/paste. You will see ports e1 (internet) and e23/24, which are intended to be segregated from the office.
interface range ethernet e(13-18)
shutdown
exit
interface ethernet e1
description "firewall-router (direct)"
exit
interface ethernet e23
description "lab wired guest (22)"
exit
interface ethernet e24
description "WIFI (direct)"
exit
interface ethernet e1
switchport mode trunk
exit
interface range ethernet e(23-24)
switchport mode general
exit
vlan database
vlan 1000
exit
interface ethernet e23
switchport general allowed vlan add 1000 untagged
exit
interface ethernet e1
switchport trunk allowed vlan add 1000
exit
interface vlan 1000
name "Internet Only"
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
interface ethernet e23
dot1x port-control auto
exit
interface vlan 1
ip address 192.168.1.200 255.255.255.0
exit
ip default-gateway 192.168.1.1
username admin password 02f283a52227a605bc7dd71f3842fed1 level 15 encrypted
snmp-server community Dell_Network_Manager rw view DefaultSuper
Default settings:
Service tag:
SW version
Fast Ethernet Ports
==========================
no shutdown
speed 100
duplex full
negotiation
flow-control off
mdix auto
no back-pressure
Gigabit Ethernet Ports
=============================
no shutdown
speed 1000
duplex full
negotiation
flow-control off
mdix auto
no back-pressure
interface vlan 1
interface port-channel 1 - 15
spanning-tree
spanning-tree mode STP
qos basic
qos trust cos
Once again, thank you for your assistance.
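An added audit script (not from the thread or from Dell) that replays the ethernet-interface commands from a running config like the one pasted above and flags guest ports that still share a VLAN with office edge ports; it assumes every port starts as an untagged member of VLAN 1 with PVID 1 until the config removes it, treats e1 as the uplink, and reads only the switchport commands it matches.

```python
# Added audit example (not from the thread): replay a PowerConnect-style
# running config and flag guest ports that still share a VLAN with office
# ports. Assumption: every port starts as an untagged member of VLAN 1
# (pvid 1) until the config removes it; only the commands matched below count.
import re

SAMPLE_CONFIG = """\
interface ethernet e1
switchport mode trunk
exit
interface range ethernet e(23-24)
switchport mode general
exit
interface ethernet e23
switchport general allowed vlan add 1000 untagged
exit
interface ethernet e1
switchport trunk allowed vlan add 1000
exit
"""  # constructed from the e1/e23/e24 lines posted in the thread

def expand(spec):  # 'e1' -> ['e1'], 'e(23-24)' -> ['e23', 'e24']
    m = re.fullmatch(r"e\((\d+)-(\d+)\)", spec)
    return [f"e{i}" for i in range(int(m[1]), int(m[2]) + 1)] if m else [spec]

def parse_ports(config, num_ports=24):
    """Return {port: {'mode', 'vlans', 'pvid'}} after replaying the config."""
    ports = {f"e{i}": {"mode": "access", "vlans": {1}, "pvid": 1}
             for i in range(1, num_ports + 1)}
    current = []  # ports selected by the open 'interface ...' block
    for line in (l.strip() for l in config.splitlines()):
        if (m := re.match(r"interface (?:range )?ethernet (\S+)", line)):
            current = expand(m[1])
        elif line == "exit":
            current = []
        for p in current:
            if (m := re.match(r"switchport mode (\w+)", line)):
                ports[p]["mode"] = m[1]
            elif (m := re.match(r"switchport \w+ allowed vlan (add|remove) (\d+)", line)):
                (ports[p]["vlans"].add if m[1] == "add" else ports[p]["vlans"].discard)(int(m[2]))
            elif (m := re.match(r"switchport general pvid (\d+)", line)):
                ports[p]["pvid"] = int(m[1])
    return ports

def segregation_findings(ports, guest_vlan=1000, uplink="e1"):
    """(port, shared VLANs, pvid) for guest ports also sitting in an office VLAN."""
    office = {v for q, f in ports.items()
              if q != uplink and guest_vlan not in f["vlans"] for v in f["vlans"]}
    return [(p, sorted(f["vlans"] & office), f["pvid"]) for p, f in ports.items()
            if p != uplink and guest_vlan in f["vlans"] and f["vlans"] & office]
```

On the sample config the script reports e23 as sharing VLAN 1 with the office ports with PVID still 1, which matches the earlier observation that the test PC could ping the internal server.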
Anonymous
March 14th, 2013 09:00
Looking at the config, it looks like there are some commands missing for the guest VLAN. Since we are wanting to do most things through the Web interface, I did some research on this, and how to do it through the GUI. It looks like it is done under Switch>Network security>Port Based Authentication.
Page 262
ftp://ftp.dell.com/Manuals/all-products/esuprt_ser_stor_net/esuprt_powerconnect/powerconnect-3548_user%27s%20guide_en-us.pdf
I took a screen shot of the configuration I think will work.
The idea is that you enable port-based authentication and enable the Guest VLAN, so that any unauthenticated connections still have limited access on the guest VLAN. Then we set the authentication method to none and admin interface control to unauthorized. This should automatically default any connection on that port to the guest VLAN.
Let's test that out and see what the outcome is.
Nathan P
March 14th, 2013 13:00
Hello Daniel,
Thank you for your ongoing assistance, I truly appreciate it.
Unfortunately my testing was not positive. I did copy your screenshot (going to Switch > Ports > Port Configuration) and when I tested my TestPC (still on port 23) it couldn't ping the internet.
I checked my firmware version and it is out of date (2.0.0.29) so I am downloading 2.0.0.51. I'm also downloading the PDF so that I can refer to it also. I will apply the firmware to the switch tomorrow morning before office hours. Let's hope for a better outcome! :)
Anonymous
March 15th, 2013 08:00
Some other ideas that we can try.
Under the authentication method, change from NONE to Radius or Radius,NONE. The idea is that when the client is plugged into the port it cannot authenticate and gets put onto the guest VLAN.
If that still does not work, then we can test connectivity by assigning a static IP address to the client, then see if we can ping inside and outside the network.
Keep us updated,
Thanks.