March 13th, 2013 08:00

PowerConnect 3524 VLAN Configuration for GUESTS (noob question)

Hello,

I apologize in advance for asking a question that has probably been asked a thousand times.

I have a PowerConnect 3524 that is mostly in default/factory mode. I want to add a VLAN that will be for "guests" only, who will have internet access only.

I've created a VLAN called "internet" (ID=1000) and I've added port 1 (fa0/1) (internet port) as "T". I've also added port (23) as "U", which has my test PC. All other ports are listed under VLAN 1 as "U".

The Port configuration 1 (internet) is:
 - Port VLAN mode: Trunk
 - Reserve vlan for internal use: none

The Port configuration for 23 (my test PC) is:
 - Port VLAN mode: General
 - Dynamic: unchecked
 - PVID: 1000 (my "internet" vlan)
 - Frame type: admit tag only
 - Ingress filtering: enable
 - Reserve vlan for internal use: none

The PC connected to port 23 ("internet" vlan) is unable to get an IP address, which should be provided by the firewall/router on port 1, which is ALSO a member of the "internet" vlan.

I've read the instructions several times over and I'm just not seeing the expected behavior. Any help/suggestions would be surely appreciated.


March 13th, 2013 09:00

Are you wanting to just add a separate VLAN that you will be calling guest? Or, for security reasons, actually have a Guest VLAN? The PowerConnect™ 3524/3548 platform has enhanced 802.1x capabilities by adding support for guest VLANs. Guest VLANs provide limited network access to unauthorized ports on the switch. A device can have only one global guest VLAN. The guest VLAN is defined using the dot1x guest-vlan Interface Configuration mode command.

User Guidelines

• Use the dot1x guest-vlan enable Interface Configuration mode command to enable unauthorized users on an interface to access the guest VLAN.

• If the guest VLAN is defined and enabled, the port automatically joins the guest VLAN when the port is unauthorized and leaves it when the port becomes authorized.

For Guest VLAN configuration, you would be looking at something similar to this.

console(config)# vlan database
console(config-vlan)# vlan 1000
console(config-vlan)# exit
console(config)# interface vlan 1000
console(config-if)# dot1x guest-vlan
console(config-if)# exit
console(config)# exit
console#

Enable the port to automatically assign the Guest VLAN to unauthorized users by typing dot1x port-control auto and pressing Enter.

console(config)# interface ethernet g1
console(config-if)# dot1x guest-vlan enable
console(config-if)# dot1x port-control auto
05-Jan-2000 03:28:44 %SEC-W-PORTUNAUTHORIZED: Port g10 is unAuthorized
05-Jan-2000 03:28:44 %LINK-I-Up: Vlan 99
console(config-if)# exit
console(config)# exit
console#

If you are just adding an additional VLAN to segregate traffic, then we need to change the VLAN port settings from General to Access. On Frame type, change to admit all. It sounds like you have the Trunk set up correctly.

March 14th, 2013 07:00

Thank you, Daniel, for your answer. Unfortunately, I'm not any further ahead. After following your instructions (without error) I plugged my test PC into port 23 and was able to ping the internet (good), but also ping my network server (bad).

I would prefer to use the web-based console if possible.

To answer your first question, I want to segregate the traffic on the LAN. The "guest" VLAN should be separate from the office VLAN, and the guests should be able to ping and interact with each other while having internet access.

I still have the same configuration as in my previous message. It's frustrating because it feels like I'm doing everything right via the web-interface, but the test results do not match expectations.

Thank you for your assistance, it's really appreciated.


March 14th, 2013 07:00

It does sound like we are on the right path, but maybe missing something small. Can you pull the running config from the switch for us and paste it here? We can look through it and see if we can spot any recommended changes.

Thanks.


March 14th, 2013 08:00

Hello Daniel,

I removed some of the port settings that were unnecessary; otherwise here's a copy/paste. You will see ports e1 (internet) and e23/24, which are intended to be segregated from the office.

interface range ethernet e(13-18)
shutdown
exit
interface ethernet e1
description "firewall-router (direct)"
exit
interface ethernet e23
description "lab wired guest (22)"
exit
interface ethernet e24
description "WIFI (direct)"
exit
interface ethernet e1
switchport mode trunk
exit
interface range ethernet e(23-24)
switchport mode general
exit
vlan database
vlan 1000
exit
interface ethernet e23
switchport general allowed vlan add 1000 untagged
exit
interface ethernet e1
switchport trunk allowed vlan add 1000
exit
interface vlan 1000
name "Internet Only"
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
interface ethernet e23
dot1x port-control auto
exit
interface vlan 1
ip address 192.168.1.200 255.255.255.0
exit
ip default-gateway 192.168.1.1
username admin password 02f283a52227a605bc7dd71f3842fed1 level 15 encrypted
snmp-server community Dell_Network_Manager rw view DefaultSuper

Default settings:
Service tag:
SW version

Fast Ethernet Ports
==========================
no shutdown
speed 100
duplex full
negotiation
flow-control off
mdix auto
no back-pressure

Gigabit Ethernet Ports
=============================
no shutdown
speed 1000
duplex full
negotiation
flow-control off
mdix auto
no back-pressure

interface vlan 1
interface port-channel 1 - 15
spanning-tree
spanning-tree mode STP
qos basic
qos trust cos

Once again, thank you for your assistance.
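As an added example (not code from this thread, from the poster, or from Dell), the following script reads a running config in the style pasted above and checks whether the ports meant for guests (e23/e24) are actually isolated in VLAN 1000: it tracks each port's mode, PVID and tagged/untagged membership, flags a guest port that still sits in VLAN 1 or whose PVID sends untagged client frames into the office VLAN, notes the earlier reply's point that dot1x port-control auto needs dot1x guest-vlan enable before unauthorized clients land in the guest VLAN, and lists any read-write SNMP community. It assumes the factory state the first post describes (every port untagged in VLAN 1 with PVID 1, and general/trunk mode keeping that membership until the config removes it or sets a new PVID); the names SAMPLE_CONFIG, SAMPLE_FIXED, Port, expand_range, parse_config and audit are mine, and the switchport access vlan syntax in the access-mode sample is assumed and should be checked against the user's guide linked in the thread.

```python
"""Audit guest-VLAN isolation in a PowerConnect 35xx-style running config.
Added example, not from the thread or from Dell. Assumed factory state: every
port starts untagged in VLAN 1 with PVID 1, kept until the config changes it.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the membership-relevant lines of the config pasted above,
# with repeated stanzas for the same port folded together.
SAMPLE_CONFIG = """\
interface ethernet e1
switchport mode trunk
switchport trunk allowed vlan add 1000
exit
interface range ethernet e(23-24)
switchport mode general
exit
interface ethernet e23
switchport general allowed vlan add 1000 untagged
dot1x port-control auto
exit
snmp-server community Dell_Network_Manager rw view DefaultSuper
"""

# Constructed: the same ports in access mode, as the earlier reply recommends
# for plain traffic segregation ('switchport access vlan' syntax is assumed).
SAMPLE_FIXED = """\
interface ethernet e1
switchport mode trunk
switchport trunk allowed vlan add 1000
exit
interface range ethernet e(23-24)
switchport mode access
switchport access vlan 1000
exit
"""


@dataclass
class Port:
    mode: str = "access"
    pvid: int = 1                                        # assumed factory default
    untagged: set = field(default_factory=lambda: {1})   # assumed factory default
    tagged: set = field(default_factory=set)
    dot1x: str = "force-authorized"
    guest_vlan_enabled: bool = False


def expand_range(spec):
    """'e(23-24)' -> ['e23', 'e24']; a plain port name is returned as-is."""
    m = re.fullmatch(r"([a-z]+)\((\d+)-(\d+)\)", spec)
    if not m:
        return [spec]
    return [f"{m.group(1)}{i}" for i in range(int(m.group(2)), int(m.group(3)) + 1)]


def parse_config(text):
    """Return (ports by name, names of read-write SNMP communities)."""
    ports, snmp_rw, current = {}, [], []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface" and len(tok) > 2 and tok[1] in ("ethernet", "range"):
            current = expand_range(tok[-1])        # stanzas may repeat; keep state
            for name in current:
                ports.setdefault(name, Port())
        elif tok[0] == "exit":
            current = []
        elif tok[:2] == ["snmp-server", "community"] and "rw" in tok:
            snmp_rw.append(tok[2])
        for p in (ports[n] for n in current):      # commands inside a port stanza
            if tok[:2] == ["switchport", "mode"]:
                p.mode = tok[2]
            elif tok[:3] == ["switchport", "access", "vlan"]:
                p.untagged, p.pvid = {int(tok[3])}, int(tok[3])
            elif tok[:3] == ["switchport", "general", "pvid"]:
                p.pvid = int(tok[3])
            elif tok[:5] == ["switchport", "general", "allowed", "vlan", "add"]:
                (p.untagged if tok[-1] == "untagged" else p.tagged).add(int(tok[5]))
            elif tok[:5] == ["switchport", "trunk", "allowed", "vlan", "add"]:
                p.tagged.add(int(tok[5]))
            elif tok[:2] == ["dot1x", "port-control"]:
                p.dot1x = tok[2]
            elif tok[:2] == ["dot1x", "guest-vlan"]:
                p.guest_vlan_enabled = True
    return ports, snmp_rw


def audit(ports, guest_vlan, guest_ports):
    """Findings for ports meant to be guest-only; an empty list means isolated."""
    findings = []
    for name in sorted(guest_ports):
        p = ports.get(name, Port())                # unconfigured port = factory defaults
        member = p.untagged | p.tagged
        if guest_vlan not in member:
            findings.append(f"{name}: not a member of guest VLAN {guest_vlan}")
            continue
        if p.pvid != guest_vlan:
            findings.append(f"{name}: PVID {p.pvid}, so untagged client frames "
                            f"enter VLAN {p.pvid} rather than {guest_vlan}")
        if extra := sorted(member - {guest_vlan}):
            findings.append(f"{name}: also carries VLAN(s) {extra}; not isolated")
        if p.dot1x == "auto" and not p.guest_vlan_enabled:
            findings.append(f"{name}: port-control auto without 'dot1x guest-vlan "
                            "enable'; unauthorized clients are not put in the guest VLAN")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted config", SAMPLE_CONFIG), ("access-mode config", SAMPLE_FIXED)):
        ports, snmp_rw = parse_config(cfg)
        print(label, audit(ports, 1000, {"e23", "e24"}) or ["no findings"],
              [f"read-write SNMP community: {c}" for c in snmp_rw])
```

Run against the posted config it reports that e23 still has PVID 1 and untagged membership in VLAN 1 (which matches the symptom of being able to ping the office server), that e24 is not in VLAN 1000 at all, and that the dot1x setting on e23 has no guest VLAN enabled; the access-mode variant produces no port findings.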


March 14th, 2013 09:00

Looking at the config, it looks like there are some commands missing for the guest VLAN. Since we are wanting to do most things through the Web interface, I did some research on this, and how to do it through the GUI. It looks like it is done under Switch>Network security>Port Based Authentication.

Page 262

ftp://ftp.dell.com/Manuals/all-products/esuprt_ser_stor_net/esuprt_powerconnect/powerconnect-3548_user%27s%20guide_en-us.pdf

I took a screen shot of the configuration I think will work.

The idea is that you enable port-based authentication and enable the Guest VLAN, so that any unauthenticated connections still have limited access on the guest VLAN. Then we set the authentication method to none and admin interface control to unauthorized. This should automatically default any connection on that port to the guest VLAN.

Let's test that out and see what the outcome is.


March 14th, 2013 13:00

Hello Daniel,

Thank you for your ongoing assistance, I truly appreciate it.

Unfortunately, my testing was not positive. I did copy your screenshot (going to Switch > Ports > Port Configuration) and when I tested my TestPC (still on port 23) it couldn't ping the internet.

I checked my firmware version and it is out of date (2.0.0.29) so I am downloading 2.0.0.51. I'm also downloading the PDF so that I can refer to it also. I will apply the firmware to the switch tomorrow morning before office hours. Let's hope for a better outcome! :)


March 15th, 2013 08:00

Some other ideas that we can try.

Under the authentication method, change from NONE to Radius or Radius,NONE. The idea is that when the client is plugged into the port it cannot authenticate and gets put onto the guest VLAN.

If that still does not work, then we can test connectivity by assigning a static IP address to the client, then see if we can ping inside and outside the network.

Keep us updated,

Thanks.
