7 Replies Latest reply on Sep 6, 2013 10:20 AM by levi

    How to create DHCP pools for two different VLANs on 1335 switch

    ovais New Member

      Hi Support,

      I have a Netvanta 3400 firewall which is currently configured to work as a DHCP server for our LAN. I am going to set up ADTRAN vWLAN in our office and I need to have two SSIDs, i.e. Corporate and Guest. I have also recently purchased a Netvanta 1335 switch in order to manage my VLANs.

      As for the configuration on the switch, I created two VLANs namely "Corporate" with "VLAN ID 10" and VLAN "Guest" with "VLAN ID 11". I also created two DHCP pools in the DHCP settings on the switch and this is where my confusion starts,

      How do I assign these two DHCP pools to my VLAN interfaces?

      I don't see any options to set the IP address range during the DHCP pool settings as well?

      Is it better that I use the firewall with two DHCP pools to provide IP addresses to two different VLANs, or should I use the switch for this purpose and disable the DHCP server on the firewall? In the latter case, what would be the gateway for the two DHCP pools? Do I have to make some static routes to bring the data to the firewall?

       

      All I need to do is to create two VLANs with their own DHCP IP pools to handle two SSIDs. I know my knowledge is limited about networking; please assist me with this.

      Maybe a sample configuration, if you have one, would help me.

       

      Thanks a lot. 

        • Re: How to create DHCP pools for two different VLANs on 1335 switch
          levi Employee

          ovais:

           

          Thank you for asking this question in the support community.

           

          Here is an example on how to create a DHCP pool:  How do you set up a DHCP pool?

           

          Here is the Configuring DHCP in AOS guide for reference.

           

          This post may be helpful as well:  Re: Wireless Guest Access

           

          On AOS units you do not have to "assign" the DHCP pool to a VLAN/interface.  The unit knows that if the network referenced in the DHCP pool (network <ipv4 address> <subnet mask>) and the network on the VLAN/interface are the same, that is where it should administer DHCP addressing.

           

          For your application, you can have either the "firewall" or the NV1335 act as the DHCP server.  I would recommend if you are going to use the NV1335 only as a switch (with no routing capabilities) then you use the other device as the DHCP server and default-gateway for the network.  If you are going to use the NV1335 to route between VLANs, then it should be the default-gateway and DHCP server for the various networks.

           

          I hope that answers your questions, but please do not hesitate to reply with any additional questions or information.  I will be happy to help in any way I can.

           

          Levi

            • Re: How to create DHCP pools for two different VLANs on 1335 switch
              ovais New Member

              Hello Levi,

              Thank you very much for the reply and your suggestions. I could not try these suggestions earlier because the only time I could play with the network is the weekend, i.e. Friday and Saturday here in the Middle East. So, to cut the story short, below is what I tried and also the issues I faced:

               

              1. I configured 4 switch ports as trunk ports, two of those are connected to the APs, one connects the server that is running vWLAN controller software and the fourth is the Gig port which I am using as an up link to my Netvanta 3400 firewall.
              2. Created 2 DHCP pools on the firewall for 192.168.11.0 (VLAN 1 interface) and 192.168.12.0 (VLAN 2 interface). To create VLAN 1 I actually edited the "default" VLAN on the switch (is it ok?).
              3. Rest of the ports on the switch are access ports part of VLAN 1 i.e. Corporate VLAN.  
              4. The firewall LAN interface is 192.168.11.2, which serves as the gateway for the 192.168.11.0 network. I read in the article you sent that the port on the firewall that connects to the switch has to be 802.1q. When I change the IP settings in the firewall for the LAN interface to 802.1q instead of static 192.168.11.2, I lose the connectivity to the firewall.


              Questions:

              1. Do I need to enable 802.1q tagging on both ports, I mean the firewall LAN interface and also the uplink port where the firewall connects with the switch?
              2. If yes, then how do I do it on the switch? Where do I enable it in the switch for that specific port? I do not see any options.
              3. I believe the other trunk ports where my APs and vWLAN server connect need to be untagged, is it correct?
              4. How do I change the port to be tagged OR untagged?
              5. For the first DHCP pool the network is 192.168.11.0, the range is 192.168.11.10 ---> 100 and the gateway is the LAN interface of the firewall, i.e. 192.168.11.2. For the second DHCP pool the network is 192.168.12.0, the range is 192.168.12.10 ---> 100; what would be the gateway of this DHCP server? Do I set it as 192.168.11.2 and later create a route on the switch to route all traffic from 192.168.12.0 to 192.168.11.2?
              6. Do I need some routing to bring traffic from 192.168.12.0, i.e. the guest VLAN or VLAN 2, to 192.168.11.2, i.e. the gateway or LAN interface of the firewall?

               

              I would appreciate your help so that I can solve this jumbled puzzle.

               

              Ovais 

                • Re: How to create DHCP pools for two different VLANs on 1335 switch
                  levi Employee

                  ovais:

                   

                  I will try to answer your questions as best as I can.  It appears you are only missing a few key aspects in the configuration.

                   

                  Based on the information you provided, it appears you will need to add the keyword native to VLAN 1 in the NV3430 "firewall" because that is the untagged VLAN for the network.  When you change the Ethernet port on the NV 3430 to an 802.1q trunk port, you will have to specify a VLAN-ID on the Ethernet subinterfaces.  In your case, I recommend adding the command vlan-id 1 native to the VLAN one subinterface and the vlan-id 2 command to the VLAN two subinterface.  I think this will resolve a majority of your problems/questions.

                   

                  The configuration would look similar to the following:

                   

                  interface eth 0/1
                    encapsulation 802.1q
                    no shutdown
                  !
                  interface eth 0/1.1
                    vlan-id 1 native
                    ip address 192.168.11.2 255.255.255.0
                    no shutdown
                  !
                  interface eth 0/1.2
                    vlan-id 2
                    ip address 192.168.12.2 255.255.255.0
                    no shutdown

                   

                  Specific answers to your questions:

                   

                  1. Do I need to enable 802.1q tagging on both ports, I mean the firewall LAN interface and also the uplink port where the firewall connects with the switch?
                    1. You will need to configure the Router/Firewall for encapsulation 802.1q trunking (as noted above), and configure the port on the switch as "trunk."

                  2. If yes, then how do I do it on the switch? Where do I enable it in the switch for that specific port? I do not see any options.
                    1. On the switch interface configuration, the command is (config-swx 0/x)# switchport mode trunk; in the web interface it is Data > Switch > Ports > Membership > Trunk

                  3. I believe the other trunk ports where my APs and vWLAN server connect need to be untagged, is it correct?
                    1. Typically, APs are connected via trunk ports and the native VLAN (VLAN one in most cases) is sent as untagged, which is how it is configured by default.

                  4. How do I change the port to be tagged OR untagged?
                    1. See the native keyword above.

                  5. For the first DHCP pool the network is 192.168.11.0, the range is 192.168.11.10 ---> 100 and the gateway is the LAN interface of the firewall, i.e. 192.168.11.2. For the second DHCP pool the network is 192.168.12.0, the range is 192.168.12.10 ---> 100; what would be the gateway of this DHCP server? Do I set it as 192.168.11.2 and later create a route on the switch to route all traffic from 192.168.12.0 to 192.168.11.2?
                    1. The default-gateway for the DHCP pool will be the router/firewall's Ethernet sub-interface IP address.  In your case it will be 192.168.11.2 for VLAN 1 and 192.168.12.2 for VLAN 2 (see above example). 

                  6. Do I need some routing to bring traffic from 192.168.12.0 i.e. guest VLAN or VLAN 2 to the 192.168.11.2 i.e. gateway or LAN interface of the firewall?
                    1. In the ADTRAN unit, this routing will be done automatically by the router/firewall.

                   

                  I hope I have answered your questions, but let me know what other questions you have or if you would like further explanations.

                   

                  Levi

                  1 of 1 people found this helpful
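
Added example, not part of the thread and not ADTRAN code: a Python check of the rule described in the reply above, that a DHCP pool is served on the interface whose network matches the pool's `network` statement and that the pool's default gateway should be that sub-interface's address. The interface lines are the addressing lines from the reply; the pool record format, pool names and function names are assumptions made for this example.

```python
import ipaddress
import re

# Constructed input: addressing lines of the sub-interface config from the reply.
CONFIG = """\
interface eth 0/1
  encapsulation 802.1q
interface eth 0/1.1
  vlan-id 1 native
  ip address 192.168.11.2 255.255.255.0
interface eth 0/1.2
  vlan-id 2
  ip address 192.168.12.2 255.255.255.0
"""

# Hypothetical pool records (not AOS syntax): network, mask, default gateway.
POOLS = {
    "Corporate": ("192.168.11.0", "255.255.255.0", "192.168.11.2"),
    "Guest": ("192.168.12.0", "255.255.255.0", "192.168.12.2"),
}

def parse_interfaces(text):
    """Return {interface name: IPv4Interface} for interfaces that carry an address."""
    found, current = {}, None
    for line in text.splitlines():
        head = re.match(r"interface\s+(.+)", line)
        addr = re.match(r"\s+ip address\s+(\S+)\s+(\S+)", line)
        if head:
            current = head.group(1).strip()
        elif addr and current:
            found[current] = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}")
    return found

def audit_pools(pools, interfaces):
    """Match each pool to the interface on the same network and check its gateway."""
    report = {}
    for name, (net, mask, gateway) in pools.items():
        network = ipaddress.ip_network(f"{net}/{mask}")
        owner = next((i for i, a in interfaces.items() if a.network == network), None)
        if owner is None:
            report[name] = (None, "no interface on this network")
        elif ipaddress.ip_address(gateway) != interfaces[owner].ip:
            report[name] = (owner, f"gateway {gateway} is not {interfaces[owner].ip}")
        else:
            report[name] = (owner, "ok")
    return report

if __name__ == "__main__":
    print(audit_pools(POOLS, parse_interfaces(CONFIG)))
```

Giving the Guest pool the gateway 192.168.11.2, as asked about in question 5, is reported as a mismatch because that address belongs to the VLAN 1 sub-interface.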
                    • Re: How to create DHCP pools for two different VLANs on 1335 switch
                      ovais New Member

                      Hi Levi,

                      I tried the configuration exactly as you mentioned here, but every time I select the Eth0 interface in the firewall GUI as 802.1q and input the sub-interface ID and VLAN ID (I also check the Native VLAN option) the unit hangs and I lose connectivity to it. The same thing happens when I use Telnet and execute the commands

                      enable ---> configure terminal ---> interface eth 0/1 ---> encapsulation 802.1q and that's it, after this the unit hangs and the Telnet session is terminated.

                      From the connection point of view the firewall is connected to the gigabit port 1 on the switch which is configured as a trunk port.

                      Any suggestions please?

                        • Re: How to create DHCP pools for two different VLANs on 1335 switch
                          levi Employee

                          ovais:

                           

                          Are you logging into the unit via the IP address on the Ethernet interface where you are making the changes?  You will need to either console into the unit with a serial connection, or HTTP/Telnet/SSH to an IP address that you are not modifying.  For example, if you are making changes to the Ethernet 0/1 interface on the ADTRAN unit, you will have to log in to Ethernet 0/2, the WAN interface, or simply use a console connection.  If you are logging in to the IP address assigned to Ethernet 0/1, when you apply the changes to this interface, you may lose connectivity to it via this interface.

                           

                          Let me know what other questions you have.

                           

                          Levi

                          1 of 1 people found this helpful
                          • Re: How to create DHCP pools for two different VLANs on 1335 switch
                            levi Employee

                            ovais:

                             

                            Do you still have questions on this topic?  If you do, do not hesitate to reply to this post.

                             

                            Levi

                    • Re: How to create DHCP pools for two different VLANs on 1335 switch
                      levi Employee

                      ovais:

                       

                      I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

                      Thanks,

                       

                      Levi