Guest VLAN on Brocade 6450

Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.

xm4rcell0x

New Member
Apr 2, 2019
6
1
3
hello everyone. I apologize for the question that might sound stupid, but I'm not a network expert.

I have a pfsense router (dedicated box), a brocade switch (thx to fohdeesha for supporting me :D), and a cisco access point.

What I would like to do is create a vlan for guests that cannot access to my LANnet. I've already set up:

  1. vlan id 57 on pfsense with subnet 10.10.57.0/24 (I know, "you have an L3 switch and you use pfsense for vlan?" well, I prefer it because it's more comfortable for me)

  2. Enabled DHCP server on pfsense for Guestnet

  3. Enabled firewall rules

  4. on the cisco access point I created a new SSID Guest with VLAN ID 57

  5. On the switch I don't know where to start... I have everything on the ve 1 interface (like a L2 switch), on port 1/1/1 I connected the router while on the 1/1/7 port I connected the access point.
What I would like is that depending on which SSID you connect to, you are assigned to the Lan net or Guest net. How can this be done? I have already tried to configure 1/1/1 and 1/1/7 (via web gui) in dual mode (tagged and untagged) but with no results. Thanks, Marcello

VLAN config - Click to see more photos (screenshot)



Ah, one last thing, how do you change the brocade's DNS server? Console? it's still 192.168.1.1 (pfsense is 10.10.20.1)
 
  • Like
Reactions: tommybackeast

ttabbal

Active Member
Mar 10, 2016
743
207
43
47
I don't have that switch, but the basic idea is to set both ports to include VLAN 57 for tagged. Check for port security settings as well. Usually, adding the port to the vlan will allow the traffic, but some of them require you to enable the traffic.

When I was learning how to set it up at home, I started with untagged. Set 2 ports to a new vlan. Check to see if you can ping them from each other and not any other port. It basically makes a small switch in a switch. Using static IP helps here so you can leave DHCP etc out of it. Then add tagging into the mix. Sometimes you need to configure the port as a trunk to get tagged traffic to work properly.

It looks like you set the vlan ports to be used for stacking, that's usually something different. You might try with that disabled.
 
  • Like
Reactions: xm4rcell0x

xm4rcell0x

New Member
Apr 2, 2019
6
1
3
Brocade port is dual mode in a single VLAN and tagged in several others
How can I set up a VLAN for a guest wireless network?
I've read some threads around the web, try to set 1/1/1 and 1/1/7 as tagged and untagged, dual mode, all the possible combination under VLAN57 ... But nothing.
With 1/1/1-1/1/7 in 57, dual mode, both SSID works , I can ping the router but my desktop won't work and also the 2nd notebook (connected to guest net) has always a LANnet IP (vlan1 as default and 10.10.20.x) , not the 192.168.57.x

Why you say that i've use a stack? For the x/y/z port setting?
I've follow fohdeesha's tutorial in brocade's megathread
 

ttabbal

Active Member
Mar 10, 2016
743
207
43
47
I was looking at the "Uplink Switch" setting, but looking again, I see that it wasn't set. Like I said, I don't have this switch.

If you are connecting to the guest SSID and not getting a guest IP, VLAN isn't working properly.

What I did was set the port for the pfsense machine and the AP to allow tagged traffic for the VLANs and set the default untagged VLAN on them to 1, which was the default for all ports on my switch.

If you are breaking an unrelated port when enabling VLAN, something weird is going on. Make sure the desktop's port is set to untagged on the default VLAN you use, usually 1. Set the pfsense port to VLAN 1 and tagged traffic for the VLAN. Now set a port to untagged 57. That makes all traffic that does not request a VLAN be on 57. Plug into that one and you should get an IP from the guest range. If that doesn't work you know something is wrong with the pfsense port or configuration. The basic idea here is to split up the problem so you have some idea what to look at. That's also why I suggested 2 untagged 57 ports before, to test that you can make VLANs work at all in the simplest configuration.
 
  • Like
Reactions: xm4rcell0x

infoMatt

Active Member
Apr 16, 2019
222
100
43
@xm4rcell0x, could you post a show run?

Ideally, you should simply define a L2 VLAN using conf t -> vlan 57 -> tagged ethernet 1/1/1 to 1/1/7; you've to set the interfaces as dual mode [native-vlan-id] to retain the traffic that was previously on the native VLAN 1.

Do not define a router interface on that vlan, otherwise the traffic would be routed internally by the switch and, if you do not define any ACL, by default there's full visibility between networks.

See page 414 on the "FastIron Ethernet Switch Platform and Layer 2 Switching Guide". You can find the PDF inside fohdeesha mega-firmware-zip-file.
 
Last edited:

infoMatt

Active Member
Apr 16, 2019
222
100
43
these are my #showrun1 ------- #showrun2 ------ #showvlan
with these settings:
my desktop (and all cabled devices) doesn't work.
Cisco_NET (lan ssid) works
Cisco_Guest (guest ssid) doesnt' work
i don't think it's normal :(:(
With the config that you've posted (btw, you could have simply copy-pased in a text response...), you've defined the ports 1 and 7 as dual mode using VLAN 57 as the native (untagged) VLAN. You need to review the config of the router and tag/untag VLAN on the uplink port accordingly.
Nothing works anymore because you've removed VLAN 1 from the uplink to the router, and thus the client can't send DHCP requests and traffic data.

Assuming that port 1 and 7 are connected to the router and the access point, and you want the new guest as a tagged vlan, try something like this (I don't have the switch on hand at the moment, so I try to remember the commands):

conf t
vlan 57
tagged e 1/1/1
tagged e 1/1/7
interface e 1/1/1
dual-mode 1
interface e 1/1/7
dual-mode 1
end

on the pfSense box Guest net should be defined as a VLAN 57 over the internal ethernet interface.
 
Last edited:
  • Like
Reactions: xm4rcell0x

xm4rcell0x

New Member
Apr 2, 2019
6
1
3
You need to review the config of the router and tag/untag VLAN on the uplink port accordingly.
conf t
vlan 57
tagged e 1/1/1
tagged e 1/1/7
interface e 1/1/1
dual-mode 1
interface e 1/1/7
dual-mode 1
end
Thank you very much for the suggestion, everything works fine!
 

infoMatt

Active Member
Apr 16, 2019
222
100
43
Thank you very much for the suggestion, everything works fine!
You're welcome!
VLAN config can be a little tricky at the beginning... don't worry, just remember that untagged VLAN does not carry the identifier number with the traffic... you can link a untagged ethernet port on SW1 VLAN5 to a port of a second switch (SW2) and mark it at ingress with untagged VLAN 600... just please don't do it because it will drive you nuts when you'll have to review the config :p
 
  • Like
Reactions: xm4rcell0x