Guest VLAN on Brocade 6450

Discussion in 'Networking' started by xm4rcell0x, Jul 18, 2019.

  1. xm4rcell0x (New Member)
    Hello everyone. I apologize for the question, which might sound stupid, but I'm not a network expert.

    I have a pfsense router (dedicated box), a brocade switch (thx to fohdeesha for supporting me :D), and a cisco access point.

    What I would like to do is create a VLAN for guests that cannot access my LANnet. I've already set up:

    1. vlan id 57 on pfsense with subnet 10.10.57.0/24 (I know, "you have an L3 switch and you use pfsense for vlan?" well, I prefer it because it's more comfortable for me)

    2. Enabled DHCP server on pfsense for Guestnet

    3. Enabled firewall rules

    4. on the cisco access point I created a new SSID Guest with VLAN ID 57

    5. On the switch I don't know where to start... I have everything on the ve 1 interface (like a L2 switch), on port 1/1/1 I connected the router while on the 1/1/7 port I connected the access point.
    What I would like is that depending on which SSID you connect to, you are assigned to the Lan net or Guest net. How can this be done? I have already tried to configure 1/1/1 and 1/1/7 (via web gui) in dual mode (tagged and untagged) but with no results. Thanks, Marcello

    [VLAN config screenshot]



    Ah, one last thing: how do you change the Brocade's DNS server? Console? It's still 192.168.1.1 (pfSense is 10.10.20.1)
     
    #1
  2. ttabbal (Active Member)
    I don't have that switch, but the basic idea is to set both ports to include VLAN 57 for tagged. Check for port security settings as well. Usually, adding the port to the vlan will allow the traffic, but some of them require you to enable the traffic.

    When I was learning how to set it up at home, I started with untagged. Set 2 ports to a new vlan. Check to see if you can ping them from each other and not any other port. It basically makes a small switch in a switch. Using static IP helps here so you can leave DHCP etc out of it. Then add tagging into the mix. Sometimes you need to configure the port as a trunk to get tagged traffic to work properly.

    It looks like you set the vlan ports to be used for stacking, that's usually something different. You might try with that disabled.
     
    #2
  3. xm4rcell0x (New Member)
    Brocade port is dual mode in a single VLAN and tagged in several others
    How can I set up a VLAN for a guest wireless network?
    I've read some threads around the web and tried to set 1/1/1 and 1/1/7 as tagged and untagged, dual mode, all the possible combinations under VLAN 57... but nothing.
    With 1/1/1-1/1/7 in 57, dual mode, both SSIDs work, I can ping the router, but my desktop won't work and the 2nd notebook (connected to the guest net) always has a LANnet IP (VLAN 1 as default and 10.10.20.x), not 192.168.57.x

    Why do you say that I've used a stack? Because of the x/y/z port setting?
    I've followed fohdeesha's tutorial in the Brocade megathread
     
    #3
  4. ttabbal (Active Member)
    I was looking at the "Uplink Switch" setting, but looking again, I see that it wasn't set. Like I said, I don't have this switch.

    If you are connecting to the guest SSID and not getting a guest IP, VLAN isn't working properly.

    What I did was set the port for the pfsense machine and the AP to allow tagged traffic for the VLANs and set the default untagged VLAN on them to 1, which was the default for all ports on my switch.

    If you are breaking an unrelated port when enabling VLAN, something weird is going on. Make sure the desktop's port is set to untagged on the default VLAN you use, usually 1. Set the pfsense port to VLAN 1 and tagged traffic for the VLAN. Now set a port to untagged 57. That makes all traffic that does not request a VLAN be on 57. Plug into that one and you should get an IP from the guest range. If that doesn't work you know something is wrong with the pfsense port or configuration. The basic idea here is to split up the problem so you have some idea what to look at. That's also why I suggested 2 untagged 57 ports before, to test that you can make VLANs work at all in the simplest configuration.
     
    #4
  5. infoMatt (Member)
    @xm4rcell0x, could you post a show run?

    Ideally, you should simply define a L2 VLAN using conf t -> vlan 57 -> tagged ethernet 1/1/1 to 1/1/7; you have to set the interfaces as dual mode [native-vlan-id] to retain the traffic that was previously on the native VLAN 1.

    Do not define a router interface on that vlan, otherwise the traffic would be routed internally by the switch and, if you do not define any ACL, by default there's full visibility between networks.

    See page 414 on the "FastIron Ethernet Switch Platform and Layer 2 Switching Guide". You can find the PDF inside fohdeesha mega-firmware-zip-file.
     
    #5
    Last edited: Jul 25, 2019
  6. xm4rcell0x (New Member)
    These are my #showrun1, #showrun2 and #showvlan (screenshots).
    With these settings:
    my desktop (and all cabled devices) doesn't work,
    Cisco_NET (LAN SSID) works,
    Cisco_Guest (guest SSID) doesn't work.
    I don't think it's normal :(
     
    #6
  7. infoMatt (Member)
    With the config that you've posted (btw, you could have simply copy-pasted it in a text response...), you've defined ports 1 and 7 as dual mode using VLAN 57 as the native (untagged) VLAN. You need to review the config of the router and tag/untag the VLAN on the uplink port accordingly.
    Nothing works anymore because you've removed VLAN 1 from the uplink to the router, and thus the clients can't send DHCP requests and data traffic.

    Assuming that port 1 and 7 are connected to the router and the access point, and you want the new guest as a tagged vlan, try something like this (I don't have the switch on hand at the moment, so I try to remember the commands):

    conf t
    vlan 57
    ! guest VLAN: carried 802.1Q-tagged on the router uplink and on the AP port
    tagged e 1/1/1
    tagged e 1/1/7
    interface e 1/1/1
    ! keep VLAN 1 as the untagged (native) VLAN so the existing LAN traffic still passes
    dual-mode 1
    interface e 1/1/7
    dual-mode 1
    end
    ! save to startup-config so it survives a reboot
    write memory

    on the pfSense box Guest net should be defined as a VLAN 57 over the internal ethernet interface.
     
    #7
    Last edited: Jul 26, 2019
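As an added example (not code from the thread, from fohdeesha's guide or from the Brocade firmware bundle), here is a small Python linter for the two mistakes infoMatt points out: the uplinks losing VLAN 1 as their native VLAN (post #7) and a router interface on the guest VLAN letting the switch route around pfSense (post #5). It assumes the FastIron `show run` layout used in the thread (`vlan` sections with `tagged`/`untagged`/`router-interface ve` lines, `dual-mode` under `interface ethernet`); it knows nothing else. The two sample configs are constructed for this example, not the poster's screenshots, and the function and constant names are my own.

```python
"""Lint a FastIron 'show run' fragment for the thread's guest-VLAN pattern: VLAN 57 tagged
on the pfSense and AP ports, VLAN 1 kept native via dual-mode, no ve on VLAN 57."""
import re

# show run prints "ethe 1/1/1 ethe 1/1/7" or a range "ethe 1/1/1 to 1/1/4"
PORT_RE = re.compile(r"eth\w*\s+(\d+/\d+/\d+)(?:\s+to\s+(\d+/\d+/\d+))?")


def expand_ports(line):
    """Port list on a tagged/untagged line -> set of 'unit/slot/port' strings."""
    ports = set()
    for start, end in PORT_RE.findall(line):
        if not end:
            ports.add(start)
            continue
        unit, slot, first = start.split("/")
        for p in range(int(first), int(end.split("/")[2]) + 1):
            ports.add(f"{unit}/{slot}/{p}")
    return ports


def parse_fastiron(text):
    """Returns (vlans, native); only the directives the lint needs are understood."""
    vlans, native, ctx = {}, {}, None  # ctx = ("vlan", id) or ("port", name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"vlan (\d+)", line):
            vid = int(m.group(1))
            vlans.setdefault(vid, {"tagged": set(), "untagged": set(), "ve": None})
            ctx = ("vlan", vid)
            continue
        if m := re.match(r"interface eth\w* (\d+/\d+/\d+)", line):
            native.setdefault(m.group(1), None)  # None: not dual-mode (tagged-only)
            ctx = ("port", m.group(1))
            continue
        kind, key = ctx if ctx else (None, None)
        if kind == "vlan" and line.startswith("tagged "):
            vlans[key]["tagged"] |= expand_ports(line)
        elif kind == "vlan" and line.startswith("untagged "):
            vlans[key]["untagged"] |= expand_ports(line)
        elif kind == "vlan" and line.startswith("router-interface ve "):
            vlans[key]["ve"] = int(line.split()[-1])
        elif kind == "port" and line.startswith("dual-mode"):
            parts = line.split()
            native[key] = int(parts[1]) if len(parts) > 1 else 1  # bare dual-mode = VLAN 1
        elif not raw[:1].isspace():
            ctx = None  # some other top-level section (interface ve, ip ..., etc.)
    return vlans, native


def lint_guest_vlan(text, guest_vlan=57, lan_vlan=1, uplinks=("1/1/1", "1/1/7")):
    """Findings for the router/AP uplinks; an empty list means the fragment matches the fix."""
    vlans, native = parse_fastiron(text)
    guest = vlans.get(guest_vlan)
    if guest is None:
        return [f"vlan {guest_vlan} is not defined"]
    findings = []
    if guest["ve"] is not None:  # post #5: the switch would route around pfSense
        findings.append(f"vlan {guest_vlan} has router-interface ve {guest['ve']}: the switch "
                        "would route guest <-> LAN itself and bypass the pfSense firewall rules")
    for port in uplinks:
        if port not in guest["tagged"]:
            findings.append(f"port {port} is not tagged in vlan {guest_vlan}: guest SSID "
                            "frames cannot reach pfSense")
        elif native.get(port) is None:
            findings.append(f"port {port} is tagged-only (no dual-mode): untagged LAN frames "
                            "are dropped")
        elif native[port] != lan_vlan:  # post #7: VLAN 1 removed from the uplink
            findings.append(f"port {port} has dual-mode {native[port]}: VLAN {lan_vlan} is no "
                            "longer the native VLAN, so LAN clients lose DHCP and traffic")
    return findings


# Constructed sample: the state post #7 diagnoses, plus the ve-on-guest-VLAN mistake from post #5.
BROKEN_CONFIG = """\
vlan 57 name Guest by port
 tagged ethe 1/1/1 ethe 1/1/7
 router-interface ve 57
interface ethernet 1/1/1
 dual-mode 57
interface ethernet 1/1/7
 dual-mode 57
"""
# Constructed sample: what the commands in post #7 produce (bare dual-mode means VLAN 1).
FIXED_CONFIG = """\
vlan 1 name DEFAULT-VLAN by port
 router-interface ve 1
!
vlan 57 name Guest by port
 tagged ethe 1/1/1 ethe 1/1/7
interface ethernet 1/1/1
 dual-mode 1
interface ethernet 1/1/7
 dual-mode
"""
```

Paste the output of `show run` into `lint_guest_vlan()` and it returns one line per problem; `lint_guest_vlan(BROKEN_CONFIG)` reports the ve on VLAN 57 and both uplinks with VLAN 57 as native, while `lint_guest_vlan(FIXED_CONFIG)` returns an empty list. The isolation itself still depends on the pfSense rules for the Guestnet interface; the linter only checks that the switch is not routing around them.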
  8. xm4rcell0x (New Member)
    Thank you very much for the suggestion, everything works fine!
     
    #8
  9. infoMatt (Member)
    You're welcome!
    VLAN config can be a little tricky at the beginning... don't worry, just remember that an untagged VLAN does not carry the identifier number with the traffic... you can link an untagged ethernet port on SW1 VLAN5 to a port of a second switch (SW2) and mark it at ingress as untagged VLAN 600... just please don't do it, because it will drive you nuts when you have to review the config :p
     
    #9