guest network using tagged VLANs

>
> I'm wondering if this is possible ... I can't seem to find anything
> that really matches.
>
> Suppose I have a wireless access point (WAP) configured just as an AP
> -- no router or DHCP functionality enabled on the WiFi device.
>
> WAP is connected to a switch with two tagged VLANs.
>
> Switch is connected to machine running ISC DHCP.   Connection is from
> a switch port assigned to both VLANS.
>
> In the ISC DHCP configuration for the VLAN subnet, some rules (for
> example MAC address) are used to assign an address from one of the two
> VLAN subnets.  For example, known MAC addresses get IPs from VLAN1. 
> Unknown MAC addresses get IP addresses from VLAN2.
>
> Since different interfaces are specified as subnets in the DHCP
> configuration, I don't see that I can specify one set of rules for the
> combined (trunk) VLAN.  So what I'd end up with is two subnet
> specifications where a client address may come from either the same
> subnet or from the other VLAN subnet.  Having an address range from a
> different subnet alone seems like it might not work (configuration
> might be rejected).   Beyond that, would it then even work ...
>
> I don't really have everything needed to actually test this, which is
> why I ask.

>
> On 12/01/2020 22.44, Steve Sapovits wrote:
>> I'm wondering if this is possible ... I can't seem to find anything
>> that really matches.
>>
>> Suppose I have a wireless access point (WAP) configured just as an AP
>> -- no router or DHCP functionality enabled on the WiFi device.
>>
>> WAP is connected to a switch with two tagged VLANs.
>>
>> Switch is connected to machine running ISC DHCP.   Connection is from
>> a switch port assigned to both VLANS.
>>
>> In the ISC DHCP configuration for the VLAN subnet, some rules (for
>> example MAC address) are used to assign an address from one of the two
>> VLAN subnets.  For example, known MAC addresses get IPs from VLAN1.
>> Unknown MAC addresses get IP addresses from VLAN2.
>>
>> Since different interfaces are specified as subnets in the DHCP
>> configuration, I don't see that I can specify one set of rules for the
>> combined (trunk) VLAN.  So what I'd end up with is two subnet
>> specifications where a client address may come from either the same
>> subnet or from the other VLAN subnet.  Having an address range from a
>> different subnet alone seems like it might not work (configuration
>> might be rejected).   Beyond that, would it then even work ...
>>
>> I don't really have everything needed to actually test this, which is
>> why I ask.
> You can solve this on condition that the WAP itself is VLAN aware and
> than use 2 SSID. One assigned the your normal VLAN and the second to the
> guest VLAN.
>
> On the DHCP server you than have no problem, as each of the VLAN can
> have it's own subnet definition.

>
>> On the DHCP server you than have no problem, as each of the VLAN can
>> have it's own subnet definition.
>
>
> Reading some networking forums, it sounds like not all WAP devices
> retain guest separation if they're not in full router mode.
>
> So, assuming a WAP that can't do the VLAN separation, is there a way
> to make the guest separation on the ISC DHCP side?
>
>

>
> On 12/01/2020 23.15, Steve Sapovits wrote:
>>> On the DHCP server you than have no problem, as each of the VLAN can
>>> have it's own subnet definition.
>>
>> Reading some networking forums, it sounds like not all WAP devices
>> retain guest separation if they're not in full router mode.
>>
>> So, assuming a WAP that can't do the VLAN separation, is there a way
>> to make the guest separation on the ISC DHCP side?
>>
>>
> When the WAP does not support VLAN separation, i think it already fails
> at the switch. How would the switch be able to differentiate? The switch
> will always tag an untagged packet to the same VLAN.

>
> You would use a switch that allows a single port to be assigned to
> both VLANs, then run that cable to a NIC on the DHCP server. Then
> configure the DHCP server to listen on both VLAN subnets. From my
> understanding of DHCP, that should be enough for the client to
> discover the DHCP server to start the transaction.  So it would seem
> to come down to whether ISC DHCP can return an address that's outside
> of the subnet it's listening on.  My understanding is that a trunk
> port (one assigned to all VLANs) assigns the right VLAN ID to any
> untagged packets.   So the right VLAN ID should be added once the
> client gets its IP address and that flows back to the trunk port on
> the VLAN switch.
>
> Caveat here is I'm really not an expert ...

>
>
> Reading more about this, I think I'm wrong.  If a packet hits a trunk
> port (Cisco anyway) with no tag, it gets a default tag.
>
> I don't think a trunk port is intended for what I was thinking.
>
> I don't think you can connect anything not sending tagged VLAN packets
> to a trunk port.  So I think that brings us back to your original
> point -- make sure the WAP can do the tagging.
>
> Otherwise, it would seem to require two WAPs.
>

> To expand on Rudy's reply ...
> As said, configure the AP to connect one SSID to one VLAN, and another
> SSID to another VLAN - this is then functionally equivalent to having
> two APs on separate physical LANs.
> At the DHCP server, have the daemon listen on the two VLAN interfaces
> and define subnets to match. Again, this is functionally the same as
> having two interfaces connected to two seoarate LANs.
> The rest just happens automagically - no special rules in your DHCP
> config.
> This is something I've done a few times both internally and for
> clients.
>
> Simon
> _______________________________________________
> dhcp-users mailing list
> [hidden email]
> https://lists.isc.org/mailman/listinfo/dhcp-users