In our example, we will configure multiple VLANs for a network with the topology shown in the figure below.
This configuration will be implemented as an example at Site 5 in our Experience Lab and to view this configuration in action, please refer to the article “[E-LAB] Zyxel Experience Lab: Site 5 (Nebula)”.
More configuration details:
- VLAN 30 traffic is passed between port 3 of Switch-1 and Switch-2.
- Switch-1, Switch-2, and the AP must obtain a dynamic IP from the VLAN 30 interface of the firewall.
- SSID1 wireless clients must obtain a dynamic IP from the firewall's VLAN 10 interface
- SSID2 wireless clients must obtain a dynamic IP from the firewall's VLAN 20 interface.
- The PC must be able to reach the firewall's VLAN 30 interface.
In the figure below, you can see how this topology looks from the Nebula side. In our example, we have additional devices at our site; however, these are not required. Our setup includes two ISPs, stacked switches, and a firewall in high availability (HA) mode, but these elements are not essential for this configuration. To replicate this setup, a single ISP, one firewall, two switches, and one access point (AP) are sufficient.
STEP1 - Firewall settings
The first step is to create the three required VLANs: VLAN10, VLAN20, and VLAN30, as illustrated in the figure below. In our setup, we configured these VLANs using the local web interface of the USG FLEX 500H firewall. To add VLANs, access the firewall's web interface (these configurations can also be performed via the Nebula interface). Navigate to Network > Interface > Add Internal Interface to create the VLANs. While configuring VLANs, do not forget to enable DHCP for each VLANs.
DHCP Server - Enable
Also, in the photo below, you can see the same settings on the Nebula side.
Switch settings - Management VLAN: 30 192.168.30.0/24
Switch-1, Switch-2, and AP should obtain dynamic IP from the Firewall’s VLAN 30 interface. In Nebula settings, go to “Devices”, then “Switches”, then select Switch 1 (in our case it is the XGS2220).
Click on the edit button next to “LAN IP.” The button looks like a pen with a leaf. Then specify the required VLAN
— in our case, VLAN30—and save the changes. (Make the same settings for the second switch! )
After the changes are applied, the switch's IP address will change. The switch should get the IP address from VLAN30. Sometimes, it may take longer than expected to apply the changes.
Make the same settings for the second switch!
Spanning Tree Protocol (STP) should be disabled.
Change the PVID of the Switch-1 Uplink port to 100 or else the default PVID 1 configured on all ports will cause a storm from the Firewall’s traffic.
In our case, we need a switch that is connected to the firewall.
Go to Site-wide - Devices - Switches - Select the required switch
Scroll to the bottom of the page and select “Configure Ports”
Select “aplink port” and change the PVID to 100, then save the changes.
Configuring ports on switches
Switch 1:
- Port 8: Designated as the uplink port, connecting to the firewall. (We configured this port in the previous steps, so you don't need to do anything with it.)
- Port 3: Connects to Switch 2 for inter-switch communication (For this port, we need to specify VLAN30 as shown in the photo below)
Switch 2:
- Port 3: Connects to Switch 1 for inter-switch communication. (For this port, we need to specify VLAN30 as shown in the photo below)
- Port 7: Connects to the wireless access point. (For this port, we need to specify VLAN30 as shown in the photo below)
- Port 6: Connects to the user's laptop. (For this port, we need to specify VLAN30 as shown in the photo below)
Access Point Settings
Change the Management VLAN ID for the AP in Nebula
Go to Site-wide - Devices - Access points - WBE660S
Management VLAN ID should be set to 30 and save the changes. Your AP will then obtain an IP address from VLAN30
Next, let's configure the SSID on the access point. We need SSID1 clients to get IP address from VLAN10 and SSID2 clients to get IP address from VLAN20.
Check the result:
Comments
0 commentsPlease sign in to leave a comment.