Ruckus Unleashed VLAN Setup

I am not too savvy on the actual administration of networking devices, so I'm hoping for some advice on how to configure my network securely.

I have a gateway router which connects to a Ruckus ICX switch, which in turn has two Ruckus Unleashed APs connected to it.

Ideally, I'd like to leverage VLANs to segment the network (applying ACLs). My question is, what kind of configuration do I need to implement so that I can manage the APs from a management VLAN, but have the AP clients restricted from accessing the AP console or web UI?

Initially, I thought I'd just be able to assign the switch port to a tagged VLAN and set the AP to use that same VLAN (AP config calls this Access VLAN), but that didn't work. I tried untagged as well, but then I can't reach the AP from the management VLAN.

Any help or advice would be greatly appreciated!
Sean Wallace

Posted 2 weeks ago

Michael Brado, Official Rep
Sorry Sean, we don't have multiple VLAN service in Unleashed (yet). Current design is one flat network, all clients connect to same.

Edward Newman
Not completely true. SSID can be tagged through Advanced options but the management traffic has to be on a flat network. APs must be on same network and not VLAN tagged.

It would be really good for you to provide Management traffic on VLAN, the same as the Zone Director version (so I know you know how to write such code...)

NETWizz
While management traffic is, indeed, untagged to the AP, you can place the management traffic where you want it via a native VLAN (aka dual-mode) going out to the AP itself. Between the switches this management VLAN may be carried through various trunks using 802.1Q tags via the connected interfaces being TAGGED in the respective VLAN. The router, gateway, or layer-3 switch would have the default-gateway IP and mask for the management subnet carried by said VLAN. The mask would simply size that as a directly-connected network local to the device with the interface or SVI configured with the IP. I hope that helps.

You can generally place ACLs on layer-3 interfaces, but you have to get the source, destination, protocol, order, and whether it is inbound or outbound correct for the ACLs to work. This used to be hard for me, but after years of doing it, it's very easy now.

Edward Newman
Had to just set this up myself. I wanted APs on a management VLAN but the actual Wifi networks on separate secure VLANs.

Unleashed does not allow the Management IP to be on a VLAN (unlike Zone Director / non-Unleashed version) but it does allow a Wifi SSID to be assigned to specific VLANs. So the configuration I used was to have a trunk port to the Ruckus AP from the switch. However, it needs to be configured so the untagged traffic (from the AP) is tagged to your management VLAN and then the SSID VLANs as members. On Juniper switches this is called native tagging. Exact configuration depends on your switch vendor.

You can then use Advanced options to define the specific VLAN tags for each SSID network.

There is no option to configure tagging for the AP management traffic within Unleashed (Ruckus Support - this would be a REALLY good option).

Hope this helps.
Sean Wallace
Edward Newman, thank you very much for the information. Just making sure I understand...

Does this sound right?

Configure my ICX switch so that both ports that the APs are connected to have dual-mode on VLAN 10, and are tagged for VLAN 20. Then on the APs, configure the advanced SSID option (Access VLAN) to VLAN 20.

Then any devices in the ICX configured with untagged VLAN 10 will be able to reach the AP UI and SSH services? And the clients connecting to the SSID will have packets tagged for VLAN 20 (and not be able to reach the APs UI/SSH/etc)?

Do I need to do anything special to make sure the AP clients can reach the internet?
Edward Newman
This is really a question for how you are controlling traffic between VLANs. I do this on my firewall not the switch but your mileage may vary. Trunk config sounds right. Whatever is controlling VLAN accessibility should have rules dictating what can be linked from VLAN to VLAN or Internet.
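As an added example, not from any post in this thread: a small Python audit that reads an ICX-style running config and checks the invariant behind the trunk configuration discussed above, that every AP-facing port is untagged in the management VLAN only and tagged in each SSID VLAN. It understands both the 08.0.80+ `untagged` form and the older `tagged` plus `dual-mode` form of the ICX `vlan ... by port` syntax. The sample config, port numbers, and VLAN IDs are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in ICX "show running-config" style (not from the thread).
# 1/1/1-1/1/2: correct AP ports (untagged mgmt VLAN 10, tagged SSID VLAN 20).
# 1/1/3: mis-configured AP port, untagged in the Wi-Fi client VLAN.
# 1/1/4: pre-08.0.80 style, tagged in both VLANs with "dual-mode 10".
# 1/3/1: uplink trunk, not an AP port.
SAMPLE_CONFIG = """\
vlan 10 name Management by port
 tagged ethe 1/1/4 ethe 1/3/1
 untagged ethe 1/1/1 to 1/1/2
!
vlan 20 name Wifi-Traffic by port
 tagged ethe 1/1/1 to 1/1/2 ethe 1/1/4 ethe 1/3/1
 untagged ethe 1/1/3
!
interface ethernet 1/1/4
 dual-mode 10
!
"""

PORT_RE = re.compile(r"ethe(?:rnet)?\s+(\d+/\d+/\d+)(?:\s+to\s+(\d+/\d+/\d+))?")


def expand_ports(spec):
    """Expand an ICX port list such as 'ethe 1/1/1 to 1/1/2 ethe 1/3/1' into port names."""
    ports = []
    for start, end in PORT_RE.findall(spec):
        if not end:
            ports.append(start)
            continue
        s, e = start.split("/"), end.split("/")
        if s[:2] != e[:2]:
            raise ValueError(f"range {start} to {end} crosses a unit/slot boundary")
        ports.extend(f"{s[0]}/{s[1]}/{n}" for n in range(int(s[2]), int(e[2]) + 1))
    return ports


def parse_memberships(config):
    """Return {port: {"untagged": set, "tagged": set}} from ICX running-config text.

    'dual-mode [N]' under an interface (pre-08.0.80 syntax) turns the port's tagged
    membership in VLAN N into its untagged VLAN; with no N the default VLAN 1 is used.
    """
    members = defaultdict(lambda: {"untagged": set(), "tagged": set()})
    dual_mode = {}          # port -> VLAN, applied after all vlan blocks are read
    vlan = iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":      # '!' closes the current block
            vlan = iface = None
            continue
        m = re.match(r"vlan\s+(\d+)\b", line)
        if m:
            vlan, iface = int(m.group(1)), None
            continue
        m = re.match(r"interface\s+ethe(?:rnet)?\s+(\d+/\d+/\d+)", line)
        if m:
            iface, vlan = m.group(1), None
            continue
        if vlan is not None:
            m = re.match(r"(untagged|tagged)\s+(.*)", line)
            if m:
                for port in expand_ports(m.group(2)):
                    members[port][m.group(1)].add(vlan)
        elif iface is not None:
            m = re.match(r"dual-mode(?:\s+(\d+))?$", line)
            if m:
                dual_mode[iface] = int(m.group(1)) if m.group(1) else 1
    for port, v in dual_mode.items():
        members[port]["tagged"].discard(v)
        members[port]["untagged"].add(v)
    return members


def audit_ap_ports(config, ap_ports, mgmt_vlan, ssid_vlans):
    """Check AP-facing ports against the Unleashed model: the management VLAN is the
    only untagged VLAN (Unleashed sends AP management traffic untagged), every SSID
    VLAN is tagged, and nothing else is carried. Returns {port: [finding, ...]};
    an empty list means the port passes."""
    members = parse_memberships(config)
    ssid_vlans = set(ssid_vlans)
    report = {}
    for port in ap_ports:
        if port not in members:
            report[port] = ["port has no VLAN membership in this config"]
            continue
        untagged, tagged = members[port]["untagged"], members[port]["tagged"]
        findings = []
        if untagged != {mgmt_vlan}:
            findings.append(f"untagged VLAN(s) {sorted(untagged) or 'none'}; "
                            f"expected only management VLAN {mgmt_vlan}")
        for v in sorted(ssid_vlans & untagged):
            findings.append(f"SSID VLAN {v} is untagged: Wi-Fi clients would share "
                            "the AP's management broadcast domain")
        for v in sorted(ssid_vlans - tagged):
            findings.append(f"SSID VLAN {v} is not tagged: frames the AP tags with {v} will be dropped")
        for v in sorted(tagged - ssid_vlans - {mgmt_vlan}):
            findings.append(f"VLAN {v} is tagged but is not an SSID VLAN: remove it from the AP port")
        report[port] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_ap_ports(SAMPLE_CONFIG, ["1/1/1", "1/1/2", "1/1/3", "1/1/4"], 10, [20]).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

The finding that matters most for the question in this thread is an SSID VLAN that ends up untagged on an AP port: the AP's untagged management frames then land in the client VLAN, and clients can reach the AP web UI and SSH at layer 2, where no ACL on a routed interface can intervene.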
Sean Wallace
Excellent, this is exactly what I was looking for. I'll give it a shot and see how it goes. I'll be using ACLs to control accessibility, so hopefully it all works out. Thank you very much!
NETWizz
Addressing Edward Newman's "There is no option to configure tagging for the AP management traffic within Unleashed (Ruckus Support - this would be a REALLY good option)"

On the Ruckus/Brocade/Foundry it is like this on the switch side:

vlan 10 name Management by port
 tagged ethe 1/1/1
!
vlan 20 name Wifi-Traffic by port
 tagged ethe 1/1/1
!
interface ethernet 1/1/1
 dual-mode 10
!

If you are using 08.0.80 code:

vlan 10 name Management by port
 untagged ethe 1/1/1
!
vlan 20 name Wifi-Traffic by port
 tagged ethe 1/1/1
!


Then you can carry that management VLAN to another switch if you want, along with other VLANs, by tagging them. In this case from Switch A to Switch B, 1/3/1 to 1/3/1:

Switch A:

vlan 10 name Management by port
 untagged ethe 1/1/1
 tagged ethe 1/3/1
!
vlan 20 name Wifi-Traffic by port
 tagged ethe 1/1/1 ethe 1/3/1
!

Switch B:

vlan 10 name Management by port
 untagged ethe 1/1/48
 tagged ethe 1/3/1
!
vlan 20 name Wifi-Traffic by port
 untagged ethe 1/1/1
 tagged ethe 1/3/1
!

In this example, you might have a different router altogether for each subnet, where the management subnet goes to the router via 1/1/48 and the WiFi traffic goes to some router on 1/1/1.

If it was running layer-3 code on Switch B, you would have router ve 10 and router ve 20 to create the SVIs.

You would then attach any ACLs via... Presumably you would filter incoming on the management side or outgoing from the WiFi side.

interface ve 10
 ip access-group NAME in

or

interface ve 20
 ip access-group NAME out
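Putting the thread together, here is a complete single-switch configuration in ICX 08.0.80+ syntax for the setup Sean described: two AP ports with management untagged on VLAN 10, one SSID tagged on VLAN 20, the gateway router on the management VLAN, and an inbound ACL on the Wi-Fi SVI that keeps clients out of the management subnet (AP web UI and SSH included) and off the switch's own services while leaving Internet access alone. This is an added example, not from any post above or from Ruckus documentation, and it assumes the switch runs the routing (layer-3) image. The port numbers, VLAN IDs, subnets 10.0.10.0/24 and 10.0.20.0/24, the router address 10.0.10.254, and a combined DNS/DHCP server at 10.0.10.53 are all assumptions.

```text
! Management VLAN: Unleashed sends AP management traffic untagged, so VLAN 10 is
! the untagged VLAN on both AP ports. On code older than 08.0.80 use
! "tagged ethe 1/1/1 to 1/1/2" here plus "dual-mode 10" under each interface.
vlan 10 name Management by port
 untagged ethe 1/1/1 to 1/1/2 ethe 1/1/48
 router-interface ve 10
!
! Client VLAN: the SSID's Advanced option "Access VLAN" is set to 20.
! Tagged only; the AP never needs it untagged.
vlan 20 name Wifi-Clients by port
 tagged ethe 1/1/1 to 1/1/2
 router-interface ve 20
!
! Clients enter the switch on VLAN 20, so the filter goes inbound on ve 20.
! ICX ACLs are first-match, so the permits for services clients legitimately
! need from the management subnet come before the deny.
ip access-list extended WIFI-IN
! DNS, and unicast DHCP renewals, to the server in the management subnet (assumed address)
 permit udp any host 10.0.10.53 eq 53
 permit udp any host 10.0.10.53 eq 67
! Everything else in the management subnet: AP UI/SSH, switch ve 10, router UI
 deny ip any 10.0.10.0 0.0.0.255
! The switch answers SSH/HTTPS/SNMP on its VLAN 20 address too; keep ICMP so
! clients can still ping their gateway
 deny tcp any host 10.0.20.1
 deny udp any host 10.0.20.1
! Internet and anything else
 permit ip any any
!
interface ve 10
 ip address 10.0.10.1 255.255.255.0
!
interface ve 20
 ip address 10.0.20.1 255.255.255.0
! Relay client DHCP broadcasts to the management-subnet server (assumed address);
! relayed packets are sourced by the switch, so the ACL does not block them
 ip helper-address 1 10.0.10.53
 ip access-group WIFI-IN in
!
! Default route to the gateway router. The router needs a static route for
! 10.0.20.0/24 via 10.0.10.1 so return traffic can find the Wi-Fi subnet.
ip route 0.0.0.0 0.0.0.0 10.0.10.254
```

Two points worth checking after applying it. First, `show vlan` should list 1/1/1 and 1/1/2 as untagged members of VLAN 10 and tagged members of VLAN 20 only; the ACL only filters routed traffic, so the layer-2 separation on the AP port is what actually keeps clients away from the AP's management address. Second, a client on the SSID should be able to resolve names and browse, but `ssh` or a browser to the AP's 10.0.10.x address and to 10.0.20.1 should time out. FastIron can also bind a standard ACL directly to its management services (`ssh access-group`, `web access-group`) as a second layer; check the release notes for your code version.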