Segregate wireless clients to VLAN and Option 82 DHCP

  • Question
  • Updated 2 months ago
I have been having issues lately running out of IP addresses on my Windows Server 2012R2 DC because the wireless mobile devices are just too numerous. I would like to get all of the wireless traffic onto its own VLAN and use Option 82 so that my DHCP server will hand out IP addresses to the clients from a pool created specifically for the new VLAN. My current network is as follows.

VLAN 1 Default: 192.168.2.x/24
VLAN 10 Voice VLAN 10.10.10.x/24 (this is for my VoIP Phones/Devices)
VLAN 20 WLAN 10.10.20.x/24 (I created this VLAN specifically to use with the wireless network)

I have HP Procurve L3 switches that I have created all the VLANs on.
I also have a Sonicwall firewall UTP that I created a virtual interface on using 10.10.20.251 as the IP address for VLAN 20 and bound that to the LAN interface.

I attempted to read through the admin guide and configure the Zone Director 1100 but just could not get any further for some reason, as I am not sure exactly what the settings on the ZD1100 should be or what ports need to be tagged/untagged on the switches in order for this all to function correctly. Would someone be willing to walk me through this a little deeper so that I can get this working? I have set up the DHCP scope policy to use Relay Agent Information and enumerated the MAC addresses of the APs. Should I also enumerate the ZD1100 MAC address too? Thank you for any and all assistance.
Michael Mayo

Posted 3 months ago

brian koomen

I would be interested in doing this as well.  I am trying to set this up to put all my WIFI traffic on another IP subnet for reporting and isolation purposes.
Tim Morton

Hi Michael,

First off, how many wireless devices are you talking about? 100? 200? 500?

Secondly, let your VLAN on your HP switch do the work for you. You are using other interfaces on your SonicWall so I am assuming that your SonicWall is doing the routing on your network. Depending on your ProCurve switch and your SonicWall model, I would recommend that you let the ProCurve do the routing - that will take the pressure/load off of the SW and make things easier on your network (just my opinion).

On the ProCurve, use UNTAGGED for the ports that the APs and the ZD are plugged into (ie AP 1, 2 and 3 are plugged into switch ports 10,11,2 - untagged 10-12)

Then make sure that you use TAGGED on any switch uplink ports (ie switch 2 is plugged into switch 1 port 48 - tagged 48)

One more item for you - use the IP HELPER command on your ProCurve VLAN (ip helper-address 192.168.2.x - where your server address is X)

On your Windows DHCP server, create your scope. If you will have more than 240 wireless devices using the same SSID, consider creating a larger network. Use a /23 instead of /24. I use 240 as a number so in case you need room to grow, you can do the work now or have to redo some things later.

On your ZoneDirector, you can just leave the VLAN tagging options as default since you will have already put the APs and ZD on their own VLAN by untagging the port.

Why are you using the DHCP address policies (option 82)? That's just a complication... KISS :) Let the ProCurve ip helper take care of things...

I almost forgot... On your DHCP server, add SERVER option 43 and put the IP address of your ZD in there. That way, if you decide to put your ZD on another VLAN, the APs will know where to find it.

Let me know if you have more questions and how this works out for you!

Tim
Global CTI
Ruckus, ProCurve and Microsoft Certified
Michael Mayo

Tim,

Do I configure the ZD and APs on the 10.10.20.x subnet? I am not familiar with Option 43 and will have to research that one. If I don't use Option 82 how does the DHCP server know to give out addresses to the wireless clients in the 10.10.20.x subnet that I set up for this purpose? I probably will have less than 100 clients at any given time so no need to increase the size of the VLAN subnet. What should the ZD1100 Access VLAN settings be? Thanks for your assistance.

I have the following HP Switches
3 HP 2910al-48G-PoE Switch
1 HP Switch 3500yl-24G-PoE+
1 HP 2920-48G-POE+ Switch
Sonicwall is a NSA 2600
ZD1100
2 R500 AP's
1 7962 AP
1 Staff WLAN
1 Guest WLAN
Michael Mayo

Hey Tim, are you still following this? I have been banging my head against the wall since last week trying to get this working.
Tim Morton

Hi Michael,

Sorry for my delayed response... My Ruckus emails were getting caught in the SPAM filter.

You can put the ZD and the AP's on the same VLAN or they can be on different VLANS. That is the reason for DHCP option 43; it tells the AP's where to find the ZD.

As for your other DHCP question, when you use VLANS and the ip helper-address command together, DHCP is smart enough to know what address pool to use. I use VLANS in almost 99% of all environments and have never had to use option 82.

If you are using a single wireless VLAN, then I would put the AP and the ZD on the same one (ie VLAN 30). They would both be UNTAGGED on their own ports.

If you use 2 VLANS (ie one for typical WIFI access and another for guest access) you can put the ZD and the AP's on VLAN 30 (UNTAGGED on those ports) and then create another VLAN, such as 31, and then use the TAGGED command on the AP port so that the ports pass VLAN 30 as the default VLAN and VLAN 31 as a "passthrough". The main SSID will keep the default VLAN ID in the ZD (1) and then for the guest SSID you will change the VLAN ID to 31.
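
Added example (not part of any post in this thread): a Python sketch of the standard relay behaviour discussed above, where the relay stamps its VLAN interface address into the `giaddr` field and the server picks the scope containing it, with option 82 as optional extra data. The scope names and the `build_discover` helper are assumptions made for illustration; the subnets are the ones listed in the question.

```python
import ipaddress
import struct

# Scopes from the thread's addressing plan; scope names are made up for this example.
SCOPES = {
    "default-vlan1": ipaddress.ip_network("192.168.2.0/24"),
    "voice-vlan10": ipaddress.ip_network("10.10.10.0/24"),
    "wlan-vlan20": ipaddress.ip_network("10.10.20.0/24"),
}
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def build_discover(mac: bytes, giaddr: str, options: bytes = b"") -> bytes:
    """Build a constructed DHCPDISCOVER as a relay would forward it (sample input)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 1, 0x1234ABCD, 0, 0,         # op, htype, hlen, hops, xid, secs, flags
        bytes(4), bytes(4), bytes(4),         # ciaddr, yiaddr, siaddr
        ipaddress.ip_address(giaddr).packed,  # giaddr: stamped by the relay
        mac, b"", b"")                        # chaddr, sname, file (zero padded)
    return header + MAGIC_COOKIE + b"\x35\x01\x01" + options + b"\xff"


def parse_relay_info(packet: bytes):
    """Return (giaddr, {option-82 sub-option code: value}) from a raw DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    giaddr = ipaddress.ip_address(packet[24:28])
    opt82, i = {}, 240
    while i < len(packet) and packet[i] != 0xFF:
        if packet[i] == 0:  # pad option carries no length byte
            i += 1
            continue
        if i + 2 > len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("truncated option")
        code, value = packet[i], packet[i + 2:i + 2 + packet[i + 1]]
        if code == 82:  # walk the sub-option TLVs (1 = circuit ID, 2 = remote ID)
            j = 0
            while j + 2 <= len(value):
                opt82[value[j]] = value[j + 2:j + 2 + value[j + 1]]
                j += 2 + value[j + 1]
        i += 2 + len(value)
    return giaddr, opt82


def select_scope(packet: bytes):
    """Pick the scope whose subnet contains giaddr; None if unrelayed or unmatched."""
    giaddr, _ = parse_relay_info(packet)
    return next((n for n, net in SCOPES.items() if giaddr in net), None)
```

A packet built with `giaddr` 10.10.20.1 (an assumed address for the switch's VLAN 20 interface) selects `wlan-vlan20` whether or not option 82 is present, while a `giaddr` of 0.0.0.0 (an unrelayed broadcast) matches no scope here.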
brian koomen

You mention in previous post to add IP address of the ZD to the server option #43.  Option #43 on windows DHCP is "vendor specific info".  No place to put an IP address in that option.  Can you clarify?  Thanks.
Tim Morton

On the left hand side (ASCII) put in the IP address of the Zone Director


 
brian koomen

Thanks for the screen shot.