vSZ-D Tunnelling WLAN with VLAN Tag: What am I missing?

  • Question
  • Updated 1 month ago
  • Answered
The problem is that when I create a WLAN and tag it with DATA VLAN ID 234 (I used "Tunnel WLAN traffic to the controller"), my client can't get an IP address from the DATA VLAN. Trying it with static IP address assignment, my device still can't ping my DATA VLAN gateway 10.26.0.1.
I have looked around the configuration and it is still not working. What am I missing?
vSZ-H version 3.5.1.0.862
vSZ-D version 3.5.1.0.862
AP: R700
Router: Cisco (DHCP server and gateway)
Switch: Juniper

Virtual:
vSZ-D data interface IP 10.26.0.5
vSZ-D MGMT interface IP 10.1.115.16
vSZ-H MGMT interface IP 10.1.115.15

AP IP 10.1.115.17
All ports trunk.
My Topology

Lasha Chavleshvili


Posted 1 year ago


Michael Brado, Official Rep

Hi Lasha,

   I can see/understand your diagram, but it appears you are missing some things.

In VMware, you need to setup a new port group for the DataPlane.  You need to make this port
a trunk by allowing all VLANs.  Enable Promiscuous mode and then, since you are running a
vSwitch, you need to go to the vSZ-D Console, and configure the data interface to tag the data
VLAN for it.

The Client WLAN VLAN should be different than the data VLAN from the data interface.  You don't
want your client having access to that VLAN I'd assume.

To recap:

1 - Create a new port group with all VLANs allowed and promiscuous mode set to Accept in the Security tab.
2 - Console to the vSZ-D and go to configure, interface data, VLAN 234 to tag the data interface VLAN.
3 - Create a new VLAN for the clients and then configure that on the AP so that they get their IPs from there.  The vSZ-D data interface VLAN and the client access VLAN should never be the same (not that they can't).
4 - Ensure the switch port allows the newly created client VLAN.
5 - Ensure DHCP is set for the new VLAN, not VLAN 234, as that is the VLAN of the vSZ-D data interface.
6 - Ensure the AP can talk to the vSZ-D data interface and the control interface.

For reference, from the AP to the vSZ-D data interface, by default, you should allow port 23233 on both TCP and UDP.
From the AP to the control plane, you need ports 22 and 443, and any other port you may require for captive portals; see the firewall configuration guide on our support site under the Best Practice Documents section.
https://support.ruckuswireless.com/products/116-bpg_smartzone 

I hope this helps.

Rafael Rocha

Michael, can you explain better how to make the data interface a trunk port?
I was only able to "tag" one VLAN on it, with the command vlan "X".

heyBud

This post helped me figure out the vSZ-D configuration.  My APs have established GRE tunnels back to the data plane.  Thanks!

I will say that the APs did not establish the GRE tunnel until after a WLAN configured for tunnelling was put in place.

Rafael Rocha

Thank you Michael, this should be in the documentation, very helpful!
Can you clarify? I am not able to make the data interface of my vSZ-D a trunk port... I can only "tag" one VLAN with the command vlan "X", and that is it. I tried different syntax but it did not work....
So, how can I have different SSIDs with different VLAN pools, and have them enter the data interface of my DP?
I understand that I should have my vNIC as a trunk port, but I do not understand how to make the data interface a trunk port.
 
Here is my config of it:
data iface:
name: pow0
vlan: 0
proto: static
addr: 192.168.1.117
netmask: 255.255.255.0
gateway: 192.168.1.1


Harald Thomas

Hi Rafael,

On the VMware host you can use different port groups depending on your license.
The normal vSwitch can handle:
  • untagged (whatever comes untagged on the physical NIC(s) comes untagged to the VM)
  • tagged (the network with the selected VLAN tag comes tagged on the physical NIC(s) and will be an access port in that VLAN towards the VM; tagged outside of the VM is turned into access facing the VM)
  • 4095 (replication of all VLANs from the physical NIC(s) to the VM; untagged stays untagged, tagged stays tagged; no selection possible)
On a distributed vSwitch (Enterprise Plus license only) you have an additional feature:
  • selective VLANs (you can select multiple VLANs to be delivered to the VM, all of which will be tagged)
For the vSZ-D to access multiple VLANs for multiple SSIDs you need 4095 or selective VLANs.
AND on the port group all security options (promiscuous mode, etc.) must be set to "Accept".

Now the vSZ-D part:
On the data interface only the VLAN/IP for the APs to connect to has to be configured. Depending on your configuration you need to specify a VLAN for the interface.
All other VLANs are configured in the SSID configuration.

cheers,
Harald

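The checks below encode the rules from Michael's recap and Harald's VLAN notes as a small design linter. This is an added example written for this page, not Ruckus or VMware code; the data model (PortGroup, DataIface, Wlan, DhcpScope) and its field names are assumptions made here, and the scenarios are constructed from the posts above (vSZ-D data VLAN 234 on 10.26.0.5/24 with gateway 10.26.0.1; Rafael's untagged data interface on 192.168.1.117/24).

```python
"""Design check for a tunnelled-WLAN vSZ-D deployment on a VMware vSwitch.

Added example for this thread, not Ruckus or VMware code. The data model
(PortGroup, DataIface, Wlan, DhcpScope) is an assumption made here for
illustration; the sample values are constructed from the posts above.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface

TRUNK_ALL = 4095           # standard vSwitch port group ID that passes every VLAN, tags intact
DP_TUNNEL_PORT = 23233     # AP -> vSZ-D data interface, TCP and UDP (default per the thread)
CONTROL_PORTS = (22, 443)  # AP -> vSZ-H control interface (captive-portal ports are extra)


@dataclass
class PortGroup:
    name: str
    vlan_id: int             # 0 = untagged, 1..4094 = one access VLAN, 4095 = all VLANs tagged
    promiscuous: bool = False
    forged_transmits: bool = False
    mac_changes: bool = False


@dataclass
class DataIface:             # what the vSZ-D console shows under "interface data"
    vlan: int                # 0 = untagged; otherwise the tag set with "vlan <X>"
    addr: str                # e.g. "10.26.0.5/24"
    gateway: str


@dataclass
class Wlan:
    ssid: str
    vlan: int
    tunnelled: bool          # "Tunnel WLAN traffic to the controller"


@dataclass
class DhcpScope:
    vlan: int
    network: str


def check_design(pg, data, wlans, scopes):
    """Return a list of findings; an empty list means the thread's rules all hold."""
    findings = []
    client_vlans = sorted({w.vlan for w in wlans if w.tunnelled})

    # Recap step 1: tagged client VLANs only reach the DP through a 4095 (or dvSwitch range) port group.
    if pg.vlan_id != TRUNK_ALL:
        findings.append(f"port group {pg.name}: VLAN ID {pg.vlan_id} is not 4095, so tagged "
                        f"client VLANs {client_vlans} cannot reach the vSZ-D data interface")
    if not (pg.promiscuous and pg.forged_transmits and pg.mac_changes):
        findings.append(f"port group {pg.name}: set promiscuous mode, forged transmits and "
                        "MAC changes to Accept")

    # Recap step 2: on a 4095 port group frames keep their tags, so an untagged data interface
    # only receives the upstream trunk's native VLAN (Rafael's "vlan: 0" case).
    if pg.vlan_id == TRUNK_ALL and data.vlan == 0:
        findings.append("data interface: vlan 0 on a 4095 port group; it will only see the "
                        "native VLAN of the upstream trunk, tag it with the data VLAN instead")

    # Recap steps 3 and 5: client VLANs live on the WLAN and must not reuse the data VLAN (Lasha's case).
    for w in wlans:
        if w.tunnelled and w.vlan == data.vlan:
            findings.append(f"WLAN {w.ssid}: client VLAN {w.vlan} equals the vSZ-D data "
                            "interface VLAN; clients would sit on the data-plane segment")

    # Recap step 5: DHCP belongs to the client VLANs; the data interface gateway must be on-link.
    scope_vlans = {s.vlan for s in scopes}
    for v in client_vlans:
        if v not in scope_vlans and v != data.vlan:
            findings.append(f"VLAN {v}: no DHCP scope, tunnelled clients will not get an address")
    iface = ip_interface(data.addr)
    if ip_address(data.gateway) not in iface.network:
        findings.append(f"data interface: gateway {data.gateway} is outside {iface.network}")
    return findings


def required_firewall_rules(ap_ip, dp_data_ip, control_ip):
    """AP-side flows from Michael's recap (defaults only; add captive-portal ports from the BPG)."""
    rules = [(ap_ip, dp_data_ip, proto, DP_TUNNEL_PORT, "AP to vSZ-D data plane")
             for proto in ("tcp", "udp")]
    rules += [(ap_ip, control_ip, "tcp", p, "AP to vSZ-H control plane") for p in CONTROL_PORTS]
    return rules


# Constructed scenarios based on the thread (the port group settings are assumed).
LASHA = dict(
    pg=PortGroup("vSZ-D-Data", TRUNK_ALL, True, True, True),
    data=DataIface(vlan=234, addr="10.26.0.5/24", gateway="10.26.0.1"),
    wlans=[Wlan("staff", vlan=234, tunnelled=True)],       # client VLAN == data VLAN
    scopes=[DhcpScope(234, "10.26.0.0/24")],
)
RAFAEL = dict(
    pg=PortGroup("VM Network", TRUNK_ALL, True, True, True),
    data=DataIface(vlan=0, addr="192.168.1.117/24", gateway="192.168.1.1"),
    wlans=[Wlan("guest", vlan=20, tunnelled=True), Wlan("corp", vlan=30, tunnelled=True)],
    scopes=[DhcpScope(20, "10.20.0.0/24"), DhcpScope(30, "10.30.0.0/24")],
)
FIXED = dict(
    pg=PortGroup("vSZ-D-Data", TRUNK_ALL, True, True, True),
    data=DataIface(vlan=234, addr="10.26.0.5/24", gateway="10.26.0.1"),
    wlans=[Wlan("staff", vlan=240, tunnelled=True)],       # separate client VLAN
    scopes=[DhcpScope(240, "10.27.0.0/24")],
)

if __name__ == "__main__":
    for name, scenario in (("Lasha", LASHA), ("Rafael", RAFAEL), ("fixed", FIXED)):
        print(name, check_design(**scenario) or ["ok"])
    for rule in required_firewall_rules("10.1.115.17", "10.26.0.5", "10.1.115.15"):
        print("allow %s -> %s %s/%d  # %s" % rule)
```

Running it reports the single finding for each of the first two scenarios (client VLAN equal to the data VLAN; untagged data interface behind a 4095 port group) and none for the fixed one, then lists the AP-side allow rules. One caveat worth keeping in mind: a port group with promiscuous mode, forged transmits and MAC changes set to Accept lets the vSZ-D VM see and source every frame on that port group, which is one more reason to give the data plane a dedicated port group and keep client VLANs off the data interface VLAN, as Michael notes.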

Rafael Rocha

Thank you for your answer Harald!
I was able to make it work.
Still, I am having trouble with my tunnelled SSIDs that use the captive portal from the controller.
My guess is that my management port is not tagged correctly, because I can't see how my unauthenticated wireless traffic from the data interface will be intercepted without my controller being my gateway or inline.
Do you have any advice on where I should look? Is there a different configuration in SmartZone pertaining to tunnelled traffic that I should do to make the captive portal work?

Harald Thomas

Hi Rafael,

can you please send the VLAN configuration of the physical switch ports that are connected to the uplinks of your vSwitch, and the configuration of the port groups connected to the management and data interfaces.

cheers,
Harald

Rafael Rocha

Hi Harald, sorry, I can't send it. This configuration was for a client that I helped. The switches were not my responsibility. I only gave instructions and let the client investigate and fix it himself. The last part of the problem was the physical switch missing one VLAN on the connection to the VMware server, and a faulty/broken Ethernet cable.
You could make the ports trunk all VLANs; it should work, you only need to make sure about the native VLAN.



Harald Thomas

Are you using a vSwitch or a distributed vSwitch?


Rafael Rocha

Only a vSwitch was configured on the VMware server host.  I only set promiscuous mode and the other two options in the security settings to Accept (just to be sure) and put the virtual interface on VLAN all (4095). I don't remember what else I did. But it was simple. I just followed what Michael described, and the rest was a network problem.


Harald Thomas

Is everything except the portal working as expected?