
I have multiple access points. Every AP has two configured SSIDs: one for client devices (open) and one for some utility devices that will be used by client devices (secured). I would like the utility devices not to be directly discoverable by client devices, hence the SSID separation. Also, every SSID is assigned to a VLAN (assume 10 and 20). Every AP is connected to a switch which is also connected to a router for Internet access. Every switch port with an AP connected is configured as a trunk port since tagged traffic for multiple VLANs will transit via this port. I also have a server that I would like to act as a proxy for part of the traffic between client devices and utility devices. If my understanding is correct, this server should be connected to the switch and configured to be part of the two VLANs. I have the following questions:

  1. I would like every VLAN to have its own IP addressing (e.g. 192.168.10.1/24 for VLAN 10 and 192.168.20.1/24 for VLAN 20). Where should it be configured? Can the router (which also is a DHCP server) provide the addresses for the VLANs?

  2. Should the switch port on which the server is connected be in trunking mode?

Of course, if you think anything looks wrong and is not a "best practice" way to solve my problem, please advise.

The AP model is Aruba Instant. The switch is an HP 2530. The router is currently a home router that I use for the tests.

manash

1 Answer


The HP 2530 is a layer 2 switch that doesn't support routing. Your "home" router likely doesn't support multiple VLAN interfaces.

In this scenario, the only thing you can do is configure the server as a router. To do so would require 3 interfaces and that the server is configured as a DHCP server.

One interface would connect to the router for internet connectivity. The other two interfaces would connect to separate switch ports. One port would be configured on one VLAN (non-tagging), and the other port on the other VLAN (non-tagging). Alternatively, if your server supports it and is configured properly you could combine the two-port requirement for each VLAN into a single port using a trunk port on the switch.

The server would be configured as the default gateway on each subnet and would act as a DHCP server, assigning appropriate addresses on each subnet.

I'd recommend checking out VyOS if you need a simple router platform you can install on your server. Use ACL rules on your "router" to act as a firewall as needed.

Appleoddity
  • Do you mean that in a real configuration, if the router supports VLANs, you would recommend a different solution? I also wonder if all the traffic coming from clients or utility devices will transit via this server? If yes, isn't it an issue? Are regular servers used for that purpose? – manash Apr 17 '18 at 05:49
  • Using a server as a router/firewall is a waste of hardware, but it’s certainly capable of doing it. All traffic will go through the server. There isn’t any connection directly between the switch and router. – Appleoddity Apr 17 '18 at 12:09
  • Actually, I only have one interface on the server therefore traffic for the 3 "logical" interfaces will flow through this physical interface which is connected to the switch. Any issue with that? – manash Apr 20 '18 at 05:12
  • As long as the port is in trunk mode and you have defined the 3 virtual interfaces on the server using each VLAN ID. – Appleoddity Apr 20 '18 at 11:53
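The design the thread ends up with is a single-NIC "router on a stick": one physical server port on a tagged switch port, three 802.1Q sub-interfaces (client VLAN, utility VLAN, uplink to the home router), the server as default gateway and DHCP server of both subnets, and firewall rules on the server. The script below is an added example, not code from the thread or from VyOS; it is the plain-Linux equivalent of the VyOS setup the answer recommends, using iproute2, dnsmasq and nftables. Everything not on the page is an assumption and is marked as such in the comments: the NIC is `eth0`, the uplink to the home router rides on VLAN 30, the home router hands the server an address by DHCP on that VLAN, and the proxy listens on TCP 8080 on the VLAN 10 side. The security point it makes explicit: once the same box routes both subnets, the SSID/VLAN split by itself no longer hides the utility devices, so the forward chain deliberately has no rule between the two VLANs and the only path from a client to a utility device is through the proxy running on the server.

```shell
#!/bin/sh
# Added example, not from the original thread: the one-NIC "router on a stick"
# the comments end up with, done with iproute2, dnsmasq and nftables instead of
# VyOS. Assumed (not on the page): the NIC is eth0, the link towards the home
# router rides on VLAN 30, and the proxy listens on TCP 8080 on the VLAN 10 side.
set -eu

NIC="${NIC:-eth0}"     # physical NIC on the switch's 802.1Q tagged port (assumed name)
CLIENT_VID=10; CLIENT_GW=192.168.10.1/24   # open SSID, VLAN 10
UTIL_VID=20;   UTIL_GW=192.168.20.1/24     # secured SSID, VLAN 20
UPLINK_VID=30                              # assumed VLAN carrying the home-router uplink
PROXY_PORT=8080                            # assumed listening port of the proxy service

# Kernel name of the 802.1Q sub-interface for a VLAN ID, e.g. "eth0.10".
vlan_iface() { printf '%s.%s\n' "$NIC" "$1"; }

# iproute2 commands that create the three virtual interfaces on the single NIC.
# Rendered as text so the plan can be reviewed (and tested) without root.
render_iface_cmds() {
  cat <<EOF
ip link set $NIC up
ip link add link $NIC name $(vlan_iface "$CLIENT_VID") type vlan id $CLIENT_VID
ip link add link $NIC name $(vlan_iface "$UTIL_VID") type vlan id $UTIL_VID
ip link add link $NIC name $(vlan_iface "$UPLINK_VID") type vlan id $UPLINK_VID
ip addr add $CLIENT_GW dev $(vlan_iface "$CLIENT_VID")
ip addr add $UTIL_GW dev $(vlan_iface "$UTIL_VID")
ip link set $(vlan_iface "$CLIENT_VID") up
ip link set $(vlan_iface "$UTIL_VID") up
ip link set $(vlan_iface "$UPLINK_VID") up
dhclient $(vlan_iface "$UPLINK_VID")
sysctl -w net.ipv4.ip_forward=1
EOF
}

# dnsmasq: one DHCP scope per VLAN. dnsmasq selects the scope from the address
# of the interface a request arrives on and advertises that address as the
# default gateway, so the server is the router of each subnet, as the answer says.
render_dnsmasq_conf() {
  cat <<EOF
interface=$(vlan_iface "$CLIENT_VID")
interface=$(vlan_iface "$UTIL_VID")
bind-interfaces
dhcp-range=192.168.10.100,192.168.10.200,12h
dhcp-range=192.168.20.100,192.168.20.200,12h
EOF
}

# nftables policy. The forward chain has no rule between the client VLAN and the
# utility VLAN, so the only path from a client to a utility device is the proxy
# on the server itself; that is what keeps the devices hidden once one box
# routes both subnets.
render_nft_ruleset() {
  CL=$(vlan_iface "$CLIENT_VID"); UT=$(vlan_iface "$UTIL_VID"); UP=$(vlan_iface "$UPLINK_VID")
  cat <<EOF
flush ruleset
table inet vlanfw {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    iifname "$CL" udp dport { 53, 67 } accept      # DHCP and DNS for clients
    iifname "$UT" udp dport { 53, 67 } accept      # DHCP and DNS for utility devices
    iifname "$CL" tcp dport $PROXY_PORT accept     # clients reach the proxy, nothing else
    iifname "$UP" udp sport 67 udp dport 68 accept # DHCP offers from the home router
    # add an ssh rule for the VLAN you manage the server from
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "$CL" oifname "$UP" accept             # clients to the Internet
    iifname "$UT" oifname "$UP" accept             # utility devices to the Internet
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$UP" masquerade                       # both subnets behind the uplink address
  }
}
EOF
}

# Apply everything; needs root and the iproute2, dnsmasq and nftables packages.
apply() {
  [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
  render_iface_cmds | sh -e
  render_dnsmasq_conf > /etc/dnsmasq.d/vlans.conf
  systemctl restart dnsmasq
  render_nft_ruleset > /etc/nftables.conf
  nft -f /etc/nftables.conf
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

Run it without arguments to print nothing and just define the functions (`render_nft_ruleset` shows the policy for review), or as root with `apply` to configure the box. On the switch side, the port facing the server is configured exactly like the AP ports: a tagged member of VLAN 10, VLAN 20 and the uplink VLAN. Note that on the HP 2530 (ProCurve/ArubaOS-Switch) the keyword `trunk` configures link aggregation, not 802.1Q; the "trunk mode" the thread talks about is set with `tagged <port>` under each `vlan` context.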