Send dhcp-users mailing list submissions to dhcp-users@lists.isc.org
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.isc.org/mailman/listinfo/dhcp-users
or, via email, send a message with subject or body 'help' to
dhcp-users-requ...@lists.isc.org

You can reach the person managing the list at
dhcp-users-ow...@lists.isc.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of dhcp-users digest..."

Today's Topics:

   1. guest network using tagged VLANs (Steve Sapovits)
   2. Re: guest network using tagged VLANs (Rudy Zijlstra)
   3. Re: guest network using tagged VLANs (Steve Sapovits)
   4. Re: guest network using tagged VLANs (Rudy Zijlstra)
   5. Re: guest network using tagged VLANs (Steve Sapovits)

----------------------------------------------------------------------

Message: 1
Date: Sun, 12 Jan 2020 16:44:36 -0500
From: Steve Sapovits <steve...@comcast.net>
To: dhcp-users@lists.isc.org
Subject: guest network using tagged VLANs
Message-ID: <6978347e-cfdd-3bcf-d51c-ed5637757...@comcast.net>
Content-Type: text/plain; charset=utf-8; format=flowed

I'm wondering if this is possible ... I can't seem to find anything that really matches.

Suppose I have a wireless access point (WAP) configured just as an AP -- no router or DHCP functionality enabled on the WiFi device.

WAP is connected to a switch with two tagged VLANs.

Switch is connected to machine running ISC DHCP. Connection is from a switch port assigned to both VLANS.

In the ISC DHCP configuration for the VLAN subnet, some rules (for example MAC address) are used to assign an address from one of the two VLAN subnets. For example, known MAC addresses get IPs from VLAN1. Unknown MAC addresses get IP addresses from VLAN2.

Since different interfaces are specified as subnets in the DHCP configuration, I don't see that I can specify one set of rules for the combined (trunk) VLAN. So what I'd end up with is two subnet specifications where a client address may come from either the same subnet or from the other VLAN subnet.
Having an address range from a different subnet alone seems like it might not work (configuration might be rejected). Beyond that, would it then even work ...

I don't really have everything needed to actually test this, which is why I ask.

--
Steve Sapovits
steve...@comcast.net

------------------------------

Message: 2
Date: Sun, 12 Jan 2020 22:54:49 +0100
From: Rudy Zijlstra <r...@grumpydevil.homelinux.org>
To: dhcp-users@lists.isc.org
Subject: Re: guest network using tagged VLANs
Message-ID: <70d9ff08-2442-5669-d289-1bbec2506...@grumpydevil.homelinux.org>
Content-Type: text/plain; charset=utf-8

On 12/01/2020 22.44, Steve Sapovits wrote:
>
> I'm wondering if this is possible ... I can't seem to find anything
> that really matches.
>
> Suppose I have a wireless access point (WAP) configured just as an AP
> -- no router or DHCP functionality enabled on the WiFi device.
>
> WAP is connected to a switch with two tagged VLANs.
>
> Switch is connected to machine running ISC DHCP. Connection is from
> a switch port assigned to both VLANS.
>
> In the ISC DHCP configuration for the VLAN subnet, some rules (for
> example MAC address) are used to assign an address from one of the two
> VLAN subnets. For example, known MAC addresses get IPs from VLAN1.
> Unknown MAC addresses get IP addresses from VLAN2.
>
> Since different interfaces are specified as subnets in the DHCP
> configuration, I don't see that I can specify one set of rules for the
> combined (trunk) VLAN. So what I'd end up with is two subnet
> specifications where a client address may come from either the same
> subnet or from the other VLAN subnet. Having an address range from a
> different subnet alone seems like it might not work (configuration
> might be rejected). Beyond that, would it then even work ...
>
> I don't really have everything needed to actually test this, which is
> why I ask.

You can solve this on condition that the WAP itself is VLAN aware and then use 2 SSIDs.
One assigned to your normal VLAN and the second to the guest VLAN.

On the DHCP server you then have no problem, as each of the VLANs can have its own subnet definition.

Cheers

Rudy

------------------------------

Message: 3
Date: Sun, 12 Jan 2020 17:15:30 -0500
From: Steve Sapovits <steve...@comcast.net>
To: Users of ISC DHCP <dhcp-users@lists.isc.org>, Rudy Zijlstra <r...@grumpydevil.homelinux.org>
Subject: Re: guest network using tagged VLANs
Message-ID: <f7019588-cdf3-f702-7039-7a3e8379e...@comcast.net>
Content-Type: text/plain; charset=utf-8; format=flowed

On 1/12/2020 4:54 PM, Rudy Zijlstra wrote:
>
> On 12/01/2020 22.44, Steve Sapovits wrote:
>> I'm wondering if this is possible ... I can't seem to find anything
>> that really matches.
>>
>> Suppose I have a wireless access point (WAP) configured just as an AP
>> -- no router or DHCP functionality enabled on the WiFi device.
>>
>> WAP is connected to a switch with two tagged VLANs.
>>
>> Switch is connected to machine running ISC DHCP. Connection is from
>> a switch port assigned to both VLANS.
>>
>> In the ISC DHCP configuration for the VLAN subnet, some rules (for
>> example MAC address) are used to assign an address from one of the two
>> VLAN subnets. For example, known MAC addresses get IPs from VLAN1.
>> Unknown MAC addresses get IP addresses from VLAN2.
>>
>> Since different interfaces are specified as subnets in the DHCP
>> configuration, I don't see that I can specify one set of rules for the
>> combined (trunk) VLAN. So what I'd end up with is two subnet
>> specifications where a client address may come from either the same
>> subnet or from the other VLAN subnet. Having an address range from a
>> different subnet alone seems like it might not work (configuration
>> might be rejected). Beyond that, would it then even work ...
>>
>> I don't really have everything needed to actually test this, which is
>> why I ask.
> You can solve this on condition that the WAP itself is VLAN aware and
> then use 2 SSIDs. One assigned to your normal VLAN and the second to the
> guest VLAN.
>
> On the DHCP server you then have no problem, as each of the VLANs can
> have its own subnet definition.

Reading some networking forums, it sounds like not all WAP devices retain guest separation if they're not in full router mode.

So, assuming a WAP that can't do the VLAN separation, is there a way to make the guest separation on the ISC DHCP side?

--
Steve Sapovits
steve...@comcast.net

------------------------------

Message: 4
Date: Sun, 12 Jan 2020 23:20:11 +0100
From: Rudy Zijlstra <r...@grumpydevil.homelinux.org>
To: Steve Sapovits <steve...@comcast.net>, Users of ISC DHCP <dhcp-users@lists.isc.org>
Subject: Re: guest network using tagged VLANs
Message-ID: <56302c96-f2b4-ff18-d366-13e0bda02...@grumpydevil.homelinux.org>
Content-Type: text/plain; charset=utf-8

On 12/01/2020 23.15, Steve Sapovits wrote:
>
>> On the DHCP server you then have no problem, as each of the VLANs can
>> have its own subnet definition.
>
>
> Reading some networking forums, it sounds like not all WAP devices
> retain guest separation if they're not in full router mode.
>
> So, assuming a WAP that can't do the VLAN separation, is there a way
> to make the guest separation on the ISC DHCP side?
>
>

When the WAP does not support VLAN separation, I think it already fails at the switch. How would the switch be able to differentiate? The switch will always tag an untagged packet to the same VLAN.
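
Added example, not part of the original thread: a minimal `dhcpd.conf` for the layout described in Message 2, where each VLAN has its own subnet definition, combined with the known/unknown client split from Message 1. The VLAN IDs, interface names, address ranges and the host entry are constructed assumptions.

```conf
# Constructed example: all names, VLAN IDs and addresses are assumptions.
# Assumes the server NIC carries both tagged VLANs as sub-interfaces
# (for example eth0.10 and eth0.20), each holding an address in its own
# subnet, and that the VLAN-aware WAP maps one SSID to each VLAN.
# Check syntax with: dhcpd -t -cf <this file>

authoritative;
default-lease-time 3600;
max-lease-time 7200;

# Clients with a host declaration count as "known" to dhcpd.
host known-laptop {
    hardware ethernet 02:00:00:aa:bb:01;   # constructed MAC address
}

# VLAN 10: normal SSID. Only known clients get a lease here.
subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers 192.168.10.1;
    option domain-name-servers 192.168.10.1;
    pool {
        range 192.168.10.100 192.168.10.199;
        deny unknown-clients;
    }
}

# VLAN 20: guest SSID. Any client may get a lease, with shorter lease times.
subnet 192.168.20.0 netmask 255.255.255.0 {
    option routers 192.168.20.1;
    option domain-name-servers 192.168.20.1;
    default-lease-time 1800;
    max-lease-time 3600;
    pool {
        range 192.168.20.100 192.168.20.199;
    }
}
```

The `deny unknown-clients` rule only decides which clients are offered a lease from the normal pool; the separation between guest and normal traffic comes from the two VLANs and whatever filtering sits between them.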
------------------------------

Message: 5
Date: Sun, 12 Jan 2020 17:56:56 -0500
From: Steve Sapovits <steve...@comcast.net>
To: Rudy Zijlstra <r...@grumpydevil.homelinux.org>, Users of ISC DHCP <dhcp-users@lists.isc.org>
Subject: Re: guest network using tagged VLANs
Message-ID: <75db42f9-fbe7-7705-0a9a-6f00f2e6d...@comcast.net>
Content-Type: text/plain; charset=utf-8; format=flowed

On 1/12/2020 5:20 PM, Rudy Zijlstra wrote:
>
> On 12/01/2020 23.15, Steve Sapovits wrote:
>>> On the DHCP server you then have no problem, as each of the VLANs can
>>> have its own subnet definition.
>>
>> Reading some networking forums, it sounds like not all WAP devices
>> retain guest separation if they're not in full router mode.
>>
>> So, assuming a WAP that can't do the VLAN separation, is there a way
>> to make the guest separation on the ISC DHCP side?
>>
>>
> When the WAP does not support VLAN separation, I think it already fails
> at the switch. How would the switch be able to differentiate? The switch
> will always tag an untagged packet to the same VLAN.

You would use a switch that allows a single port to be assigned to both VLANs, then run that cable to a NIC on the DHCP server. Then configure the DHCP server to listen on both VLAN subnets.

From my understanding of DHCP, that should be enough for the client to discover the DHCP server to start the transaction. So it would seem to come down to whether ISC DHCP can return an address that's outside of the subnet it's listening on.

My understanding is that a trunk port (one assigned to all VLANs) assigns the right VLAN ID to any untagged packets. So the right VLAN ID should be added once the client gets its IP address and that flows back to the trunk port on the VLAN switch.

Caveat here is I'm really not an expert ...
--
Steve Sapovits
steve...@comcast.net

------------------------------

Subject: Digest Footer

_______________________________________________
dhcp-users mailing list
dhcp-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/dhcp-users

------------------------------

End of dhcp-users Digest, Vol 135, Issue 3
******************************************