This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
RUCKUS Self Help |   ASK the Pack
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Ruckus Unleashed VLAN Setup

sean_wallace_i6
New Contributor II

‎11-02-2018 04:22 PM

I am not too savvy on the actual administration of networking devices, so I'm hoping for some advice on how to configure my network securely.

I have a gateway router which connects to a Ruckus ICX switch, which in turn has two Ruckus Unleashed APs connected to it.

Ideally, I'd like to leverage VLANs to segment the network (applying ACLs). My question is, what kind of configuration do I need to implement so that I can manage the APs from a management VLAN, but have the AP clients restricted from accessing the AP console or web UI?

Initially, I thought I'd just be able to assign the switch port to a tagged VLAN and set the AP to use that same VLAN (AP config calls this Access VLAN), but that didn't work. I tried untagged as well, but then I can't reach the AP from the management VLAN.

Any help or advice would be greatly appreciated!
9 REPLIES 9

michael_brado
Esteemed Contributor II

‎11-02-2018 04:44 PM

Sorry Sean, we don't have mutliple VLAN service in Unleashed (yet).  Current design is one flat network, all clients connect to same.
0 Kudos

edward_newman_3
New Contributor III
In response to michael_brado

‎11-02-2018 04:55 PM

Not completely true. SSID can be tagged through Advanced options but the management traffic has to be on a flat network. APs must be on same network and not VLAN tagged.

It would be really good for you to provide Management traffic on VLAN, the same as the Zone Director version (so I know you know how to write such code.....)
0 Kudos

netwizz
Contributor III
In response to michael_brado

‎11-02-2018 09:26 PM

While management traffic is, indeed untagged to the AP, you can place the management traffic where you want it via a native-vlan (aka dual-mode) going out to the AP itself. Between the switches this management VLAN may be carried through various trunks using 802.1q tags via the connected interfaces being TAGGED in the respective VLAN.  The router, gateway, or layer-3 switch would have the default-gateway IP and mask for the management subnet carried by said VLAN.  The mask would simply size that as a directly-connected network local to the the device with the interface or SVI configured with the ip.  I hope that helps.

You can generally place ACLs on layer-3 interfaces, but you have to get the source, destination, protocol, order, and whether it is inbound or outbound correct for the ACLs to work.  This used to be hard for me, but after years of doing it, it's very easy now.
0 Kudos

edward_newman_3
New Contributor III

‎11-02-2018 04:53 PM

Had to just set this up myself. I wanted APs on a management VLAN but the actual Wifi networks on separate secure VLANs.

Unleashed does not allow Management IP to be on a VLAN (unlike Zone Director / non-Unleashed version) but it does allow Wifi SSID to be assigned to specific VLANs. So configuration I used was to have a trunk port to the Ruckus AP from the switch. However it needs to be configured so the untagged traffic (from the AP) is tagged to your management VLAN and then the SSID VLANs as members. On Juniper switches this is called native-tagging. Exact configuration depends on your switch vendor.

You can then used Advanced options to define the specific VLAN tags for each SSID network.

There is no option to configure tagging for the AP management traffic within Unleashed (Ruckus Support - this would be a REALLY good option).

Hope this helps.
0 Kudos
Copyright © 2024 Khoros, LLC