CommScope RUCKUS Community Forums

sean_wallace_i6 · ‎11-02-2018

I am not too savvy on the actual administration of networking devices, so I'm hoping for some advice on how to configure my network securely.

I have a gateway router which connects to a Ruckus ICX switch, which in turn has two Ruckus Unleashed APs connected to it.

Ideally, I'd like to leverage VLANs to segment the network (applying ACLs). My question is, what kind of configuration do I need to implement so that I can manage the APs from a management VLAN, but have the AP clients restricted from accessing the AP console or web UI?

Initially, I thought I'd just be able to assign the switch port to a tagged VLAN and set the AP to use that same VLAN (AP config calls this Access VLAN), but that didn't work. I tried untagged as well, but then I can't reach the AP from the management VLAN.

Any help or advice would be greatly appreciated!

edward_newman_3 · ‎11-02-2018

https://support.ruckuswireless.com/articles/000006352

sean_wallace_i6 · ‎11-02-2018

Edward Newman, thank you very much for the information. Just making sure I understand...

Does this sound right?

configure my ICX switch so that both ports that the APs are connected to have dual mode on VLAN 10, and tagged for VLAN 20. Then on the APs, configure the advanced SSID option (Access VLAN) to VLAN 20.

Then any devices in the ICX configured with untagged VLAN 10 will be able to reach the AP UI and SSH services? And the clients connecting to the SSID will have packets tagged for VLAN 20 (and not be able to reach the APs UI/SSH/etc)?

Do I need to do anything special to make sure the AP clients can reach the internet?

edward_newman_3 · ‎11-02-2018

This is really a question for how you are controlling traffic between VLANs. I do this on my firewall not the switch but your mileage may vary. Trunk config sounds right. Whatever is controlling VLAN accessibility should have rules dictating what can be linked from VLAN to VLAN or Internet.

sean_wallace_i6 · ‎11-02-2018

Excellent, this is exactly what I was looking for. I'll give it a shot and see how it goes. I'll be using ACLs to control accessibility, so hopefully it all works out. Thank you very much!

netwizz · ‎11-02-2018

Addressing Edward Newman's "There is no option to configure tagging for the AP management traffic within Unleashed (Ruckus Support - this would be a REALLY good option)"

On the Ruckus/Brocade/Foundry it is like this on the switch side:

VLAN 10 name Management by port
tagged ethe 1/1/1
!
VLAN 20 name Wifi-Traffic by port
tagged ethe 1/1/1
!

interface ethernet 1/1/1
dual-mode 10
!

If you are using 08.0.80 code:

VLAN 10 name Management by port
untagged ethe 1/1/1
!
VLAN 20 name Wifi-Traffic by port
tagged ethe 1/1/1
!

Then you can carry that management VLAN to another switch if you want along with other VLANS by tagging them. In this case from Switch A to Switch B 1/3/1 to 1/3/1

Switch A:

VLAN 10 name Management by port
untagged ethe 1/1/1
tagged ethe 1/3/1
!
VLAN 20 name Wifi-Traffic by port
tagged ethe 1/1/1 ethe 1/3/1
!

Switch B:

VLAN 10 name Management by port
untagged ethe 1/1/48
tagged ethe 1/3/1
!
VLAN 20 name Wifi-Traffic by port
untagged ethe 1/1/1
tagged ethe 1/3/1
!

In this example, you might have a different router all together for each subnet where the management subnet goes to the router via 1/1/48 and the WiFi traffic goes to some router on 1/1/1

If it was running layer-3 code on switch B, you would have router ve 10 and router ve 20 to create the SVIs.

You would then attach any ACLs via... Presumably you would filter incoming to the management side or outgoing from the WiFi side.

interface ve 10
ip access-group NAME in

or

interface ve 20
ip access-group NAME out

CommScope RUCKUS Community Forums

Ruckus Unleashed VLAN Setup