
Author Topic: WIFI vs VLAN  (Read 4644 times)


idscomm (Rookie, Posts: 3)
WIFI vs VLAN
« on: July 08, 2015, 01:25:20 PM »
Hello,

I am still learning and experimenting with VLANs, and here is the issue I am having now. I have a Baystack 5520-24-PWR which supports PoE; the plan is to move my Unifi Access Point to the switch and create VLANs.

Let's say my Network is:
My LAN is in: 192.168.1.X/24
My Trusted WIFI is in: 192.168.55.X/24
My hotspot is in: 192.168.99.X/24

All my networks connect to my Check Point 600 firewall, which is also acting as a router supporting tagged VLANs. My Unifi Access Point IP is 192.168.55.5 and it needs to talk to the controller at 192.168.1.100.

What I did is isolate ports 23-24 of the switch in one strict VLAN (the other VLAN is the default management VLAN, which includes ports 1-22, where my LAN 192.168.1.X devices are connected). I connected the Access Point to port 23 and linked port 24 back to the firewall. I have 2 SSIDs on my Unifi: one is the trusted one in 192.168.55.X (untagged), the other is the hotspot in a VLAN in 192.168.99.X (tagged 99).

Basically I want to let all 192.168.55.X traffic go through and also let 192.168.99.X (VLAN 99) go through; the firewall assigns the IPs.

How can I get this to work? It's a pretty simple configuration...

It seems that only 192.168.55.X or only 192.168.99.X goes through, depending on how I configure my switch, switching between Untag PVID and Tag PVID and playing with the PVID, and I am in strict mode...

Not sure if this is clear enough... Help would be appreciated, and let me know if you need more details. I attached a little drawing just in case; sometimes it's easier to see than read!

Thanks so much!!!

Dom
« Last Edit: July 08, 2015, 05:29:59 PM by idscomm »


Telair (Global Moderator, Hero Member, Posts: 965)
Re: WIFI vs VLAN
« Reply #1 on: July 09, 2015, 04:50:36 PM »
OK, so the switch is just doing L2 VLANs and not routing at all. Your CheckPoint firewall is doing the routing for the VLANs. Let's create some VLAN numbers for what you have given us.

My LAN is in: 192.168.1.X/24 = VLAN 1
My Trusted WIFI is in: 192.168.55.X/24 = VLAN 55
My hotspot is in: 192.168.99.X/24 = VLAN 99

I am thinking VLAN 1 (untagged) on ports 1-22, plus the switch management IP is in this range. VLAN 55 and 99 both tagged on port 23, which then connects to your AP. I am assuming your AP understands the tagged networks. Then port 24 is tagged with VLANs 1, 55 and 99 into your CheckPoint, and the CheckPoint is the default gateway for each VLAN. Typically what I do with APs around here is set them all to tunnel back to the controller and then let the controller deal with which SSID is allowed to the internal networks vs. just being dumped out on the Internet. Then I don't have to deal with different subnets for guests and corporate users. Maybe see if your controller can do something similar?

idscomm (Rookie, Posts: 3)
Re: WIFI vs VLAN
« Reply #2 on: July 10, 2015, 04:21:08 AM »
Thanks for your answer Telair.

No, the switch has no IP assigned to the VLANs, and yes, the Check Point supports tagged VLANs and routes everything. The Check Point is acting as the router and also manages the Internet connection.

OK, so I found a way today to get everything on track. Let me know if it sounds about right and in line with best practice.

I moved my Access Point to my LAN so I don't have to worry about it contacting the controller. They are now on the same network.

I have 2 tagged VLANs, 55 and 99, on the Access Point. Depending on which VLAN people connect to, they get an IP in either 192.168.55.X (VLAN 55) or 192.168.99.X (VLAN 99).

I have 8 ports on my Check Point and I can manage each of them separately if I want, i.e. bridge, VLAN, separate network, etc. Quite handy actually! My switch (port 1) is connected back to the Check Point firewall port 1 (Check Point ports 1-5 are in use by the LAN 192.168.1.x as a regular switch, which gives me fault tolerance for some servers: dual-NIC servers have 1 NIC connected to the Baystack and the other one to the Check Point ports 1-5).

Port 6 on the Check Point is "unassigned", so not in use. I created the 2 VLANs there and linked this one.

On the switch, ports 1-23 are VLAN 1 (management/default), untagged, so basically all the devices can talk to each other, including the AP. Port 23 is where the AP is connected, so it's part of VLAN 1 but also part of tagged VLANs 55 and 99. The port is set to "Untag PVID Only". VLAN 55 and VLAN 99 use ports 23-24 only on the switch.

Port 24 of the switch goes back to my Check Point port 6 (the VLAN one); on the switch the port is set to Tag All. So traffic going through port 24 is sent to the Check Point firewall port 6, where my VLANs are configured. Setting the switch port to Tag All only sends the tagged VLANs 55 and 99.

Does this sound about right? It is working, and I have no spoofing entries in my firewall logs, which I had before with another configuration. That was working too, but I'd say it was not optimal.

Let me know what you think... :) Should I configure the switch to do L3 instead? What role would the Check Point play in this type of configuration? I did not think there was a way to configure the switch to do L3, as I needed to have 2 tagged VLANs on the same port... I was not sure about the IP addressing in this situation.

Thanks!!!

Dom
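
The port layout described in Reply #2, as an added example that is not part of the thread: a small model of how an 802.1Q switch port handles frames under the Nortel/Avaya tagging modes named above (untagAll, tagAll, untagPvidOnly, tagPvidOnly). Port and VLAN numbers are the thread's; the frames are constructed, the model floods every frame (no MAC learning), it assumes a port drops tagged frames for VLANs it is not a member of (ingress filtering), and the PVID of port 24, which the post does not state, is assumed to be 1. The `first_attempt_layout` function is a reconstruction, not the exact settings from the first post.

```python
"""Model of 802.1Q port behaviour for the thread's switch layout (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Port:
    pvid: int                  # VLAN assigned to untagged ingress frames
    members: FrozenSet[int]    # VLANs the port may carry
    tagging: str               # untagAll | tagAll | untagPvidOnly | tagPvidOnly


Switch = Dict[int, Port]


def classify_ingress(port: Port, wire_vid: Optional[int]) -> Optional[int]:
    """VLAN an arriving frame is assigned to, or None if it is dropped.
    Untagged -> PVID; tagged -> the tag's VLAN; either way the port has to
    be a member of that VLAN (ingress filtering assumed on)."""
    vid = port.pvid if wire_vid is None else wire_vid
    return vid if vid in port.members else None


def egress_tagged(port: Port, vid: int) -> bool:
    """Does a frame in VLAN `vid` leave this port with an 802.1Q tag?"""
    return {
        "tagAll": True,
        "untagAll": False,
        "untagPvidOnly": vid != port.pvid,
        "tagPvidOnly": vid == port.pvid,
    }[port.tagging]


def flood(switch: Switch, ingress: int, wire_vid: Optional[int]) -> Dict[int, Optional[int]]:
    """Where a frame entering `ingress` (tagged `wire_vid`, or None for an
    untagged frame) goes: {egress_port: tag on the wire}, None = untagged."""
    vlan = classify_ingress(switch[ingress], wire_vid)
    if vlan is None:
        return {}
    return {p: (vlan if egress_tagged(port, vlan) else None)
            for p, port in switch.items()
            if p != ingress and vlan in port.members}


def access_ports(vlan: int, ports) -> Switch:
    """Plain untagged ports in one VLAN."""
    return {p: Port(pvid=vlan, members=frozenset({vlan}), tagging="untagAll") for p in ports}


def reply2_layout() -> Switch:
    """Dom's working layout: 1-22 untagged VLAN 1; 23 (AP) VLAN 1 untagged
    plus 55/99 tagged; 24 (to Check Point port 6) tagAll, VLANs 55 and 99
    only. PVID 1 on port 24 is an assumption."""
    sw = access_ports(1, range(1, 23))
    sw[23] = Port(pvid=1, members=frozenset({1, 55, 99}), tagging="untagPvidOnly")
    sw[24] = Port(pvid=1, members=frozenset({55, 99}), tagging="tagAll")
    return sw


def first_attempt_layout(only_vlan: int) -> Switch:
    """Reconstruction (assumption) of the first post's setup: ports 23 and
    24 alone in one VLAN, with that VLAN as their PVID."""
    sw = access_ports(1, range(1, 23))
    sw[23] = Port(pvid=only_vlan, members=frozenset({only_vlan}), tagging="untagPvidOnly")
    sw[24] = Port(pvid=only_vlan, members=frozenset({only_vlan}), tagging="tagAll")
    return sw


if __name__ == "__main__":
    sw = reply2_layout()
    # AP management traffic (untagged) stays in VLAN 1 and never hits port 24
    print(sorted(flood(sw, 23, None)))
    # the two SSIDs, tagged 55 and 99 by the AP, reach the Check Point tagged
    print(flood(sw, 23, 55), flood(sw, 23, 99))
    # with ports 23-24 only in VLAN 55, hotspot frames tagged 99 are dropped
    print(flood(first_attempt_layout(55), 23, 99))
```

Running `flood` against `first_attempt_layout(55)` and `first_attempt_layout(99)` shows the symptom from the first post: with the pair of ports only in VLAN 55, frames the AP tags 99 fail ingress filtering and vanish; with them only in VLAN 99, the untagged trusted-SSID frames are silently put into VLAN 99. Whichever PVID you pick, one SSID loses. In the Reply #2 layout an untagged frame arriving from the firewall on port 24 is also dropped (port 24 is not a member of its PVID in this model), which is the behaviour you want on a tag-only trunk to a firewall.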

Telair (Global Moderator, Hero Member, Posts: 965)
Re: WIFI vs VLAN
« Reply #3 on: July 10, 2015, 03:10:14 PM »
OK, that sounds like it should be working. As long as you are not doing heavy routing between different VLANs, your CheckPoint box should be happy as the router for your network. If you start doing a lot of routing, the CheckPoint box is quickly going to become a bottleneck. That's when maybe you look at using the switch's routing functions, since it is far, far faster at routing than the CheckPoint box. Until then, though, that looks pretty good for a small setup.

idscomm (Rookie, Posts: 3)
Re: WIFI vs VLAN
« Reply #4 on: July 10, 2015, 04:00:38 PM »
Thanks again Telair, I appreciate your input so much. Like I said, it's a learning curve for me here, an old net admin retraining and going back to where I left off 7 years ago...

I did not know that about the firewall vs. the switch. Like I said, since VLANs and L3 switching are fairly new for me, I will try to find some reading and learn how to do it the proper and more efficient way. I'd like to have the switch route my traffic instead of the firewall, like you said.

I know I can assign IP addresses to VLANs (if I am not mistaken) and assign an IP for the DHCP server, like ip helper on Cisco, again if I am right. Not sure how to do this on my Nortel. I will have to read up on it.

If I understand the principle, port 24, which is Tag Only (forwarding the tagged VLANs to my firewall), is acting as a trunk, right? If I want to have my switch do the routing, could my switch and Check Point firewall do the job on my entire network, or do I need another device (a router)?

Thanks!

Telair (Global Moderator, Hero Member, Posts: 965)
Re: WIFI vs VLAN
« Reply #5 on: July 10, 2015, 06:52:09 PM »
Depending on your specific model of CheckPoint 600 unit, it can push 750-1500 Mb/s, while the switch can route at 48,000 Mb/s. However, if you need rules between subnets, the traffic still needs to be piped up to something that can enforce a rule base. The switch just isn't made to do that. It's great if you, say, had a bunch of servers on one or more subnets and a bunch of clients on a different subnet. If you make the switch the router, it will handle the routing at line speed on-board without blinking, whereas if you had to funnel all that through the CheckPoint it would choke and die.

If you enable the routing engine and put IP addresses on the VLANs on the switch, it will start routing between the VLANs. In that case you set your DHCP forwarders (helpers) from the VLANs to your DHCP server and set the switch as the default gateway. You can use static and RIP routing with no additional license. If you want OSPF or iBGP, that costs money.

When you set a port to tagged, it is then able to trunk any number of VLANs over it, as long as the device on the other end understands tagged VLANs. As explained above, yes, the switch could do the routing. But then you lose the ability to do firewall policies between them. If that's not a concern, then go ahead. If you need rules between VLANs, then you still need to pipe the traffic up to a firewall.
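
The DHCP forwarder (helper) setup Telair describes for the routed-switch design, as an added example that is not part of the thread: a model of what the relay on a routing switch does to a client's DHCP broadcast, and how the server on the far side picks the right scope. With one SVI per VLAN the switch is each subnet's default gateway, but a client's DISCOVER broadcast never leaves its VLAN on its own. The relay stamps the BOOTP `giaddr` field with the SVI address of the VLAN the request arrived on and unicasts it to the server; the server chooses the scope containing `giaddr`, replies to that address, and the relay delivers the offer back on the matching VLAN. The SVI, DHCP server and scope addresses below are assumptions (the thread only gives the three subnets and VLAN numbers), and the packets are constructed.

```python
"""DHCP relay (ip helper) and scope selection by giaddr on constructed packets (added example)."""
import struct
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional

# Assumed SVI (default gateway) per VLAN; VLAN numbers follow the thread.
SVI: Dict[int, IPv4Address] = {
    1: IPv4Address("192.168.1.1"),
    55: IPv4Address("192.168.55.1"),
    99: IPv4Address("192.168.99.1"),
}
DHCP_SERVER = IPv4Address("192.168.1.10")   # assumed: one host on VLAN 1
# Toy allocator: scope network -> next host number to hand out.
SCOPES: Dict[IPv4Network, int] = {
    IPv4Network(n): 50
    for n in ("192.168.1.0/24", "192.168.55.0/24", "192.168.99.0/24")
}

# Fixed 236-byte BOOTP header (RFC 2131 section 2), followed by the magic cookie.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
COOKIE = b"\x63\x82\x53\x63"
ZERO4 = b"\0" * 4
OPT_MASK, OPT_ROUTER, OPT_MSGTYPE, OPT_END = 1, 3, 53, 255
DISCOVER, OFFER = 1, 2


def build_discover(mac: bytes, xid: int) -> bytes:
    """Client broadcast: BOOTREQUEST, broadcast flag set, giaddr = 0."""
    hdr = BOOTP.pack(1, 1, 6, 0, xid, 0, 0x8000, ZERO4, ZERO4, ZERO4, ZERO4,
                     mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + COOKIE + bytes([OPT_MSGTYPE, 1, DISCOVER, OPT_END])


def relay_to_server(pkt: bytes, ingress_vlan: int) -> Optional[bytes]:
    """Switch side (RFC 1542 relay agent): set giaddr to the ingress SVI
    unless an earlier relay already did, bump hops, drop runaway packets."""
    f = list(BOOTP.unpack_from(pkt))
    if f[3] >= 16:                       # hops
        return None
    f[3] += 1
    if f[10] == ZERO4:                   # giaddr
        f[10] = SVI[ingress_vlan].packed
    return BOOTP.pack(*f) + pkt[BOOTP.size:]


def server_offer(pkt: bytes, received_on: IPv4Address) -> bytes:
    """Server side: the scope is chosen by giaddr when the request was
    relayed, otherwise by the interface the broadcast arrived on; the
    router option is the SVI that lives in that scope."""
    f = list(BOOTP.unpack_from(pkt))
    selector = IPv4Address(f[10]) if f[10] != ZERO4 else received_on
    net = next(n for n in SCOPES if selector in n)
    yiaddr = net.network_address + SCOPES[net]
    SCOPES[net] += 1
    router = next(s for s in SVI.values() if s in net)
    f[0], f[8] = 2, yiaddr.packed        # BOOTREPLY, yiaddr
    opts = (bytes([OPT_MSGTYPE, 1, OFFER]) + bytes([OPT_MASK, 4]) + net.netmask.packed
            + bytes([OPT_ROUTER, 4]) + router.packed + bytes([OPT_END]))
    return BOOTP.pack(*f) + COOKIE + opts


def relay_to_client(reply: bytes) -> int:
    """The server unicasts the reply to giaddr; the relay maps that SVI
    back to the VLAN the offer must be delivered on."""
    giaddr = IPv4Address(BOOTP.unpack_from(reply)[10])
    return next(v for v, a in SVI.items() if a == giaddr)


def parse_offer(reply: bytes) -> dict:
    """Pull the fields a client cares about out of the OFFER."""
    f = BOOTP.unpack_from(reply)
    opts, i = {}, BOOTP.size + len(COOKIE)
    while reply[i] != OPT_END:
        code, ln = reply[i], reply[i + 1]
        opts[code] = reply[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"ip": str(IPv4Address(f[8])), "mask": str(IPv4Address(opts[OPT_MASK])),
            "router": str(IPv4Address(opts[OPT_ROUTER])),
            "giaddr": str(IPv4Address(f[10])), "xid": f[4]}


def lease_for(mac: bytes, client_vlan: int, xid: int = 0x1234) -> dict:
    """DISCOVER/OFFER for a client on client_vlan (REQUEST/ACK follow the
    same path). Returns the parsed offer plus the VLAN it came back on."""
    disc = build_discover(mac, xid)
    if client_vlan == 1:                 # server sits on this VLAN: no relay needed
        offer, egress_vlan = server_offer(disc, DHCP_SERVER), 1
    else:
        fwd = relay_to_server(disc, client_vlan)
        if fwd is None:
            raise RuntimeError("relay dropped the request")
        offer = server_offer(fwd, DHCP_SERVER)
        egress_vlan = relay_to_client(offer)
    result = parse_offer(offer)
    result["vlan"] = egress_vlan
    return result


if __name__ == "__main__":
    for vlan in (1, 55, 99):
        print(vlan, lease_for(b"\x00\x11\x22\x33\x44" + bytes([vlan]), vlan))
```

The point to take from the model is that `giaddr` is the only thing the server uses to decide which subnet a relayed client belongs to. Nothing in the packet proves who set it, so a host that can reach the server's UDP port 67 directly can forge it and pull a lease from another VLAN's scope; on a routed switch, configure the helper only on the VLANs that need it and keep the server's DHCP port reachable from the SVIs, not from arbitrary clients.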