Wednesday, June 5, 2019

Private Isolated VLAN & non-PVLAN Trunk ports

Here is my issue: I am trying to stop client A from talking to client B. I have Guest Isolation enabled on my UniFi APs and it works, BUT only when the two clients are on the same AP. If I have clients connected to two different APs they can talk to each other. I want to set up PVLAN Isolation on my switch to prevent the 2 clients from talking while on different WAPs.

The issue I run into is getting my non-private VLAN 99 traffic untagged on those wireless AP uplinks. Once I change those ports GE1/15, 16 or 17 from “Trunk” to “Private VLAN – Host”, I am unable to add VLAN 99 as anything other than a community VLAN. Not sure what I am doing wrong here. Seems like a common setup, but I just can’t get it working 100%.

I essentially need to convert my LAG (GE1/15 & 1/16) & GE1/17 to a type of port which carries tagged traffic from my Private VLAN 400 / Isolated VLAN 410, but is also configured so that any untagged traffic is VLAN 99.

Hope this makes sense, thanks in advance!

PS: The gear I have in place is the gear I have in place. I can’t change the switch, APs or firewall. I also know this isn’t a Catalyst switch and might be limited, but limiting this specific functionality doesn’t seem right.

Here is my horrible network diagram: https://snag.gy/iNeqyP.jpg

Here are my VLAN descriptions:

· VLAN 10 – Default VLAN, connected to X0 on SonicWALL

· VLAN 99 – Wireless Access Point Management VLAN, connected to a sub-interface on X0. This VLAN needs to allow devices on it to communicate with each other, and they need to be able to connect to the internet.

· VLAN 100 – Network Management VLAN, connected to a sub-interface on X0. This VLAN needs to allow devices on it to communicate with each other, and they need to be able to connect to the internet.

· VLAN 400 – Primary Private VLAN for my isolated VLAN 410

· VLAN 410 – Private Isolated VLAN – Guest Wireless VLAN, connected to X2 on my SonicWALL. Devices on this VLAN need access to the internet only; they should not be able to talk to any device on their own VLAN or any other VLAN. Essentially, I would just like these devices to access the X2 SonicWALL gateway IP.

· VLAN 500 - Primary Private VLAN for my isolated VLAN 510

· VLAN 510 – Private Isolated VLAN – Guest Wired VLAN, connected to X3 on my SonicWALL. Devices on this VLAN need access to the internet only; they should not be able to talk to any device on their own VLAN or any other VLAN. Essentially, I would just like these devices to access the X3 SonicWALL gateway IP.

Here are my switch port descriptions on my Cisco SMB SG350 switch:

· GE1/3 – Uplink to SonicWALL X0 interface & 2 x SonicWALL virtual interfaces VI:99 & VI:100. Trunk port, VLAN 10 untagged, VLANs 99/100 tagged

· GE1/4 – Uplink to SonicWALL X2 interface – Private VLAN Promiscuous port, Primary PVLAN 400, Isolated VLAN 410

· GE1/5 – Uplink to SonicWALL X3 interface – Private VLAN Promiscuous port, Primary PVLAN 500, Isolated VLAN 510

· GE1/15 – Uplink to UniFi HD wireless access point – member of LACP LAG#1. This is a port I am having issues with. I need VLAN 99 (a non-private VLAN) to be the untagged VLAN of this LAG, BUT I also need the Primary PVLAN 400 & Isolated VLAN 410 tagged on this port. My APs will tag client traffic as VLAN 410.

· GE1/16 – Uplink to UniFi HD wireless access point – member of LACP LAG#1. This is a port I am having issues with. I need VLAN 99 (a non-private VLAN) to be the untagged VLAN of this LAG, BUT I also need the Primary PVLAN 400 & Isolated VLAN 410 tagged on this port. My APs will tag client traffic as VLAN 410.

· GE1/17 – Uplink to UniFi AP Pro wireless access point. This is a port I am having issues with. I need VLAN 99 (a non-private VLAN) to be the untagged VLAN of this LAG, BUT I also need the Primary PVLAN 400 & Isolated VLAN 410 tagged on this port. My APs will tag client traffic as VLAN 410.

Much thanks in advance!!!
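To make the isolation goal in the post concrete, here is a small forwarding model (an added example, not the SG350 configuration, the SonicWALL, or any UniFi code). It encodes the 802.1Q ingress rule (untagged frames land in the port's untagged VLAN) and the private-VLAN rule (an isolated host may only exchange frames with a promiscuous port), then runs the post's own ports and VLAN numbers through two scenarios: the AP uplinks as plain trunks (today, where Guest Isolation only covers clients on the same AP) and the AP uplinks behaving as isolated hosts for VLAN 410 while staying ordinary members of VLAN 99 (the behaviour the post is trying to reach). The AP-side rule that a same-AP frame never reaches the switch, the `Role` names, and the assumption that such a mixed port type exists are constructed for the model.

```python
"""Forwarding model for the post's isolation goal: guest Wi-Fi clients on
VLAN 410 must only reach the SonicWALL X2 gateway on GE1/4, while VLAN 99
(AP management) stays an ordinary VLAN.  Added example, not SG350/UniFi code."""

from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, Optional


class Role(Enum):
    """What a port is allowed to do inside one VLAN (names are constructed)."""
    NORMAL = auto()       # plain 802.1Q member of a regular VLAN
    PROMISCUOUS = auto()  # private-VLAN promiscuous port (gateway side)
    ISOLATED = auto()     # private-VLAN isolated host port


@dataclass
class Port:
    name: str
    roles: Dict[int, Role]          # every VLAN carried, tagged or untagged
    untagged: Optional[int] = None  # VLAN assigned to untagged ingress frames


def ingress_vlan(port: Port, tag: Optional[int]) -> Optional[int]:
    """802.1Q ingress: untagged frames take the port's untagged VLAN; tagged
    frames are accepted only if that VLAN is allowed on the port."""
    if tag is None:
        return port.untagged
    return tag if tag in port.roles else None


def switch_forwards(src: Port, dst: Port, vlan: int) -> bool:
    """True if a frame in `vlan` received on `src` may be sent out `dst`.

    Regular VLANs: both ports must be members.  Private VLANs: an isolated host
    may only talk to a promiscuous port, never to another isolated host.
    """
    if vlan not in src.roles or vlan not in dst.roles:
        return False
    a, b = src.roles[vlan], dst.roles[vlan]
    if a is Role.NORMAL and b is Role.NORMAL:
        return True
    if Role.PROMISCUOUS in (a, b):
        return True
    return False  # isolated <-> isolated (or a PVLAN role mixed with NORMAL)


def guests_reach_each_other(ap_a: Port, ap_b: Port, guest_isolation: bool,
                            guest_vlan: int = 410) -> bool:
    """Two wireless guests.  On the same AP the frame is bridged inside the AP
    and never reaches the switch, so only Guest Isolation decides (assumed
    AP behaviour, matching the post); across APs the switch decides."""
    if ap_a.name == ap_b.name:
        return not guest_isolation
    return switch_forwards(ap_a, ap_b, guest_vlan)


def topology(ap_uplink_role: Role) -> Dict[str, Port]:
    """Ports and VLANs from the post.  `ap_uplink_role` is what the AP uplinks
    do for VLAN 410: NORMAL (plain trunk, current state) or ISOLATED (the
    host behaviour the post wants).  Primary VLAN 400 only carries the return
    path from the promiscuous port, so the model keys on the secondary 410."""
    ap_roles = {99: Role.NORMAL, 410: ap_uplink_role}
    gw_role = Role.NORMAL if ap_uplink_role is Role.NORMAL else Role.PROMISCUOUS
    return {
        "GE1/3": Port("GE1/3", {10: Role.NORMAL, 99: Role.NORMAL, 100: Role.NORMAL}, 10),
        "GE1/4": Port("GE1/4", {410: gw_role}),           # SonicWALL X2 uplink
        "LAG1": Port("LAG1", dict(ap_roles), 99),          # GE1/15-16, UniFi HD
        "GE1/17": Port("GE1/17", dict(ap_roles), 99),      # UniFi AP Pro
    }


def isolation_report(ap_uplink_role: Role) -> Dict[str, bool]:
    """Answer the questions the post cares about for one uplink port type."""
    p = topology(ap_uplink_role)
    hd, pro, gw, fw = p["LAG1"], p["GE1/17"], p["GE1/4"], p["GE1/3"]
    return {
        "guest_same_ap": guests_reach_each_other(hd, hd, guest_isolation=True),
        "guest_across_aps": guests_reach_each_other(hd, pro, guest_isolation=True),
        "guest_to_x2_gateway": switch_forwards(hd, gw, 410),
        "guest_to_x0_firewall": switch_forwards(hd, fw, 410),
        "ap_mgmt_to_x0_firewall": switch_forwards(hd, fw, 99),
    }


if __name__ == "__main__":
    for role in (Role.NORMAL, Role.ISOLATED):
        print(f"AP uplinks carry VLAN 410 as {role.name}:")
        for check, reachable in isolation_report(role).items():
            print(f"  {check:24s} {'reachable' if reachable else 'blocked'}")
```

Running it shows the gap the post describes: with the uplinks as plain trunks, `guest_across_aps` is reachable even though `guest_same_ap` is blocked by the AP; with the uplinks isolated for 410, cross-AP guest traffic is blocked while the X2 gateway and the VLAN 99 management path both remain reachable. The model is a check on intent, not on what any given switch's port types can express.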
