
802.1Q tagged VLANs on the internal port

dcruz_
Occasional Contributor

Re: 802.1Q tagged VLANs on the internal port

Does the IVE support 802.1q trunking? This is the only way I can see it supporting more than 2 vlans over a single interface.

I've got an SA4000 as well and I'm trying to move our NetConnect users off of the same broadcast domain as the IVE's internal port.

kenlars_
Super Contributor

Re: 802.1Q tagged VLANs on the internal port

The SA does support VLAN trunking if you purchase the IVS license, which I think is pretty cheap if you need this functionality.

You connect the SA to a switchport configured for 802.1 trunking and specify a native VLAN (this will be for the untagged traffic from the SA.) You then configure a VLAN in the network settings on the SA, giving the SA an address in that VLAN and specifying the default gateway for traffic sent to that VLAN.

To send NC traffic to the VLAN, you configure the VLAN/Source IP tab on the General section of the role configuration. All traffic for that role will be sent to that VLAN. The NC address pool must either assign users to the same subnet the VLAN address of the SA is in, or the default gateway router(s) must route the subnets which the NC addresses are in to the VLAN address of the SA, typically using static routes.

Hope this is helpful.

dcruz_
Occasional Contributor

Re: 802.1Q tagged VLANs on the internal port

I actually got this to work today...

I set up the VLAN in the IVE and applied it to the role. On the switch, I created the necessary VLAN and added one line to the port the IVE is connected to (this is a Cisco IOS switch) so that it looks like this:

switchport access vlan 10
switchport mode access
switchport nonegotiate
switchport voice vlan 11

This command is meant for IP phones with a workstation attached, but it accomplishes what I need. This moves the tagged user traffic through the proper vlan (11) while keeping all untagged traffic on vlan 10. The big limitation here is that this won't scale beyond just a single untagged vlan and a single tagged one, which is where a trunk would come in.

Regardless, I'm going to try it this weekend anyway to see if it works if I set the port to be a trunk port rather than an access port.
Message Edited by dcruz on 08-21-2008 04:11 PM
Message Edited by dcruz on 08-21-2008 04:12 PM

kenlars_
Super Contributor

Re: 802.1Q tagged VLANs on the internal port

The port to the SA internal interface on my Cisco switch is configured as -

interface GigabitEthernet0/2
description VRAliMUScingh13-1.2.3.4
switchport trunk native vlan 2
switchport trunk allowed vlan 2,100
switchport mode trunk
speed 100
duplex full

This allows vlans 2 and 100, and marks untagged traffic as vlan 2. Of course, you could modify the "switchport trunk allowed vlan 2,100" statement to allow any vlans you wanted to carry.
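Added example, not part of the original thread and not any poster's code: a small Python parser that reports which VLANs a Cisco IOS switchport carries untagged and which tagged, run over the two port configurations quoted above. The function names and the result dictionary layout are assumptions made for this example.

```python
import re

# The two switchport stanzas quoted in this thread.
ACCESS_WITH_VOICE = """\
switchport access vlan 10
switchport mode access
switchport nonegotiate
switchport voice vlan 11
"""
TRUNK = """\
switchport trunk native vlan 2
switchport trunk allowed vlan 2,100
switchport mode trunk
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '2,100-102' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def _get(stanza, pattern):
    """Return the captured value of one 'switchport ...' line, or None."""
    m = re.search(rf"^\s*switchport {pattern}\s*$", stanza, re.M)
    return m.group(1) if m else None

def summarize_port(stanza):
    """Summarize untagged/tagged VLANs for an access or trunk port."""
    mode = _get(stanza, r"mode (\S+)") or "unspecified"
    allowed = _get(stanza, r"trunk allowed vlan ([\d,\-]+)")
    if mode == "trunk":
        # IOS defaults: native VLAN 1, and every VLAN allowed if no list is set.
        untagged = int(_get(stanza, r"trunk native vlan (\d+)") or 1)
        carried = expand_vlans(allowed) if allowed else set(range(1, 4095))
        tagged = carried - {untagged}
    else:
        # Non-trunk port: one untagged access VLAN, plus the voice VLAN tagged.
        untagged = int(_get(stanza, r"access vlan (\d+)") or 1)
        voice = _get(stanza, r"voice vlan (\d+)")
        tagged = {int(voice)} if voice else set()
    return {"mode": mode, "untagged": untagged, "tagged": sorted(tagged),
            "all_vlans_allowed": mode == "trunk" and allowed is None,
            "nonegotiate": bool(re.search(r"^\s*switchport nonegotiate\s*$", stanza, re.M))}

if __name__ == "__main__":
    for name, stanza in (("access+voice", ACCESS_WITH_VOICE), ("trunk", TRUNK)):
        print(name, summarize_port(stanza))
```

The `all_vlans_allowed` and `nonegotiate` fields are there for reviewing a port: the first is true when a trunk has no allowed list and so carries every VLAN, the second shows whether DTP negotiation is switched off on the port.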

dcruz_
Occasional Contributor

Re: 802.1Q tagged VLANs on the internal port

I changed the port from an access port to a trunk port and it works fine. I don't have an IVS license.

Yves_
Occasional Contributor

Re: 802.1Q tagged VLANs on the internal port

Hi,


@kenlars wrote:

Assignment to VLANs is done on a role basis. So, you need to do the following -

  1. Create the VLANs
  2. Create two roles and figure out how you are going to do role-mapping for the realm
  3. For each role, assign the VLAN in the VLAN/Source IP tab of the General setting for the role
  4. For each role, define NC Connection profiles which assign the appropriate address pool

Can we do the same thing, but using a DHCP server instead of the Juniper SA local address pool? If yes, how can I do it?

Thanks.

Yves

netadmin_
Occasional Contributor

Re: 802.1Q tagged VLANs on the internal port

I don't have an IVS license either. How do you change the SA-4000 Internal Port from an Access Port to a Trunk Port?

Thanks in advance

kenlars_
Super Contributor

Re: 802.1Q tagged VLANs on the internal port

Yves -

I've never used DHCP with VLANs, but I don't think there is any reason it would not work. I assume the DHCP request would be sent over the VLAN associated with the role.

Yves_
Occasional Contributor

Re: 802.1Q tagged VLANs on the internal port

Kenlars -

We tried it and the DHCP request seems to always come from the default internal IP address as source address, not from the VLAN interface assigned by the role mapping.

If we use the Juniper local IP address pool, everything is OK, but when we use a DHCP server, it doesn't work. The user receives the address assigned to his role.

Thanks.

Yves

kenlars_
Super Contributor

Re: 802.1Q tagged VLANs on the internal port

Netadmin -

Others have reported in this thread that you get VLAN functionality even if you don't have the IVS license. I don't see the VLAN tab on any of the SA's that I have on which I don't have an IVS license, and I see the tab on all SA's I have which have an IVS license. The description of VLANs in the Admin Guide is within the IVS section. It still is a mystery to me as to how you could define a VLAN if you do not have an IVS license.