Guest VLAN can connect but can't get an IP

Running D-Link AP's and switch (DWL-2200's and DES-3828). Network is Small Business Server 2003 Premium in a 2-NIC configuration and static IP.
==========================
All AP's have a static IP on the internal domain (192.168.16.x).
Primary AP is wired to the switch.
I have 2 VLAN's set up for wireless - one to allow access to the LAN and the other for Guests.
All AP's are in AP mode - any other mode and I can't use multiple SSID's/VLAN's.
Primary SSID is set for LAN access, and the first MSSID is set for Guest access.
Setup works fine for the wired AP on both SSID's, but I can't get anything more than a connection with the other SSID's. It tries to acquire an IP and fails/times out.

Nothing remarkable on the firewall log (ISA 2004), or in the client or server Event logs.

Any ideas? How do you recommend I troubleshoot it?

--
Mike Webb
Platte River Whooping Crane Maintenance Trust, Inc.
a 501 (c)(3) conservation non-profit organization

"Mike Webb" <Mike_W***@whoopingcrane.org> wrote in message news:Oq5saVoCIHA.4712@TK2MSFTNGP04.phx.gbl...
> Running D-Link AP's and switch (DWL-2200's and DES-3828). Network is Small
> Business Server 2003 Premium in a 2-NIC configuration and static IP.
> ==========================

We need to fix some terminology here,...don't be offended,...but we can't do anything if we don't know what each other is talking about.....

> All AP's have a static IP on the internal domain (192.168.16.x).

That's not a Domain,..it is an IP Segment. There is no relationship at all between Domains and IP Ranges. There can be dozens of domains on a single IP segment,...and there can also be dozens of IP segments on a single domain.

> Primary AP is wired to the switch.

All APs have to be wired to a switch. This implies that some other AP isn't wired to anything.

> I have 2 VLAN's set up for wireless - one to allow access to the LAN and
> the other for Guests.

VLans are tied to the IP segments,..you only mentioned 192.168.16.0,...what's the other one.

> All AP's are in AP mode - any other mode and I can't use multiple
> SSID's/VLAN's.

.....And you can't have VLANs if you didn't actually create a VLAN and have a LAN Router configured to do the routing between the VLANs. Just simply configuring a VLAN on an isolated Switch or AP does nothing more than create an unreachable virtual IP segment.

> Primary SSID is set for LAN access, and the first MSSID is set for Guest
> access.

What is a MSSID?

> Setup works fine for the wired AP on both SSID's,

All APs are wireless or they aren't an AP. Of course they are also all wired on the LAN side of them, but I have no idea what you mean by a "wired AP" -vs- a ?? wireless AP??

> but I can't get anything more than a connection with the other SSID's.

What "other" SSID?

> It tries to acquire an IP and fails/times out.

Well you can not have VLANs without a LAN Router. Creating VLANs only does just that,...it creates the VLAN from that one particular device's perspective,...but it in no way provides for a means to route between VLANs,...that requires a LAN Router. ISA has the ability to act as a very restrictive but limited LAN Router, but you have not indicated that you have set it up to be that.

Once a LAN Router is established between two VLANs it must have DHCP Relay configured on it so that it will pass DHCP Queries to the DHCP Server from the opposite segment. But you would not do that on ISA, in part because it is on the same box as the DHCP Server in the case of SBS.

The DHCP Server requires a separate distinct Scope for each IP Segment (no Superscopes!!).

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------

Ok, I'll answer you below in-line.
> We need to fix some terminology here,...don't be offended,...but we can't
> do anything if we don't know what each other is talking about.....
>
>> All AP's have a static IP on the internal domain (192.168.16.x).
>
> That's not a Domain,..it is an IP Segment. There is no relationship at all
> between Domains and IP Ranges. There can be dozens of domains on a single
> IP segment,...and there can also be dozens of IP segments on a single
> domain.

>>My mistake.

>> Primary AP is wired to the switch.
>
> All APs have to be wired to a switch. This implies that some other AP
> isn't wired to anything.

>>>> I guess I was misinformed then when I started this process a year ago.
>>>> The local Microsoft dealer here suggested the switch and AP's, and
>>>> D-Link has not said anything about all AP's having to be wired.

>> I have 2 VLAN's set up for wireless - one to allow access to the LAN and
>> the other for Guests.
>
> VLans are tied to the IP segments,..you only mentioned
> 192.168.16.0,...what's the other one.

>>>> I didn't know that. On the switch I have them tied to 192.168.16.x (my
>>>> default VLAN), 192.168.17.x (wireless LAN access), and 192.168.18.x
>>>> (Guest access). I did this under L3 Features > IP Interface Settings.

>> All AP's are in AP mode - any other mode and I can't use multiple
>> SSID's/VLAN's.
>
> ....And you can't have VLANs if you didn't actually create a VLAN and have
> a LAN Router configured to do the routing between the VLANs. Just simply
> configuring a VLAN on an isolated Switch or AP does nothing more than
> create an unreachable virtual IP segment.

>>>> I'll contact D-Link to find out what they recommend for this point.
>>>> (hardware)

>> Primary SSID is set for LAN access, and the first MSSID is set for Guest
>> access.
>
> What is a MSSID?

>>>> Multiple SSID (must be a D-Link term)

>> Setup works fine for the wired AP on both SSID's,
>
> All APs are wireless or they aren't an AP. Of course they are also all
> wired on the LAN side of them, but I have no idea what you mean by a
> "wired AP" -vs- a ?? wireless AP??

>>>> Wireless AP is one that is not wired/cabled to anything.

>> but I can't get anything more than a connection with the other SSID's.
>
> What "other" SSID?

>>>> The SSID's on each of the other AP's.

>> It tries to acquire an IP and fails/times out.
>
> Well you can not have VLANs without a LAN Router. Creating VLANs only
> does just that,...it creates the VLAN from that one particular device's
> perspective,...but it in no way provides for a means to route between
> VLANs,...that requires a LAN Router. ISA has the ability to act as a very
> restrictive but limited LAN Router, but you have not indicated that you
> have set it up to be that.

>>>>OK

> Once a LAN Router is established between two VLANs it must have DHCP Relay
> configured on it so that it will pass DHCP Queries to the DHCP Server from
> the opposite segment. But you would not do that on ISA, in part because
> it is on the same box as the DHCP Server in the case of SBS.

>>>>OK

> The DHCP Server requires a separate distinct Scope for each IP Segment (no
> Superscopes!!).

>>> OK

"Mike Webb" <Mike_W***@whoopingcrane.org> wrote in message news:uAAKKmqCIHA.3400@TK2MSFTNGP03.phx.gbl...

Ok, let's see if I can clarify some things.

> I guess I was misinformed then when I started this process a year ago.
> The local Microsoft dealer here suggested the switch and AP's, and D-Link
> has not said anything about all AP's having to be wired.

They are wireless between themselves and the Users.
They are wired between themselves and the LAN.

> I didn't know that. On the switch I have them tied to 192.168.16.x (my
> default VLAN), 192.168.17.x (wireless LAN access), and 192.168.18.x (Guest
> access). I did this under L3 Features > IP Interface Settings.

Ok, good. That means this is a Layer3 Switch which is a Switch and a LAN Router built into the same piece of hardware. When speaking of the Layer3 abilities I will call it a router. When speaking of the Layer2 function I will call it a Switch. So I will treat it as if it were two different devices even though it is all built into one box. You need to think of it that way to understand what is going on with it.

The three VLANs will group the Switch's ports into three groups. You plug the correct AP into its proper group of ports. Each group of switch ports represents one "router interface".

Then enable the routing abilities and configure the DHCP Relay (sometimes called Helper Addresses) that point to the IP# of the DHCP Server.

Configure ACLs on the Router to control what the Guest IP Segment is allowed to access,...if you don't the Guest segment means nothing at all and it is just another segment with the same access as anything else.

On the DHCP Server you will have three scopes,...three regular scopes,...no superscopes. Configure each scope according to what it needs.

>> All APs are wireless or they aren't an AP. Of course they are also all
>> wired on the LAN side of them, but I have no idea what you mean by a
>> "wired AP" -vs- a ?? wireless AP??
> Wireless AP is one that is not wired/cabled to anything.

No. That would be a useless piece of hardware needlessly burning electricity. An AP is only wireless between itself and the Clients with Wireless Nics,...but the other side of it needs to be wired into the LAN or it does not do anything.

An AP is the same thing as a Switch but it just doesn't need wires to connect the Clients to it,...but it still needs to be physically attached to the LAN.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------

Great info, thanks.

As to your last point, what do you recommend then for the remote buildings? They are all within 400 yards of the main antenna. I would like to get the signal to each of them so that any client anywhere in those buildings can connect.

"Mike Webb" <Mike_W***@whoopingcrane.org> wrote in message news:ekkLSZ1CIHA.4952@TK2MSFTNGP02.phx.gbl...
> Great info, thanks.
>
> As to your last point, what do you recommend then for the remote
> buildings? They are all within 400 yards of the main antenna. I would
> like to get the signal to each of them so that any client anywhere in
> those buildings can connect.

Most typical APs are only going to reach about 350 feet (not yards) and anything over 100 feet or so is going to have the speed degrade down to a crawl. The longer the distance, the slower it goes.

Run cabling to each building. The maximum cable length is 100 yards. Anything longer than that will require a repeater or bridge (can use a cheap hub or switch) and a powered weather proof building to put it in. You can optionally use Fiber Optic to get more distance and the distance varies with what exact type of Fiber you use and whether the Fiber Optic hardware uses Laser emitters or LED emitters.

Another option is high-end ($$$$) wireless technology that may possibly even get into microwave technology. Regardless of the specific details of the wireless devices, you will be building a Wireless Bridge to jump the gap between the buildings. This is *NOT* the same thing as the wireless link between a Client and an Access Point. A bridged link runs one AP in "Infrastructure Mode" and the other in "Access Point Mode" (kind of like Master/Slave) and they are locked to only communicating with each other and nothing else.

Once you jump the gap you have to go back to cable to get down into the building where you can then hook up a standard AP within the building to have the users connect to that. Depending on the size of those it may take several APs to cover the building. Ours is a single floor and roughly 200 feet by 150 feet and would take about 4 APs.

*Important*,..you cannot go 100% wireless in the building because most wireless nics in machines do not activate and connect until after the user has logged in and reached the Desktop,...this means a new user cannot log on because there is no cached profile on the machine. The machine has to be connected by cable the first time to logon so that the user profile gets created. They are fine from that point unless you have a Password Expiration Policy.

One source for equipment that may be reasonably priced is from Tranzeo (www.tranzeo.com). We have a couple of their TR-5A Series Devices to span between our TV Station's main building and the Transmitter building about 14 miles away and operate at 5.7 ghz. They run over a pair of parabolic dish antennas mounted about 150 feet high that are also already running a 7ghz signal that carries out 1 Analog and 2 HDTV broadcast signals. Unfortunately we are having trouble with them that we suspect is interference from someone else's signal and have not nailed it down yet. Granted that this is more powerful than you need, but Tranzeo probably has some lighter weight stuff at a lower cost.

There could be more to the story as well, but I don't know your exact situation and don't know how much info or ideas you want me to bury you with.

You might want to consider just having a fast internet connection at each building and connecting them with a Site-to-Site VPN (aka a Router-to-Router VPN) by using routing devices designed for that purpose. A Site-to-Site VPN is a specific type,...do not confuse it with the common Remote Access VPN. The buildings would use VPN to communicate with each other, but for Internet access they would use their own independent Internet Link with their own independent Firewall. The Firewall and the VPN Device are often the same device. Once the buildings are linked you can use APs on the interior of the buildings for wireless access.

Bottom line for wireless,...wireless networks only *supplement* or expand a wired network,...they never replace it.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------

Thanks for the thorough reply, and kind remarks. I've learned a lot from
reading your posts. Looks like there was poor communication between myself and the vendors last year when I started this - else I'd never have gotten into this hole.

Thanks again.

Mike
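
Added example (not part of the original thread, and not D-Link or Microsoft code): a Python model of the DHCP relay and per-segment scope behaviour discussed above, showing why a guest-SSID client times out when no relay is configured and how the relay's giaddr field picks the scope. The .1 interface addresses, the scope names and the client MAC are assumptions constructed for the illustration.

```python
import ipaddress
import struct

# BOOTP/DHCP fixed header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file = 236 bytes.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
HOPS, GIADDR = 3, 10                    # field positions in the unpacked tuple
MAGIC_COOKIE = bytes([99, 130, 83, 99])

# The three segments named in the thread. Assumption: the Layer 3 switch
# holds .1 on each VLAN interface and the DHCP server sits on 192.168.16.x.
SCOPES = {
    "default": ipaddress.ip_network("192.168.16.0/24"),
    "wireless-lan": ipaddress.ip_network("192.168.17.0/24"),
    "guest": ipaddress.ip_network("192.168.18.0/24"),
}
SERVER_SEGMENT = SCOPES["default"]
CLIENT_MAC = bytes.fromhex("02005e000001")   # constructed sample MAC


def build_discover(mac=CLIENT_MAC, xid=0x1234):
    """Client DHCPDISCOVER: broadcast flag set, giaddr still 0.0.0.0."""
    zero = bytes(4)
    header = BOOTP.pack(1, 1, 6, 0, xid, 0, 0x8000, zero, zero, zero, zero,
                        mac, bytes(64), bytes(128))
    return header + MAGIC_COOKIE + bytes([53, 1, 1, 255])  # option 53 = DISCOVER


def relay(packet, ingress_ip):
    """Relay agent (helper address): stamp giaddr, bump hops, forward as unicast."""
    fields = list(BOOTP.unpack_from(packet))
    fields[HOPS] += 1
    if fields[GIADDR] == bytes(4):      # only the first relay sets giaddr
        fields[GIADDR] = ipaddress.ip_address(ingress_ip).packed
    return BOOTP.pack(*fields) + packet[BOOTP.size:]


def select_scope(packet, arrived_on=SERVER_SEGMENT):
    """Server side: giaddr names the client's segment; 0.0.0.0 means local."""
    giaddr = ipaddress.ip_address(BOOTP.unpack_from(packet)[GIADDR])
    for name, net in SCOPES.items():
        if (giaddr in net) if int(giaddr) else (net == arrived_on):
            return name
    return None                         # no scope for that segment: no offer


def guest_client_outcome(relay_enabled):
    """Scope offered to a guest-SSID client, or None if it times out."""
    discover = build_discover()
    if not relay_enabled:
        # The broadcast never leaves the 192.168.18.x VLAN, so the server
        # on 192.168.16.x receives nothing and the client gives up.
        return None
    return select_scope(relay(discover, "192.168.18.1"))


if __name__ == "__main__":
    print("no relay  :", guest_client_outcome(False))
    print("with relay:", guest_client_outcome(True))
    print("no scope  :", select_scope(relay(build_discover(), "192.168.19.1")))
```

The last call relays from a segment that has no scope defined, which fails the same way from the client's point of view as having no relay at all.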