Segragate WIFI guest Access Points with 2 SSID's

Posted on 2013-05-30
Last Modified: 2013-06-28
Hi experts

I have been asked to setup a free wireless network at work for our customers.

The boss wants it open to the customers, but i'm a little gunshy on having that on the same address scheme as our local network.

I've purchased 4 Motorola AP6532 units which have been pre-configured with 2 SSID's. 1 for the guest (which is open) & 1 for the Business (which is secured PSK). The AP's have a static IP address in the same range as the local network.

I have a HP 2620 Poe switch & a draytek router. The AP's are Poe from the switch (currently ports 21-24).

What i would like to do, if it's possible, is have the guest SSID on a different range to everything else. E.g 192.168.1/24.

That would leave the local network & SSID 2 (business use) on the same subnet, with internet access etc.

I'm a little confused how i would achieve this when the SSID's are on the AP's. If i have to assign an IP to the AP's, will the guest wifi network be able to access the internet as required?

Is this at all possible?

Question by:cuadmin
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
LVL 10

Expert Comment

by:Mohammed Rahman
ID: 39209903
If I am assuming it correct, the ISP connects to Draytek Router. From Draytek, a cable is running to HP 2620.Then, 4 Motorola APs are connected to the Switch via port 21 to 24.

Looks like you can assign just ONE IP to the LAN interface to these access points. Hence, you might not be able to segregate the business (SSID 2) traffic from the local open (SSID 1)

From the manuals ""
I see the the AP has the option to assign two SSIDs. However, there is not option to assign to LAN IPs and bind each IP with each SSID.

Author Comment

ID: 39209916
"If I am assuming it correct, the ISP connects to Draytek Router. From Draytek, a cable is running to HP 2620.Then, 4 Motorola APs are connected to the Switch via port 21 to 24."

You are spot on...this is exactly how it is currently connected.

On the Draytek i've configured 'Vlan2' on port 4 & assigned it an address The Draytek port is connected to HP port 20. On the HP i've configured a separate Vlan for ports 20-24, being the Draytek Connection & the 4 AP's.

I can get the 2 subnets talking via interlan routing on the Draytek, but i'm not sure if there's a better or more secure way of doing things. If i can't separate the SSID's, i guess i'm left with little options.
LVL 10

Accepted Solution

Mohammed Rahman earned 500 total points
ID: 39210002
Assuming all 4 Motorola APs have 2 SSIDs each (business and local) so that both types of users can connect to any of the 4 available access points at any give time.

Your interest is to divide the network between business and local so that the local traffic cannot access/interfere with the business traffic (due to obvious security reasons).

Assume we have the setup as described in your post above and the APs are in BRIGDE mode and not ROUTER mode. (so that they end users can get the LAN IP address from Draytek and not APs)

User 1 is connecting as BUSINESS user and getting an IP of
User 2 is connecting as LOCAL user and getting an IP
Both, secure and open users are now on same network and doesn't serve your purpose.

Now, how will a VLAN segregate the traffic/users based on SSID? Is there an option in Draytek or the APs to associate a particular VLAN to a particular SSID?

You may attempt this:
Create two VLANs on switch.
Make Port 20 member of both VLANs (Routers port)
Make 21 and 22 member of VLAN X (Business with Wireless Key)
Make 23 and 24 member of VLAN Y (local and open network)

** This will limit the coverage as each type of user will have access to 2 APs against 4 :(
Do not enable inter VLAN routing as it will enable communication between business and local (which you do not want in the first place).

Please correct me if I am going off the track and let us know if you have any other ideas.
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.


Author Comment

ID: 39211984
Your interpretation of the network layout is spot on again :)

I'll set it up this way & let you know the results.

Author Comment

ID: 39211986
On the Vlan, should the ports be tagged, untagged or something else?
LVL 10

Expert Comment

by:Mohammed Rahman
ID: 39224506
Tagging can only be done on a Trunk Port and not on Access ports.

When VLANs span multiple switches, VLAN Tagging is required. VLAN Tagging is the practice of inserting a VLAN ID into a packet header in order to identify which VLAN the packet belongs to. More specifically, switches use the VLAN ID to determine which port(s), or interface(s), to send a broadcast packet to.

In our case, we are connecting 2 APs to port 21 and 22 (that will have the wireless security enabled). And these two ports will be member of VLAN X only. Also, these ports will be Access ports and not Trunks. (Reason: We do not have the option to configure 2 SSIDs with two different IP addresses).

We are forcing port 21 and 22 to be part of one VLAN (X) and hence allowing only single network over it. As the port is configured to allow only one VLAN and not multiple, it should be forced to be in ACCESS mode.
** If you keep the port 21 and 22 as trunk, anyone from local (non secure) network can install a dummy switch emulator, make himself a member of business network VLAN and access your business network.

Hence, never configure a port as TRUNK to which the local users have access to.

So, long story short :) - Keep the port 21 and 22 as ACCESS only. So, no VLAN tagging. ONLY the port 20 must be trunk as it will have to carry two seperate VLAN traffic to Draytek router.

The same above explanation applies to port 23 and 24.

Author Comment

ID: 39224671
Ok, thanks for the explanation. I'll keep you posted.

Author Closing Comment

ID: 39286047
Sorry for the delay in responding.

Thanks for your advice. Appreciate it.

Featured Post

Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are thinking of adopting cloud services, or just curious as to what ‘the cloud’ can offer then the leader according to Gartner for Infrastructure as a Service (IaaS) is Amazon Web Services (AWS).  When I started using AWS I was completely new…
DECT technology has become a popular standard for wireless voice communication. DECT devices are not likely to be affected by other electronic devices and signals because they operate in a separate frequency-band.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question