Segragate WIFI guest Access Points with 2 SSID's

Hi experts

I have been asked to setup a free wireless network at work for our customers.

The boss wants it open to the customers, but i'm a little gunshy on having that on the same address scheme as our local network.

I've purchased 4 Motorola AP6532 units which have been pre-configured with 2 SSID's. 1 for the guest (which is open) & 1 for the Business (which is secured PSK). The AP's have a static IP address in the same range as the local network.

I have a HP 2620 Poe switch & a draytek router. The AP's are Poe from the switch (currently ports 21-24).

What i would like to do, if it's possible, is have the guest SSID on a different range to everything else. E.g 192.168.1/24.

That would leave the local network & SSID 2 (business use) on the same subnet, with internet access etc.

I'm a little confused how i would achieve this when the SSID's are on the AP's. If i have to assign an IP to the AP's, will the guest wifi network be able to access the internet as required?

Is this at all possible?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Mohammed RahmanCommented:
If I am assuming it correct, the ISP connects to Draytek Router. From Draytek, a cable is running to HP 2620.Then, 4 Motorola APs are connected to the Switch via port 21 to 24.

Looks like you can assign just ONE IP to the LAN interface to these access points. Hence, you might not be able to segregate the business (SSID 2) traffic from the local open (SSID 1)

From the manuals ""
I see the the AP has the option to assign two SSIDs. However, there is not option to assign to LAN IPs and bind each IP with each SSID.
cuadminAuthor Commented:
"If I am assuming it correct, the ISP connects to Draytek Router. From Draytek, a cable is running to HP 2620.Then, 4 Motorola APs are connected to the Switch via port 21 to 24."

You are spot on...this is exactly how it is currently connected.

On the Draytek i've configured 'Vlan2' on port 4 & assigned it an address The Draytek port is connected to HP port 20. On the HP i've configured a separate Vlan for ports 20-24, being the Draytek Connection & the 4 AP's.

I can get the 2 subnets talking via interlan routing on the Draytek, but i'm not sure if there's a better or more secure way of doing things. If i can't separate the SSID's, i guess i'm left with little options.
Mohammed RahmanCommented:
Assuming all 4 Motorola APs have 2 SSIDs each (business and local) so that both types of users can connect to any of the 4 available access points at any give time.

Your interest is to divide the network between business and local so that the local traffic cannot access/interfere with the business traffic (due to obvious security reasons).

Assume we have the setup as described in your post above and the APs are in BRIGDE mode and not ROUTER mode. (so that they end users can get the LAN IP address from Draytek and not APs)

User 1 is connecting as BUSINESS user and getting an IP of
User 2 is connecting as LOCAL user and getting an IP
Both, secure and open users are now on same network and doesn't serve your purpose.

Now, how will a VLAN segregate the traffic/users based on SSID? Is there an option in Draytek or the APs to associate a particular VLAN to a particular SSID?

You may attempt this:
Create two VLANs on switch.
Make Port 20 member of both VLANs (Routers port)
Make 21 and 22 member of VLAN X (Business with Wireless Key)
Make 23 and 24 member of VLAN Y (local and open network)

** This will limit the coverage as each type of user will have access to 2 APs against 4 :(
Do not enable inter VLAN routing as it will enable communication between business and local (which you do not want in the first place).

Please correct me if I am going off the track and let us know if you have any other ideas.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Angular Fundamentals

Learn the fundamentals of Angular 2, a JavaScript framework for developing dynamic single page applications.

cuadminAuthor Commented:
Your interpretation of the network layout is spot on again :)

I'll set it up this way & let you know the results.
cuadminAuthor Commented:
On the Vlan, should the ports be tagged, untagged or something else?
Mohammed RahmanCommented:
Tagging can only be done on a Trunk Port and not on Access ports.

When VLANs span multiple switches, VLAN Tagging is required. VLAN Tagging is the practice of inserting a VLAN ID into a packet header in order to identify which VLAN the packet belongs to. More specifically, switches use the VLAN ID to determine which port(s), or interface(s), to send a broadcast packet to.

In our case, we are connecting 2 APs to port 21 and 22 (that will have the wireless security enabled). And these two ports will be member of VLAN X only. Also, these ports will be Access ports and not Trunks. (Reason: We do not have the option to configure 2 SSIDs with two different IP addresses).

We are forcing port 21 and 22 to be part of one VLAN (X) and hence allowing only single network over it. As the port is configured to allow only one VLAN and not multiple, it should be forced to be in ACCESS mode.
** If you keep the port 21 and 22 as trunk, anyone from local (non secure) network can install a dummy switch emulator, make himself a member of business network VLAN and access your business network.

Hence, never configure a port as TRUNK to which the local users have access to.

So, long story short :) - Keep the port 21 and 22 as ACCESS only. So, no VLAN tagging. ONLY the port 20 must be trunk as it will have to carry two seperate VLAN traffic to Draytek router.

The same above explanation applies to port 23 and 24.
cuadminAuthor Commented:
Ok, thanks for the explanation. I'll keep you posted.
cuadminAuthor Commented:
Sorry for the delay in responding.

Thanks for your advice. Appreciate it.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Network Architecture

From novice to tech pro — start learning today.