Solved

Segregate WIFI guest Access Points with 2 SSIDs

Posted on 2013-05-30
837 Views
Last Modified: 2013-06-28
Hi experts

I have been asked to setup a free wireless network at work for our customers.

The boss wants it open to the customers, but I'm a little gun-shy on having that on the same address scheme as our local network.

I've purchased 4 Motorola AP6532 units which have been pre-configured with 2 SSIDs: 1 for the guest (which is open) & 1 for the business (which is secured with PSK). The APs have a static IP address in the same range as the local network.

I have an HP 2620 PoE switch & a Draytek router. The APs are PoE from the switch (currently ports 21-24).

What I would like to do, if it's possible, is have the guest SSID on a different range to everything else, e.g. 192.168.1/24.

That would leave the local network & SSID 2 (business use) on the same subnet, with internet access etc.

I'm a little confused how I would achieve this when the SSIDs are on the APs. If I have to assign an IP to the APs, will the guest WiFi network be able to access the internet as required?

Is this at all possible?

Thanks
Question by:cuadmin
8 Comments
 
LVL 10

Expert Comment

by:Mohammed Rahman
ID: 39209903
If I am assuming it correctly, the ISP connects to the Draytek router. From the Draytek, a cable runs to the HP 2620. Then, the 4 Motorola APs are connected to the switch via ports 21 to 24.

Looks like you can assign just ONE IP to the LAN interface on these access points. Hence, you might not be able to segregate the business (SSID 2) traffic from the local open (SSID 1) traffic.

From the manual (http://downloads.visionid.ie/manuals/AP6532.pdf) I see the AP has the option to assign two SSIDs. However, there is no option to assign two LAN IPs and bind each IP to each SSID.
 
LVL 2

Author Comment

by:cuadmin
ID: 39209916
"If I am assuming it correctly, the ISP connects to the Draytek router. From the Draytek, a cable runs to the HP 2620. Then, the 4 Motorola APs are connected to the switch via ports 21 to 24."

You are spot on...this is exactly how it is currently connected.

On the Draytek I've configured 'Vlan2' on port 4 & assigned it an address of 192.168.1.1. The Draytek port is connected to HP port 20. On the HP I've configured a separate VLAN for ports 20-24, being the Draytek connection & the 4 APs.

I can get the 2 subnets talking via inter-LAN routing on the Draytek, but I'm not sure if there's a better or more secure way of doing things. If I can't separate the SSIDs, I guess I'm left with few options.
 
LVL 10

Accepted Solution

by: Mohammed Rahman (earned 500 total points)
ID: 39210002
Assuming all 4 Motorola APs have 2 SSIDs each (business and local) so that both types of users can connect to any of the 4 available access points at any given time.

Your interest is to divide the network between business and local so that the local traffic cannot access/interfere with the business traffic (due to obvious security reasons).

Assume we have the setup as described in your post above and the APs are in BRIDGE mode and not ROUTER mode (so that the end users get their LAN IP address from the Draytek and not from the APs).

User 1 connects as a BUSINESS user and gets an IP of 192.168.1.10
User 2 connects as a LOCAL user and gets an IP of 192.168.1.11
Both secure and open users are now on the same network, which doesn't serve your purpose.

Now, how will a VLAN segregate the traffic/users based on SSID? Is there an option in Draytek or the APs to associate a particular VLAN to a particular SSID?

You may attempt this:
Create two VLANs on switch.
Make Port 20 member of both VLANs (Router's port)
Make 21 and 22 member of VLAN X (Business with Wireless Key)
Make 23 and 24 member of VLAN Y (local and open network)

** This will limit the coverage as each type of user will have access to 2 APs instead of 4 :(
Do not enable inter VLAN routing as it will enable communication between business and local (which you do not want in the first place).

Please correct me if I am going off the track and let us know if you have any other ideas.
 
LVL 2

Author Comment

by:cuadmin
ID: 39211984
Hi
Your interpretation of the network layout is spot on again :)

I'll set it up this way & let you know the results.

 
LVL 2

Author Comment

by:cuadmin
ID: 39211986
On the Vlan, should the ports be tagged, untagged or something else?
 
LVL 10

Expert Comment

by:Mohammed Rahman
ID: 39224506
Tagging can only be done on a Trunk Port and not on Access ports.

When VLANs span multiple switches, VLAN Tagging is required. VLAN Tagging is the practice of inserting a VLAN ID into a packet header in order to identify which VLAN the packet belongs to. More specifically, switches use the VLAN ID to determine which port(s), or interface(s), to send a broadcast packet to.

In our case, we are connecting 2 APs to ports 21 and 22 (that will have the wireless security enabled). And these two ports will be members of VLAN X only. Also, these ports will be Access ports and not Trunks. (Reason: we do not have the option to configure 2 SSIDs with two different IP addresses.)

We are forcing ports 21 and 22 to be part of one VLAN (X) and hence allowing only a single network over them. As the port is configured to allow only one VLAN and not multiple, it should be forced to be in ACCESS mode.
** If you keep ports 21 and 22 as trunk, anyone from the local (non-secure) network can install a dummy switch emulator, make himself a member of the business network VLAN and access your business network.

Hence, never configure a port as TRUNK to which the local users have access.

So, long story short :) - Keep ports 21 and 22 as ACCESS only. So, no VLAN tagging. ONLY port 20 must be a trunk, as it will have to carry two separate VLANs' traffic to the Draytek router.

The same explanation above applies to ports 23 and 24.
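The port layout from the accepted solution together with the tagged/untagged rules in the comment above, written out as an HP 2620 (ProCurve) CLI fragment. This is an added example, not configuration posted in the thread: the VLAN IDs 10 and 20 and their names are assumed, and it assumes the Draytek side of the port-20 link is set to accept 802.1Q-tagged frames for both VLANs, with inter-LAN routing left off on the Draytek so the two subnets stay isolated.

```text
; HP 2620 (ProCurve) VLAN fragment -- added example, not from the thread.
; VLAN IDs and names are assumed: Business = VLAN 10, Guest = VLAN 20.
configure

vlan 10
   name "Business"
   ; AP ports 21-22 are access ports: untagged in exactly one VLAN
   untagged 21-22
   ; port 20 to the Draytek carries both VLANs tagged (the "trunk")
   tagged 20
   exit

vlan 20
   name "Guest"
   ; AP ports 23-24 are access ports for the open SSID
   untagged 23-24
   tagged 20
   exit

; Keep the switch out of inter-VLAN routing; only the Draytek decides
; whether the two subnets talk, and here they must not.
no ip routing

write memory

; Checks: ports 21-24 should each be untagged in one VLAN and tagged in
; none; only port 20 should list both VLANs as tagged.
show vlans
show vlans ports 21-24 detail
show vlans ports 20 detail
```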
 
LVL 2

Author Comment

by:cuadmin
ID: 39224671
Ok, thanks for the explanation. I'll keep you posted.
 
LVL 2

Author Closing Comment

by:cuadmin
ID: 39286047
Sorry for the delay in responding.

Thanks for your advice. Appreciate it.
