Segregate WiFi guest access points with 2 SSIDs

Posted on 2013-05-30
Last Modified: 2013-06-28
Hi experts

I have been asked to setup a free wireless network at work for our customers.

The boss wants it open to the customers, but I'm a little gunshy on having that on the same address scheme as our local network.

I've purchased 4 Motorola AP6532 units which have been pre-configured with 2 SSIDs: one for guests (which is open) and one for the business (which is PSK-secured). The APs have a static IP address in the same range as the local network.

I have an HP 2620 PoE switch and a DrayTek router. The APs are powered by PoE from the switch (currently ports 21-24).

What I would like to do, if it's possible, is have the guest SSID on a different range to everything else, e.g. 192.168.1.0/24.

That would leave the local network & SSID 2 (business use) on the same subnet, with internet access etc.

I'm a little confused how I would achieve this when the SSIDs are on the APs. If I have to assign an IP to the APs, will the guest WiFi network be able to access the internet as required?

Is this at all possible?

Question by:cuadmin
Expert Comment

by:Mohammed Rahman
ID: 39209903
If I am assuming it correctly, the ISP connects to the DrayTek router. From the DrayTek, a cable is running to the HP 2620. Then, 4 Motorola APs are connected to the switch via ports 21 to 24.

Looks like you can assign just ONE IP to the LAN interface of these access points. Hence, you might not be able to segregate the business (SSID 2) traffic from the local open (SSID 1) traffic.

From the manuals, I see the AP has the option to assign two SSIDs. However, there is no option to assign two LAN IPs and bind each IP with each SSID.

Author Comment

ID: 39209916
"If I am assuming it correct, the ISP connects to Draytek Router. From Draytek, a cable is running to HP 2620.Then, 4 Motorola APs are connected to the Switch via port 21 to 24."

You are spot on...this is exactly how it is currently connected.

On the DrayTek I've configured 'Vlan2' on port 4 and assigned it an address. The DrayTek port is connected to HP port 20. On the HP I've configured a separate VLAN for ports 20-24, being the DrayTek connection and the 4 APs.

I can get the 2 subnets talking via inter-LAN routing on the DrayTek, but I'm not sure if there's a better or more secure way of doing things. If I can't separate the SSIDs, I guess I'm left with few options.
Accepted Solution

Mohammed Rahman earned 500 total points
ID: 39210002
Assuming all 4 Motorola APs have 2 SSIDs each (business and local) so that both types of users can connect to any of the 4 available access points at any given time.

Your interest is to divide the network between business and local so that the local traffic cannot access/interfere with the business traffic (due to obvious security reasons).

Assume we have the setup as described in your post above and the APs are in BRIDGE mode and not ROUTER mode (so that the end users get their LAN IP address from the DrayTek and not from the APs).

User 1 is connecting as BUSINESS user and getting an IP of
User 2 is connecting as LOCAL user and getting an IP
Both secure and open users are now on the same network, which doesn't serve your purpose.

Now, how will a VLAN segregate the traffic/users based on SSID? Is there an option in Draytek or the APs to associate a particular VLAN to a particular SSID?

You may attempt this:
Create two VLANs on switch.
Make port 20 a member of both VLANs (the router's port)
Make 21 and 22 member of VLAN X (Business with Wireless Key)
Make 23 and 24 member of VLAN Y (local and open network)

** This will limit the coverage as each type of user will have access to 2 APs against 4 :(
Do not enable inter VLAN routing as it will enable communication between business and local (which you do not want in the first place).

Please correct me if I am going off the track and let us know if you have any other ideas.

Author Comment

ID: 39211984
Your interpretation of the network layout is spot on again :)

I'll set it up this way & let you know the results.

Author Comment

ID: 39211986
On the Vlan, should the ports be tagged, untagged or something else?
Expert Comment

by:Mohammed Rahman
ID: 39224506
Tagging can only be done on a Trunk Port and not on Access ports.

When VLANs span multiple switches, VLAN Tagging is required. VLAN Tagging is the practice of inserting a VLAN ID into a packet header in order to identify which VLAN the packet belongs to. More specifically, switches use the VLAN ID to determine which port(s), or interface(s), to send a broadcast packet to.

In our case, we are connecting 2 APs to port 21 and 22 (that will have the wireless security enabled). And these two ports will be member of VLAN X only. Also, these ports will be Access ports and not Trunks. (Reason: We do not have the option to configure 2 SSIDs with two different IP addresses).

We are forcing port 21 and 22 to be part of one VLAN (X) and hence allowing only single network over it. As the port is configured to allow only one VLAN and not multiple, it should be forced to be in ACCESS mode.
** If you keep the port 21 and 22 as trunk, anyone from local (non secure) network can install a dummy switch emulator, make himself a member of business network VLAN and access your business network.

Hence, never configure a port as TRUNK to which the local users have access to.

So, long story short :) - Keep ports 21 and 22 as ACCESS only. So, no VLAN tagging. ONLY port 20 must be a trunk, as it will have to carry two separate VLANs' traffic to the DrayTek router.

The same above explanation applies to port 23 and 24.
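The port layout from the accepted solution and the tagging follow-up, written out as HP 2620 (ProCurve-style) CLI configuration. This is an added example, not the asker's or the expert's own configuration; the VLAN IDs 10 and 20 and the VLAN names are assumptions, and the DrayTek end of port 20 has to be set to tag the same two VLAN IDs.

```text
; Added example (assumed VLAN IDs 10 = business, 20 = guest).
; Business VLAN: AP ports 21-22 carry the PSK-secured SSID, router uplink 20 is tagged.
vlan 10
   name BUSINESS
   untagged 21-22
   tagged 20
   exit
; Guest VLAN: AP ports 23-24 carry the open SSID, router uplink 20 is tagged.
vlan 20
   name GUEST
   untagged 23-24
   tagged 20
   exit
; A port can be untagged in only one VLAN, so "untagged 21-22" under vlan 10
; also removes those ports from the default VLAN 1.
; Ports 21-24 are now untagged in exactly one VLAN and tagged in none (access
; ports); only port 20 carries both tags, which is the single trunk to the DrayTek.
; Check the result:
show vlans
show vlans ports 20-24 detail
```

A port that shows up as tagged in a VLAN other than 20 in the second `show` output would be a trunk reachable from an AP, which is the case the follow-up warns against.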

Author Comment

ID: 39224671
Ok, thanks for the explanation. I'll keep you posted.

Author Closing Comment

ID: 39286047
Sorry for the delay in responding.

Thanks for your advice. Appreciate it.
