How to determine if a particular type of device uses only a particular subnet

Posted on 2017-01-18
Last Modified: 2017-03-14
I have two private IP scopes at my site.  This was created due to us running out of IP addresses.  Most of the devices use the DHCP server to obtain their IP.  I also have two WLANs set up.  One for employees and others for guest usage.  I want the personal devices of our employees to use one of the subnets exclusively and only use the guest WLAN. I am using a Cisco 2500 Wireless LAN Controller.
0
Question by:Salonge
18 Comments
 
LVL 18

Expert Comment

by:Akinsd
ID: 41968887
Just map that subnet to the guest wlan

You can use advanced ip scanner to see which devices are connected to the subnet
https://advanced-ip-scanner.en.softonic.com/
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 41968892
You say that you want the personal devices of the employees to use the Guest WLAN.
In a way this is easy and also may be difficult.  The first approach is to simply tell them which network to use.  The issue is that they will probably know the employees business WLAN credentials as well.  So, how to manage the separation?  One way is to not give out the company WLAN credentials and have designated people install them on the devices that need it.

You also say that there are 2 WLANS set up.  Do they each have their own subnet?  What are the subnets?

You created this in order to increase the number of available addresses.  This implies that the Guest and Company subnets aren't separated in any way.  Is that correct?
0
 
LVL 31

Expert Comment

by:masnrock
ID: 41968901
You could utilize 802.1X and certificates for the main network, which should accomplish your goal.
0
 

Author Comment

by:Salonge
ID: 41969508
Fred - They know which WLAN to use and yes that is the easy part, but I want that particular WLAN to use a particular scope.  We have two scopes in the subnet at our location.  I hope I am saying this correctly.  When one scope has all of its IPs in use, then it rolls over to the other.  I just want all the guest devices to use one particular WLAN.  This way I can tell if they are following the directives to put all personal devices on the particular WLAN.

Akinsd - How would I map the WLAN to a particular scope with this tool?
0
 
LVL 31

Expert Comment

by:masnrock
ID: 41969532
When they connect to the guest network, they are on a guest subnet is what I am assuming here. But since you want to prevent the non company equipment from connecting to the corporate wireless in the first place, you need something that will do a check of some sort, which is where something like NPS would come into play.
0
 

Author Comment

by:Salonge
ID: 41969629
Masnrock

No, they are not.  When they connect to the guest network, they use whichever IP is available in either scope.  So this is my dilemma.  I have IP address - 10.100.90.xxx and I have IP addresses 10.100.10.xxx  I want our guest access to use the latter of 10.100.10.xxxx.  My question is how can I assure this?
0
 
LVL 31

Accepted Solution

by:
masnrock earned 2000 total points
ID: 41969638
Got it. I was under the assumption that you already had VLANs in place. I'd recommend that you create a guest VLAN that uses (for example) 10.100.200.x. For the sake of this example, I will assume you assign that VLAN an ID of 200. Then in your controller, have the guest WLAN associated with the ID that you give the new VLAN, which would be 200 in this case.
0
 
LVL 18

Expert Comment

by:Akinsd
ID: 41969642
Verify that the DHCP is not configured as a superscope.

On the WLAN tab of the controller, link the SSID to an interface.
Then go to the controller tab, and specify the VLAN and IP range to be used by that interface.
0
 
LVL 31

Expert Comment

by:masnrock
ID: 41969655
So what I've suggested can be used in conjunction with an IP scanner, RMM, or system management tool. However, if you want something that actually enforces keeping personal devices off of the main network, that's when you get into certificates and 802.1X. What is the size of the organization this is for?
0
 

Author Comment

by:Salonge
ID: 41969702
Akinsd - It is a superscope.

Masnrock - We are talking about 75 people at this site.
0
 
LVL 31

Expert Comment

by:masnrock
ID: 41969708
You need to create a separate VLAN then, with its own subnet and DHCP range as pointed out in #a41969638.

Based on the information you've provided, it looks like there is no separation of the subnets right now. The way you have things built now, everything is going to the exact same network, hence why you needed to create the superscope. Once you get the VLANs in place and the guest WLAN pointing to the guest VLAN as suggested, you should no longer require the superscope.

My mention of 802.1X w/ certificate authentication is for actually enforcing through an automated means. MAC address authentication is bad because the MAC can be spoofed.
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 41970144
Probably the most typical approach is to set the Guests up with their own Guest LAN or VLAN.  Generally they would not get access to the company LAN but that's an option.

MAC address assignment is less secure because the MAC can be spoofed.  But the approach still provides maybe everything one might want .. in some cases and possibly not yours here.

Presumably with the Cisco 2500 you have Cisco access points.  Right?  2 of them or .... ?  What is the rest of the setup?
0
 
LVL 31

Expert Comment

by:masnrock
ID: 41991326
How did this end up turning out?
0
 

Author Comment

by:Salonge
ID: 42027268
Sorry, I haven't responded.  What I did was to attach the guest wifi network to its separate VLAN with its own IP address.  So now when users connect to the prohibited wireless router, I can tell by looking at my DHCP server.  If I see their device, I know they are not connecting to the one set up for guest.
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 42027576
Guests should not have the passphrase for the non-guest network.  So that shouldn't be a problem.  At least in the context of the original question where there are office folks and guests .. separate groups.
0
 
LVL 31

Expert Comment

by:masnrock
ID: 42027583
The problem was that all of the networks were using the same set of IP addresses, so there was no way to discern between them if you looked at the addresses in use, even if the user was connecting to the correct wireless network. The VLAN corrected that because rather than using a shared pool of IPs, there was a totally separate one.
0
 

Author Comment

by:Salonge
ID: 42048092
I was able to create a VLAN with a separate ID and then I associated that VLAN with the guest wireless in the Controller.  So when people connect to the guest wireless, they use the IP within the VLAN.
0
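
The lease check described in this thread (reading the DHCP server to see which devices sit outside the guest range) can be scripted once the guest WLAN has its own VLAN and scope. The following is an added example, not code from any participant. It assumes /24 masks, treats the two original scopes as corporate and the accepted answer's example range 10.100.200.x as guest, and uses a hypothetical company MAC inventory and constructed lease records.

```python
import ipaddress

# Assumed addressing: the two existing scopes stay corporate; the guest VLAN
# uses the accepted answer's example range. The /24 masks are assumptions.
CORPORATE_NETS = [ipaddress.ip_network("10.100.90.0/24"),
                  ipaddress.ip_network("10.100.10.0/24")]
GUEST_NET = ipaddress.ip_network("10.100.200.0/24")

# Hypothetical inventory of company-owned adapters (constructed MACs).
COMPANY_MACS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}

# Constructed lease export: (ip, mac, hostname).
SAMPLE_LEASES = [
    ("10.100.90.21", "00-11-22-AA-BB-01", "ws-acct-01"),
    ("10.100.10.57", "0011.22aa.bb02", "ws-hr-02"),
    ("10.100.200.14", "A4:5E:60:11:22:33", "Janes-iPhone"),
    ("10.100.90.88", "a4:5e:60:44:55:66", "android-7f3c"),
    ("192.168.1.5", "00:11:22:aa:bb:01", "ws-acct-01"),
]

def normalize_mac(mac):
    """Reduce dash, colon or Cisco dotted notation to aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(ip, mac):
    """Label one lease by subnet and by whether the MAC is company-owned."""
    addr = ipaddress.ip_address(ip)
    if addr in GUEST_NET:
        return "ok-guest"
    if any(addr in net for net in CORPORATE_NETS):
        known = normalize_mac(mac) in COMPANY_MACS
        return "ok-corporate" if known else "personal-on-corporate"
    return "unexpected-subnet"

def audit(leases):
    """Return leases needing follow-up as (status, ip, mac, hostname)."""
    findings = []
    for ip, mac, host in leases:
        status = classify(ip, mac)
        if not status.startswith("ok-"):
            findings.append((status, ip, normalize_mac(mac), host))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE_LEASES):
        print(*row)
```

This only reports what the leases show. As noted in the thread, a MAC can be spoofed, so a device presenting a company MAC passes this check; keeping personal devices off the corporate WLAN still needs 802.1X with certificates.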
