How to determine if a particular type of device uses only a particular subnet

I have two private IP scopes at my site.  This was created due to us running out of IP addresses.  Most of the devices use the DHCP server to obtain their IP.  I also have two WLANS set up.  One for employees and others for guest usage.  I want the personal devices of our employees to use one of the subnets exclusively and only use the guest WLAN. I am using a Cisco 2500 Wireless Lan Controller.
Asked by Salonge
 
masnrock commented:
Got it. I was under the assumption that you already had VLANs in place. I'd recommend that you create a guest VLAN that uses (for example) 10.100.200.x. For the sake of this example, I will assume you assign that VLAN an ID of 200. Then in your controller, have the guest WLAN associated with the ID that you give the new VLAN, which would be 200 in this case.
0
 
Akinsd (Network Administrator) commented:
Just map that subnet to the guest WLAN.

You can use Advanced IP Scanner to see which devices are connected to the subnet:
https://advanced-ip-scanner.en.softonic.com/
0
 
Fred Marshall (Principal) commented:
You say that you want the personal devices of the employees to use the Guest WLAN.
In a way this is easy and also may be difficult.  The first approach is to simply tell them which network to use.  The issue is that they will probably know the employees' business WLAN credentials as well.  So, how to manage the separation?  One way is to not give out the company WLAN credentials and have designated people install them on the devices that need it.

You also say that there are 2 WLANS set up.  Do they each have their own subnet?  What are the subnets?

You created this in order to increase the number of available addresses.  This implies that the Guest and Company subnets aren't separated in any way.  Is that correct?
0

 
masnrock commented:
You could utilize 802.1X and certificates for the main network, which should accomplish your goal.
0
 
Salonge (Author) commented:
Fred - They know which WLAN to use and yes that is the easy part, but I want that particular WLAN to use a particular scope.  We have two scopes in the subnet at our location.  I hope I am saying this correctly.  When one scope has all of its IPs in use, then it rolls over to the other.  I just want all the guest devices to use one particular WLAN.  This way I can tell if they are following the directives to put all personal devices on the particular WLAN.

Akinsd - How would I map the WLAN to a particular scope with this tool?
0
 
masnrock commented:
When they connect to the guest network, they are on a guest subnet is what I am assuming here. But since you want to prevent the non-company equipment from connecting to the corporate wireless in the first place, you need something that will do a check of some sort, which is where something like NPS would come into play.
0
 
Salonge (Author) commented:
Masnrock

No they are not.  When they connect to the guest network, they use whichever IP is available in either scope.  So this is my dilemma.  I have IP addresses 10.100.90.xxx and I have IP addresses 10.100.10.xxx.  I want our guest access to use the latter, 10.100.10.xxx.  My question is how can I assure this?
0
 
Akinsd (Network Administrator) commented:
Verify that the DHCP is not configured as a superscope.

On the WLAN tab of the controller, link the SSID to an interface.
Then go to the controller tab, and specify the VLAN and IP range to be used by that interface.
0
 
masnrock commented:
So what I've suggested can be used in conjunction with an IP scanner, RMM, or system management tool. However, if you want something that actually enforces keeping personal devices off of the main network, that's when you get into certificates and 802.1X. What is the size of the organization this is for?
0
 
Salonge (Author) commented:
Akinsd - It is a superscope.

Masnrock - We are talking about 75 people at this site.
0
 
masnrock commented:
You need to create a separate VLAN then, with its own subnet and DHCP range as pointed out in #a41969638.

Based on the information you've provided, it looks like there is no separation of the subnets right now. The way you have things built now, everything is going to the exact same network, hence why you needed to create the superscope. Once you get the VLANs in place and the guest WLAN pointing to the guest VLAN as suggested, you should no longer require the superscope.

My mention of 802.1X w/ certificate authentication is for actually enforcing through an automated means. MAC address authentication is bad because the MAC can be spoofed.
0
 
Fred Marshall (Principal) commented:
Probably the most typical approach is to set the Guests up with their own Guest LAN or VLAN.  Generally they would not get access to the company LAN but that's an option.

MAC address assignment is less secure because the MAC can be spoofed.  But the approach still provides maybe everything one might want .. in some cases and possibly not yours here.

Presumably with the Cisco 2500 you have Cisco access points.  Right?  2 of them or .... ?  What is the rest of the setup?
0
 
masnrock commented:
How did this end up turning out?
0
 
Salonge (Author) commented:
Sorry, I haven't responded.  What I did was to attach the guest wifi network to its separate VLAN with its own IP address.  So now when users connect to the prohibited wireless router, I can tell by looking at my DHCP server.  If I see their device, I know they are not connecting to the one set up for guest.
0
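
The check described in the post above (reading the DHCP leases to see which subnet a device landed on), as an added example that is not part of the original thread. It assumes /24 masks on the two ranges named in the thread, a hypothetical inventory of company-owned MAC addresses, and a hypothetical `ip,mac,hostname` lease export; all sample records are constructed.

```python
import ipaddress

# Subnets from the thread; the /24 masks are an assumption.
CORP_NET = ipaddress.ip_network("10.100.90.0/24")   # employee WLAN / wired
GUEST_NET = ipaddress.ip_network("10.100.10.0/24")  # guest WLAN on its own VLAN

# Constructed inventory of company-owned MAC addresses (hypothetical).
COMPANY_MACS = {"02:00:00:aa:00:01", "02:00:00:aa:00:02"}

# Constructed lease export, one "ip,mac,hostname" record per line (hypothetical format).
SAMPLE_LEASES = """\
10.100.90.21,02-00-00-AA-00-01,ACCT-PC01
10.100.90.57,02:00:00:BB:00:09,personal-phone
10.100.10.14,02:00:00:bb:00:0a,personal-tablet
10.100.10.30,02:00:00:AA:00:02,SALES-LT07
172.16.5.9,02:00:00:cc:00:01,unknown
"""

def norm_mac(mac):
    """Normalise a MAC to lowercase colon-separated form."""
    return mac.strip().lower().replace("-", ":")

def audit_leases(lease_text, company_macs=COMPANY_MACS):
    """Return (ip, mac, hostname, reason) for every lease that breaks the policy."""
    known = {norm_mac(m) for m in company_macs}
    findings = []
    for line in lease_text.splitlines():
        if not line.strip():
            continue
        ip_text, mac, host = (field.strip() for field in line.split(",", 2))
        ip, mac = ipaddress.ip_address(ip_text), norm_mac(mac)
        if ip in CORP_NET and mac not in known:
            reason = "unknown device on corporate subnet"
        elif ip in GUEST_NET and mac in known:
            reason = "company device on guest subnet"
        elif ip not in CORP_NET and ip not in GUEST_NET:
            reason = "lease outside both expected subnets"
        else:
            continue
        findings.append((ip_text, mac, host, reason))
    return findings

if __name__ == "__main__":
    # MACs can be spoofed (as noted in the thread), so this is monitoring, not enforcement.
    for finding in audit_leases(SAMPLE_LEASES):
        print(*finding, sep="  ")
```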
 
Fred Marshall (Principal) commented:
Guests should not have the passphrase for the non-guest network.  So that shouldn't be a problem.  At least in the context of the original question where there are office folks and guests .. separate groups.
0
 
masnrock commented:
The problem was that all of the networks were using the same set of IP addresses, so there was no way to discern between them if you looked at the addresses in use, even if the user was connecting to the correct wireless network. The VLAN corrected that because rather than using a shared pool of IPs, there was a totally separate one.
0
 
Salonge (Author) commented:
I was able to create a VLAN with a separate ID and then I associated that VLAN with the guest wireless in the Controller.  So when people connect to the guest wireless, they use the IP within the VLAN.
0
Question has a verified solution.
