How to properly design 2 Guest Wireless networks and not to connect to the corporate network.

Pkafkas
Pkafkas used Ask the Experts™
on
What is a better design regarding a company wireless network?

At my work we have 2 Guest Wireless Networks.  

1.  Guest Wireless (SSID) (172.20.102.0/24)
2.  BYOD Wireless (SSID) (172.20.103.0/24)

These 2 SSIDs are not routed to our company network in any way.  We have 2 wireless routers/controllers for high availability, our corporate network SSIDs provide DHCP from our internal DHCP server; but, both guest wireless SSIDs use the controllers for the DHCP server.  The only problem is that

Controller 1 has 1/2 of each individual DHCP scope and it has the default gateway of 102.1 and 103.1


Controller 2 has the other 1/2 of each individual scope and it has the default gateway of 102.127 and 103.127.

The Wireless Guest Lans work great and they have no connection to the corporate network; but, I noticed that if either controller is off-line the guest users must do an ipconfig /release to clear out the IP settings (default gateway for that SSSID in order to receive the correct IP settings from the other controller (Controller 2).  Hence the guest access is not a seamless fail-over process.  If you are connected to a controller 2 ( a unique gateway IP address) and already have controller 1's Default gateway ip address cacahed in memory … you will not be able to connect to the internet from controller 2 until you perform an ipconfig /release.  


Is there a better way to design the Guest Wifi Access for these 2 x GUest SSID's?  Currenlty we have 1 older WiFi Controller in production; but, it was thought to have 2 controllers for the new setup and provide High Availability.  The current WiFi setup doe snot have this DHCP design problem.

Any Ideas for a better design and easier guest access transition to truly benefit from H.A.?  The corporate networks are unaffected because their network ip addresses are originating from our corporate network and not from the Wireless controllers
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Hence the guest access is not a seamless fail-over process.

If the two kinds of devices can be on the same network (not on Corporate), use a couple of Ubiquiti Access points keyed to a main wireless router.   Then moving about will be transparent.
PkafkasNetwork Engineer

Author

Commented:
The wirelrss devices (wireless controllers) do need to be on the corporate network and we do not wish the 2 x SSIDs to be able to router to each other either.  The wireless controllers will need to route corporate Wi-Fi connections to the Access Points as well.

Unless are you saying to add 2 additional devices such as Ubiquiti A.P.'s or anything that can provide DHCP (or a NetGear Router).  

1 x NetGear Router with scope 172.20.102.0/24 - Def. Gtwy 102.1

1 x NetGear Router with scope 172.20.103.0/24 - Def. Gtwy 103.1


Then connect an access port from the NetGear to the Wireless controller that has a VLAN and IP address assigned that is within the same DHCP Scope but is an excluded IP address from DHCP.

[embed=file 1410685]

I think the above diagram should work, is this what you were thinking as well?  Or were you thinking something different?  Any thoughts?
New_Design_02.PNG
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
You can set one Wireless Router on your network (DHCP OFF, I use a static IP on the network). From there if you need more range, you can add a Ubiquiti AP.

Then put another Wireless Router OFF your network (DHCP ON and Different SSID - must be). Then again if you need more range, you can add a Ubiquiti AP on this one (different than the other network).

If a device switches between Guest and Company and is using vanilla DHCP, you need only disconnect from one and connect to the other. Make sure "Automatically Connect" is disabled on the unused network.
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

PkafkasNetwork Engineer

Author

Commented:
Mr. John,

Remember that we will require 2 separate guest SSIDs (Guest access, BYOD access).  And these SDIDs should not communicate or be routable to each other.  

Question1:  Will the above design work for a hassle free failover if 1 wireless controller goes down in a planned or unplanned maintenance window?  Since the gateway IP addresses will not change for the user and the DHCP Server/Device source remains the same.

Quesiton2:  If yes, we will not have any control over the devices unless we are physically at that location and connecting to an available access port on the NetGear DHCP router.

a.  https://kb.netgear.com/24089/How-do-I-specify-the-pool-of-IP-addresses-assigned-by-my-Nighthawk-router
b.  https://kb.netgear.com/20486/How-to-enter-a-static-IP-address-on-a-NETGEAR-Router


I just want to verify that the above will provide a seamless failover for the guest clients.  Just like we currently have a seamless failover for the corporate clients.  But the problem is that if we are in our headquarters in Chicago and an office is in Seattle, then we will not have any control over the Guest Wireless Configuration unless we are physically at the Seattle location.  How can we get the same functionality but control everything from the headquarters and not have to be in the physical spot to control the guest DHCP configurations?  And still have 2 x Wireless controllers for High Availability?
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
So long as you have guests on one network, and one access point goes down, yes it should be seamless. But NOT to the Corporate network.

Question 2: Ubiquiti Access Points can be managed from the central controller. Otherwise you do not have any control if you are not there, so you need decent security if you want that for guests.
PkafkasNetwork Engineer

Author

Commented:
Well we already have a Controller for central management access.  It sounds as if we use Ubiquity will need another central Controller just for Guest Access and connect to that separately from the original controller.

Or use a local device for guest DHCP natting.  I am concerned about security as well.  I think that the solution is either:

1.  Use 1 Wireless controller to provide DHCP to guest clients and forget about High Availability.


2.  Live with the fact that guest access will simple need to push an ipconfig /all if 1 of the controllers goes down.


I wonder what other companies recommend with this setup?  2 separate SSIDs and have 2 Wireless controllers for redundancy; but, not an additional wireless system just for guest access and the original for corporate access.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
You only need one SSID for Corporate and one different SSID for Guest. If either network has more than one Access Point you can move about seamlessly.

You cannot fail over from Guest to Corporate or vice versa without compromising your Corporate network
PkafkasNetwork Engineer

Author

Commented:
We require 2 x Guest SSIDs?  

1 x SSID for BYOD (Bring your own device, no n corporate network access, just internet) (172.20.102.0/24)
1 x SSiD for Guest Access (172.20.103.0/24)
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Why?  Guest and BYOD on Guest are the same thing (to me).

If you really want two Guest SSIDs, that will work, but users may need to disconnect from one before connecting to the other.
PkafkasNetwork Engineer

Author

Commented:
Because we want to protect our corporate sponsored guests that are at our facility for work purposes from the IoT that people may bring with them like cell phones and personal tablets.

This is a higher up executive decision.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
So then use your routine and process, but that will not allow seamless transition in the event of failure. You must disconnect and reconnect. No big deal with high quality equipment.
PkafkasNetwork Engineer

Author

Commented:
Just to clarify you are suggesting to use what we have in place right now without any ubiquiti or netgear DHCP roeuters.  That would mean taht if there is a maintneace window and or a surprise then the guest access devices will need to

1. Connect to the SSID.
2.  Execute ipconfig /release from the command line.
3.  Remove the SSID from the wireless networks.
4.  Re-Connect then you are good again.

On another note, I thought about using 2 available ports on our Firewall.  1 Port for each Guest network and have the Firewall act as the DHCP server for each DHCP scope.  Then connect those Firewall Zones to an individual VLan on our core switch without an assigned IP addess to those 2 VLans (1 Vlan - BYOD, 2-VLan - Guest).

Then cross-connect the 2 vlans to each wireless controller for routing within that same VLan.  I think that may work as well.  Any thoughts?  If we have a VLan on our core switch without any assigned IP address that will not be able to route to our other corporate VLans.  And we will still have management access to the DHCP scope and route it right to the internet.   How about that?
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
More or less, Yes. If you use good equipment and devices are correctly set up , there will not be much difficulty
PkafkasNetwork Engineer

Author

Commented:
Thank you for your assistance Jon.  I appreciate your feedback.  I am a little surprised no one else wieghed in, on this discussion.

Did you think the idea about the firewall is realistic?
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Just make sure the firewall allows both sets of users . That will not be difficult
PkafkasNetwork Engineer

Author

Commented:
This is what I did.  I had an idea and it works very well.  No need to add additional equipment.  I just need to make a couple of clicks.

1.  The Guest and BYOD Wireless Networks are local on each Wireless Controller (Switch).
      a.  Hence a user with 172.20.103.10 on Controller#1 cannot ping with any 172.20.103.0 client on Controller #2.

2.  The DHCP IP address scope is intentionally split up 50% on controller 1 and 50% on Controller 2.
      a.  Controller#1 gives 172.20.103.5 - 172.20.103.126
      b.  Controller#2 gives 172.20.103.127 - 254

3.  Controller 1 had DHCP Deft. Gtwy 103.1 and that IP was assigned to a local VLan on that switch.
     a.  Controller 2 had DHCP Deft. Gtwy 103.2 and that IP 103.2 was assigned to a local vlan on that switch.
     b.  Even though the 2 local VLans did not communicate with each other on that vlan at all.
     c,  The controllers/switches used a different vlan and ip address for management purposes.

4.  That was when a fail-over happened the 103.10 IP address has the dft. gateway of 103.1.
     a.  It failed over to the other wireless switch which did not have 103.1 assigned to its VLan for internal routing purposes.
     b.  Internal routing to the local switch.  That same VLan is not connected to any other network.
     c.  Any network route that the 103.0 subnet does not know where to route to is sent to the internet only VLAN.  
     d.  So the 103.0 subnet on both controllers are not routing to eachother or any other network.
     e.  The internet only vlan has its own unique IP address for each wireless controller and each ahas its own connection to the internet only vlan.
     f. The heartbeat checks are on the management vlan, not assocaited with the 103.0 vlan at all.  
     g. The 103.0 network is isolated to each controller.

5.  What I ended up trying out, is I just changed the locally assigned VLan 103.0 IP address on each controller to be 103.1.
    a,  I also cahnged the For DHCP scope Default gateway settings on each controller to be 103.1 as well.
    b.  This way when 103.10 failed over to the other controller, then the other controller was already using 103.1 for its local internal routing.
    c.  An ipconfig /release is not necessary and the failover works like a champ!!!!
    d.  Since each wireless controller does not see the other guest vlans the failover works seamlessly, back and forth.


Any thoughts?
Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
Just make sure about your network security and if you are satisfied and it is working for you, then it should be fine.
PkafkasNetwork Engineer

Author

Commented:
I found my own solution.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Thank you.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial