CommScope RUCKUS Community Forums

mick_duffin · ‎11-16-2020

Hi there,

We have a ZD 1200 with a number of AP's currently this is configured just for our internal corporate network, this is working well. in the past we have separate AP's for our guest network that connected to a separate port on our firewall so all traffic was just routed out to the internet with no contact with our network.

What I'm looking to do is to add the guest network onto the Ruckus system but also maintaining the distance from our internal network. my initial thought was to some how connect the guest SSID to the second ethernet port on the ZD which would in turn connect to the guest port on our firewall.

I'm not sure if the above is possible? if not what is the best way to setup the guest network? I've looked at the ZD settings to create a guest network but I'm not sure its going to work for us, but I'm open to ideas/help.

Thanks in advance,

Mick.

itdept_head_me · ‎11-16-2020

you can configure the guest ssid to use a different vlan

then just setup your switches to do the same , finally route the vlan to your firewall separate port & configure the vlan on that port.

MAKE SURE you don't bridge your switches and break out the VLAN for guest internally

mick_duffin · ‎11-16-2020

Hi

Thanks for your reply.

I think initially we tried to do this ( prior to going the separate Guest AP route ) but I'm sure we ran into issues setting up DHCP / VLAN etc... ( sorry I'm not a network expert, i just know the basics ) so we couldn't get it to work like this, but I will look into this again.

Currently our firewall is using 192.168.1.0 for the IP range for the guest wifi, via dhcp created on the firewall…

So to get this to work….

Create a VLAN for the guest network ( VLAN 15 for example ) on each switch

Assign VLAN 15 to each port on each switch that both all the AP’s are connected to and also Port 2 on the ZD…

Is the above correct or do I need to do something else?

Thanks in advance.

syamantakomer · ‎11-16-2020

Hi Mick,

You have two options to isolate the Guest SSID/WLAN traffic and directly send them to the internet.

1. Guest SSID with default VLAN.

Setup a new SSID as GUEST in SSID type with your existing VLAN.
Since guest SSID has inbuilt L3 ACLs, it will automatically isolate guest client traffic and will not let anyone access corporate network, even though guests are on the same VLAN.
APs (WLAN interface on the AP) acts as a barrier here, if any guest client try to reach internal network using this SSID.

2. Regular standard SSID with dedicated guest VLAN.

Setup a new VLAN on your Firewall/router with a DHCP server.
Set all the switch ports in AP to firewall's path as trunk port with guest VLAN as tagged on it.
For example, if I have Internet >> Firewall >> Core_Switch >> Distribution/access_switch >> APs. In this setup, all the switch ports connected in route should be trunk with your guest VLAN as tagged.
Now configure a new WLAN as standard WLAN and choose the new Guest VLAN under WLAN >> Advanced settings.

itdept_head_me · ‎11-16-2020

"

1. Guest SSID with default VLAN.

Setup a new SSID as GUEST in SSID type with your existing VLAN.
Since guest SSID has inbuilt L3 ACLs, it will automatically isolate guest client traffic and will not let anyone access corporate network, even though guests are on the same VLAN.
APs (WLAN interface on the AP) acts as a barrier here, if any guest client try to reach internal network using this SSID."

This is not totally correct.......

AP's and zonedirector have ZERO control over external switches & infrastructure

once it leaves the AP or ZD traffic can easily be mis-routed via a combined trunk statement on a switch, that accepts ALL vlans & strips the headers...

you have to be real careful..... on your configs for other equipment...

ESP.... if you have 0.0.0.0 routing rules......

CommScope RUCKUS Community Forums

ZD 1200 Guest network connection