ZD 1200 Guest network connection
11-16-2020 01:52 AM
Hi there,
We have a ZD 1200 with a number of APs. Currently this is configured just for our internal corporate network, and this is working well. In the past we had separate APs for our guest network that connected to a separate port on our firewall, so all traffic was just routed out to the internet with no contact with our network.
What I'm looking to do is to add the guest network onto the Ruckus system while also maintaining the distance from our internal network. My initial thought was to somehow connect the guest SSID to the second Ethernet port on the ZD, which would in turn connect to the guest port on our firewall.
I'm not sure if the above is possible? If not, what is the best way to set up the guest network? I've looked at the ZD settings to create a guest network but I'm not sure it's going to work for us, but I'm open to ideas/help.
Thanks in advance,
Mick.
11-16-2020 01:55 AM
You can configure the guest SSID to use a different VLAN.
Then just set up your switches to do the same. Finally, route the VLAN to your firewall's separate port & configure the VLAN on that port.
MAKE SURE you don't bridge your switches and break out the VLAN for guest internally.
11-16-2020 02:11 AM
Hi
Thanks for your reply.
I think initially we tried to do this (prior to going the separate Guest AP route) but I'm sure we ran into issues setting up DHCP / VLAN etc... (sorry, I'm not a network expert, I just know the basics) so we couldn't get it to work like this, but I will look into this again.
Currently our firewall is using 192.168.1.0 for the IP range for the guest Wi-Fi, via DHCP created on the firewall…
So to get this to work…
Create a VLAN for the guest network (VLAN 15 for example) on each switch.
Assign VLAN 15 to each port on each switch that the APs are connected to, and also Port 2 on the ZD…
Is the above correct or do I need to do something else?
Thanks in advance.
11-16-2020 04:07 AM
Hi Mick,
You have two options to isolate the Guest SSID/WLAN traffic and send it directly to the internet.
1. Guest SSID with default VLAN.
- Set up a new SSID as GUEST in SSID type with your existing VLAN.
- Since the guest SSID has inbuilt L3 ACLs, it will automatically isolate guest client traffic and will not let anyone access the corporate network, even though guests are on the same VLAN.
- APs (the WLAN interface on the AP) act as a barrier here if any guest client tries to reach the internal network using this SSID.
2. Regular standard SSID with dedicated guest VLAN.
- Set up a new VLAN on your firewall/router with a DHCP server.
- Set all the switch ports in the AP-to-firewall path as trunk ports with the guest VLAN tagged on them.
- For example, if I have Internet >> Firewall >> Core_Switch >> Distribution/access_switch >> APs, all the switch ports along that route should be trunk ports with your guest VLAN tagged.
- Now configure a new WLAN as a standard WLAN and choose the new guest VLAN under WLAN >> Advanced settings.
Syamantak Omer
Sr. Staff TSE | CWNA | CCNA | RCWA | RASZA | RICXI
RUCKUS Networks, CommScope!
11-16-2020 05:04 PM
"1. Guest SSID with default VLAN.
- Set up a new SSID as GUEST in SSID type with your existing VLAN.
- Since the guest SSID has inbuilt L3 ACLs, it will automatically isolate guest client traffic and will not let anyone access the corporate network, even though guests are on the same VLAN.
- APs (the WLAN interface on the AP) act as a barrier here if any guest client tries to reach the internal network using this SSID."
This is not totally correct...
APs and the ZoneDirector have ZERO control over external switches & infrastructure.
Once it leaves the AP or ZD, traffic can easily be mis-routed via a combined trunk statement on a switch that accepts ALL VLANs & strips the headers...
You have to be real careful on your configs for other equipment...
Especially if you have 0.0.0.0 routing rules...
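
Added example, not part of any post in this thread: a small vendor-neutral audit of the dedicated-guest-VLAN design discussed above, run over a constructed port inventory. It checks that every port on the AP-to-firewall path carries the guest VLAN tagged, that no trunk accepts all VLANs, and that the guest VLAN does not appear on ports off that path. The switch names, port numbers, corporate VLAN 10 and the data layout are assumptions; VLAN 15 is the example number from the thread.

```python
GUEST_VLAN = 15  # example guest VLAN number used in the thread

# Constructed inventory: (switch, port) -> settings.
# "untagged" is the access VLAN or trunk native VLAN; "tagged" is the set of
# tagged VLANs, or the string "all" for a trunk that accepts every VLAN.
PORTS = {
    ("core", "1"):   {"role": "firewall", "untagged": 1,  "tagged": {10, 15}},
    ("core", "2"):   {"role": "downlink", "untagged": 1,  "tagged": "all"},
    ("access", "1"): {"role": "uplink",   "untagged": 1,  "tagged": {10, 15}},
    ("access", "5"): {"role": "ap",       "untagged": 1,  "tagged": {10}},
    ("access", "9"): {"role": "server",   "untagged": 15, "tagged": set()},
}

# Ports on the AP -> firewall path: the only places the guest VLAN belongs.
GUEST_PATH = {("core", "1"), ("core", "2"), ("access", "1"), ("access", "5")}


def audit(ports, guest_path, guest_vlan):
    """Return sorted (switch, port, finding) tuples for isolation problems."""
    findings = []
    for (sw, port), p in ports.items():
        on_path = (sw, port) in guest_path
        allows_all = p["tagged"] == "all"
        tagged = (not allows_all) and guest_vlan in p["tagged"]
        untagged = p["untagged"] == guest_vlan
        # A catch-all trunk carries guest frames wherever it leads.
        if allows_all:
            findings.append((sw, port, "trunk allows all VLANs"))
        # Option 2 in the thread: every path port tags the guest VLAN.
        if on_path and not allows_all and not tagged:
            findings.append((sw, port, "guest VLAN not tagged on path port"))
        # Guest VLAN broken out anywhere else reaches internal hosts.
        if not on_path and (tagged or untagged):
            findings.append((sw, port, "guest VLAN present off the guest path"))
    return sorted(findings)


if __name__ == "__main__":
    for sw, port, finding in audit(PORTS, GUEST_PATH, GUEST_VLAN):
        print(f"{sw} port {port}: {finding}")
```
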

