
Ruckus Network Design for Guest Network between two Sites

marco_eichstet1
Contributor III
Hi,

I need some help with a Ruckus Network Design, please.

Following Environment:
- 1 Company
- 1 Active Directory Domain
- 2 Company Sites (Munich and Berlin) connected together over a Layer 3 VPN Tunnel.
- Each Site has a separate Internet Router just for the Ruckus Guests/Employees.

Goal:
Employees (no matter if they are working in Munich or Berlin) should be able to get Internet Access for their private Smartphones through the Internet Router. They should be able to log in on both Sites with the same User (one User Database). It should be as easy as possible. Additionally, it should still be possible to connect to the Wireless LAN if the VPN Tunnel goes down.

My main Questions are:
- How can I achieve this goal?
- Is there (in case of an existing AD Domain) a better Solution than creating Guest Tickets for each Employee? Maybe Authentication with an existing Windows User Account?
- Where should I add a ZoneDirector? One on each Site? If yes, can I connect them together for redundancy if one fails or the VPN Tunnel goes down?

Are there other things I should look for?
Many Thanks for any help/idea.

Best Regards
Marco
15 REPLIES

monnat_systems
Valued Contributor II
Hello Marco Eichstetter,

This is doable and very often implemented in a central office and branch office scenario. I am assuming that Berlin is the central office where the ZD and AD will reside. In this deployment, once deployed, the same configuration at the Berlin office will be reflected in the Munich office, and the same AD credentials can be used at the branch office.
Make sure that the latency of the VPN connection is less than 100 ms.

Since both sites are connected via VPN, let the AP(s) join via layer 3 through the VPN. Refer to the following URL on how to do this - https://support.ruckuswireless.com/an...

You can add the 2nd ZD at the Munich office for redundancy; then both ZDs can be configured in such a way that the APs, in case of failure of the ZD or VPN, are forced to contact the alternate ZD, which could be on the same site or the remote site depending on the nature of the fault.

Please remember that during redundancy the APs will work only with one ZD, i.e. the active or primary.

Also make sure that the LWAPP ports are opened on the remote site router & firewall, the latency is less than 100 ms, and keep an eye on the MTU of the VPN link.

Hope this helps.

marco_eichstet1
Contributor III
Hello,

first, thanks for your reply.

Yes, you're right, Berlin is the Central Office. Munich is the branch office.
Latency of VPN is less than 100ms. That's no Problem.

If I understand right, I connect the 2nd ZD in Munich via the Feature "Smart Redundancy" over VPN. Berlin Active. Munich Standby. Each ZD must be the same Model and have the same Number of licensed APs.

One additional Question please:
I plan to create a VLAN for my RUCKUS Hardware (ZD and APs) and a VLAN for my Guest Network, and in the future a separate VLAN for my Production Network. There will be a DHCP Server in each VLAN. I don't want to add my RUCKUS Components to the Production Network. The inter-VLAN Routing will be done by an HP Switch for each VLAN except the Guests. The Routing for my Guests will be done by its own Firewall. Is this planned Configuration Best Practice or recommended/common?

Thanks again!
Best Regards
Marco

monnat_systems
Valued Contributor II
Answers to your questions:

Yes, for Smart Redundancy to work correctly, you shall have the same ZD model, the same firmware version on both and the same AP licences.

Yes, it is common for lots of enterprises to segregate their guest traffic from production and also use separate DHCP servers by using VLANs.

Let us know if you run into trouble and best of luck.

monnat_systems
Valued Contributor II
Yes, Berlin Active. Munich Standby.
I just re-thought and realised that if your Active Directory is ONLY at Berlin, then in the event of the VPN going down there will be an outage for new AD WLAN users.

Back up of secondary AD server would also help in this situation.