I am not too savvy on the actual administration of networking devices, so I'm hoping for some advice on how to configure my network securely.
I have a gateway router which connects to a Ruckus ICX switch, which in turn has two Ruckus Unleashed APs connected to it.
Ideally, I'd like to leverage VLANs to segment the network (applying ACLs). My question is, what kind of configuration do I need to implement so that I can manage the APs from a management VLAN, but have the AP clients restricted from accessing the AP console or web UI?
Initially, I thought I'd just be able to assign the switch port to a tagged VLAN and set the AP to use that same VLAN (AP config calls this Access VLAN), but that didn't work. I tried untagged as well, but then I can't reach the AP from the management VLAN.
Edward Newman, thank you very much for the information. Just making sure I understand...
Does this sound right?
Configure my ICX switch so that both ports that the APs are connected to have dual mode on VLAN 10, and tagged for VLAN 20. Then on the APs, configure the advanced SSID option (Access VLAN) to VLAN 20.
Then any devices in the ICX configured with untagged VLAN 10 will be able to reach the AP UI and SSH services? And the clients connecting to the SSID will have packets tagged for VLAN 20 (and not be able to reach the APs' UI/SSH/etc.)?
Do I need to do anything special to make sure the AP clients can reach the internet?
This is really a question for how you are controlling traffic between VLANs. I do this on my firewall, not the switch, but your mileage may vary. Trunk config sounds right. Whatever is controlling VLAN accessibility should have rules dictating what can be linked from VLAN to VLAN or Internet.
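As an added illustration of the dual-mode port design discussed in the follow-up and the reply above (this is example code, not something any poster provided): a small Python model of 802.1Q ingress classification on the AP's switch port plus a constructed inter-VLAN firewall policy, run against the three port configurations the thread mentions. It assumes the AP sends its own management traffic untagged and tags SSID client traffic with the configured Access VLAN; the VLAN numbers 10 and 20 are the thread's, the policy table is constructed.

```python
from typing import Dict, FrozenSet, Optional, Union
from dataclasses import dataclass

MGMT_VLAN, CLIENT_VLAN = 10, 20          # VLAN numbers from the thread
INTERNET = "internet"                    # pseudo-destination for default-route traffic
Dest = Union[int, str]

@dataclass(frozen=True)
class PortConfig:
    """Switch port facing the AP: one untagged (native) VLAN plus a set of tagged VLANs."""
    untagged_vlan: Optional[int]         # None = untagged frames are dropped
    tagged_vlans: FrozenSet[int]

def classify_ingress(port: PortConfig, vlan_tag: Optional[int]) -> Optional[int]:
    """802.1Q ingress: untagged frames land in the native VLAN; tagged frames are
    accepted only for VLANs the port is a tagged member of. None = frame dropped."""
    if vlan_tag is None:
        return port.untagged_vlan
    return vlan_tag if vlan_tag in port.tagged_vlans else None

# Constructed inter-VLAN rules enforced at the router/firewall (not the switch), in the
# spirit of the reply above: management may manage, clients get only the internet.
ALLOWED_FLOWS = {(MGMT_VLAN, MGMT_VLAN), (MGMT_VLAN, INTERNET), (CLIENT_VLAN, INTERNET)}

def policy_allows(src_vlan: int, dst: Dest) -> bool:
    """Same-VLAN traffic is switched and never hits the firewall; cross-VLAN needs a rule."""
    return src_vlan == dst or (src_vlan, dst) in ALLOWED_FLOWS

def evaluate(port: PortConfig, ap_access_vlan_tag: int = CLIENT_VLAN) -> Dict[str, bool]:
    """Who can reach what, given the port config. Assumption: the AP's own IP talks
    untagged and SSID client frames arrive tagged with the Access VLAN."""
    ap_mgmt_vlan = classify_ingress(port, None)
    client_vlan = classify_ingress(port, ap_access_vlan_tag)
    return {
        "mgmt_host_reaches_ap_ui": ap_mgmt_vlan is not None
            and policy_allows(MGMT_VLAN, ap_mgmt_vlan),
        "client_reaches_ap_ui": client_vlan is not None and ap_mgmt_vlan is not None
            and policy_allows(client_vlan, ap_mgmt_vlan),
        "client_reaches_internet": client_vlan is not None
            and policy_allows(client_vlan, INTERNET),
    }

DUAL_MODE = PortConfig(MGMT_VLAN, frozenset({CLIENT_VLAN}))   # the proposed design
TAGGED_ONLY = PortConfig(None, frozenset({CLIENT_VLAN}))      # first attempt in the question
UNTAGGED_ONLY = PortConfig(CLIENT_VLAN, frozenset())          # second attempt in the question

if __name__ == "__main__":
    for name, cfg in [("dual-mode", DUAL_MODE), ("tagged-only", TAGGED_ONLY),
                      ("untagged-only", UNTAGGED_ONLY)]:
        print(name, evaluate(cfg))
```

Only the dual-mode port gives all three desired outcomes; the tagged-only port drops the AP's untagged management frames, and the untagged-only port puts the AP's management interface in the client VLAN where the management VLAN has no rule to reach it.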