Aruba Instant & Cloud Wi-Fi

Occasional Contributor I
Posts: 7
Registered: ‎11-10-2012

Need help securing and separating corporate and guest networks


First, I just do tech support for client machines, but I have been tasked with setting up a few IAP-105s for our new WLAN. I am having issues keeping the guests off of the corporate network. My network is set up as follows.

Corporate:
networks: 192.168.x.x and 10.x.x.x (no WLAN on 10.x.x.x network.)
Vlan: 1

Guest:
network: 172.16.20.x
gateway: 192.168.20.1
Vlan: 2000

With the way I have things set up, the 172.16.20.0 can ping the 192.168.x.x network, but the 192.168.x.x cannot ping the 172.16.20.0 network. I don't want them to be able to send any traffic to each other. Is the virtual controller somehow bridging/routing the traffic, or do I have to set up ACLs? The below is the current configuration. Any other suggestions for tweaking the config would be helpful as I am new to all this.

Thanks.

version 6.1.3.0-3.1.0
virtual-controller-country US
virtual-controller-key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
name IAP_1
virtual-controller-ip 192.168.x.x
terminal-access
clock timezone none 00 00
rf-band all

allow-new-aps
allowed-ap xx:xx:xx:xx:xx

arm
 wide-bands 5ghz
 min-tx-power 18
 max-tx-power 127
 band-steering-mode prefer-5ghz
 air-time-fairness-mode fair-access
 client-aware
 scanning

syslog-level warn ap-debug
syslog-level warn network
syslog-level warn security
syslog-level warn system
syslog-level warn user
syslog-level warn user-debug
syslog-level warn wireless

mgmt-user xxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

wlan access-rule default_wired_port_profile
 rule any any match any any any permit

wlan access-rule Guest
 rule any any match any any any permit

wlan access-rule Corporate
 rule any any match any any any permit

wlan ssid-profile Guest
 index 0
 type guest
 essid Guest
 wpa-passphrase xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 opmode wpa2-psk-aes
 max-authentication-failures 3
 vlan 2000
 set-role-pre-auth Guest
 rf-band all
 captive-portal disable
 dtim-period 1
 inactivity-timeout 1000
 broadcast-filter none
 air-time-limit 20
 blacklist
 dmo-channel-utilization-threshold 90

wlan ssid-profile Corporate
 index 1
 type employee
 essid Corporate
 wpa-passphrase xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 opmode wpa2-psk-aes
 max-authentication-failures 0
 vlan 1
 rf-band all
 captive-portal disable
 dtim-period 1
 inactivity-timeout 1000
 broadcast-filter none
 blacklist
 dmo-channel-utilization-threshold 90

enet-vlan guest

wlan external-captive-portal
 server localhost
 port 80
 url "/"
 auth-text "Authenticated"

blacklist-time 3600
auth-failure-blacklist-time 3600

ids classification

ids
 wireless-containment none

ip dhcp Guest
 server-type local
 server-vlan 2000
 subnet 172.16.20.0
 subnet-mask 255.255.255.0
 lease-time 14400
 dns-server 8.8.8.8,8.8.4.4

wired-port-profile default_wired_port_profile
 switchport-mode trunk
 allowed-vlan 1
 native-vlan 1
 no shutdown
 access-rule-name default_wired_port_profile
 speed auto
 duplex auto
 poe
 type employee
 captive-portal disable

wired-port-profile Guest
 switchport-mode trunk
 allowed-vlan 2000
 native-vlan 2000
 no shutdown
 access-rule-name Guest
 speed auto
 duplex auto
 poe
 type guest
 captive-portal disable

enet0-port-profile default_wired_port_profile
enet1-port-profile default_wired_port_profile
enet2-port-profile default_wired_port_profile

uplink
 preemption
 enforce none

l3-mobility

Guru Elite
Posts: 19,997
Registered: ‎03-29-2007

Re: Need help securing and separating corporate and guest networks

In the guest role you would simply block any traffic to the networks that you don't want users to get to.  The only exception would be for DNS if you are giving users an internal DNS server address.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Occasional Contributor I
Posts: 7
Registered: ‎11-10-2012

Re: Need help securing and separating corporate and guest networks

I added a new guest ACL and it does block the traffic. I was not sure if it was not supposed to bridge the traffic over different subnets automatically or if I had something not set up in my config correctly.

wlan access-rule Guest
 rule 192.168.0.0 255.255.0.0 match any any any deny
 rule 10.0.0.0 255.0.0.0 match any any any deny
 rule any any match any any any permit

Are there any other tweaks that I should make regarding security?
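The advice above and the rule set just posted both rely on how Instant evaluates a `wlan access-rule`: rules are checked top to bottom and the first match decides, so a permit for an internal DNS server has to sit above the deny for the corporate range or it never fires. The Python script below is an added example for this thread, not code from the poster or from Aruba. It parses the posted guest rules, extended with a permit for a hypothetical internal DNS server at 192.168.1.10 (an assumption; the original config hands out 8.8.8.8), and evaluates constructed sample flows against them so the ACL can be checked off-line before it is pushed to the IAPs. It models only the `rule <dest> <mask> match <proto> <start-port> <end-port> <action>` form used here, and assumes an implicit deny when no rule matches.

```python
"""Off-line first-match evaluation of Aruba Instant 'wlan access-rule' entries.

Added example for this thread; not Aruba code. Models only the
'rule <dest> <mask> match <proto> <start-port> <end-port> <action>' form.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed rule set: the guest ACL posted in the thread, plus a permit for a
# hypothetical internal DNS server (192.168.1.10 is an assumption, not from the
# original config) placed ABOVE the corporate deny so it matches first.
GUEST_RULES = """\
wlan access-rule Guest
 rule 192.168.1.10 255.255.255.255 match udp 53 53 permit
 rule 192.168.0.0 255.255.0.0 match any any any deny
 rule 10.0.0.0 255.0.0.0 match any any any deny
 rule any any match any any any permit
"""

# Same rules with the DNS permit below the deny: the common ordering mistake.
MISORDERED_RULES = """\
wlan access-rule Guest
 rule 192.168.0.0 255.255.0.0 match any any any deny
 rule 192.168.1.10 255.255.255.255 match udp 53 53 permit
 rule 10.0.0.0 255.0.0.0 match any any any deny
 rule any any match any any any permit
"""

# Corporate prefixes from the original post that guests must never reach.
CORPORATE_NETS = [ipaddress.IPv4Network("192.168.0.0/16"),
                  ipaddress.IPv4Network("10.0.0.0/8")]


@dataclass
class Rule:
    dest: Optional[ipaddress.IPv4Network]  # None means 'any'
    proto: str                             # 'any', 'tcp', 'udp' or a protocol number
    ports: Optional[tuple[int, int]]       # None means 'any any'
    action: str                            # 'permit' or 'deny'


def parse_rules(text: str) -> list[Rule]:
    """Parse the 'rule ...' lines of one access-rule block, preserving order."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "rule":
            continue
        if len(tok) != 8 or tok[3] != "match":
            raise ValueError(f"unsupported rule syntax: {line.strip()}")
        _, dest, mask, _, proto, start, end, action = tok
        net = None if dest == "any" else ipaddress.IPv4Network((dest, mask), strict=False)
        ports = None if start == "any" else (int(start), int(end))
        rules.append(Rule(net, proto.lower(), ports, action.lower()))
    return rules


def evaluate(rules: list[Rule], dst_ip: str, proto: str = "any",
             port: Optional[int] = None) -> str:
    """Return the action of the first rule matching the flow (top-down, first match wins)."""
    ip = ipaddress.IPv4Address(dst_ip)
    for r in rules:
        if r.dest is not None and ip not in r.dest:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.ports is not None and (port is None or not r.ports[0] <= port <= r.ports[1]):
            continue
        return r.action
    return "deny"  # assumed implicit deny when nothing matches


def leaks(rules, corporate_nets, probes, allowed=()):
    """Return the probes into a corporate prefix that are permitted but not on the allow list."""
    return [p for p in probes
            if p not in allowed
            and any(ipaddress.IPv4Address(p[0]) in n for n in corporate_nets)
            and evaluate(rules, *p) == "permit"]


def dns_reachable(text: str) -> bool:
    """True if a guest can reach the (assumed) internal DNS server over UDP/53."""
    return evaluate(parse_rules(text), "192.168.1.10", "udp", 53) == "permit"


# Constructed probes: (destination, protocol, port) a guest client might attempt.
PROBES = [
    ("192.168.1.10", "udp", 53),    # internal DNS: the one allowed exception
    ("192.168.1.10", "tcp", 445),   # SMB on the DNS host: must still be blocked
    ("192.168.20.1", "any", None),  # the gateway quoted in the post
    ("10.20.30.40", "tcp", 80),     # a host on the 10.x.x.x network
    ("8.8.8.8", "udp", 53),         # the public DNS actually handed out to guests
    ("172.16.20.7", "any", None),   # another guest client (this ACL does not isolate guests)
]
ALLOWED = {("192.168.1.10", "udp", 53)}


def audit(text: str = GUEST_RULES):
    """Evaluate all probes; returns (verdict per probe, unexpected permitted corporate flows)."""
    rules = parse_rules(text)
    verdicts = {p: evaluate(rules, *p) for p in PROBES}
    return verdicts, leaks(rules, CORPORATE_NETS, PROBES, ALLOWED)


if __name__ == "__main__":
    verdicts, bad = audit()
    for (dst, proto, port), action in verdicts.items():
        print(f"{dst:>14} {proto:>4} {str(port):>5} -> {action}")
    print("unexpected corporate flows permitted:", bad)
    print("DNS reachable with misordered rules:", dns_reachable(MISORDERED_RULES))
```

Running it prints a verdict per probe and an empty list of unexpected corporate flows for the posted ordering, and shows that the misordered variant silently breaks the DNS exception; re-run `audit()` whenever a rule is added or reordered. Note what the ACL does not cover: guest-to-guest traffic inside 172.16.20.0/24 is still permitted, and a 172.16.x.x range elsewhere in the corporate network would need its own deny.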

Guru Elite
Posts: 19,997
Registered: ‎03-29-2007

Re: Need help securing and separating corporate and guest networks

That looks correct based on the information you provided.

Colin Joseph
Aruba Customer Engineering
Occasional Contributor I
Posts: 7
Registered: ‎11-10-2012

Re: Need help securing and separating corporate and guest networks

Would it be advisable to set up a GRE tunnel to a Cisco router for the guest network? Would this further help keep the guests from accessing the corporate network?

Guru Elite
Posts: 19,997
Registered: ‎03-29-2007

Re: Need help securing and separating corporate and guest networks

It will not provide more protection.  Every packet goes through the access points' firewall and anything that needs to be dropped as per your rule, will be dropped at the access point promptly.  That is the advantage of an integrated firewall.

Colin Joseph
Aruba Customer Engineering
Occasional Contributor I
Posts: 7
Registered: ‎11-10-2012

Re: Need help securing and separating corporate and guest networks

Thanks. Is there anything else that I should do to secure the AP?

Guru Elite
Posts: 19,997
Registered: ‎03-29-2007

Re: Need help securing and separating corporate and guest networks

Strong admin password ;)

Colin Joseph
Aruba Customer Engineering