Controllerless Networks

Reply
Occasional Contributor II

Setting up Guest wifi in Enterprise

Hello all,

 

I am looking for suggestion on how to properly setup Guest wifi in enterprise environment. We use IAP & Airwave to manage Access points. From what I read I have 2 choices

 

1. Configure IAP to act as DHCP server & setup ACL to block access to internal Networks. "Magic Vlans". 

2. Create a new Vlan for Guest wifi in each switches in all locations and assign desired scope. 

 

Which of these 2 methods are preferable considering from security perspective aswell? Our daily guest users are around 300-400 users. 

 

 

Aruba Employee

Re: Setting up Guest wifi in Enterprise

Both options are viable, and depend on your security requirements and design. Will guest users have their own Internet connection, or will they be sharing the same Internet connection as your corporate users?


Charlie Clemmer
Aruba Customer Engineering
Occasional Contributor II

Re: Setting up Guest wifi in Enterprise

Same internet connection as Corp. Is there any security concern on this setup? 

Does most enterprise tunnels guest traffic to Controllers when they share same internet connection?

Occasional Contributor II

Re: Setting up Guest wifi in Enterprise

Another question i have is how can I change DNS IPs when setup as VC assigned IPs? It's handing me same DNS as when I am on Corp Network. 

Aruba Employee

Re: Setting up Guest wifi in Enterprise


@Toolbox015wrote:

Same internet connection as Corp. Is there any security concern on this setup? 

Does most enterprise tunnels guest traffic to Controllers when they share same internet connection?


Not so much a concern, as different requirements. Some enterprises want more airgap between network segments, to include dedicated Internet connections for cost/performance/reliability requirements. I wouldn't say there's a standard that's used consistently across most enterprises.

 

If you have specific requirements, we can advise on options/considerations.

 


Charlie Clemmer
Aruba Customer Engineering
Occasional Contributor II

Re: Setting up Guest wifi in Enterprise

Thanks. My Main requirement is to segment corp & guest wifi effectively so there won't be any concern of hacking etc. 

 

Also I noticed IAP handouts same DNS IP for guest & Corp. How can I change DNS just for Guest SSID when setup as VC assigned IP addresses with default vlan (Vlan ID 3333)? 

 

 

Aruba Employee

Re: Setting up Guest wifi in Enterprise

Is the IAP doing NAT for both corporate and guest user VLANs?

 

Normally, I would have the corporate users connected to wired VLANs that have DHCP provided by the same enterprise infrastructure that is providing wired DHCP.

 

Guests then would be handled with either an internal VLAN and the Instant cluster providing DHCP, or a separate wired VLAN.


Charlie Clemmer
Aruba Customer Engineering
Occasional Contributor II

Re: Setting up Guest wifi in Enterprise

our security team is ok except they are concerned about Command in Control attack. We have several remote locations so they are concerned how we will track down the user & AP if this is the case. 

 

From their end they will provide user IP address & we will have to hunt it down which makes it difficult since it's will be hard to tell where this user is connected to. 

 

Any solution to this? 

Aruba Employee

Re: Setting up Guest wifi in Enterprise

Which configuration scenario are you considering?


Charlie Clemmer
Aruba Customer Engineering
Occasional Contributor II

Re: Setting up Guest wifi in Enterprise

Using Magic Vlan for Guest Network where AP will handle IP address and NAT. Since we have multiple remote locations concern is it will be difficult to trace a user if needed. 

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: