Security

Hi

Could anyone advise on what is best practice for Guest DHCP scopes?

Our current scopes are getting used up really quickly so we'd like to redesign our scopes.

Any ideas or suggestions would be really appreciated.

Thanks!

Approximately how many users are you expecting to have on your guest network ?

At the moment we have /23 scopes per site and these are being used up very quickly. The lease is also set to around an hour. 

At an estimate anything around 1000 guest per site.

Im not a fan of open guest networks, as I find about 80% of leases are used by devices quto connecting and not even being used on the network.  We were having to purge the lease pool on a very regular basis, which got a bit tedious...

Sort of defeats the point I know, but we secured it making the password easily accessible, so only those that actually want to use the netwrok will join it, and its worked very well...  and cut down dramatically on address waste. 

As cjoseph pointed out you should lower the lease time and I suggest that you create /21 or maybe lower and enabled drop multicast/broadcast on the VAP and enable bcmc-optimization under the SVI

In our experience, shortening the expiration time just meant they filled up quicker... given that the majority of devices werent even being used on the guest network, to us, it just didnt make sense the increase the size of the network.  We have thousands of people passing through the site each day oblivious to the guest network, so why should their devices be consuming resources?

If people want to use the guest network, they can join the ssid, they only have to do this once, and it cut down lease wastage by about 80%.  It would make more sense, well to me anyway, to have  a relatively small network for captive portal, which had a very short lease expiration time, then authenticated users could be moved onto the guest network. 

$k3l3t0r,

Question:  How did it fill up quicker if you shorten the DHCP scope time?  Mathematically the ip addresses would be released sooner.  Did you get the opposite experience?  Please let us know so that we can alter or reconsider our recommendation.

Yes, it would be released sooner, but then snapped up by another device that probably doesn't want to use the CP!

I think as we have so much foot traffic through site, and probably thousands of devices trying to connect (although not actually use CP), the supporting network was never big enough to accommodate them...  So its probably down to poor design that resulted in the scopes being exhausted fairly quickly. 

My personal feeling is why have lots of /24 networks available just so devices can connect, but never actually use the network?  I had thought of having a larger subnet, but am sure I have read, and been advised that you don't really want more than say 200 clients per vlan.  I was even told this at the bootcamp, although was actually told that you wont see this written anywhere! 

Also, surely all of these devices that are connected to the open wifi, although not authenticated, are all trying to update and download apps etc, all of which is consuming resources unnecessarily. 

This of course is just my way of thinking about it!

$k3l3t0r,

All valid points.

There are a few ways to deal with this:

- You can make your SSID a WPA2-PSK network and name it "the guest key is ---<whatever your key is>".  That would make it so that a user would have to key in the physical key just to join, but know what the key is.

- You can use the local-probe request threshold parameter  in the SSID profile so that only users close by will be able to easily join to eliminate "drive by-s"

- If this is an open network, you can use DHCP fingerprinting and a user derivation rule to move mobile devices (i-devices, androids) into their own VLAN so that they do not consume ip address space reserved for typical clients

---

@dnulty76 wrote:

Hi

 

Could anyone advise on what is best practice for Guest DHCP scopes?

 

Our current scopes are getting used up really quickly so we'd like to redesign our scopes.

 

Any ideas or suggestions would be really appreciated.

 

Thanks!

 

---

Lower the lease times on your scopes to 15 minutes.

We had the same issue at our end.  Our Guest wlan is open initially for captive portal.    Being a school district, our Guest scopes were full by 8:30am from auto-connecting devices.  We ended up growing the networks.  We used a /14 for the big secondary schools and /22 for the elementary.