Occasional Contributor I
ismail
Posts: 9
Registered: ‎01-08-2012
Accepted Solution

RAP 5WN

Dears,

Here is my situation:

1- I have multiple brand new RAP 5WN in a branch office

2- This branch office is connected to our main site through a WAN connection (MPLS)

3- Guest users in this branch office use a separate DSL line to surf the Internet. This DSL line is physically separated from the branch's local LAN

What I want to accomplish is to create two SSIDs: one used to reach corporate resources in our main office through the MPLS cloud, and the other for guest Internet access through the separate DSL line.

The problem I am facing now is that the RAP 5WN has only one routed port (port 0) and the other 4 ports are switched ports. So I could only connect port 0 to our MPLS router and get the corporate SSID working fine. But I can't connect the ADSL router to one of the other 4 ports as they are layer 2 ports.

Any ideas to get this to work and maintain the separation between the DSL and corporate network?

Super Contributor II
mike.j.gallagher
Posts: 508
Registered: ‎07-03-2008

Re: RAP 5WN


You can try this if you like.

 

1.  Create an L2 VLAN on your controller, say vlan 888.  No VLAN interface needed

2.  Create a wired AP profile and assign it to vlan 888, bridge mode, access

3.  Create a AAA profile and make the initial role to be "authenticated"

4.  Create a wired port profile and assign your new wired AP profile and AAA profile to it

5.  Assign one of the ports in the RAP-5's AP group to your new wired port profile, connect the LAN port of your DSL modem to that port

6.  Create a guest SSID and a AAA profile with initial role "authenticated" (this assumes a PSK SSID)

7.  Create a VAP, bridge mode, VLAN 888, assign your new guest SSID and wireless AAA profile

8.  Assign the VAP to your RAP's AP group

9.  Make sure your DSL modem is acting as a DHCP server

 

Save the config, give it a whirl.  You can try to tweak the initial role if you like to lock things down a bit, but I just used "authenticated" in my lab for test purposes.

MVP
The.racking.monkey
Posts: 519
Registered: ‎11-28-2011

Re: RAP 5WN


You're asking quite a bit of a RAP. Really, this needs a small controller in those offices.

 

You can do some of what you want I suspect, but not all.

 

A RAP can't route (although it can src-nat/route which is different).

 

With that in mind, you could define the VAPs as bridged, and connect the RAP to your branch switch on an 802.1q trunk/tagged port (or set up another port on the RAP for the different VLAN access mode). Then set up a VLAN for guest ingress (and put the DSL router in that VLAN via the access port you picked or off the network on that VLAN). Create another for trusted or just make it "native"/untagged. Then set up the bridged VAPs to ingress the appropriate VLANs. This should work, but...

 

Captive portal for guests for instance is most likely out of the question as you'd have to be tunnelling, or split-tunneling (which would mean the RAP would src-nat-route out of the primary IP network it was attached to).

 

 

Kudos appreciated, but I'm not hunting! (ACMX 104)
Occasional Contributor I
ismail
Posts: 9
Registered: ‎01-08-2012

Re: RAP 5WN

But will this guarantee that the guest users' traffic will be routed directly to the DSL router, not to the main office controller and then to the DSL router?

MVP
The.racking.monkey
Posts: 519
Registered: ‎11-28-2011

Re: RAP 5WN

As long as the DSL router is the only layer 3 device in the VLAN you define for guests, yes.

Kudos appreciated, but I'm not hunting! (ACMX 104)
Super Contributor II
mike.j.gallagher
Posts: 508
Registered: ‎07-03-2008

Re: RAP 5WN

Yes, using the steps I outlined, anyone connected to VLAN 888 will have the default gateway of the DSL modem and will use it for all Internet access.

Occasional Contributor I
ismail
Posts: 9
Registered: ‎01-08-2012

Re: RAP 5WN

Thanks all, I did exactly what Mike said and it worked just fine, but I have one more question regarding the wireless operational mode. I want my guest SSID to be functional even if the RAP loses communication with the main office controller. I tried to change the wireless operational mode of my AP to always or persistent with no success. I also tried to configure the guest SSID with a PSK and as an open system, but also without any success. Any help?

 

Also I want to ask about one thing for my info, is it possible to use a captive portal for guest SSID in my situation or not?

Super Contributor II
mike.j.gallagher
Posts: 508
Registered: ‎07-03-2008

Re: RAP 5WN

Ismail - When you say you had no luck when you changed the VAP operational mode to persistent or always, do you mean AOS wouldn't let you change it to that or it just didn't function as you expected?

 

Captive portal in this kind of setup would be very complex if even possible.

Occasional Contributor I
ismail
Posts: 9
Registered: ‎01-08-2012

Re: RAP 5WN

What I mean is that when I change the VAP operational mode to always or persistent and my RAP loses communication with the mobility controller in the main office, I am not even able to ping my DSL router, although I am already connected to the guest SSID. However, the persistent mode works just fine for my corporate SSID.

Super Contributor II
mike.j.gallagher
Posts: 508
Registered: ‎07-03-2008

Re: RAP 5WN

That doesn't sound right.  What version of code are you on?
