Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

8.3 Setup help for vlans and dhcp pools

  • 1.  8.3 Setup help for vlans and dhcp pools

    Posted Jun 12, 2018 10:23 AM

    Many thanks in advance for your advice!
    I am replacing a 7-year-old Ruckus Wireless system with an Aruba system at my small family-owned business and would like to separate tenant traffic from Employee traffic.
    Planning on using WPA-2 Personal authentication with 2 MAC whitelists (employee and tenant). I can use these lists to direct to VLANs or set up 2 SSIDs to direct to different VLANs.
    I do not have any servers in my environment; any DHCP or firewall roles are filled by a SonicWall appliance.

     

    1. Is the 7010 controller capable of serving as the DHCP server and firewall for the entire network? Should I remove the SonicWall?
    2. When setting up the vlans, the controller asks for the gateway, is this 192.168.149.1 for all vlans?
    3. When setting up DHCP pools, the controller has a mandatory field for "hosts:", Is this just the number of client devices allowed?
    4. I do not anticipate ever adding a 2nd controller. Should the configurations be made at the Master "Mobility Controller" level or the Aruba 7010 child device?
    5. I can plug in the office computers and printer to the switch and assign the ports to the vlan100 if not on wi-fi, correct?

     

    Again, thank you for your help!
    Jeremy

     

    Diagram.PNG



  • 2.  RE: 8.3 Setup help for vlans and dhcp pools
    Best Answer

    EMPLOYEE
    Posted Jun 12, 2018 10:51 AM

    1) The 7010 could replace your SonicWall. How many client devices do you expect to have at peak? The 7010 should be fine, with the two subnets you've listed.

    2) The gateway should be configured for VLAN 149, as 192.168.149.1. Gateway entries should not be required for VLANs 100/200.

    3) Yes

    4) As a standalone controller, the root Mobility Controller is probably fine. If you were to add controllers later, you might want to consider adding a Mobility Master, in which case you'll migrate the configuration anyway.

    5) Yes



  • 3.  RE: 8.3 Setup help for vlans and dhcp pools

    Posted Jun 12, 2018 11:04 AM

    Thanks Charlie!

    Peak number of client devices may reach 100 but not likely.

    I would like to maintain control of wireless access by registering MAC addresses in a whitelist as I have with the Ruckus System. Any advice on the preferred method to segregate traffic in regards to one SSID vs. 2 SSIDs?

    Can I just have 1 SSID and direct traffic to different vlans based on MAC?



  • 4.  RE: 8.3 Setup help for vlans and dhcp pools

    EMPLOYEE
    Posted Jun 12, 2018 11:12 AM

    Is the encryption the same for both SSIDs, aka WPA2-Personal on both? If one is PSK and the other is open, or if they need to use two different passphrases, then you'll need two SSIDs.

     

    I'm not a fan of using MAC whitelists for authentication, since they can be easily spoofed and require administrative effort to keep them updated. There's the use-case of a new device / unknown MAC. Which VLAN should they end up on?



  • 5.  RE: 8.3 Setup help for vlans and dhcp pools
    Best Answer

    Posted Jun 12, 2018 11:38 AM

    Encryption would be the same.

    That makes a lot of sense. Mostly, I am worried about knowing who a device belongs to for bandwidth hogging. Unknown devices should end up on 200.

    Perfectly OK with giving it a shot on the 200 VLAN and registering employee MACs for the 100 VLAN in case the password were to be shared with a tenant.

     

    Think I am leaning towards two SSIDs and only requiring MAC registration for company-owned equipment. If that's the case, these could just share the 149 VLAN and do away with the 100 altogether.
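
Added example, not part of any post in this thread and not ArubaOS configuration: a Python model of the policy discussed above (registered MAC gets VLAN 100, anything unknown gets VLAN 200). It shows that the decision rests only on the address a client claims, and audits a whitelist for the upkeep problems raised in post 4. All function names and MAC addresses are constructed for illustration; the check for locally administered (OS-randomized) addresses is an addition based on the standard U/L bit.

```python
import re

EMPLOYEE_VLAN = 100  # thread: registered company devices
TENANT_VLAN = 200    # thread: unknown devices end up here

# Constructed whitelist (made-up addresses) in three common notations.
WHITELIST = ["00:1A:2B:3C:4D:5E", "001a.2b3c.4d5e", "DA-A1-19-00-00-01"]


def normalize_mac(mac):
    """Reduce colon, dash or dot notation to 12 lowercase hex digits."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def is_locally_administered(mac):
    """True when the U/L bit of the first octet is set (randomized MACs)."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def assign_vlan(claimed_mac, whitelist=WHITELIST):
    """The only input is the address the client claims; nothing verifies it."""
    allowed = {normalize_mac(entry) for entry in whitelist}
    return EMPLOYEE_VLAN if normalize_mac(claimed_mac) in allowed else TENANT_VLAN


def audit_whitelist(whitelist=WHITELIST):
    """Flag entries that add upkeep: duplicates and randomized addresses."""
    seen, duplicates, randomized = set(), [], []
    for entry in whitelist:
        mac = normalize_mac(entry)
        if mac in seen:
            duplicates.append(entry)  # same device listed in another notation
        seen.add(mac)
        if is_locally_administered(mac):
            randomized.append(entry)  # may change when the device rotates it
    return {"duplicates": duplicates, "randomized": randomized}


if __name__ == "__main__":
    print(assign_vlan("00-1a-2b-3c-4d-5e"))  # registered address
    print(assign_vlan("3C:22:FB:00:00:09"))  # unknown address
    print(audit_whitelist())
```

Because `assign_vlan` sees nothing but the claimed address, the whitelist works as an inventory and placement aid rather than as authentication; the separation between employee and tenant traffic still depends on the passphrase and SSID design.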