Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Guest and Authenticated sharing the same VLAN

  • 1.  Guest and Authenticated sharing the same VLAN

    Posted Nov 27, 2013 08:13 AM

    Dear all:

    We installed a 3200 controller where we defined several SSIDs.

    One of them is for employees and another for Guest. We were asked to share the same VLAN for all of them. The matter is that the only defined VLAN blocks port 80, and we need Guest to pass through, and that's enabled just for a range.

    Is there any way to assign a fixed IP to each guest, or define a DHCP pool not "heard" by the rest of the network but just for those reaching the captive portal?

    And about security: is there any way for any guest to analyze the traffic using Wireshark or anything like that?

    We also have port 0 connected to an S3500, and port 1 as uplink to the core router (we don't have access to it). Can we hardwire port 2 to the core router using another VLAN, avoiding loops? I guess RTP should be enabled on that router too.

    Thanks for any clue

    Regards,

    Nelson


    #3200


  • 2.  RE: Guest and Authenticated sharing the same VLAN

    Posted Nov 27, 2013 08:25 AM
    Would splitting the segment be an option ?


  • 3.  RE: Guest and Authenticated sharing the same VLAN

    Posted Nov 27, 2013 09:47 AM

    Sure, in fact we could use another /24 that shares the same physical media and the same VLAN, so it would be possible to assign it just to guests. The matter is whether there's any way to assign a fixed pool just to Guest, especially considering there's already a DHCP server on the same network assigning to another subnet?

    192.168.1.x -> goes through proxy, some addresses assigned by DHCP

    192.168.2.x -> same VLAN as previous, all addresses manually assigned

    Thanks

     



  • 4.  RE: Guest and Authenticated sharing the same VLAN

    EMPLOYEE
    Posted Nov 27, 2013 09:54 AM

    No...that isn't possible. I would create another VLAN on the 3200 and assign it to the Guest VAP. Enable source NAT on the IP interface for that VLAN. That way...ALL traffic is NOT seen on the LAN as that source subnet. All guest traffic is NAT'ed.



  • 5.  RE: Guest and Authenticated sharing the same VLAN

    EMPLOYEE
    Posted Nov 27, 2013 09:59 AM

    So long as that VPN port is permitted (udp 4500 or 443) then I see no issue.



  • 6.  RE: Guest and Authenticated sharing the same VLAN

    Posted Nov 28, 2013 10:05 AM

    Seth:

    We are going to try that way then and let you know.

    Thanks!



  • 7.  RE: Guest and Authenticated sharing the same VLAN

    EMPLOYEE
    Posted Nov 27, 2013 09:21 AM

    Why not NAT the guest traffic and have the guests get a DHCP address from the controller? All guest port 80 traffic will appear as the controller's IP address, and you can use the firewall to restrict anything in the guest role.



  • 8.  RE: Guest and Authenticated sharing the same VLAN

    Posted Nov 27, 2013 09:53 AM

    Thanks Seth:

    The matter is that the Guest SSID is also used by auditors and so on, and some features may not work, like VPN traffic. Or do you think there will be no issue with VPN passthrough?

    Thanks