Occasional Contributor II
Posts: 22
Registered: ‎05-27-2012

Guest and Authenticated sharing the same VLAN

Dear all:

 

We installed a 3200 controller where we defined several SSIDs.

One of them is for employees and another for Guest. We were asked to share the same vlan for all of them. The matter is that the only defined vlan blocks port 80, and we need Guest to pass through, and that's enabled just for a range.

 

Is there any way to assign a fixed IP to each guest, or define a DHCP pool not "heard" by the rest of the network but just for those reaching the captive portal ?

 

And about security: is there any way for any guest to analyze the traffic using wireshark or anything like that?

 

We also have port 0 connected to a S3500, port 1 as uplink to the core router (we don't have access to it). Can we hardwire port 2 to the core router using another vlan avoiding loops ? I guess RTP should be enabled on that router too.

Thanks for any clue

Regards,

Nelson

Nelson La Rocca
B4B Corp.
MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: Guest and Authenticated sharing the same VLAN

Would splitting the segment be an option ?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Guest and Authenticated sharing the same VLAN

Why not NAT the guest traffic and have the guests get a DHCP address from the controller? All guest 80 traffic will appear as the controller's IP address and you can use the firewall to restrict anything in the guest role.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor II
Posts: 22
Registered: ‎05-27-2012

Re: Guest and Authenticated sharing the same VLAN

Sure, in fact we could use another /24 that shares the same physical media and the same vlan, so it would be possible to assign just to guest. The matter is if there's any way to assign a fixed pool then just to Guest, especially considering there's already a dhcp server on the same network assigning to another subnet?

 

192.168.1.x -> goes thru proxy, some addresses assigned by dhcp

192.168.2.x -> same vlan as previous, all addresses manually assigned

 

thanks 

 

Nelson La Rocca
B4B Corp.
Occasional Contributor II
Posts: 22
Registered: ‎05-27-2012

Re: Guest and Authenticated sharing the same VLAN

Thanks Seth:

 

The matter is that the Guest SSID is also used by auditors and so on, and some features, like VPN traffic, may not work. Or do you think there will be no issue with VPN passthrough?

 

Thanks

Nelson La Rocca
B4B Corp.
Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Guest and Authenticated sharing the same VLAN

No...that isn't possible. I would create another VLAN on the 3200 and assign it to the Guest VAP. Enable source NAT on the IP interface for that VLAN. That way...ALL traffic is NOT seen on the LAN as that source subnet. All guest traffic is NAT'ed.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
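
The approach described in the reply above (dedicated guest VLAN on the controller, source NAT on its IP interface, a controller-served DHCP pool, and firewall rules in the guest role), sketched as an added example that is not from any participant in this thread. VLAN 200, the 10.200.0.0/24 subnet, the DNS address, and the names `guest-pool`, `guest-restrict` and `guest-vap` are assumptions; the two 192.168.x.0 subnets are the ones mentioned earlier in the thread, and denying guests access to them is also an assumption. Syntax follows the ArubaOS 6.x CLI and should be checked against the running release.

```text
! Guest-only VLAN that exists on the controller, not on the shared LAN
vlan 200
!
interface vlan 200
   ip address 10.200.0.1 255.255.255.0
   ! Source NAT: guest traffic leaves with the controller's address
   ip nat inside
!
! DHCP pool served by the controller itself; because VLAN 200 is not
! trunked upstream, the existing LAN DHCP server never sees these clients
ip dhcp pool guest-pool
   default-router 10.200.0.1
   ! Placeholder resolver address (assumption), replace with a real one
   dns-server 192.0.2.53
   network 10.200.0.0 255.255.255.0
!
service dhcp
!
! Session ACL: block guests from the internal subnets, then allow
! web traffic and the VPN ports mentioned in the thread
ip access-list session guest-restrict
   user any svc-dhcp permit
   user any svc-dns permit
   user network 192.168.1.0 255.255.255.0 any deny
   user network 192.168.2.0 255.255.255.0 any deny
   user any svc-http permit
   user any svc-https permit
   user any udp 4500 permit
!
user-role guest
   access-list session guest-restrict
!
! Place the Guest virtual AP in the new VLAN
wlan virtual-ap guest-vap
   vlan 200
```

Rules in a session ACL are evaluated top down, so the two deny lines must stay above the HTTP/HTTPS permits; traffic not matched by any rule is dropped by the implicit deny at the end.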
Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Guest and Authenticated sharing the same VLAN

So long as that VPN port is permitted (udp 4500 or 443) then I see no issue.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Occasional Contributor II
Posts: 22
Registered: ‎05-27-2012

Re: Guest and Authenticated sharing the same VLAN

Seth:

 

We are going to try that way then and let you know.

Thanks !

Nelson La Rocca
B4B Corp.