Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Setting up Guest wifi in Enterprise

  • 1.  Setting up Guest wifi in Enterprise

    Posted Apr 09, 2018 09:40 PM

    Hello all,

     

    I am looking for suggestions on how to properly set up Guest wifi in an enterprise environment. We use IAP & Airwave to manage access points. From what I read, I have 2 choices:

     

    1. Configure IAP to act as DHCP server & set up an ACL to block access to internal networks. "Magic VLANs".

    2. Create a new VLAN for Guest wifi on each switch in all locations and assign the desired scope.

     

    Which of these 2 methods is preferable, considering the security perspective as well? Our daily guest users are around 300-400 users.

     

     



  • 2.  RE: Setting up Guest wifi in Enterprise

    EMPLOYEE
    Posted Apr 10, 2018 12:19 AM

    Both options are viable, and depend on your security requirements and design. Will guest users have their own Internet connection, or will they be sharing the same Internet connection as your corporate users?



  • 3.  RE: Setting up Guest wifi in Enterprise

    Posted Apr 10, 2018 10:56 AM

    Same internet connection as Corp. Is there any security concern on this setup? 

    Do most enterprises tunnel guest traffic to controllers when they share the same internet connection?



  • 4.  RE: Setting up Guest wifi in Enterprise

    Posted Apr 10, 2018 12:03 PM

    Another question I have is how can I change DNS IPs when set up as VC-assigned IPs? It's handing me the same DNS as when I am on the Corp network.



  • 5.  RE: Setting up Guest wifi in Enterprise

    EMPLOYEE
    Posted Apr 10, 2018 06:29 PM

    @Toolbox015 wrote:

    Same internet connection as Corp. Is there any security concern on this setup? 

    Do most enterprises tunnel guest traffic to controllers when they share the same internet connection?


    Not so much a concern, as different requirements. Some enterprises want more airgap between network segments, to include dedicated Internet connections for cost/performance/reliability requirements. I wouldn't say there's a standard that's used consistently across most enterprises.

     

    If you have specific requirements, we can advise on options/considerations.

     



  • 6.  RE: Setting up Guest wifi in Enterprise

    Posted Apr 10, 2018 10:24 PM

    Thanks. My main requirement is to segment corp & guest wifi effectively so there won't be any concern of hacking etc.

     

    Also I noticed the IAP hands out the same DNS IP for guest & Corp. How can I change DNS just for the Guest SSID when set up as VC-assigned IP addresses with the default VLAN (VLAN ID 3333)?

     

     



  • 7.  RE: Setting up Guest wifi in Enterprise

    EMPLOYEE
    Posted Apr 11, 2018 12:02 AM

    Is the IAP doing NAT for both corporate and guest user VLANs?

     

    Normally, I would have the corporate users connected to wired VLANs that have DHCP provided by the same enterprise infrastructure that is providing wired DHCP.

     

    Guests then would be handled with either an internal VLAN and the Instant cluster providing DHCP, or a separate wired VLAN.



  • 8.  RE: Setting up Guest wifi in Enterprise

    Posted Apr 20, 2018 05:05 PM

    Our security team is OK except they are concerned about Command and Control attacks. We have several remote locations, so they are concerned how we will track down the user & AP if this is the case.

     

    From their end they will provide the user IP address & we will have to hunt it down, which makes it difficult since it will be hard to tell where this user is connected.

     

    Any solution to this? 



  • 9.  RE: Setting up Guest wifi in Enterprise

    EMPLOYEE
    Posted Apr 20, 2018 05:37 PM

    Which configuration scenario are you considering?



  • 10.  RE: Setting up Guest wifi in Enterprise

    Posted Apr 20, 2018 11:48 PM

    Using Magic VLAN for the Guest network, where the AP will handle IP addresses and NAT. Since we have multiple remote locations, the concern is it will be difficult to trace a user if needed.



  • 11.  RE: Setting up Guest wifi in Enterprise

    EMPLOYEE
    Posted Apr 23, 2018 09:33 PM

    Each remote site would be its own cluster, so the NAT'ed IP address can still be traced back to the site it originated from.



  • 12.  RE: Setting up Guest wifi in Enterprise

    Posted Apr 24, 2018 09:58 PM

    How would I do that? 

     

    For example, someone asks "let's block this user" and provides me a MAC or IP address; how would I trace where this client is connected to? We have remote locations in different states.

     

    How will I be able to exactly trace the user when using magic VLAN for guest & the AP is acting as DHCP server?



  • 13.  RE: Setting up Guest wifi in Enterprise

    EMPLOYEE
    Posted Apr 25, 2018 12:40 PM

    @Toolbox015 wrote:

    How would I do that? 

     

    For example, someone asks "let's block this user" and provides me a MAC or IP address; how would I trace where this client is connected to? We have remote locations in different states.

     

    How will I be able to exactly trace the user when using magic VLAN for guest & the AP is acting as DHCP server?


     

    How are you managing remote IAP clusters today?

     

    Each remote location will be its own IAP cluster. So the virtual controller IP for each cluster will use an IP from the range allocated to that remote site. The virtual controller handles DHCP for the magic VLAN, as well as the NAT functionality for translating guest users from the magic VLAN to the internal network. So if HQ trips a security event for a user, the IP address seen at HQ will be the specific virtual controller IP for the branch where the user is connected.



  • 14.  RE: Setting up Guest wifi in Enterprise

    Posted Apr 26, 2018 01:21 AM

    We use Airwave to monitor/manage IAP clusters. 

     

    I don't think security will be able to see the IP address of the VC, rather just the private or public address of the client device.

     

    I believe I can enter that info in Airwave and find exactly which location this user is connected to.



  • 15.  RE: Setting up Guest wifi in Enterprise

    Posted Apr 27, 2018 01:51 PM

    Also, is it possible to track the client if security provides me the NAT'd IP? Acc. to them, this is the only visibility they have.



  • 16.  RE: Setting up Guest wifi in Enterprise

    EMPLOYEE
    Posted Apr 27, 2018 02:19 PM

    @Toolbox015 wrote:

    Also, is it possible to track the client if security provides me the NAT'd IP? Acc. to them, this is the only visibility they have.


    I think we are saying the same thing. The NAT'd IP is the VC IP for the cluster. It might help to draw out a diagram using actual IP ranges to ensure we're agreeing on the same terminology.



  • 17.  RE: Setting up Guest wifi in Enterprise

    Posted May 11, 2018 01:36 PM

    If I have 10 IAPs in a cluster, do I need to add VLAN 3333 on my switch and assign it to AP ports?

     

    I am having an issue where clients can go online if directly connected to the VC, but if they connect to any other "slave" IAP, they don't have internet access.

     

    Packet capture shows the "slave" IAP doesn't forward packets to the "master" IAP.



  • 18.  RE: Setting up Guest wifi in Enterprise

    EMPLOYEE
    Posted May 17, 2018 12:37 PM

    @Toolbox015 wrote:

    If I have 10 IAPs in a cluster, do I need to add VLAN 3333 on my switch and assign it to AP ports?


    Where did VLAN 3333 come from? Is that the VLAN you configured for the guest SSID?



  • 19.  RE: Setting up Guest wifi in Enterprise

    Posted May 17, 2018 03:14 PM

    We're currently using the Magic VLAN guest wifi at one of my customers. All the traffic NATs out from the VC IP address or the IP address of the AP itself (usually same subnet as the VC). The ACL that currently governs my AP traffic is also filtering my Guest traffic. It's not the easiest thing in the world to find specific guest traffic as you need to go look at the AP itself (not the VC). Currently even if I show datapath session on the AP itself, I cannot see the magic VLAN traffic.

    It works for what we need it for, but it sounds like you may need a more granular solution.
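
The site-level trace described in replies 13 and 19 (guest traffic leaves a branch NAT'd to the VC IP, or to an AP IP in the same range) can be scripted against a site inventory. This is an added example, not code from the thread or from the vendor; the site names, ranges, VC IPs and the guest scope are constructed, and it assumes every cluster hands out the same guest DHCP scope.

```python
import ipaddress

# Constructed inventory: one Instant cluster per remote site, with the wired
# range allocated to that site and the virtual controller (VC) IP inside it.
SITES = [
    {"site": "branch-a", "site_range": "10.20.30.0/24", "vc_ip": "10.20.30.5"},
    {"site": "branch-b", "site_range": "10.20.40.0/24", "vc_ip": "10.20.40.5"},
    {"site": "branch-c", "site_range": "10.20.48.0/22", "vc_ip": "10.20.48.10"},
]
# Assumed guest DHCP scope handed out by every cluster (constructed value).
GUEST_SCOPE = "172.31.98.0/23"

def trace_source(ip_text, sites=SITES, guest_scope=GUEST_SCOPE):
    """Map a source IP from a security event to the site it NATs out of."""
    ip = ipaddress.ip_address(ip_text)
    if ip in ipaddress.ip_network(guest_scope):
        # Pre-NAT guest address: under the assumption above the same scope
        # exists at every site, so the IP alone cannot identify a location.
        return {"ip": ip_text, "site": None, "match": "guest-scope"}
    for s in sites:
        if ip == ipaddress.ip_address(s["vc_ip"]):
            return {"ip": ip_text, "site": s["site"], "match": "vc-ip"}
    for s in sites:
        if ip in ipaddress.ip_network(s["site_range"]):
            # Same range as the VC: an AP (or other host) at that site.
            return {"ip": ip_text, "site": s["site"], "match": "site-range"}
    return {"ip": ip_text, "site": None, "match": "unknown"}

def overlapping_ranges(sites=SITES):
    """Return site pairs whose ranges overlap; overlaps make a trace ambiguous."""
    nets = [(s["site"], ipaddress.ip_network(s["site_range"])) for s in sites]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]

if __name__ == "__main__":
    # Constructed source IPs as a security team might report them.
    for src in ["10.20.40.5", "10.20.49.77", "172.31.98.14", "192.0.2.9"]:
        print(trace_source(src))
    print("overlapping ranges:", overlapping_ranges())
```

A `guest-scope` or `site-range` result narrows the search to a site at most; identifying the individual client still needs the per-AP or management-platform lookup discussed in the thread.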