Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

One VLAN, One SSID, One IP Space but Different Roles

  • 1.  One VLAN, One SSID, One IP Space but Different Roles

    Posted Feb 18, 2016 04:42 PM

    Thank you in advance.  I'm a little slow.  I currently have ClearPass returning a role back to the Aruba controllers and it is working OK.  Each of those roles (employee, guest, etc.) is associated with a different VLAN and IP space.  But I was curious: can I just have one SSID, with one VLAN and one IP space, but have ClearPass return a different role which would restrict access?  So for example, user1 signs on to the SSID and gets the "guest" role with IP address 192.168.1.5/24.  Their role dictates they can only have internet access.  Let's say user2 signs on to the same SSID but gets the "employee" role with IP address 192.168.1.6/24.  And the employee role dictates they can have internet access plus access to the internal server.  Are 192.168.1.5 and 192.168.1.6 isolated from each other?  I'm assuming no, and I don't want a potentially virus-infected laptop in the guest role talking to computers in the employee role.  But I would like employee computers to be able to talk to each other.  It seems I can enable client isolation, but I still want employee devices to be able to talk to each other.  I'm just curious if it is best practice to associate a unique VLAN to each role?  Thanks!



  • 2.  RE: One VLAN, One SSID, One IP Space but Different Roles
    Best Answer

    EMPLOYEE
    Posted Feb 18, 2016 04:45 PM

    Generally it's best to keep guests and employees separated by VLAN, but then you can put all employees in the same VLAN and use different roles to differentiate access. You can also deny inter user traffic on the SSID so the users are isolated from each other.



  • 3.  RE: One VLAN, One SSID, One IP Space but Different Roles

    Posted Feb 18, 2016 11:15 PM

    If you're in the enterprise space or just paranoid, err on the side of caution and use VLAN separation at the very least.  You could take it a step further and dump guest into an external firewall (Cisco, Check Point, Palo Alto) zone.



  • 4.  RE: One VLAN, One SSID, One IP Space but Different Roles

    Posted Feb 15, 2017 01:47 PM

    I would like to add a question to this thread.


    I have 3 VLANs. VLAN X and Y are separated, but VLAN Z will allow different "partners" to get access through CPPM Guest, and CPPM will return the proper user role to the controller depending on the credentials.


    I am at a loss on how to separate the users from Role A on VLAN Z from Role B on VLAN Z. They share the same IP space...




  • 5.  RE: One VLAN, One SSID, One IP Space but Different Roles

    EMPLOYEE
    Posted Feb 15, 2017 04:20 PM

    If your role is blocking destination traffic to the IP address range that clients are receiving, they cannot send traffic to those devices.  If my client range is 192.168.1.x, part of my role will be to block traffic to the 192.168.1.x range, and those clients will not be able to talk.
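The two mechanisms discussed in replies 2 and 5 (an SSID-wide "deny inter user traffic" setting versus a per-role ACL that denies the shared client range) behave differently for the original poster's requirement, so here is an added example, written for this thread and not taken from HPE Aruba Networking documentation or any product code, that models first-match role ACL evaluation over a few constructed flows. The subnet 192.168.1.0/24 comes from the thread; the internal server range 10.10.0.0/16, the internet host 203.0.113.10, the service names, the rule order inside each role and the "implicit deny at the end of a role" behaviour are all assumptions made for the model, not facts about any controller.

```python
"""Model of per-role, first-match session ACLs on a single shared subnet (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Constructed addressing. The client range is the one used in the thread; the
# internal server range and internet host are assumptions for this example.
CLIENT_SUBNET = ip_network("192.168.1.0/24")   # one VLAN, one SSID, one IP space
INTERNAL_SERVERS = ip_network("10.10.0.0/16")  # hypothetical internal server range
INTERNET_HOST = "203.0.113.10"                 # documentation address standing in for "the internet"


@dataclass(frozen=True)
class Rule:
    dst: Optional[IPv4Network]  # None means "any destination"
    service: str                # "any" or a service name such as "http"
    action: str                 # "permit" or "deny"

    def matches(self, dst_ip: IPv4Address, service: str) -> bool:
        dst_ok = self.dst is None or dst_ip in self.dst
        svc_ok = self.service in ("any", service)
        return dst_ok and svc_ok


# Per-role policies, evaluated top-down, first match wins (assumed semantics).
ROLES: Dict[str, List[Rule]] = {
    # Guest: reply 5's approach. Deny the whole client range first, so the rule
    # works no matter which DHCP address a peer on this VLAN happens to hold.
    "guest": [
        Rule(CLIENT_SUBNET, "any", "deny"),
        Rule(INTERNAL_SERVERS, "any", "deny"),
        Rule(None, "dns", "permit"),
        Rule(None, "http", "permit"),
        Rule(None, "https", "permit"),
    ],
    # Employee: internet, internal servers and other clients on the VLAN.
    "employee": [
        Rule(None, "any", "permit"),
    ],
}


def evaluate(role: str, src_ip: str, dst_ip: str, service: str,
             deny_inter_user: bool = False) -> str:
    """Return 'permit' or 'deny' for a flow initiated by a client in `role`.

    `deny_inter_user` models reply 2's SSID-wide knob: any client-to-client
    flow inside the shared subnet is dropped before the role ACL is consulted.
    """
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    if deny_inter_user and src in CLIENT_SUBNET and dst in CLIENT_SUBNET:
        return "deny"
    for rule in ROLES[role]:
        if rule.matches(dst, service):
            return rule.action
    return "deny"  # assumed implicit deny when no rule matches


def isolation_report(deny_inter_user: bool = False) -> Dict[str, str]:
    """Evaluate the flows the original post cares about in one go."""
    flows = {
        "guest_to_internet":       ("guest",    "192.168.1.5", INTERNET_HOST, "https"),
        "guest_to_internal":       ("guest",    "192.168.1.5", "10.10.0.10",  "https"),
        "guest_to_employee":       ("guest",    "192.168.1.5", "192.168.1.6", "smb"),
        "employee_to_internal":    ("employee", "192.168.1.6", "10.10.0.10",  "smb"),
        "employee_to_employee":    ("employee", "192.168.1.6", "192.168.1.7", "smb"),
        # Caveat: on a shared subnet the employee role cannot tell a guest peer
        # apart from another employee by address, so this flow is still permitted.
        "employee_to_guest":       ("employee", "192.168.1.6", "192.168.1.5", "smb"),
    }
    return {name: evaluate(*args, deny_inter_user=deny_inter_user)
            for name, args in flows.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"deny_inter_user={mode}")
        for name, verdict in isolation_report(mode).items():
            print(f"  {name:24s} {verdict}")
```

With the role ACLs alone, the guest cannot initiate anything into 192.168.1.0/24 or the internal range while employees keep full peer access, which is what the original poster asked for. Turning on the SSID-wide inter-user deny also blocks employee-to-employee traffic, which is the trade-off reply 2 describes. The last flow in the report is the limitation to keep in mind: because guest and employee devices draw addresses from the same pool, the employee role has no destination it can match to exclude guest devices, so an employee-initiated session to a guest laptop is still allowed; that gap is what the VLAN separation recommended in replies 2 and 3 closes.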



  • 6.  RE: One VLAN, One SSID, One IP Space but Different Roles

    Posted Feb 15, 2017 04:41 PM

    Ya, agreed. Problem is I don't know what IP ranges I will need to block since users will receive a DHCP address from that VLAN.




  • 7.  RE: One VLAN, One SSID, One IP Space but Different Roles

    EMPLOYEE
    Posted Feb 15, 2017 09:18 PM

    What you do will depend on your actual requirements.