
Mon, Nov 16, 2020 9:52 AM

ZD 1200 Guest network connection

Hi there,

We have a ZD 1200 with a number of APs. Currently this is configured just for our internal corporate network, and this is working well. In the past we had separate APs for our guest network that connected to a separate port on our firewall, so all traffic was just routed out to the internet with no contact with our network.

What I'm looking to do is add the guest network onto the Ruckus system while still maintaining the distance from our internal network. My initial thought was to somehow connect the guest SSID to the second Ethernet port on the ZD, which would in turn connect to the guest port on our firewall.

I'm not sure if the above is possible. If not, what is the best way to set up the guest network? I've looked at the ZD settings to create a guest network but I'm not sure it's going to work for us, but I'm open to ideas/help.

Thanks in advance,

Mick.

Responses

70 Messages • 952 Points • 2 months ago

You can configure the guest SSID to use a different VLAN.

Then just set up your switches to do the same; finally, route the VLAN to your firewall's separate port and configure the VLAN on that port.

MAKE SURE you don't bridge your switches and break out the VLAN for guest internally.

3 Messages • 100 Points • 2 months ago

Hi

Thanks for your reply.

I think initially we tried to do this (prior to going the separate guest AP route) but I'm sure we ran into issues setting up DHCP / VLANs etc. (sorry, I'm not a network expert, I just know the basics), so we couldn't get it to work like this, but I will look into this again.

Currently our firewall is using 192.168.1.0 as the IP range for the guest WiFi, via DHCP created on the firewall.

So to get this to work:

  • Create a VLAN for the guest network (VLAN 15 for example) on each switch.
  • Assign VLAN 15 to each port on each switch that the APs are connected to, and also Port 2 on the ZD.

Is the above correct or do I need to do something else?

 

Thanks in advance.

Official Rep • 733 Messages • 11.4K Points

Hi Mick,

You have two options to isolate the guest SSID/WLAN traffic and send it directly to the internet.

1. Guest SSID with default VLAN.

  • Set up a new SSID with GUEST as the SSID type, using your existing VLAN.
  • Since a guest SSID has inbuilt L3 ACLs, it will automatically isolate guest client traffic and will not let anyone access the corporate network, even though guests are on the same VLAN.
  • The AP (the WLAN interface on the AP) acts as a barrier here if any guest client tries to reach the internal network using this SSID.

2. Regular standard SSID with dedicated guest VLAN.

  • Set up a new VLAN on your firewall/router with a DHCP server.
  • Set all the switch ports in the AP-to-firewall path as trunk ports with the guest VLAN tagged on them.
  • For example, if I have Internet >> Firewall >> Core_Switch >> Distribution/access_switch >> APs, then all the switch ports along that route should be trunks with your guest VLAN tagged.
  • Now configure a new WLAN as a standard WLAN and choose the new guest VLAN under WLAN >> Advanced settings.

(edited)

Regards,

Syamantak Omer

70 Messages • 952 Points

"1. Guest SSID with default VLAN.

  • Set up a new SSID with GUEST as the SSID type, using your existing VLAN.
  • Since a guest SSID has inbuilt L3 ACLs, it will automatically isolate guest client traffic and will not let anyone access the corporate network, even though guests are on the same VLAN.
  • The AP (the WLAN interface on the AP) acts as a barrier here if any guest client tries to reach the internal network using this SSID."

This is not totally correct...

APs and ZoneDirector have ZERO control over external switches & infrastructure.

Once it leaves the AP or ZD, traffic can easily be mis-routed via a combined trunk statement on a switch that accepts ALL VLANs & strips the headers...

You have to be real careful... on your configs for other equipment...

ESP. if you have 0.0.0.0 routing rules...

Official Rep • 733 Messages • 11.4K Points

Hi Caveman,

Thanks for the suggestion!

Setting an ACL from the controller on a WLAN adds it to the AP's WLAN interface. This means a wireless client connected to that SSID cannot reach the restricted subnet.

The steps I provided are for most standard wired network setups; however, using different routing rules one can always play with the traffic, so a general config procedure may help specific use cases but not all.

Regards,

Syamantak Omer

70 Messages • 952 Points • 2 months ago

LOL...

You don't need to be an "expert", just have a clear head about what you want to accomplish.

Obviously you will need TWO zones for DNS & DHCP...

Don't do like some people I've seen... set DNS resolvers to their internal AD server on another subnet...

Also DON'T "break out" the VLAN on the switch with an IP address, or you can have a very bad day where a mis-configured switch routes the traffic via 0.0.0.0 into your existing infrastructure...

Also watch your "trunk" statements.

For sanity... re-arrange your switch so that all the APs come into a section of the switch as far away from other ports as possible and then "group" those ports...

Too many times have I seen mis-labelled infrastructure cross-route traffic due to a badly placed cable.

(edited)
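The switch-side pitfalls raised in this thread (trunks that carry all VLANs, the guest VLAN left as native so its tag is stripped, and a switch IP "breaking out" the guest VLAN) can be checked mechanically before the guest SSID goes live. The script below is an added example, not from the thread or from Ruckus; it assumes Cisco IOS-style switch syntax and runs over a constructed sample config that reuses the thread's VLAN 15 and 192.168.1.0 range.

```python
# Constructed IOS-style switch config (illustrative sample, not from the thread): an uplink
# trunk done right, two AP-facing trunks with different mistakes, and an SVI on VLAN 15.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 1,15
!
interface GigabitEthernet1/0/2
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 switchport mode trunk
 switchport trunk native vlan 15
 switchport trunk allowed vlan 1,15
!
interface Vlan15
 ip address 192.168.1.254 255.255.255.0
!
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Group the lines of each 'interface X' block under its name."""
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!" or not line:
            current = None  # '!' ends the block in this syntax
        elif current is not None:
            blocks[current].append(line)
    return blocks

def audit_guest_vlan(config: str, guest_vlan: int) -> list[str]:
    """Flag the pitfalls raised in the thread: a switch IP on the guest VLAN, trunks
    that carry every VLAN, and a trunk where the guest VLAN is native (tag stripped)."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if name.lower() == f"vlan{guest_vlan}" and any(ln.startswith("ip address ") for ln in lines):
            findings.append(f"{name}: guest VLAN has a switch IP address, so the switch can route it")
        if "switchport mode trunk" not in lines:
            continue  # access/unconfigured port: trunk checks do not apply
        if not any(ln.startswith("switchport trunk allowed vlan ") for ln in lines):
            findings.append(f"{name}: trunk allows all VLANs; restrict it to the VLANs this link needs")
        native = [ln for ln in lines if ln.startswith("switchport trunk native vlan ")]
        if native and int(native[0].rsplit(None, 1)[1]) == guest_vlan:
            findings.append(f"{name}: guest VLAN {guest_vlan} is native on the trunk, so it leaves untagged")
    return findings
```

Run `audit_guest_vlan(SAMPLE_CONFIG, 15)` against a `show running-config` dump to get one line per port that needs fixing; an empty list means none of the three pitfalls were found.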