Ruckus Network Design for Guest Network between two Sites

Question
Updated 3 years ago
Hi,

I need some help with a Ruckus network design, please.

Following Environment:
- 1 Company
- 1 Active Directory Domain
- 2 company sites (Munich and Berlin) connected together over a Layer 3 VPN tunnel.
- Each site has a separate Internet router just for the Ruckus guests/employees.

Goal:
Employees (no matter if they are working in Munich or Berlin) should be able to get Internet access for their private smartphones through the Internet router. They should be able to log in on both sites with the same user (one user database). It should be as easy as possible. Additionally, it should still be possible to connect to the wireless LAN if the VPN tunnel goes down.

My main Questions are:
- How can I achieve this goal?
- Is there (in the case of an existing AD domain) a better solution than creating guest tickets for each employee? Maybe authentication with an existing Windows user account?
- Where should I add a ZoneDirector? One on each site? If yes, can I connect them together for redundancy if one fails or the VPN tunnel goes down?

Are there other things I should look for?
Many thanks for any help/ideas.

Best Regards
Marco
Marco Eichstetter
Posted 3 years ago

Monnat Systems, AlphaDog

Hello Marco Eichstetter,

This is doable and very often implemented in a central office / branch office scenario. I am assuming that Berlin is the central office where the ZD and AD will reside. In this deployment, once deployed, the same configuration at the Berlin office will be reflected in the Munich office, and the same AD credentials can be used at the branch office.
Make sure that the latency of the VPN connection is less than 100 ms.

Since both sites are connected via VPN, let the AP(s) join via layer 3 through the VPN. Refer to the following URL on how to do this - https://support.ruckuswireless.com/an...

You can add the 2nd ZD at the Munich office for redundancy; then both ZDs can be configured in such a way that the APs, in case of failure of the ZD or the VPN, are forced to contact the alternate ZD, which could be on the same site or the remote site depending on the nature of the fault.

Please remember that during redundancy the APs will work only with one ZD, i.e. the active or primary one.

Also make sure that the LWAPP ports are opened on the remote site router & firewall, the latency is less than 100 ms, and keep an eye on the MTU of the VPN link.

Hope this helps.

Marco Eichstetter

Hello,

first, thanks for your reply.

Yes, you're right, Berlin is the central office, Munich the branch office.
Latency of the VPN is less than 100 ms. That's no problem.

If I understand right, I connect the 2nd ZD in Munich over the feature "Smart Redundancy" over the VPN. Berlin active, Munich standby. Each ZD must be the same model and have the same number of licensed APs.

One additional question please:
I plan to create a VLAN for my Ruckus hardware (ZD and APs) and a VLAN for my guest network and, in the future, a separate VLAN for my production network. There will be a DHCP server in each VLAN. I don't want to add my Ruckus components to the production network. The inter-VLAN routing will be done by an HP switch for each VLAN except the guests. The routing for my guests will be done by its own firewall. Is this planned configuration best practice or recommended/common?

Thanks again!
Best Regards
Marco

Monnat Systems, AlphaDog

Answers to your questions:

Yes, for Smart Redundancy to work correctly you shall have the same ZD model, the same firmware version on both, and the same AP licences.

Yes, it is common for lots of enterprises to segregate their guest traffic from production and also to use a separate DHCP server by using VLANs.

Let us know if you run into trouble and best of luck.

Monnat Systems, AlphaDog

Yes, Berlin active, Munich standby.
I just re-thought and realised that if your Active Directory is ONLY at Berlin, then in the event of the VPN going down there will be an outage for new AD WLAN users.

A backup secondary AD server would also help in this situation.

Marco Eichstetter

Hello,

Thanks again.
OK. I think it's clear.

I asked about adding just the Ruckus hardware to its own VLAN because in one of my first Ruckus installations I had some trouble with that type of config:
I added my ZD and my APs to VLAN 6 untagged. The wired productive network was VLAN 1. I tried to create an SSID for the wireless productive clients on my ZD and left the VLAN tagging at the default value 1. The problem was, my wireless clients received an IP from the DHCP server in VLAN 6, where my APs were untagged, not from VLAN 1.

Where was my mistake?

Thanks!
Marco

PS: Maybe you have an answer to this topic I created with a different user, too:
https://forums.ruckuswireless.com/ruc...

yy

Hi Marco,

Did you have the port facing the AP as untagged VLAN 6? If so, the AP's VLAN 1 would have been VLAN 1.

You might want to take a look at changing the AP's management VLAN at:
configure -> Access Points -> Access Point Policies -> Management VLAN

or separating the data traffic and management VLAN for wired and wireless away from VLAN 1.
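To make the VLAN 6 / VLAN 1 behaviour above concrete, here is a small model of what the switch port and the AP do with 802.1Q tags. It is an added example, not code from the thread, from Ruckus or from HP. It assumes two things: a switch port puts untagged ingress frames into its PVID (native) VLAN and only accepts tagged frames for VLANs configured as tagged on that port, and a Ruckus AP sends traffic for "VLAN 1" (SSID or management) untagged and tags every other VLAN. The port name, the DHCP server names and the extra VLAN 10 are constructed for the example. The model reproduces the symptom Marco describes (SSID on VLAN 1, port untagged in VLAN 6, so clients land in VLAN 6) and the effect of yy's suggestion (AP management VLAN moved to 6 and carried tagged, VLAN 1 left as the port's untagged VLAN). It also covers one failure mode the thread does not show: an SSID on a VLAN the port does not carry tagged is dropped at the switch, so those clients never get a DHCP answer at all.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class SwitchPort:
    """An 802.1Q switch port (port name is constructed for the example)."""
    name: str
    pvid: int                                      # VLAN for untagged ingress frames
    tagged: Set[int] = field(default_factory=set)  # VLANs accepted with a tag

    def ingress_vlan(self, tag: Optional[int]) -> Optional[int]:
        """VLAN a received frame is placed in, or None if the port drops it."""
        if tag is None:
            return self.pvid                # untagged -> native / PVID VLAN
        return tag if tag in self.tagged else None


@dataclass
class RuckusAP:
    """Assumed Ruckus AP behaviour: VLAN 1 means 'send untagged'."""
    management_vlan: int = 1

    @staticmethod
    def frame_tag(vlan: int) -> Optional[int]:
        return None if vlan == 1 else vlan

    def client_tag(self, ssid_vlan: int) -> Optional[int]:
        """Tag the AP puts on a wireless client's frames for this SSID."""
        return self.frame_tag(ssid_vlan)

    def management_tag(self) -> Optional[int]:
        """Tag the AP puts on its own management (LWAPP to the ZD) frames."""
        return self.frame_tag(self.management_vlan)


# Constructed DHCP placement following the thread: one server per VLAN.
DHCP_SERVERS: Dict[int, str] = {1: "dhcp-production", 6: "dhcp-ruckus-mgmt"}


def client_vlan(port: SwitchPort, ap: RuckusAP, ssid_vlan: int) -> Optional[int]:
    """VLAN a wireless client's DHCP discover lands in after crossing the AP port."""
    return port.ingress_vlan(ap.client_tag(ssid_vlan))


def ap_management_vlan(port: SwitchPort, ap: RuckusAP) -> Optional[int]:
    """VLAN the AP's own management traffic lands in."""
    return port.ingress_vlan(ap.management_tag())


def dhcp_server_for(port: SwitchPort, ap: RuckusAP, ssid_vlan: int) -> Optional[str]:
    """Which DHCP server (if any) answers clients of this SSID."""
    vlan = client_vlan(port, ap, ssid_vlan)
    return DHCP_SERVERS.get(vlan) if vlan is not None else None


# Scenario 1: the configuration described in the thread. Port untagged in
# VLAN 6, AP management VLAN left at the default, SSID left at VLAN 1.
ORIGINAL_PORT = SwitchPort("7", pvid=6)
ORIGINAL_AP = RuckusAP()

# Scenario 2: yy's suggestion. AP management VLAN set to 6, so the switch
# port carries VLAN 6 tagged and keeps VLAN 1 as its untagged (PVID) VLAN.
FIXED_PORT = SwitchPort("7", pvid=1, tagged={6})
FIXED_AP = RuckusAP(management_vlan=6)


if __name__ == "__main__":
    for label, port, ap in (("original", ORIGINAL_PORT, ORIGINAL_AP),
                            ("mgmt-vlan fix", FIXED_PORT, FIXED_AP)):
        print(f"{label}: SSID VLAN 1 clients land in VLAN "
              f"{client_vlan(port, ap, 1)} -> {dhcp_server_for(port, ap, 1)}; "
              f"AP management lands in VLAN {ap_management_vlan(port, ap)}")
    # Failure mode: SSID on a VLAN the port does not carry tagged is dropped.
    print("SSID VLAN 10 on the original port ->",
          client_vlan(ORIGINAL_PORT, ORIGINAL_AP, 10))
```

In the original scenario the SSID's untagged frames take the port's PVID and end up with the VLAN 6 DHCP server, which is exactly the symptom in the post; after the change, client traffic stays in VLAN 1 while the AP's management traffic is carried tagged in VLAN 6, so the Ruckus management plane and the client data plane are kept apart on the same port.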

Marco Eichstetter

Hi yy,

Yes. I set VLAN 6 as untagged at the switch port where the AP was connected.

But one basic question:
Is it recommended or more secure to add all my Ruckus hardware (ZD + APs) to its own VLAN as untagged/native? Or would you add your hardware to an existing VLAN, e.g. VLAN 1, where all my servers, clients and printers are?

Thanks!
Regards
Marco

Marco Eichstetter

Hello,

The AD is redundant. I have two domain controllers at each site. That's no problem.
I would plan to authenticate my guests with their Active Directory user instead of the internal ZoneDirector guest ticket. This should be possible, right?

Regards
Marco

Marco Eichstetter

Hello again,

What happens if the Layer 3 VPN tunnel goes down but the two ZDs are still online?
Because the standby ZD won't see the active ZD, will it become active? If yes, there would be two active ZDs, one in Berlin and one in Munich, right? Am I still able to create guest tickets? If yes, am I able to create guests in Munich AND Berlin because each thinks it's the active one? What will happen if the VPN tunnel comes up again? Will the guest user databases be merged together?

Maybe someone could clear up this scenario a little bit more.
Many Thanks!

Best Regards
Marco

yy

Hi Marco,

I believe both of the ZDs will become active when the VPN tunnel goes down.

Perhaps you can:
- Get a redundant link between the offices
or
- Configure the Primary and Secondary ZD option at each site

It may be best to ask Ruckus support what would happen to the configurations and the user database sync, incl. guest passes, when the ZDs recover from 'split brain'.

Marco Eichstetter

Hi yy,

Thanks! I opened a case.
If I get any feedback on this from Ruckus I will post it.

Regards
Marco

Marco Eichstetter

Hello,

Meanwhile I got an answer from Ruckus Support:
- Yes, both ZDs will be active.
- Yes, because both are active, I will be able to add settings and users to the local DB on both ZDs.
- If the VPN is back online again, the ZDs will go back into Smart Redundancy mode. Because there is a conflict between the settings/users, I will have to choose which config should be used.

Regards
Marco

yy

Thanks for the input, Marco.

Looks like this thread is not in the "resolved" state.

Is there anything else you need other inputs for in your design?

Marco Eichstetter

Stupid question:
Where/how could I "resolve" the thread?