Two LANs, ZF7330 and 7055 APs, 1 ZoneDirector

  • Updated 2 years ago
Hi there,
I'm new here.
I'm upgrading our access points to ZF7330 and ZF7055. Both have 3 and 5 LAN ports. We have a ZoneDirector 3050.
What I want to do:
  • I have two internet connections coming to site.
  • I want to use one for office LAN
  • I want to use the other for visitors, guests (on a subnet) and scheduled AP (up on Sundays and Mondays, down the rest of the week).
  • ZoneDirector to manage APs
  • I want to use two LAN ports on each AP. One for Office LAN (with PoE), the other for Visitors, Guest and Schedule WLAN.
I managed to set up the 7330 standalone and managed to achieve what I needed, except for the schedule AP. I did this using VLANs and connecting each AP LAN to a switch port on each VLAN (default 1, and 2).

I would like to get the same setup but using the ZoneDirector, so that I can use other features, like RADIUS, users, guest, schedule WLAN, etc.

Can anyone guide me in the right direction?

Thanks!
samhn


Posted 2 years ago

RBGE

I have a very similar setup, although I use the same physical port on all APs.  The ZoneDirector then tags the guest WLAN which is sent across a completely separate network by the switches.  In theory your setup should be almost identical, although the exact config for sending guest traffic out a separate port on the APs is a question I'll leave for somebody who actually does this!

The schedule for the guest WLAN can be set in Configure -> WLANs and then by clicking 'Edit' next to the relevant WLAN.  Expand 'Advanced options' and the schedule will be at the bottom.  If you leave the office WLAN at default, it'll be on all the time.

RADIUS, guest passes, etc. are all set up separately through the 'Guest Access' and 'AAA Servers' tabs.
Sid Sok, Official Rep

You should be able to achieve the same thing using the port setting for Specific AP model or the individual AP Port setting.

For the Group setting look in: Configure > Access Point > Access Point Group (edit or create a new one) > Model Specific Control > (select the) Override system Default, and you should be able to apply the same VLAN rule as on the Standalone AP.

Or for specific AP you can edit that one AP and enable (check) the "Override Group Config" in the "Port Setting" section of the AP's config page.

Sid
samhn

Hi RBGE,

Thank you for your quick reply.

I would love to know what kind of setup you have, and the kind of equipment (switches) you are using.

Regards.
RBGE

Happy to share details.  Bear in mind that while my setup works for me, it may not be the best for anyone else reading this.  The main goal of this setup though is to keep guest traffic completely isolated from the rest of the network.  Not only for security, but we're an academic institution and aren't allowed to let Joe Public use our Janet connection (if you're not based in the UK and don't know what Janet is, details are here: https://en.wikipedia.org/wiki/JANET - this part isn't important though).  Point is we need to provide wi-fi to visitors, but not on our connection.

We have a second Internet connection dedicated solely to public access, as is fairly common nowadays, using a standard business ADSL connection.  This is connected to a separate firewall which handles DHCP, content filtering, etc...  and is isolated to the guest VLAN.  When a visitor connects to our guest network, the AP tags the traffic with the VLAN ID and the switches are configured to only allow this traffic across certain ports.  This allows it to reach the DHCP server on the firewall, which gives the client an IP address on the ADSL network and isolates it from everything else.  We use HP switches, although there's nothing HP specific here.  Anything that can handle VLAN tagging is fine.  It also makes things easier when setting up extra APs, as all that needs done is to connect a PoE cable and allow the guest VLAN on the switch port.

This has worked perfectly for quite some time, but the only issue I've had recently (see my other posts for info) is that when trying to use a separate authentication portal (PurplePortal in this case), the clients are bounced back to the ZoneDirector to complete authentication.  Unfortunately they can't see it, as they're now on an external network.  For standard guest access though, it works perfectly!

That may or may not make sense, as I probably glossed over a few details.  Happy to clarify anything if it helps though!
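
A check for the switch side of the setup described in the post above, as an added example that is not part of the original post or RBGE's own configuration: it parses an HP ProCurve-style running-config and lists ways the guest VLAN could reach anything other than the AP ports and the guest firewall. The VLAN IDs, port numbers, function names and the sample config are all constructed assumptions.

```python
# Constructed sample in HP ProCurve running-config style. VLAN IDs and port
# numbers are assumptions for illustration, not values from the thread.
SAMPLE_CONFIG = """
vlan 1
   untagged 1-23
   ip address 192.168.1.2 255.255.255.0
   exit
vlan 20
   untagged 24
   tagged 1-8,12
   no ip address
   exit
"""

def expand_ports(spec):
    """Turn '1-8,12' into {1, ..., 8, 12} (numeric port names only)."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_vlans(config):
    """Return {vlan_id: {'tagged': set, 'untagged': set, 'has_ip': bool}}."""
    vlans, current = {}, None
    for line in config.splitlines():
        words = line.split() or [""]
        if words[0] == "vlan" and len(words) == 2 and words[1].isdigit():
            current = vlans.setdefault(int(words[1]), {"tagged": set(), "untagged": set(), "has_ip": False})
        elif current is not None and words[0] in ("tagged", "untagged") and len(words) == 2:
            current[words[0]] |= expand_ports(words[1])
        elif current is not None and words[:2] == ["ip", "address"]:
            current["has_ip"] = True  # 'no ip address' does not match this
        elif words[0] == "exit":
            current = None
    return vlans

def audit_guest_vlan(vlans, guest_vid, ap_ports, firewall_port):
    """List ways the guest VLAN could leak past the AP ports and guest firewall."""
    guest, findings = vlans[guest_vid], []
    members = guest["tagged"] | guest["untagged"]
    for port in sorted(members - ap_ports - {firewall_port}):
        findings.append(f"port {port} carries the guest VLAN but is not an AP or the guest firewall")
    if guest["has_ip"]:
        findings.append("switch has an IP interface in the guest VLAN")
    for vid, v in vlans.items():
        if vid != guest_vid and firewall_port in v["tagged"] | v["untagged"]:
            findings.append(f"guest firewall port {firewall_port} is also in VLAN {vid}")
    return findings
```

With APs assumed on ports 1-8 and the guest firewall on port 24, `audit_guest_vlan(parse_vlans(SAMPLE_CONFIG), 20, set(range(1, 9)), 24)` reports port 12, which carries the guest VLAN without being an AP port.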
samhn

Hi RBGE,

Thank you for that. What you have done is what I want to do. Except that I was thinking of using the LAN ports.

So to clarify, are you using an AP for Guest and another for JANET? Or, are you using the same AP with two WLANs, SSIDs, one for "JANET" the other for Guest?

Regards.
RBGE

Every single one of our APs has the same configuration.  They all carry each WLAN and tag them accordingly.  We have more than just the two, and our internal WLANs all go into different subnets on our internal network, but it's only the guest WLAN that is pushed over to an external network.

Basically, it's the latter of your two questions.  It's fairly easy to configure, so I wouldn't imagine too much changing if you want to use a separate port for the guest WLAN.