VLANing across different sites

  • Updated 4 years ago
Not quite sure on how to configure the following:
Have one ZD3000 and 2 sites, more in the future.
Want to VLAN guest and BYOD traffic at both sites.
Each site has its own DHCP server with different IP schemes.
Any insight on how to make this work would be appreciated.

Scott Frasier

Posted 4 years ago

Bill Burns, AlphaDog

I assume you've got routers or VPN connections in-between your various sites, and no common subnets between them.

In that case, you need to decide if you need/want to create a common set of wifi SSIDs and subnets between locations.

For the moment, I'll assume not.
(I'm assuming your locations are far enough apart where a client would never "roam" between APs in different locations without dropping connectivity first)

In that case, you can have different SSIDs in each location and a different subnet backing up each SSID.
(technically you could have the same VLAN number used for different subnets in different locations but that's conceptually less "clear")

You have the option of using per-user authentication for the BYOD gear or (if you can accept less security) you could issue a single password for all employees.
Guest access is typically unauthenticated and on a subnet/VLAN that only provides internet access.

I assume your remote site(s) have onsite network resources (like file servers, etc.) since you have DHCP servers in each location.
So you probably don't want to use tunneling but:
If you need/want to have wireless users in the same subnet(s) between locations for some reason, you could use tunneling for APs in the remote locations.
Caveat: You do *not* want to use AP tunneling if that would force a significant amount of traffic back to your central location just to get routed out again to reach a (wired?) resource in that remote location.

Also... There is overhead on your ZD3000 for each tunnel.
So.. you probably don't want a remote location with a large number of APs to tunnel all its traffic back.

Scott Frasier

Thanks for the answer. What I am trying to achieve is that all guest and BYOD access not be on the corporate network. I worked with support to get the BYOD authentication working using Zero-IT, but the IP the device gets is of the corporate network and I have run into issues with running out of IP addresses.
I have tried testing with vlan tagging by putting the AP on a trunked port and setting the vlan for the SSID but as soon as I do that it loses communication with the ZD at the other site. Not sure what I am missing.

Bill Burns, AlphaDog

See if this thread addresses your issue:
https://forums.ruckuswireless.com/ruc...

The AP has a management IP address.
Setting the vlan for an SSID is good, but it does not set the vlan for the AP's management IP.

If you're trunking traffic to your APs, you'll probably want to have a separate VLAN for management traffic to the AP.

A separate wifi management VLAN is not mandatory but:
Whatever the AP's management IP is, it should be in the native VLAN of your trunk.

Once you've got your APs trunked (and working) you should be able to assign a different VLAN for your Corporate, Guest and BYOD SSIDs.
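
An added example, not written by either poster and not Ruckus code: a small pre-change check of a per-site AP trunk plan against the points raised in this thread (AP management IP in the trunk's native VLAN, every SSID VLAN carried on the trunk with a local subnet, guest and BYOD kept off the corporate subnet). The plan layout, VLAN IDs, addresses and SSID names are all constructed assumptions.

```python
import ipaddress

def check_site(site):
    """Return the problems found in one site's AP trunk and SSID VLAN plan."""
    problems = []
    nets = {vid: ipaddress.ip_network(cidr) for vid, cidr in site["vlans"].items()}
    trunk, corp = site["trunk"], site["corporate_vlan"]
    # Rule from the thread: whatever the AP's management IP is, it should be
    # in the native VLAN of the trunk; the SSID VLAN setting does not move it.
    native_net = nets.get(trunk["native"])
    if native_net is None or ipaddress.ip_address(site["ap_mgmt_ip"]) not in native_net:
        problems.append("AP management IP is not in the trunk's native VLAN")
    for ssid, vid in site["ssids"].items():
        if vid not in trunk["allowed"]:
            problems.append(f"{ssid}: VLAN {vid} is not allowed on the AP trunk")
        if vid not in nets:
            problems.append(f"{ssid}: VLAN {vid} has no local subnet/DHCP scope")
        elif ssid in site["isolated"] and (vid == corp or nets[vid].overlaps(nets[corp])):
            problems.append(f"{ssid}: not separated from the corporate network")
    return problems

# Constructed sample plans (hypothetical VLAN IDs and addressing).
SITE_A = {  # management VLAN 10 is native; corporate, BYOD and guest are tagged
    "trunk": {"native": 10, "allowed": {10, 20, 30, 40}},
    "ap_mgmt_ip": "10.1.10.21",
    "vlans": {10: "10.1.10.0/24", 20: "10.1.20.0/24",
              30: "10.1.30.0/24", 40: "10.1.40.0/24"},
    "ssids": {"Corp": 20, "BYOD": 30, "Guest": 40},
    "corporate_vlan": 20,
    "isolated": {"BYOD", "Guest"},
}
SITE_B = {  # AP still addressed from the corporate subnet, BYOD on the corporate VLAN
    "trunk": {"native": 1, "allowed": {1, 30, 40}},
    "ap_mgmt_ip": "10.2.20.21",
    "vlans": {1: "10.2.1.0/24", 20: "10.2.20.0/24", 30: "10.2.30.0/24"},
    "ssids": {"BYOD": 20, "Guest": 40},
    "corporate_vlan": 20,
    "isolated": {"BYOD", "Guest"},
}

if __name__ == "__main__":
    for name, site in (("site A", SITE_A), ("site B", SITE_B)):
        issues = check_site(site)
        print(name, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```
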