ZoneDirector Networking Question

Updated 6 months ago
I have a new client that wants a new wireless system.  I had them purchase a ZoneDirector 1200 with a dozen R600 APs.

They have several existing VLANs: staff (and phones), infrastructure, security and A/V.  Currently, all wireless guest access (through a couple of Netgear wireless routers) is via the 'staff' subnet with a /22 subnet mask.  Bad, bad, bad...

After I've reconfigured the network issues, I want to put all the Ruckus equipment on its own subnet (10.1.1.0 /24).  Wireless access is only required for the 'staff' and 'guest' networks.

I want to configure it as follows:

Ethernet NIC #1 - This NIC will plug into the 'staff' network (via a switch) and use the default gateway for internet access on their 10 meg ISP circuit.  I want to configure AD integration so staff can authenticate with their AD credentials when accessing via wireless.  This should provide server, printer and internet access.

Ethernet NIC #2 - I want this interface to plug directly into a spare DSL circuit for use with the 'guests' SSID.  I want to use the ZoneDirector's internal DHCP server to handle all guest IPs and route them directly to the DSL circuit.  This should provide internet-only access for visitors.

I can handle all the networking but am unsure if the Ruckus system can do this.  Is it possible?

Hope this makes sense.

Thanks!

Tom
Tom Pope

Posted 6 months ago
Shaun Van Tonder
Sounds like you want to do a very complex setup.

We have a management VLAN (VLAN ID 1) for all our Ruckus APs and the controller.

All our D-Link switches have VLAN 1 by default on them, and so their IP falls in this range.

We then have various other VLANs for servers and desktops.

We then created VLAN 100 for staff wifi laptops and VLAN 101 for public wifi guests and staff mobile phones.

You will then create VLAN 100 and VLAN 101 on every switch.

Tag VLANs 1, 100 and 101 on all switches on the ports joining to other switches.

On the switch ports where your APs are, untag VLAN 1 and tag VLANs 100 and 101.

I then blocked VLAN 101 from accessing the company VLANs on the core switch.

Set up 3 wireless SSIDs on the controller:

Corporate wireless: VLAN ID 100

Guest and staff/student mobile wireless: VLAN 101, and create DHCP scopes for them on the Windows DHCP server.

I had to give a public DNS server IP on the guest / staff mobile VLAN because they can't reach our internal DNS server. You also want to allow DNS out on the firewall to these DNS servers so they can resolve names.

We went a step further and set up a RADIUS server for the corporate wireless SSID, and in the RADIUS server settings set it to only allow domain computers to connect.

So there is no wireless key to enter. If their PC is not a member of domain computers they can't connect.

The students / staff mobile wifi uses a captive portal with AD authentication, so they log in with their user account and password.

Guest wifi tokens or passes are generated by myself once a week and forwarded to reception for guests.

Works flawlessly in my environment.


Shaun

Tom Pope
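The VLAN layout in the reply above (management VLAN 1 untagged on AP ports, VLANs 100 and 101 tagged on AP and inter-switch ports, and VLAN 101 blocked from the company VLANs on the core switch while still able to reach public DNS) is easy to get subtly wrong on a dozen switches. The following is an added example, not code from the original thread or from Ruckus or D-Link: a small Python model that audits a port map and a core-switch policy against those rules before anything is pushed to hardware. The subnets, the company VLAN IDs (10 and 20), the port names and the sample rule sets are all constructed for the example.

```python
"""Audit a VLAN plan of the kind described in the reply above.

Two checks are modelled:
  1. port membership: trunks tag VLANs 1, 100 and 101; AP ports untag 1
     and tag 100 and 101;
  2. core-switch policy: the guest VLAN (101) must not reach the management
     or company VLANs, but must be able to reach public DNS resolvers.
All identifiers below are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

MGMT, STAFF_WIFI, GUEST_WIFI = 1, 100, 101      # VLAN IDs from the reply
COMPANY_VLANS = {10, 20}                        # assumed server/desktop VLANs

# Assumed addressing; one subnet per VLAN.
VLAN_SUBNETS = {
    MGMT: ip_network("10.1.1.0/24"),
    STAFF_WIFI: ip_network("10.1.100.0/24"),
    GUEST_WIFI: ip_network("10.1.101.0/24"),
    10: ip_network("10.1.10.0/24"),
    20: ip_network("10.1.20.0/24"),
}
PUBLIC_DNS = ["8.8.8.8", "1.1.1.1"]            # well-known public resolvers


@dataclass
class Port:
    name: str
    role: str                    # "trunk" (switch-to-switch) or "ap"
    untagged: Optional[int]
    tagged: set = field(default_factory=set)


def port_problems(ports):
    """Return human-readable deviations of each port from the plan."""
    problems = []
    for p in ports:
        if p.role == "trunk":
            missing = {MGMT, STAFF_WIFI, GUEST_WIFI} - p.tagged
            if missing:
                problems.append(f"{p.name}: trunk missing tagged VLANs {sorted(missing)}")
        elif p.role == "ap":
            if p.untagged != MGMT:
                problems.append(f"{p.name}: AP port must untag VLAN {MGMT}")
            missing = {STAFF_WIFI, GUEST_WIFI} - p.tagged
            if missing:
                problems.append(f"{p.name}: AP port missing tagged VLANs {sorted(missing)}")
        else:
            problems.append(f"{p.name}: unknown role {p.role!r}")
    return problems


@dataclass
class Rule:
    src_vlan: int
    dst: Optional[object]        # ip_network, or None for any destination
    proto: Optional[str]         # "tcp", "udp" or None for any
    dport: Optional[int]         # destination port, or None for any
    action: str                  # "allow" or "deny"


def evaluate(rules, src_vlan, dst_ip, proto, dport):
    """First-match evaluation with an implicit deny, like a typical ACL."""
    ip = ip_address(dst_ip)
    for r in rules:
        if r.src_vlan != src_vlan:
            continue
        if r.dst is not None and ip not in r.dst:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


def guest_policy_problems(rules):
    """Check the two properties the reply relies on for the guest VLAN."""
    problems = []
    for v in sorted(COMPANY_VLANS | {MGMT}):
        host = next(VLAN_SUBNETS[v].hosts())      # a representative host
        if evaluate(rules, GUEST_WIFI, host, "tcp", 445) != "deny":
            problems.append(f"guest VLAN {GUEST_WIFI} can reach VLAN {v} ({host})")
    for dns in PUBLIC_DNS:
        if evaluate(rules, GUEST_WIFI, dns, "udp", 53) != "allow":
            problems.append(f"guest VLAN {GUEST_WIFI} cannot reach public DNS {dns}")
    return problems


# Constructed sample data: a compliant port map and one with a mistake.
GOOD_PORTS = [
    Port("core-ge1", "trunk", None, {MGMT, STAFF_WIFI, GUEST_WIFI}),
    Port("edge1-ge5", "ap", MGMT, {STAFF_WIFI, GUEST_WIFI}),
]
BAD_PORTS = GOOD_PORTS + [Port("edge2-ge7", "ap", MGMT, {STAFF_WIFI})]

# Deny guest -> internal VLANs first, then allow everything else (internet, DNS).
GOOD_RULES = [Rule(GUEST_WIFI, VLAN_SUBNETS[v], None, None, "deny")
              for v in sorted(COMPANY_VLANS | {MGMT})]
GOOD_RULES.append(Rule(GUEST_WIFI, None, None, None, "allow"))
# Same rules with the allow-any placed first: the denies never match.
BAD_RULES = [GOOD_RULES[-1]] + GOOD_RULES[:-1]

if __name__ == "__main__":
    for label, ports, rules in (("good", GOOD_PORTS, GOOD_RULES),
                                ("bad", BAD_PORTS, BAD_RULES)):
        print(label, port_problems(ports) + guest_policy_problems(rules))
```

Running the script reports nothing for the compliant plan and flags the AP port missing VLAN 101 plus the three internal VLANs that become reachable when the allow-any rule is ordered before the denies, which is the usual way the "blocked VLAN 101 on the core switch" step silently fails.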
Thanks Shaun for the reply.

VLAN 1 exists on all L3 switches.  It's the default VLAN.  It's a best practice to avoid using VLAN 1 for anything really.   At least it has been for me.

My only real question is if the 2 NICs on the ZoneDirector 1200 can be on separate subnets.  For example, I'd like one on the 10.1.1.0 /24 subnet and the other on the 172.16.1.0 /24 subnet.

Thanks again.
Shaun Van Tonder
OK, I see. So you basically want to load balance in a way... Normally this can be implemented by routing policy rules on your firewall device, e.g. all traffic from this IP range goes over the WAN 2 port (spare DSL modem).

Would be interesting to see if it could do what you require, but I don't see any routing features on the 1200 and guess it wasn't designed for that purpose.

Regards
Shaun