How do I segregate traffic between two SSIDs using VLANs
Summary
VLAN configuration for Guest NetworkQuestion
How do I segregate traffic between two SSIDs using VLANs?Customer Environment
Corporate SSID - VLAN 1 (Native untagged VLAN) Guest SSID - VLAN 20Troubleshooting Steps
User configured two SSIDs, one is for corporate network and the second is for guest network. They would like to know how to segregate the traffic between them using VLANs.Resolution
Customers Scenario :
Corporate SSID - VLAN 1 (Native untagged VLAN)
Guest SSID - VLAN 20
Guest Access configuration can be done only on ZD managed AP. Network segmentation can be achieved by configuring the guest network in a separate VLAN along with a DHCP server configured for this IP address subnet pool.
This configuration can be implemented in the following way:
1. First create a separate VLAN for this guest network(eg. VLAN id 20). Make sure that an external DHCP server has been configured for this IP address pool in this VLAN subnet.
2. The corporate network can be available on native VLAN
3. Zonedirector switch port should be configured in the native VLAN, and Access Point switch ports should be configured as trunk port (with both native and VLAN 20) in the Managed switch.
4. Assign VLAN tag to the guest SSID at Configure-> WLANs> Create New/Edit> Advanced Options and enter the Vlan ID.
Now the guest users who connect to the guest network will receive IP addresses in VLAN 20. By default, guest users will be restricted from accessing the internal network (only DHCP/ARP/DNS) until passing the WLAN specified authentication/authorization method (guest pass, terms and conditions only, no authentication) before accessing the network (and Internet if routed).
Corporate SSID - VLAN 1 (Native untagged VLAN)
Guest SSID - VLAN 20
Guest Access configuration can be done only on ZD managed AP. Network segmentation can be achieved by configuring the guest network in a separate VLAN along with a DHCP server configured for this IP address subnet pool.
This configuration can be implemented in the following way:
1. First create a separate VLAN for this guest network(eg. VLAN id 20). Make sure that an external DHCP server has been configured for this IP address pool in this VLAN subnet.
2. The corporate network can be available on native VLAN
3. Zonedirector switch port should be configured in the native VLAN, and Access Point switch ports should be configured as trunk port (with both native and VLAN 20) in the Managed switch.
4. Assign VLAN tag to the guest SSID at Configure-> WLANs> Create New/Edit> Advanced Options and enter the Vlan ID.
Now the guest users who connect to the guest network will receive IP addresses in VLAN 20. By default, guest users will be restricted from accessing the internal network (only DHCP/ARP/DNS) until passing the WLAN specified authentication/authorization method (guest pass, terms and conditions only, no authentication) before accessing the network (and Internet if routed).
Attachment 1
scenario.JPGimage/jpeg
Download
(90.4 KB)
Article Number:
000001547
Updated:
August 09, 2020 10:27 AM (over 3 years ago)
Answer Attachment 1
scenario.JPG
image/jpeg
Download
(90.4 KB)
Tags:
Configuration, ZoneDirector, ZoneFlex Indoor, ZoneFlex Outdoor, ZoneSwitch
Votes:
43
This article is:
helpful
not helpful