Friday, November 27, 2015

Creating a separate (guest) network using different SSIDs and VLANs

This post is not about Java, but about networks. The hardware I'm using is from Cisco, but this should work on other brands just as well.

I had installed a WAP371 access point and an SG-200 managed switch for a customer. The router I used is a simple home gateway provided by the ISP and is not VLAN-aware. The customer asked me to put a guest network in place. The Cisco WAP access points can broadcast multiple SSIDs to create multiple networks. They are differentiated using VLAN IDs: when you connect to a network, all your frames are tagged with a VLAN ID. The default VLAN ID is 1, but you can assign different VLAN IDs to other SSIDs. I created a second SSID (named guest) and gave it VLAN ID 2. Now when someone connects to the guest network, all their frames are tagged with VLAN ID 2. When they connect to the main network, their frames are tagged with VLAN ID 1.

Setting up the access points is the easy part. I then needed to configure the switches. The router is not VLAN aware, so I needed to add a second router for the guest network. The second router is connected to the main router and to the switch, like this:


So I connected the access point to port 1 of the managed switch, the ISP router/gateway to port 2 and the guest router to port 3. The WAN side of the guest router is connected to the LAN side of the ISP router. This will cause double NAT, but that's not a problem for a guest network.

Now I still had to configure the ports of the switch correctly to separate the guest network from the main network. I configured the ports as follows:

  • All ports except port 1 and 3: set to ACCESS mode and VLAN 1
  • Port 1: set to TRUNK mode, untagged VLAN 1 and tagged VLAN 2
  • Port 3: set to ACCESS mode and VLAN 2

Now when a user connects to the guest network, their frames are tagged with VLAN ID 2. These frames can only reach port 3, to which the guest router is connected. The user will get an IP address from the guest router and will not be able to access devices connected to the other ports of the switch.

When a user connects to the main network, the frames will be tagged with VLAN ID 1. The user will be able to access all ports, except for the port to which the guest router is connected.
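To check the port table above before touching hardware, here is an added example (my own code, not the author's switch configuration) that models 802.1Q ingress classification and egress tagging for the three port roles and reports which ports a frame can reach. It models only the switch, not the guest router's own firewall; port numbers 4-8 for wired clients are an assumption, and access ports are simplified to drop every tagged frame.

```python
from typing import Dict, FrozenSet, Optional

class Port:
    """One switch port: mode, PVID (VLAN for untagged frames), tagged VLANs."""
    def __init__(self, mode: str, pvid: int, tagged: FrozenSet[int] = frozenset()):
        self.mode, self.pvid, self.tagged = mode, pvid, tagged

def ingress_vlan(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN a frame is classified into on ingress; None means it is dropped.
    Simplification: access ports drop every tagged frame."""
    if tag is None:
        return port.pvid
    if port.mode == "trunk" and tag in port.tagged:
        return tag
    return None

def egress(port: Port, vlan: int) -> Optional[str]:
    """'untagged' or 'tagged' if the port forwards this VLAN, else None."""
    if vlan == port.pvid:
        return "untagged"
    if port.mode == "trunk" and vlan in port.tagged:
        return "tagged"
    return None

def reachable(switch: Dict[int, Port], src: int, tag: Optional[int]) -> Dict[int, str]:
    """Ports a frame entering `src` (with the given 802.1Q tag, or None) can leave on."""
    vlan = ingress_vlan(switch[src], tag)
    out: Dict[int, str] = {}
    if vlan is None:
        return out
    for n, p in switch.items():
        how = egress(p, vlan) if n != src else None
        if how is not None:
            out[n] = how
    return out

# Layout from the post (ports 4-8 for wired clients are an assumption):
# 1 = access point (trunk, untagged VLAN 1 + tagged VLAN 2), 2 = ISP router,
# 3 = guest router (access VLAN 2), everything else access VLAN 1.
SWITCH: Dict[int, Port] = {1: Port("trunk", 1, frozenset({2})),
                           2: Port("access", 1), 3: Port("access", 2)}
SWITCH.update({n: Port("access", 1) for n in range(4, 9)})

def guest_is_isolated(switch: Dict[int, Port], ap: int, guest_vlan: int, guest_router: int) -> bool:
    """True when guest-tagged frames from the AP reach only the guest router port."""
    return set(reachable(switch, ap, guest_vlan)) == {guest_router}

if __name__ == "__main__":
    print("guest VLAN 2 from AP ->", reachable(SWITCH, 1, 2))      # {3: 'untagged'}
    print("main VLAN 1 from AP  ->", reachable(SWITCH, 1, None))   # ports 2, 4-8
    print("isolated:", guest_is_isolated(SWITCH, 1, 2, 3))         # True
```

Changing port 3 to access VLAN 1 makes `guest_is_isolated` return False, which is the misconfiguration that would merge the two networks.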