I'm trying to get an open guest network working alongside my secure company network. My company wifi is currently up and running with no issues, but I've tried adding the guest network several times with no luck.
HERE is a poor man's topology of what I'm trying to do. I want to have a secondary internet connection come into the closet of my core switch, then go to a router, then to my switch. From there I want it to ride the same ports to another switch/closet where my AP is.
Here's the hardware I have:
- Core switch: HP ProCurve 3500
- SWITCH A & B: HP ProCurve 2920
- Access point: Ubiquiti AC Pro
- Guest router: Either a spare ASA 5505 or Comcast router (depending on what I end up with)
I'm just getting Ubiquiti products in my environment, so I'm not 100% on the capabilities of them in Unifi yet. I am aware of pre/post rules for wifi clients (so they can't access devices either by IP range or name) but I'm really looking for as close to air gapping this network as possible, without actually airgapping. I want all traffic for the guest SSID to enter/exit out of the guest internet connection without ever touching my dhcp servers or connection.
My thoughts are to just add a new VLAN to the core switch (let's use 172), untag the port that connects to my Comcast router as VLAN 172, then tag 172 on the uplink of the core switch that connects to switch A. On switch A, add VLAN 172, then tag VLAN 172 on the uplink connected to the core switch. But on the port that goes to the AP, do I tag or untag VLANs 10 and 40 so that both SSIDs can use their own VLAN?
FYI: I do have firewalls and other devices in line of this topology map, but I didn't list them in order to clean up the diagram.
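A worked ProCurve configuration for the plan described above, added here as an example and not taken from the original post. Port numbers, the AP management VLAN (assumed to be VLAN 1, untagged) and the company SSID VLAN (assumed to be VLAN 10) are assumptions; lines starting with `#` are annotations, not CLI input.

```text
# Assumed ports:
#   Core 3500:  port 24 -> guest router (Comcast/ASA), port 47 -> uplink to Switch A
#   Switch A:   port 47 -> uplink to core,            port 5  -> UniFi AC Pro

# --- Core switch (HP ProCurve 3500) ---
configure
vlan 172
   name "Guest-WiFi"
   untagged 24
   tagged 47
   exit
# Deliberately no 'ip address' under vlan 172: the core must not route or
# serve DHCP for guests. The guest router on port 24 is the only gateway,
# so guest traffic never reaches the company DHCP servers or uplink.

# --- Switch A (HP ProCurve 2920) ---
configure
vlan 172
   name "Guest-WiFi"
   tagged 5,47
   exit
# AP port 5: management VLAN untagged, every SSID VLAN tagged. The AP
# then puts each SSID's client frames on its own tagged VLAN.
vlan 1
   untagged 5
   exit
vlan 10
   tagged 5
   exit

# Verify VLAN 172 exists only on 24/47 (core) and 5/47 (Switch A):
show vlans 172
show vlans ports 5 detail
```

In the UniFi controller the guest SSID is then assigned VLAN ID 172 so the AP tags its traffic onto that VLAN, while the company SSID keeps its existing VLAN.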