
Need some guidance on wireless setup

Hi all,

I am going to be deploying some AC55C's and need some guidance on what is the best method to achieve what I am after.  

I have a hub and spoke network connected with 5 different sites connected via Metro-Ethernet links, and an XG210 at the main site that serves internet for all.  Each site has its own subnet.  Data VLAN is 1.  

What I would like to achieve is have a "corporate" SSID where the company assets connect (like company laptops, tablets, executives' cell phones, etc.) that can "see" all the resources on the LAN and is also prioritized appropriately, and a "guest" SSID for visitors to the premises and employees' personal phones that is isolated from seeing the company LAN resources and also traffic is prioritized lower; I don't want guests and low priority wireless traffic clogging my WAN and internet links.  

I had ASSumed that the way to go about this was to create a corporate SSID and bridge that to the AP LAN, and create a "guest" SSID and bridge that to a VLAN I would create especially for guest WiFi traffic so I could limit it via ACLs and de-prioritize the traffic in my routers, but I realized in the course of this that I don't really know how these APs work with the XG and perhaps I should look at creating a separate "Zone" instead of bridging it to a VLAN.  

The help guide doesn't really provide any deep conceptual explanations and the KnowledgeBase didn't reveal what I was looking for either.  

If anyone could chime in I'd appreciate it.  Thanks in advance.



  • Hi there!  So yeah, for you I'd say for your WiFi networks:

    Company_WiFi: Bridge to AP LAN

    Guest_WiFi: Separate Zone

    You'll have to create the Zone first in Network\Zones.  You could use the existing WiFi zone for guests, since your Company_WiFi will be in the LAN zone (with the bridge to AP LAN).  You can also assign ports or VLANs on the XG to those zones (in Network\Interfaces).  So you could make the Guest_WiFi its own VLAN AND Zone.  And connect up some ports on a switch with that specific VLAN and give it its own DHCP service(s) and make the ports in your conference room go to the Guest VLAN + Zone.  Zones let you build better Firewall rules, IMO.  VLANs are still good for extra protection to make it more difficult for systems to hop zones by their IP definition.

    Does this help?
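To make the last point of the reply above concrete (zones drive the firewall rules; the VLAN keeps a host from hopping zones by picking an IP from the other range), here is an added Python model. It is not Sophos XG code and not something from this thread; the interface names, address ranges and the zone-to-zone policy table are constructed assumptions. It evaluates the same packets twice, once with the source zone derived from the source IP alone and once from the ingress VLAN, and adds the anti-spoofing check that a source address must belong to the zone of the interface it arrived on.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumption, not from the thread):
# "lan"   = corporate bridge (AP LAN), zone LAN
# "vlan2" = guest WiFi VLAN, zone GUEST
# "wan1"  = internet uplink, zone WAN
IFACE_ZONE = {"lan": "LAN", "vlan2": "GUEST", "wan1": "WAN"}

# Address ranges per zone; anything unmatched is treated as the internet.
NET_ZONE = {
    ipaddress.ip_network("10.10.0.0/16"): "LAN",      # constructed corporate range
    ipaddress.ip_network("192.168.2.0/24"): "GUEST",  # constructed guest VLAN 2 range
}

# Zone-to-zone policy: (src zone, dst zone) -> (action, priority class).
# Guest reaches the internet only, at low priority; everything else is denied.
POLICY = {
    ("LAN", "LAN"): ("allow", "high"),
    ("LAN", "WAN"): ("allow", "high"),
    ("GUEST", "WAN"): ("allow", "low"),
}
DEFAULT = ("deny", None)


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface or VLAN the packet arrived on
    src: str
    dst: str


def zone_by_ip(addr: str) -> str:
    """Zone membership decided purely by address range."""
    ip = ipaddress.ip_address(addr)
    for net, zone in NET_ZONE.items():
        if ip in net:
            return zone
    return "WAN"


def zone_by_interface(pkt: Packet) -> str:
    """Zone membership decided by the VLAN/port the packet came in on."""
    return IFACE_ZONE.get(pkt.ingress, "UNKNOWN")


def source_matches_ingress(pkt: Packet) -> bool:
    """Anti-spoofing check: the source address must live in the ingress zone."""
    return zone_by_ip(pkt.src) == zone_by_interface(pkt)


def decide(pkt: Packet, zone_from_interface: bool):
    """Return (action, priority) for a packet under one of the two zoning models."""
    if zone_from_interface:
        if not source_matches_ingress(pkt):
            return ("deny", None)  # address does not belong on this VLAN
        src_zone = zone_by_interface(pkt)
    else:
        src_zone = zone_by_ip(pkt.src)
    dst_zone = zone_by_ip(pkt.dst)
    return POLICY.get((src_zone, dst_zone), DEFAULT)


# Constructed sample traffic.
GUEST_TO_LAN = Packet("vlan2", "192.168.2.20", "10.10.0.10")
GUEST_TO_WAN = Packet("vlan2", "192.168.2.20", "203.0.113.5")
CORP_TO_LAN = Packet("lan", "10.10.5.5", "10.10.0.10")
# A guest-VLAN host that configured itself a corporate address by hand.
MISADDRESSED_GUEST = Packet("vlan2", "10.10.5.5", "10.10.0.10")


def main():
    for name, pkt in [("guest->lan", GUEST_TO_LAN), ("guest->wan", GUEST_TO_WAN),
                      ("corp->lan", CORP_TO_LAN), ("guest w/ corp IP", MISADDRESSED_GUEST)]:
        print(f"{name:18} by-IP={decide(pkt, False)}  by-VLAN={decide(pkt, True)}")


if __name__ == "__main__":
    main()
```

Run as-is and the fourth line shows the difference the reply is pointing at: with zone membership taken from the IP alone, a guest-VLAN host holding a corporate address is treated as LAN and allowed through at high priority; with membership taken from the VLAN, it stays in GUEST and is dropped by the anti-spoof check before any rule is consulted.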

  • This was very helpful and I really appreciate it, thanks.

    If I may ask a follow-up question in regards to using a Zone for the guest APs; the APs will be broadcasting the same SSID (Guest_WiFi for example) in multiple different physical locations on different subnets.  In the Wireless Network setup I see that I have to assign it an IP address and this creates a network interface.  How does this traffic get back to the XG across a routed network; is it tunneled across the network?  If it's not, I'm going to need some way to assign different subnets to the different APs so the traffic gets routed correctly across my network.  

  • Bill,

    please provide a network diagram so we can better understand your needs.

    Thanks


  • Hi Luk, yeah, I should have included a diagram.  Here is a crude diagram showing what I've got.  The idea is for each of the sites to have Sophos APs, and within each site, I'd like an SSID that bridges to the AP LAN for "company" traffic and a guest SSID that is on VLAN 2 for guest low priority traffic and to keep the guest traffic segmented from my company LAN.

  • How are the connections made between branch offices to the HQ?  You may want to investigate using Sophos Cloud control for the WiFi Access Points.  I'd be hard pressed to make this work if the private WAN links shown here aren't managed by Sophos XG firewalls.  It's not designed to be able to manage WiFi access points that aren't local.  It -CAN- but the private WAN links need to pass all the appropriate traffic.  Sophos RED devices make that rather simple, but I'm not sure it would be simple here.

    Also, you don't need separate WiFi Access Points for Guests vs Corporate, you just need to define multiple SSIDs per access point.
