Aero Hive VPN with CVG for Guest

  • 1
  • Question
  • Updated 4 years ago
  • Answered
I am designing a network with AeroHive access point. My client has the branches all over the country. I am praposing to have Aero Hive manger in data centre and CVG in DMZ.
My design to give two SSID.

One for corporate and BYOD as per identity and second for the guest.

Guest should connect with PPSK given by reception and from the branch AP they should do L2 tunnel to DMZ out to internet.

BYOD will take place with non domain machine with domain cred to the tunnel to the BYOD DMZ.

I would like to know,
 Is this valid solution?
Is there any other way to terminate the Guest VPN to DMZ which is cheaper and efficient for all the clients?
Do Aero Hive AP can do the L2 tunnel back to third party firewall like Checkpoitn or fortigate or ASA?
what would be the best choice appliace or vm for cvg?

Intial idea to terminate on internet fireall and send the traffic out.

I have not design aero hive before so not too sure .. with cisco I can always bring the tunnel back to controller in DMZ.

Regards,
Nilay.
Photo of nilay vyas

nilay vyas

  • 6 Posts
  • 0 Reply Likes

Posted 4 years ago

  • 1
Photo of Andrew MacTaggart

Andrew MacTaggart, Champ

  • 483 Posts
  • 86 Reply Likes
Howdy

I coming from a Cisco wireless world, I was brought up with the concept of tunneling guest traffic to a DMZ anchor or guest router.

However, after meeting Mr. David Coleman in the flesh, he made a strong case that using a well crafted firewall config at the AP edge point would be just as safe as tunneling to a dmz, and an easier option.

Now I don't want to speak for Mr Multipath, but having lived in a Cisco world and an Aerohive world, I can see  that there is value in having a well crafted edge guest firewall ruleset vs crafting a tunnel to a dmz for guest access. Aerohive does support both though and depending on the organization and their security policy you will have to find the best fit.

I have done both, and I find the Aerohive firewall option a better fit.

Also Aerohive firewall config is much easier and more flexible then Cisco wlc

Cheers
A
Photo of nilay vyas

nilay vyas

  • 6 Posts
  • 0 Reply Likes
Hi Andrew,

Thanks for your reply. Customer has a preference to have the traffic separate so my preference to provide a separate IP range which is totally different numbers then primary and tunnel the traffic to DMZ so it does not touch any routing point.

I prefer to have that on firewall as the end point of that but I guess that will not work so I have put Aero Hive VPN appliance in my design. That appliance will reside in DMZ with direct connection to Firewall.

as it support the routing, next hop for the VPN termination traffic will be firewall which will send the traffic out to the internet via totaly new public IP.

AP firewall will help to protect any leakage.

now my confusion is how effectively it works and does it achievable I am not entirely sure about VPN Gateway capabilities and AP.

Also not sure how easy for me to configure this guest tunnels from each ap to gateway and is there any limitation around it.

Do Gateway has two NIC one for internal network to terminate the VPN and second to send the traffic out to internet via static route.

thanks,
Nilay.
(Edited)