Aerohive AP on an access port

  • Updated 2 years ago
For a special customer, they have a single VLAN at a location. The switchports are all currently access ports. I'm going to have an Internal SSID and a Guest SSID that will be on the same VLAN with the AP acting as a FW to keep the guests away from everything but the Internet. Do I need to tag these as VLAN48 like I would typically do with the AP connected to a trunk? Should I just have them configure the switchports as trunks?

Todd Snyder


Posted 2 years ago


Rob Burgoyne

Yes, ideally you would want your internal and guest users on different VLANs; however, having them on the same VLAN and using different user group profiles should work as expected. Typically I would have mgmt on a native VLAN with the internal and external users on their own VLAN being tagged by their groups. I don't know the environment or how you're mapping users though.

Luke Harris

To add to Rob's point, I suggest the correct implementation of VLANs - best practice would suggest assigning one VLAN for AP mgmt traffic, one VLAN for internal users and a final VLAN for guest usage. This ensures that broadcast domains are kept to a minimum and firewall rules can be used to deny communication between guest and internal subnets.