Branch router or DHCP server and relay on APs?

  • Question
  • Updated 2 years ago
What's requested is securing a network—which only has one VLAN—so that the guest traffic is segmented from the internal network. Not wanting to make changes to the switch and create a new VLAN, I'm looking for alternatives (would you say that's the best option?). Should I just assign guests their own user profile in which I create a firewall policy that prevents them from accessing 10.X/172.X/192.X addresses?

Can I use a BR's capabilities somehow? Or configure an AP to act as a DHCP server and assign clients an IP address from a pool that I define? And if I do that and create a VLAN in "DHCP Server & Relay" (see picture below), do I need to tag the switch port the APs are connected to with that VLAN ID?


oc


Posted 2 years ago


Jonathan Hurtt

OC,

I would say the easiest but still secure option would be to use a different user profile for guest access and apply a user-based firewall. There should be a firewall policy named Guest-Internet-Access-Only that you can use, or clone and modify to customize it to your network. The other options (DHCP server or DHCP relay) will both require Layer 2 segmentation (a VLAN).

The only negative to this approach is that guest users are being pulled from the same DHCP scope which could lead to DHCP starvation if your DHCP scope size and lease times are not optimized. 

Good Luck
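The user-based firewall Jonathan describes is a Layer 3/4 policy attached to the guest profile. As an added example (not code from this thread and not the content of HiveManager's Guest-Internet-Access-Only policy), the block below evaluates such a policy against constructed guest flows. It also corrects the "10.X/172.X/192.X" shorthand from the question: only 172.16.0.0/12 and 192.168.0.0/16 are private, so a deny on all of 172/8 or 192/8 would break reachability to public hosts in those ranges, while a deny on the private ranges alone silently cuts off DHCP and DNS unless those are permitted first. The gateway 10.0.0.1 is the address used later in the thread; the resolver 10.0.0.53 and the sample flows are assumptions made for the example.

```python
"""Added example, not code from the thread or from HiveManager: a first-match
firewall policy of the kind a 'guest' user profile carries, evaluated against
constructed flows. Gateway 10.0.0.1 is the address cited later in the thread;
resolver 10.0.0.53 and the flows below are assumptions for the example."""

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    dst: IPv4Network             # destination prefix the rule matches
    proto: Optional[str] = None  # "udp"/"tcp"; None matches any protocol
    dport: Optional[int] = None  # destination port; None matches any port
    note: str = ""


def guest_policy(gateway: str, dns_server: str) -> List[Rule]:
    """Ordered rules: narrow permits for the services a guest needs, then the
    private ranges, then the Internet. Order matters: evaluation stops at the
    first match, so the permits must precede the RFC 1918 denies."""
    return [
        # DHCP: DISCOVER/REQUEST go to the broadcast address, renewals unicast
        Rule("permit", ip_network("255.255.255.255/32"), "udp", 67, "DHCP broadcast"),
        Rule("permit", ip_network(f"{gateway}/32"), "udp", 67, "DHCP renew to server/relay"),
        Rule("permit", ip_network(f"{dns_server}/32"), "udp", 53, "DNS"),
        Rule("permit", ip_network(f"{dns_server}/32"), "tcp", 53, "DNS over TCP"),
        # The real private prefixes, not "172.X" and "192.X"
        Rule("deny", ip_network("10.0.0.0/8"), note="RFC 1918"),
        Rule("deny", ip_network("172.16.0.0/12"), note="RFC 1918 (172.16-172.31 only)"),
        Rule("deny", ip_network("192.168.0.0/16"), note="RFC 1918 (192.168 only)"),
        Rule("deny", ip_network("169.254.0.0/16"), note="link-local"),
        Rule("deny", ip_network("100.64.0.0/10"), note="RFC 6598 shared address space"),
        Rule("permit", ip_network("0.0.0.0/0"), note="Internet"),
    ]


def evaluate(policy: List[Rule], dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """First matching rule wins; no match is an implicit deny."""
    d = ip_address(dst)
    for r in policy:
        if d in r.dst and r.proto in (None, proto) and r.dport in (None, dport):
            return r.action, r.note
    return "deny", "implicit deny"


# Constructed flows a guest client might generate.
SAMPLE_FLOWS = [
    ("10.0.0.53", "udp", 53),        # internal resolver: permitted
    ("10.0.0.53", "tcp", 445),       # SMB on the same host: denied
    ("10.20.30.40", "tcp", 443),     # internal web app: denied
    ("172.31.5.5", "tcp", 80),       # inside 172.16/12: denied
    ("172.217.3.110", "tcp", 443),   # not RFC 1918 although it starts with 172: permitted
    ("192.0.2.10", "tcp", 443),      # not RFC 1918 although it starts with 192: permitted
    ("169.254.169.254", "tcp", 80),  # link-local: denied
]


def audit(policy: List[Rule], flows=SAMPLE_FLOWS):
    """Map each flow to its verdict so the policy can be reviewed before it is
    pushed to the user profile."""
    return {f: evaluate(policy, *f) for f in flows}


if __name__ == "__main__":
    for flow, (action, note) in audit(guest_policy("10.0.0.1", "10.0.0.53")).items():
        print(f"{flow[0]:>16} {flow[1]}/{flow[2]:<5} -> {action:6} {note}")
```

Two caveats a practitioner should keep in mind with this approach: the permit to the internal resolver is a deliberate pinhole (a guest can reach that host on port 53, so it must be hardened or replaced by a public resolver), and a user-based Layer 3/4 firewall does nothing about Layer 2. Guests still share the broadcast domain with internal hosts, so ARP spoofing, a rogue DHCP server on a guest laptop, or simple neighbour discovery are not prevented, which is why both replies still prefer a real VLAN where the switch can be changed.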

oc

Thank you for your reply, Jonathan.

So a firewall policy if Layer 2 segmentation is not an option, and otherwise creating a new VLAN for guest users? Is there a particular reason why you'd want to have your APs acting as DHCP servers if you have a Windows Server in your network that you can configure with multiple scopes?

I'm curious about what's considered best practice given the premises above.

Carsten Buchenau, Champ

Golden rule: use each element in your infrastructure for what it was designed for. If such an element is not available, then see which other one can take over that functionality. And that could be a reason for configuring an AP as a DHCP server.

As Jonathan already wrote, you'd still have to segment your network; in your example it's VLAN 42. And something must be configured as the gateway, 10.0.0.1.

Be aware that if that AP goes down, you lose DHCP for the whole network segment. If you want redundancy, you have to configure 2 APs with 2 different ranges, each of them big enough to handle all client devices.

I remember we once used a BR100, in AP mode, just as a DHCP server. This way we could lock it inside a rack, and it was a cheap solution.

If you have a Windows server, use this as the DHCP server.

Otherwise, the solution described by Jonathan is absolutely legit.
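Two sizing points from the replies above are easy to get wrong in practice: Jonathan's note that a shared scope starves when size and lease time are not matched to guest churn, and Carsten's rule that two APs acting as redundant DHCP servers need two non-overlapping ranges, each big enough for every client on its own. The following is an added example (not from the thread or from any vendor tool) that simulates lease consumption hour by hour and splits a subnet into two such pools. The subnet 10.0.0.0/24 and gateway 10.0.0.1 are Carsten's; the pool start address, arrival pattern and lease times are constructed.

```python
"""Added example, not from the thread: an hour-by-hour lease simulation for the
DHCP starvation caveat, and a pool split for the two-AP redundancy rule.
Subnet 10.0.0.0/24 and gateway 10.0.0.1 come from the thread; the pool start,
arrival pattern and lease times are constructed for the example."""

from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


def simulate_scope(pool_size: int, hourly_arrivals: List[int],
                   lease_hours: int) -> Tuple[int, Optional[int]]:
    """Each arriving client takes a lease for lease_hours. Guests walk away
    without releasing, so the address stays tied up until the lease expires.
    Returns (peak leases outstanding, first hour the pool ran dry, or None)."""
    expiries: List[int] = []
    peak, exhausted_at = 0, None
    for hour, arrivals in enumerate(hourly_arrivals):
        expiries = [e for e in expiries if e > hour]      # drop expired leases
        for _ in range(arrivals):
            if len(expiries) >= pool_size:
                if exhausted_at is None:
                    exhausted_at = hour
                break                                     # DISCOVER gets no OFFER
            expiries.append(hour + lease_hours)
        peak = max(peak, len(expiries))
    return peak, exhausted_at


def split_for_redundancy(subnet: str, pool_start: str, required: int) -> Dict:
    """Two disjoint, contiguous ranges from pool_start to the end of the subnet,
    one per AP, plus whether each range alone can hold `required` clients.
    Addresses below pool_start (gateway, servers, statics) stay out of both."""
    net = ip_network(subnet)
    start = ip_address(pool_start)
    if start not in net:
        raise ValueError("pool_start must be inside subnet")
    hosts = [h for h in net.hosts() if h >= start]
    if len(hosts) < 2:
        raise ValueError("not enough addresses after pool_start for two pools")
    mid = len(hosts) // 2
    a, b = hosts[:mid], hosts[mid:]
    return {
        "pool_a": (str(a[0]), str(a[-1])),
        "pool_b": (str(b[0]), str(b[-1])),
        "size_a": len(a),
        "size_b": len(b),
        "each_sufficient": min(len(a), len(b)) >= required,
    }


if __name__ == "__main__":
    busy_day = [30] * 8                  # constructed: 30 new guests per hour for 8 hours
    print("100 addresses, 8h lease:", simulate_scope(100, busy_day, 8))
    print("100 addresses, 2h lease:", simulate_scope(100, busy_day, 2))
    print(split_for_redundancy("10.0.0.0/24", "10.0.0.10", required=100))
```

With 30 new guests an hour, a 100-address scope and 8-hour leases run dry in the fourth hour, while 2-hour leases level off at 60 outstanding addresses on the same scope, which is the lease-time lever Jonathan's caveat points at. The split shows the cost of Carsten's redundancy rule: a /24 leaves only about 120 addresses per AP, so each pool is sufficient for 100 concurrent clients but not for the 8-hour-lease case. Both pools sit in the same subnet as the gateway because, as the thread says, the AP's DHCP service on its own does not create a new routable segment.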

Jonathan Hurtt

I agree with Carsten's statement: best practice, given the inability to define a secondary VLAN, would be to use a firewall policy to restrict access for guest users to the internal network. To be 100% honest, the firewall policy would be used even if you did VLAN segmentation.

oc

Thank you, Carsten and Jonathan.

How would you go about it if you have a scenario where there's only one VLAN and you wish to place your guests on another network but have a small DHCP scope size? My initial guess was to set up all access points as DHCP servers—i.e. the same config as on the screenshot above on all access points. The only issue would possibly be related to roaming, since each access point would hand out another IP from the IP pool when a client moves. Am I correct in assuming that?

Also, I thought the VLAN ID that you define in the DHCP Server & Relay settings only resides on the access points and is not something that you'd actually need to tag the switch ports with—simply that it's a non-existing VLAN, so to speak, that the switch does not need to know of?

Finally: only configuring ONE access point's service settings with the DHCP Server & Relay configuration means that's the ONLY access point able to hand out addresses from the IP pool configured, so in the scenario above, ALL access points would need to be configured like so?

Jonathan Hurtt

OC,

The only way to achieve what you describe is to use NAT in addition to the DHCP service on the AP. The reason is that the network/subnet you are applying to the devices is not routable on your network (since your switches and routers are not aware of it). And yes, you would have to apply DHCP to every AP, since the VLAN that the clients would be connecting to (the non-existing VLAN) would not be bridged between all the devices.

Now you could also tunnel the user traffic back to a location where you can configure another VLAN, which is another option, but again I personally feel using the same VLAN along with a firewall would be the easiest approach.

Hope that helps.