I have a lot of remote sites.
I would like to offer guest wifi that is tunneled back to a central location where the gateway to the Internet exists.
I think one solution for this is creating a VPN session using the CVG as the VPN terminator and the AP as the VPN client.
I am in Japan and my reseller in Japan said that they don't sell CVG.
Here is my question.
1) Is using the CVG the typical and recommended way for my scenario?
2) If not, what are the other options?
Thanks in advance.
Wherever possible, I would strongly recommend using alternatives to GRE tunnels, especially in large deployments, so that you are not spanning a broadcast domain across the WAN.
By far the best solution, if your network can accommodate it, is to use VRFs or some other layer-3 virtualisation mechanism to provide a separate routing domain across the WAN for guest users. This provides you with traffic isolation and ensures broadcast domains do not span the wide area network.
If you cannot do this, and your security policy allows it, an alternative is to allow guest traffic to traverse the corporate network and to use Aerohive firewall rules and ACLs if necessary on the LAN to firewall off the guest traffic from your corporate network.
In conjunction with User Profiles / ACLs at the edge in the AP, and any that are felt necessary on the LAN, you get sufficient isolation in my opinion.
Tunneling isn't strictly necessary when that's available, it's just a belt and braces means to isolate guest traffic. It is most useful when isolated broadcast domains via VLANs aren't available or an overlay approach is more pragmatic for political or operational reasons.
Then, yes, you'll want to ensure a separate routing domain too as Roberto mentions.
Thank you for many replies.
Originally I was going to isolate the guest traffic using the Aerohive firewall, DHCP and NAT.
IP address of AP at remote branch is 10.10.10.11/24
The AP acts as DHCP server and hands out IP address 192.168.11.x/24 to guest devices.
Traffic from guest devices is NATed to 10.10.10.11 and goes to the Edge Firewall at the central location.
On Edge Firewall, 10.10.10.11 is NATed to a public IP address and goes out to the Internet.
Deny guest device traffic from reaching any private IP address, allowing only the Internet, via the Aerohive firewall.
Is this what you guys are saying as an alternative to tunneling?
Thanks in advance.
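The two "firewall instead of tunnel" designs above (the reply recommending Aerohive firewall rules / ACLs at the edge, and the NAT-plus-deny-private design in the follow-up) both hinge on the guest ACL being ordered correctly and covering more than the three RFC 1918 blocks. The Python below is an added example, not code from the thread or from Aerohive, that models such a policy for the addressing in the post (AP management 10.10.10.11/24, guest DHCP scope 192.168.11.0/24) and evaluates constructed sample packets against it. It assumes 192.168.11.1 as the AP's guest-side gateway handing out DHCP and forwarding DNS, and it goes beyond the post by also handling the DHCP DISCOVER edge case (source 0.0.0.0, destination 255.255.255.255, which a naive "source must be 192.168.11.x" rule would drop), guest-to-guest traffic, and the shared-address, link-local and multicast ranges that a plain RFC 1918 deny misses:

```python
"""Model of a guest-isolation ACL for the NAT-at-the-AP design discussed above.

Added example; the addressing (10.10.10.11/24 management, 192.168.11.0/24 guests)
comes from the post, the guest gateway 192.168.11.1 and the sample packets are
constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

AP_MGMT_IP = ipaddress.ip_address("10.10.10.11")          # from the post
GUEST_NET = ipaddress.ip_network("192.168.11.0/24")       # from the post
GUEST_GW = ipaddress.ip_address("192.168.11.1")           # assumption: AP's guest-side DHCP/DNS address

# Destinations a guest must never reach directly. "Deny private IPs" has to mean
# more than RFC 1918: the AP's own management address sits inside 10/8, and the
# shared (CGNAT), link-local, loopback and multicast ranges are routable targets too.
BLOCKED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),        # RFC 1918 (covers the AP at 10.10.10.11)
    ipaddress.ip_network("172.16.0.0/12"),     # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),    # RFC 1918
    ipaddress.ip_network("100.64.0.0/10"),     # RFC 6598 shared address space
    ipaddress.ip_network("169.254.0.0/16"),    # link-local
    ipaddress.ip_network("127.0.0.0/8"),       # loopback
    ipaddress.ip_network("224.0.0.0/4"),       # multicast
    ipaddress.ip_network("0.0.0.0/8"),         # "this" network
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "udp", "tcp" or "icmp"
    dport: Optional[int] = None


def guest_policy(pkt: Packet) -> Tuple[str, str]:
    """Evaluate one packet top-down, first match wins. Returns (verdict, reason)."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # Rule 0: DHCP DISCOVER/REQUEST from an unconfigured client has src 0.0.0.0 and
    # a broadcast destination; it must be permitted before any source check.
    if (src == ipaddress.ip_address("0.0.0.0")
            and dst == ipaddress.ip_address("255.255.255.255")
            and pkt.proto == "udp" and pkt.dport == 67):
        return ("permit", "dhcp discover/request broadcast")

    if src not in GUEST_NET:
        return ("deny", "source is not a guest address")

    # Rule 1: the only thing a guest needs from the AP's guest-side address is
    # DHCP (renew) and DNS. This must sit ABOVE the private-range deny, or
    # 192.168.0.0/16 would swallow it and clients would never get a lease.
    if dst == GUEST_GW and pkt.proto == "udp" and pkt.dport in (53, 67):
        return ("permit", "dhcp/dns to guest gateway")

    # Rule 2: no client-to-client traffic inside the guest scope (also blocks
    # anything else aimed at the gateway address, e.g. SSH to the AP).
    if dst in GUEST_NET:
        return ("deny", "guest-to-guest or non-dhcp/dns to gateway")

    # Rule 3: nothing private or special, including the AP's management IP.
    for net in BLOCKED_NETS:
        if dst in net:
            return ("deny", f"destination in blocked range {net}")

    # Rule 4: default permit; the AP then NATs the source to 10.10.10.11 and the
    # edge firewall NATs it again to the public address.
    return ("permit", "internet")


def evaluate(pkts: List[Packet]) -> List[str]:
    """Verdicts for a list of packets, in order."""
    return [guest_policy(p)[0] for p in pkts]


# Constructed sample traffic a practitioner would want to check the ACL against.
SAMPLE_PACKETS = [
    Packet("0.0.0.0", "255.255.255.255", "udp", 67),    # DHCP discover
    Packet("192.168.11.50", "192.168.11.1", "udp", 53),  # DNS to gateway
    Packet("192.168.11.50", "192.168.11.1", "tcp", 22),  # SSH to AP guest-side address
    Packet("192.168.11.50", "10.10.10.11", "tcp", 443),  # AP management address
    Packet("192.168.11.50", "10.10.10.1", "icmp"),       # branch router
    Packet("192.168.11.50", "192.168.11.51", "tcp", 445),  # another guest
    Packet("192.168.11.50", "100.64.1.1", "tcp", 80),    # CGNAT space
    Packet("192.168.11.50", "93.184.216.34", "tcp", 443),  # public web server
    Packet("10.10.10.11", "8.8.8.8", "udp", 53),         # not a guest source
]

if __name__ == "__main__":
    for p, (verdict, reason) in zip(SAMPLE_PACKETS, map(guest_policy, SAMPLE_PACKETS)):
        print(f"{p.src:>15} -> {p.dst:<16} {p.proto}/{p.dport}: {verdict:6} ({reason})")
```

The ordering is the point: the DHCP/DNS permit to the gateway has to precede the RFC 1918 deny, the broadcast DHCP exception has to precede the "source must be a guest" check, and the AP's own management address is only protected because 10/8 is in the deny list. If the real ACL on the AP is built the other way round, either clients never obtain a lease or the first thing a guest can reach is the AP itself.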