Reply

Re: WAC510 - Guest access VLAN across multiple WAC510s connected to different switches

AndiT
Follower

WAC510 - Guest access VLAN across multiple WAC510s connected to different switches

I have installed multiple WAC510 access points in my organisation connected to multiple switches in multiple locations.

We have one SSID which replicates to all APs. This SSID has access to all parts of the company network.

I want to set up a second SSID which is purely for guest access i.e. Internet access only.

I understand that I need to set up a separate VLAN to achieve this but don't know how to do this if the APs are all connected to different switches, some of which are unmanaged.

Model: WAC510 Insight Managed Access Point
Message 1 of 3
schumaku
Guru

Re: WAC510 - Guest access VLAN across multiple WAC510s connected to different switches

There is no magic possible - all switches must be VLAN capable and configured accordingly...

Message 2 of 3
DougHog
Aspirant

Re: WAC510 - Guest access VLAN across multiple WAC510s connected to different switches

Contrary to the other reply, to me there is indeed "magic" possible.  My experience is with the local web managed mode, I can't say whether it works similar in Insight mode.  For me, after your first regular SSID you add your -Guest second SSID and look in the settings for "enable client isolation."  For me that seems to allow what I want, where -Guest users can access the internet but nothing else - none of your LAN devices nor each other.  No special VLAN stuff required, and it works on multiple access points.  Not sure how it works, sort of like it is only allowing access to the gateway and includes DHCP and DNS forwarding.

 

One little glitch is affecting me on different model (WAC564) only in the most recent firmware (mid-March) and only after power-cycle.  That glitch gives me slight hesitation to say that I understand this "client isolation" properly but I tend to think that I do (please don't trust me - verify for your own purposes).  After that firmware glitch is corrected, my plan is to combine this Client Isolation with VLAN (which does require configuring in various places).  In my case the VLAN would be setup to assign guests an IP address from different range.  I'd allow that guest VLAN access to internet (and DNS forwarding) but not to my LAN.  In that situation, enabling "client isolation" would not be necessary to keep guests from seeing my LAN, but would be useful to keep guests from seeing each other (saving me a minor additional firewall rule in the VLAN to achieve same result).

Message 3 of 3
Top Contributors
Discussion stats
  • 2 replies
  • 401 views
  • 0 kudos
  • 3 in conversation
Announcements