
How To define a Guest and Corporate Wireless Network on a SRX Branch Device by using a single AX-411 AP

  [KB23134]


Summary:
This article describes how to configure Guest and Corporate wireless client segments that connect to the same access point (AP).
Symptoms:
  • Single AX411 Access Point.

  • Configuring Guest and Corporate Wireless segments that connect to a single AX411 Access Point.

  • The SRX Branch device is used to manage the AX411.
Cause:
 
Solution:
 To provide multiple wireless access levels on the same AP, give each level its own SSID, with the SSIDs distinguished by VLAN ID. You then use a Routed VLAN Interface (RVI) per VLAN, which distinguishes one wireless segment from the other.

The following VLANs have to be created:

  • Guest VLAN

  • Corporate Wireless VLAN

  • Management VLAN


First, create the VLAN interfaces. Use vlan.1000 for the Guest VLAN, vlan.1001 for the Corporate Wireless VLAN, and vlan.1002 for the Management VLAN.
root@DELL_J-SRX240H-D10_38# show interfaces vlan 
unit 1000 {
    family inet {
        address 10.252.1.10/24;
    }
}
unit 1001 {
    family inet {
        address 10.252.2.1/24;
    }
}
unit 1002 {
    family inet {
        address 10.252.3.1/24;
    }
}
Next, configure the VLANs. Each definition includes the VLAN ID and the L3 interface, which ties the VLAN to its VLAN interface:

root@DELL_J-SRX240H-D10_38# show vlans 
Wireless-mgnt {
    description Wireless-mgnt;
    vlan-id 5;
    l3-interface vlan.1002;
}
wifi-guest-1000 {
    vlan-id 1000;
    l3-interface vlan.1000;
}
wifi-corp-1001 {
    vlan-id 1001;
    l3-interface vlan.1001;
}
Now configure the physical interface. Assume that the AX411 is connected through the ge-0/0/4 interface on an SRX-240. Configure this physical interface with family ethernet-switching as a trunk port.

Configure the wifi-guest-1000 and wifi-corp-1001 VLANs as members of this trunk. The native VLAN ID 5 is also configured for this interface, which tells the system to treat VLAN 5 as the native, untagged VLAN.

root@DELL_J-SRX240H-D10_38# show interfaces 

ge-0/0/4 {
    description AX411_INT;
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members [ wifi-guest-1000 wifi-corp-1001 ];
            }
            native-vlan-id 5;
        }
    }
}

Note: If you place the AX-411 behind a switch, do not include the native VLAN as a VLAN member of the trunk. If you do, the return packet will return as a tagged packet; AX-411 will not recognize it and it will be dropped. For more information, refer to KB17419 - Native vlan-id and tagged behavior in EX Switches.

After configuring the VLAN interfaces, you can configure one VLAN per SSID. In this example, the Guest users are defined on the Guest SSID, which is on virtual-access-point 0, and Corporate users are defined on the Corp SSID, which is on virtual-access-point 1.

root@DELL_J-SRX240H-D10_38# show wlan access-point ax411-ap 
description Office-WIFI;
mac-address xx:xx:xx:xx:xx:xx;                                  
access-point-options {
    country {
        US;
    }
}
radio 2 {
    virtual-access-point 0 {
        description Guest-Users;
        ssid Guest;
        vlan 1000;
        security {
            none;
        }
    }
    virtual-access-point 1 {
        description VenyuGuest;
        ssid Corp;
        vlan 1001;
        security {
            wpa-personal {
                wpa-version {
                    both;
                }
                cipher-suites {
                    tkip;
                }
                key "$9$FXaR6CpIEyWLN0BLNdboaFn/C0B"; ## SECRET-DATA
            }
        }
    }
}
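
The wlan stanza above leaves the Guest SSID open and puts the Corp SSID on WPA-Personal with TKIP and both WPA versions. The following added example (not part of the Juniper article) parses a stanza of this shape, rejects unbalanced braces, and lists those settings per SSID and VLAN for review; the function names, the finding strings and the reading of `both` as "WPA v1 and v2" are assumptions of this example.

```python
import re
def parse(text):
    """Parse Junos brace-style config into nested dicts; leaf statements map to None."""
    text = re.sub(r"##.*", "", text)  # drop annotations such as ## SECRET-DATA
    stack, words = [{}], []
    for tok in re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text):
        if tok == "{":
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            words.append(tok)
    if len(stack) != 1:
        raise ValueError("unclosed '{'")
    return stack[0]

def audit(cfg):
    """Return (ssid, vlan, finding) for each weak virtual-access-point setting."""
    out = []
    for radio, body in cfg.items():
        for name, vap in (body or {}).items():
            if not (radio.startswith("radio ") and name.startswith("virtual-access-point ")):
                continue
            leaf = dict(k.split(None, 1) for k, v in vap.items() if v is None and " " in k)
            who = (leaf.get("ssid"), leaf.get("vlan"))
            sec = vap.get("security") or {}
            wpa = sec.get("wpa-personal") or {}
            if "none" in sec:
                out.append(who + ("open SSID, traffic unencrypted",))
            if "tkip" in (wpa.get("cipher-suites") or {}):
                out.append(who + ("TKIP cipher permitted",))
            if "both" in (wpa.get("wpa-version") or {}):
                out.append(who + ("WPA v1 permitted alongside v2",))
    return out

# Constructed sample modelled on the page's wlan stanza (key omitted, layout condensed).
SAMPLE = """radio 2 {
    virtual-access-point 0 { ssid Guest; vlan 1000; security { none; } }
    virtual-access-point 1 { ssid Corp; vlan 1001; security { wpa-personal {
        wpa-version { both; } cipher-suites { tkip; } } } }
}"""
if __name__ == "__main__":
    print(*audit(parse(SAMPLE)), sep="\n")
```

The parser works on tokens rather than lines, so it accepts both the condensed sample and the multi-line output of `show wlan access-point`.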


