This article describes how to configure separate Guest and Corporate wireless client segments that connect through the same access point (AP).
To provide multiple wireless access levels on the same AP, give each level its own SSID and map each SSID to its own VLAN ID. Each VLAN is then given a Routed VLAN Interface (RVI), which separates one wireless segment from the other.
The following VLANs have to be created:
- Guest VLAN
- Corporate Wireless VLAN
- Management VLAN
First, create the VLAN interfaces:
- vlan.1000 for the Guest VLAN
- vlan.1001 for the Corporate Wireless VLAN
- vlan.1002 for the Management VLAN
root@SRX240H# show interfaces vlan
unit 1000 {
    family inet {
        address 10.252.1.10/24;
    }
}
unit 1001 {
    family inet {
        address 10.252.2.1/24;
    }
}
unit 1002 {
    family inet {
        address 10.252.3.1/24;
    }
}
Next, configure the VLANs. Each VLAN definition includes the VLAN ID and the L3 interface that ties it to the corresponding VLAN interface:
root@SRX240H# show vlans
Wireless-mgnt {
    description Wireless-mgnt;
    vlan-id 5;
    l3-interface vlan.1002;
}
wifi-guest-1000 {
    vlan-id 1000;
    l3-interface vlan.1000;
}
wifi-corp-1001 {
    vlan-id 1001;
    l3-interface vlan.1001;
}
Now configure the physical interface. Assume that the AX411 is connected through the ge-0/0/4 interface on an SRX-240. Configure this physical interface with family ethernet-switching as a trunk port.
Configure the wifi-guest-1000 and wifi-corp-1001 VLANs as members of this trunk. The native VLAN ID 5 is also configured on this interface, which tells the system to treat VLAN tag 5 as the native untagged VLAN.
root@SRX240H# show interfaces
ge-0/0/4 {
    description AX411_INT;
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members [ wifi-guest-1000 wifi-corp-1001 ];
            }
            native-vlan-id 5;
        }
    }
}
Note: If you place the AX-411 behind a switch, do not include the native VLAN as a VLAN member of the trunk. If you do, the return packet will return as a tagged packet; AX-411 will not recognize it and it will be dropped. For more information, refer to KB17419 - Native vlan-id and tagged behavior in EX Switches.
After configuring the VLAN interfaces, you can configure one VLAN per SSID. In this example, the Guest users are defined on the Guest SSID, which is on virtual-access-point 0, and Corporate users are defined on the Corp SSID, which is on virtual-access-point 1.
root@SRX240H# show wlan access-point ax411-ap
description Office-WIFI;
mac-address xx:xx:xx:xx:xx:xx;
access-point-options {
    country {
        US;
    }
}
radio 2 {
    virtual-access-point 0 {
        description Guest-Users;
        ssid Guest;
        vlan 1000;
        security {
            none;
        }
    }
    virtual-access-point 1 {
        description TestGuest;
        ssid Corp;
        vlan 1001;
        security {
            wpa-personal {
                wpa-version {
                    both;
                }
                cipher-suites {
                    tkip;
                }
                key "$ABC123"; ## SECRET-DATA
            }
        }
    }
}
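The separation configured above holds only if each SSID's VLAN tag is carried on the trunk, no two SSIDs share a tag, and the native VLAN is not also a tagged trunk member. The following Python check is an added example, not part of the original article or any Juniper tool: it parses a condensed, constructed copy of the statements shown above, verifies those three conditions, and also reports the open Guest SSID and the deprecated TKIP cipher on Corp. The names statements, audit, SAMPLE and WEAK are assumptions made for this example.

```python
import re  # SAMPLE is constructed: the page's statements, condensed

SAMPLE = """
vlans { Wireless-mgnt { vlan-id 5; l3-interface vlan.1002; }
        wifi-guest-1000 { vlan-id 1000; l3-interface vlan.1000; }
        wifi-corp-1001 { vlan-id 1001; l3-interface vlan.1001; } }
ge-0/0/4 { unit 0 { family ethernet-switching { port-mode trunk;
    vlan { members [ wifi-guest-1000 wifi-corp-1001 ]; } native-vlan-id 5; } } }
radio 2 { virtual-access-point 0 { ssid Guest; vlan 1000; security { none; } }
          virtual-access-point 1 { ssid Corp; vlan 1001;
              security { wpa-personal { cipher-suites { tkip; } } } } }
"""
WEAK = {"none": "no link-layer encryption", "tkip": "TKIP cipher"}

def statements(text):
    """Yield (block path, words) for each ';'-terminated statement."""
    path, words = [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"##.*", "", text)):
        if tok == "{":
            path.append(" ".join(words))
        elif tok == "}":
            path.pop()
        elif tok == ";":
            yield tuple(path), [w for w in words if w not in ("[", "]")]
        else:
            words.append(tok)
            continue
        words = []

def audit(text):
    """Return findings on SSID-to-VLAN separation and SSID security."""
    stmts = list(statements(text))
    ids = {p[-1]: w[1] for p, w in stmts if w[0] == "vlan-id"}
    tagged = {ids.get(m, m) for p, w in stmts if w[0] == "members" for m in w[1:]}
    out = [f"native VLAN {w[1]} is also a tagged trunk member"
           for p, w in stmts if w[0] == "native-vlan-id" and w[1] in tagged]
    vaps, used = {}, {}  # vaps: path of each VAP block -> its statements
    for p, w in stmts:
        i = next((n for n, s in enumerate(p) if s.startswith("virtual-access-")), None)
        if i is not None:
            vaps.setdefault(p[:i + 1], {})[w[0]] = w[1:]
    for s in vaps.values():
        ssid, tag = s["ssid"][0], s["vlan"][0]
        if tag not in tagged:
            out.append(f"{ssid}: VLAN {tag} is not carried on the trunk")
        if used.setdefault(tag, ssid) != ssid:
            out.append(f"{ssid}: shares VLAN {tag} with {used[tag]}")
        out += [f"{ssid}: {WEAK[k]}" for k in WEAK if k in s]
    return out
```

The tokenizer does not handle quoted strings that contain spaces, braces or semicolons, so remove or simplify key statements before feeding it a real configuration.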