VLANs?

I have never come across a corporate network that has their guest wireless on their internal network segmented with VLANs. Most corporate networks that I have been on, the network engineers refuse to put wireless onto the physical network under any circumstances. This is why they always have it on a separate line; from what I am aware it is pretty common.

It's not. I suspect we're talking about different things here, that is, half-baked setups where they're using semi-managed Netgear rubbish and don't understand VLANs (and therefore should keep wireless well away from it, lest they open horrific security holes through incompetence), and actual corporate systems with managed switching from serious vendors, intelligently designed networks and wireless, and network managers with a clue.

The only reason not to put wireless on a physically separate device and connection is lack of competence on the part of the people administering it. Or at least that's my opinion, Cisco's opinion (including the CCDE assessors), Juniper's opinion and standard practice at the multiple FTSE 100 companies whose networks I've designed. I can only ask that you think about getting some more experience of design best practices.
 
I have business and guest SSIDs on the same access points, on the same 'physical' network and on the same internet connection. Our network is pen tested regularly.

There is nothing wrong with using VLANs and firewall zones to segment public and business networks.
 
I have never come across a corporate network that has their guest wireless on their internal network segmented with VLANs. Most corporate networks that I have been on, the network engineers refuse to put wireless onto the physical network under any circumstances. This is why they always have it on a separate line; from what I am aware it is pretty common.
Maybe at the access layer of the network (the switches the APs plug into etc.), but eventually the trunk will go back to a device where the production network is only logically separated from the guest wireless network.
This is actually a desirable situation to be in, because you can filter the guest network traffic with your standard firewalling while also potentially preventing anybody on site from connecting to competitor networks.

Otherwise you'll have to buy a separate connection, separate firewalling, separate logging, separate management etc. As I said, unless the wireless is generating revenue, it's generally too expensive to do that.
 
I have never come across a corporate network that has their guest wireless on their internal network segmented with VLANs. Most corporate networks that I have been on, the network engineers refuse to put wireless onto the physical network under any circumstances. This is why they always have it on a separate line; from what I am aware it is pretty common.

Unfortunately you are misinformed; this is common, using a separate VLAN and firewall policy / zone. There is nothing wrong with this at all.

BTW: interesting choice of wireless controllers! Cisco would have been my choice; that is hardly cheap!
 
http://www.google.com/search?num=30...1.1.0.0.0.0.128.128.0j1.1.0...0.0.CArynMNvyT0

I still would not recommend plugging wireless access points into your internal network on another VLAN. If the network has its own switches and goes directly into the firewall then sure. But to plug a WAP into the same physical network but on a different VLAN is a security risk.

But yeah, I don't know what I am talking about...
 
I'm not sure what you expect me to see from that link. All I see is people """hacking""" VLANs that somebody has not set up correctly. Again, my original statement stands: you don't know what you're talking about.

- GP

As someone who has spent a fair bit of time "hacking" VLANs I'm inclined to agree with GP and BRS here.

The main risk from VLANs is misconfiguration and a lack of proper rules that allows an attacker to break out and actually do some damage.
 
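As an added example that is not part of any post in this thread: the VLAN "hacking" GP and the previous poster refer to almost always comes down to trunk and DTP misconfiguration on the switch ports the APs (or guests) plug into, and the shared-switch design described earlier (AP trunks carrying the guest SSID VLAN back to a firewall) is only as good as those port settings. The script below, written for this page rather than taken from any poster's network, audits a Cisco IOS-style switch configuration for the things a pen tester goes looking for first: ports left in DTP-dynamic mode, AP trunks that carry every VLAN, trunks that still negotiate, and a trunk native VLAN that is also in use as an access VLAN (the precondition for double-tagging). The config text, interface names and VLAN numbers are constructed for the example, and the IOS defaults it assumes (access and native VLAN 1, DTP on when no mode is set) are stated in comments.

```python
import re

# Constructed sample config for this example. Interface names, VLAN numbers
# and the port descriptions are assumptions, not from any poster's network.
SAMPLE_CONFIG = """\
vlan 10
 name DATA
vlan 30
 name WIFI-SECURE
vlan 40
 name WIFI-GUEST
!
interface GigabitEthernet1/0/1
 description AP-01 uplink (hardened)
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 30,40
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description AP-02 uplink (sloppy)
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 description Finance desktop
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/0/4
 description Printer, never configured
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for each 'interface' stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def expand_vlan_list(spec):
    """'30,40,100-102' -> {30, 40, 100, 101, 102}."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def port_facts(lines):
    """Reduce a stanza to the settings that matter for VLAN hopping.
    IOS defaults assumed: access and native VLAN 1, no mode set means DTP dynamic."""
    facts = {"mode": None, "access_vlan": 1, "native_vlan": 1,
             "allowed": None, "nonegotiate": False}
    for line in lines:
        if m := re.fullmatch(r"switchport mode (access|trunk)", line):
            facts["mode"] = m.group(1)
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            facts["access_vlan"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            facts["native_vlan"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", line):
            facts["allowed"] = expand_vlan_list(m.group(1))  # plain form only, no add/remove
        elif line == "switchport nonegotiate":
            facts["nonegotiate"] = True
    return facts


def audit(config):
    """Return a list of (interface, finding) tuples; an empty list means clean."""
    ports = {name: port_facts(lines) for name, lines in parse_interfaces(config).items()}
    # VLANs an untagged client can sit on: every non-trunk port's access VLAN.
    access_vlans = {f["access_vlan"] for f in ports.values() if f["mode"] != "trunk"}
    findings = []
    for name, f in sorted(ports.items()):
        if f["mode"] is None:
            findings.append((name, "no explicit switchport mode: DTP is dynamic, so a "
                                   "client could negotiate the port into a trunk"))
        if f["mode"] != "trunk":
            continue
        if f["allowed"] is None:
            findings.append((name, "trunk carries every VLAN; prune to the SSID VLANs the AP needs"))
        if not f["nonegotiate"]:
            findings.append((name, "trunk still speaks DTP; add 'switchport nonegotiate'"))
        if f["native_vlan"] in access_vlans:
            findings.append((name, f"native VLAN {f['native_vlan']} is also an access VLAN, so "
                                   "double-tagged frames from those ports would be forwarded"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

Run against the sample, the hardened AP uplink (GigabitEthernet1/0/1) produces no findings, which is the shape of trunk that makes sharing switches between guest Wi-Fi and production acceptable; the sloppy uplink and the unconfigured printer port each get flagged. The firewall policy between the guest VLAN and the production zone is the other half of the design the thread describes and is not something a switch config audit can check.
 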
You can go right ahead with plugging wireless access points into your internal network. I don't mind. But I will continue recommending against it.

ROFL

Tell that to my CIO, who serves 250,000 employees worldwide with this method.
 
I almost posted in this thread, but I backed out because I didn't want the fight.

Glad to see BRS has come in with some common sense as usual :)

FWIW, we run our WLAN on the same physical kit as the rest of our LAN, just on a different VLAN - as you're supposed to do.
 
I have never come across a corporate network that has their guest wireless on their internal network segmented with VLANs. Most corporate networks that I have been on, the network engineers refuse to put wireless onto the physical network under any circumstances. This is why they always have it on a separate line; from what I am aware it is pretty common.

I'm sorry to add my 2p worth, but every corporate I've worked on simply VLANs traffic. My current customer (a very large worldwide company with 650 sites in the UK alone) has a data VLAN, a voice VLAN, a secure Wi-Fi VLAN (for regular office Wi-Fi) and an insecure Wi-Fi VLAN (for guest/visitor use).

This is pretty much how it's been with most customers I've worked with (except this is the first I've worked on where they don't VLAN the data section further, i.e. servers, printers, HR, finance etc.).
 
I have never come across a corporate network that has their guest wireless on their internal network segmented with VLANs. Most corporate networks that I have been on, the network engineers refuse to put wireless onto the physical network under any circumstances. This is why they always have it on a separate line; from what I am aware it is pretty common.

Then you lack experience. There is nothing wrong with being wrong, groen; we all are from time to time. You are wrong. Deal with it, learn from it.
 
I'm not advocating the poor advice, but I do believe some of his comments have a certain merit in some circumstances.

I have to say that VLANs are not always suitable for all applications, especially when separating data classifications, but this is only really a public sector concern.
 
I have never come across a corporate network that has their guest wireless on their internal network segmented with VLANs. Most corporate networks that I have been on, the network engineers refuse to put wireless onto the physical network under any circumstances. This is why they always have it on a separate line; from what I am aware it is pretty common.

I've done just this in 2 offices covering 500 staff.

I used to use VLANs to partition off the 'visitor' traffic from the main network, but with only one ADSL line for all I found that visitors were killing it with VPNs, iPhones, iPads and whatnot. It's not so much the download but the upload that was being battered and causing websites/web services to fail to respond.

In the end I got a Netgear WC7520 with 12 APs on the main network.

The WC7520 pumps out 2 SSIDs: one for internal and one for visitors. I then configured the visitor SSID to output on a certain port on the controller and plugged that into its own ADSL line.

The visitor ADSL router handles DHCP and my DCs handle it for everyone else.

I have one management system and one logging tool for both networks. Internal users have the full internet speed again and visitors have a whole 8Mb line just for them.

Works perfectly.

#just my 2 cents
 
You're forking out for a 2nd circuit instead of a decent QoS policy on your LAN. Makes total sense.
 
You're forking out for a 2nd circuit instead of a decent QoS policy on your LAN. Makes total sense.

The best QoS policy in the world can't help with less than 500kb/s upload and over 250 clients and devices connecting to the internet.

I'm not suggesting that my means are better than others. I'm only stating that this is what I've done and everyone is happy.
 
Aside from the whole WLAN on a 2nd internet connection thing, why not upgrade your existing line to something more suitable?

IMO ADSL lines aren't going to cut it for a business really, let alone one with 250+ users!
 
Well, I've had to do just that, for those exact reasons.

I now have 3 ADSL lines for internal and 1 for visitors. This is still cheaper than a 10Mb fixed line.
 
The best QoS policy in the world can't help with less than 500kb/s upload and over 250 clients and devices connecting to the internet.

I'm not suggesting that my means are better than others. I'm only stating that this is what I've done and everyone is happy.

Sorta the entire point of QoS, isn't it?

As an alternative, you could have bonded both your lines and offered a better experience to all, but then you'd have to tackle the QoS again. Either way though, if you're managing to keep 250 users happy with ADSL lines, you're doing something right. :)
 
Sorta the entire point of QoS, isn't it?

No. QoS is bandwidth management through traffic prioritisation, shaping and policing (among other things, including queues and dropping mechanisms). It isn't a magic wand when your line is pegged. Consider it there for making sure your VoIP and control/management traffic is looked after as best it can be.

As an alternative, you could have bonded both your lines and offered a better experience to all, but then you'd have to tackle the QoS again. Either way though, if you're managing to keep 250 users happy with ADSL lines, you're doing something right. :)

Or they are doing it on the cheap. ADSL is (at least in business) a cheap service for a reason. If it gets to the point where you're bonding 3 lines to get sufficient bandwidth (and I bet his upstream is still shocking) then you REALLY need to look at getting a dedicated circuit. It isn't just about bandwidth; it's about contention, SLA, complexity and the ability to troubleshoot.

Comparing BAU operations on a 10/10 LES to a 3-way bonded DSL line, it is going to be SO much better, and the TCO will overall be so much better for the service received.

- GP
 
Funny you mention it, but we're costing up the difference to see if we can justify a fixed line for the internal stuff.

Either way, if we do install a fixed line, I won't be changing the visitor wireless internet access. No point trying to reinvent the wheel now, is there?
 
Funny you mention it, but we're costing up the difference to see if we can justify a fixed line for the internal stuff.

Either way, if we do install a fixed line, I won't be changing the visitor wireless internet access. No point trying to reinvent the wheel now, is there?

The biggest reason for taking any form of leased line (business class) service is the SLA; you should be looking for an SLA offering a 4 clock-hour fix 24x7x365 (if a provider can't or won't offer a written SLA, move on). This gives you something starting to approach a business-critical solution for reasonable costs.

I know that cost will always be an issue, but have no illusions that any form of xDSL (no matter how many connections you have) is suitable for business-critical internet access.

In reality, business critical starts with peering via two separate providers, on diversely routed fibre (or one fibre, one microwave link) with a pair of routers running BGP on the end of it, but that will cost big money.
 
I have never come across a corporate network that has their guest wireless on their internal network segmented with VLANs. Most corporate networks that I have been on, the network engineers refuse to put wireless onto the physical network under any circumstances. This is why they always have it on a separate line; from what I am aware it is pretty common.

@ OP

Ignore this guy please.
 