https://community.extremenetworks.com/t5/hero-discussions/heroes-xiq-design-topic/m-p/40451#M19 <P>Hi Heroes community.</P><P>&nbsp;</P><P>A topic that I have been discussing with a few&nbsp;colleagues is&nbsp;around XIQ Wireless network design (on&nbsp;the network part), when looking at:&nbsp;</P><UL><LI>Guest Networks</LI></UL><P>The typical requirement for guest traffic&nbsp;is to isolate it from the network and only give it some internet access. From a network design, with Wing and XCC guest is easy,&nbsp;bridge&nbsp;the SSID at the controller into some isolated vlan that is directly connected to a router of some sort. The guest vlan only lives in the core between the controller and router. When looking at a XIQ AP deployment in a small environment&nbsp;this is easy enough to handle by either just tagging a guest vlan to every AP port or using a policy that denies all traffic to internal recourses.</P><P>When we look at a bigger campus&nbsp;that involves various layer 3 boundaries the option for tagging a guest vlan to each AP is not available. We could still use the option of applying a policy that blocks traffic to internal resources. Or another option is to tunnel the traffic with a GRE tunnel to something.</P><P>The question is "what is best design, on the network side, for guest networks when deploying a XIQ wireless network.&nbsp;</P><P>&nbsp;</P><P>Could be a topic to discuss in one of the Hero Tech talks.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 04 Aug 2021 20:43:00 GMT Andre_Brits_Kan 2021-08-04T20:43:00Z https://community.extremenetworks.com/t5/hero-discussions/heroes-xiq-design-topic/m-p/40451#M19 <P>Hi Heroes community.</P><P>&nbsp;</P><P>A topic that I have been discussing with a few&nbsp;colleagues is&nbsp;around XIQ Wireless network design (on&nbsp;the network part), when looking at:&nbsp;</P><UL><LI>Guest Networks</LI></UL><P>The typical requirement for guest traffic&nbsp;is to isolate it from the network and only give it some internet access. From a network design, with Wing and XCC guest is easy,&nbsp;bridge&nbsp;the SSID at the controller into some isolated vlan that is directly connected to a router of some sort. The guest vlan only lives in the core between the controller and router. When looking at a XIQ AP deployment in a small environment&nbsp;this is easy enough to handle by either just tagging a guest vlan to every AP port or using a policy that denies all traffic to internal recourses.</P><P>When we look at a bigger campus&nbsp;that involves various layer 3 boundaries the option for tagging a guest vlan to each AP is not available. We could still use the option of applying a policy that blocks traffic to internal resources. Or another option is to tunnel the traffic with a GRE tunnel to something.</P><P>The question is "what is best design, on the network side, for guest networks when deploying a XIQ wireless network.&nbsp;</P><P>&nbsp;</P><P>Could be a topic to discuss in one of the Hero Tech talks.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 04 Aug 2021 20:43:00 GMT https://community.extremenetworks.com/t5/hero-discussions/heroes-xiq-design-topic/m-p/40451#M19 Andre_Brits_Kan 2021-08-04T20:43:00Z https://community.extremenetworks.com/t5/hero-discussions/heroes-xiq-design-topic/m-p/40452#M20 <P>Hi Andre</P><P>I remember that in some cases we used a VRF for separating the “trustet L3” routing part from the “untrusted” part and using policies on at the Guest User level.</P><P>But in general, i like the idea to get some best practice infomation&nbsp;in form of a topic in the Hero tech talks.</P><P>br</P><P>Tom</P> Wed, 04 Aug 2021 20:53:00 GMT https://community.extremenetworks.com/t5/hero-discussions/heroes-xiq-design-topic/m-p/40452#M20 Thomas_Gfeller 2021-08-04T20:53:00Z