
Configuring a VLAN for Guest Access on EXOS Switch (5320)

dona168lee
New Contributor

Hi everyone,

I'm currently working with an EXOS switch (5320), and I need to set up a VLAN specifically for guest access. The goal is to provide internet access to guest users while ensuring they are isolated from the internal network. Could anyone help guide me through the steps to configure the VLAN for guest access while following best practices for security and performance?

The VLAN should be isolated from the internal network but provide internet access. I need to configure specific ports where guest devices will be connected to this VLAN. The guest devices should receive dynamic IP addresses from the DHCP server. I’d like to prevent communication between devices within the guest VLAN but still allow internet access.

Thanks in advance for your help! I appreciate any guidance or example configurations.

Best regards,

Dona


Ryan_Yacobucci
Extreme Employee

Hello,

Considering this has been posted in the ExtremeControl board I'm assuming you're looking for some assistance using Extreme Control to assign this policy to a port dynamically, or possibly using static policy on a port to provide guest access.

Using Extreme Policy you can create a policy that would assign a VLAN, deny internal networks and allow internet connectivity. 

There is a canned policy with the Policy Manager domain called "Guest Access":

[screenshot: Ryan_Yacobucci_0-1737220191217.png]

This default example of a policy is a deny-all policy that opens up ARP, DNS, DHCP for basic access, permits access to mail protocols, and allows HTTP/HTTPS.

You can use this as a base for your policy and add into it rules to deny internal ranges. 

In XIQ-SE go to Control --> Policy --> Open the appropriate policy domain --> Under Roles/Services scroll down to Service Repository --> Right click "Services" under the "Local Services" tree --> Create Service --> Name it "Deny Internal Networks" --> Right click the new Service --> Add Rule --> Name the rule "Deny 10.x.x.x" or however is appropriate --> Click the new rule --> Edit the traffic description --> Set Traffic Classification Type to IP Address Destination --> For the value put in 10.0.0.0/8 or whatever is appropriate for your internal network range --> Click "OK" --> Set the Access Control to "Deny"

Repeat for all internal networks. 

Once you have completed the rules in the service, make sure to add the new service to the Role to start denying all internal networks.

The rule should look something like this: 

[screenshot: Ryan_Yacobucci_1-1737220730330.png]

Another way you can manage this type of configuration is through the automated services. 

In Policy click on the "Network Resources" tab and create a Network Resource object. Once created, assign your IP ranges on the very bottom field: 

[screenshot: Ryan_Yacobucci_2-1737220847227.png]

Once you have created your network resource, go back to the Roles/Services section and create a new service; this time create an "Automated" service.

Assign your Traffic Description type to "IP Address Destination" and set it to your Internal Networks Resource object.
Set the Access Control to "Deny".

[screenshot: Ryan_Yacobucci_3-1737220914025.png]

Add the automated service to your Role: 

[screenshot: Ryan_Yacobucci_4-1737220983220.png]

Add your switches into the Devices/Port groups tab and enforce policy. 

Once enforced you can assign this policy dynamically or statically to a switch port. 

To assign statically, under the Devices/Port Groups tab click on your switch --> Ports --> Right click the port/ports --> Policy --> Set Default Role.

If you want to assign a VLAN, set the Access Control to "Contain To VLAN" and assign a VLAN. If you go this route you could optionally create a new rule to deny ethertype for IPv4 and IPv6 to rebuild your implicit deny rule. Policy precedence should give this new rule the lowest precedence so that it acts as your implicit deny.

Policy is a very powerful construct. When working with policy it's highly recommended that you test extensively before rolling it out to your network as it could result in service impact if improperly configured. Use a test switch on a test port and when you're confident that it's operating as you'd like move it to a switch/area that will be least impactful if issues arise.

It's highly recommended that you engage professional services if you are new to policy. They can help build this out exactly as you'd like.


Thanks
-Ryan
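As an added example that is not part of Ryan's reply or of Extreme's own documentation: the intent of that "Guest Access" role (guest VLAN, DHCP and DNS permitted, internal ranges denied, everything else out to the internet) expressed directly on the EXOS switch as CLI plus an ACL policy file, which is useful for checking the result on a test switch before enforcing it through Policy. The VLAN name and tag, the guest port list, the guest subnet 192.0.2.0/24, the DHCP relay target 10.1.1.5 and the file name are assumptions; the 10.0.0.0/8 internal range is the one from the reply.

```text
# --- EXOS CLI (assumed: VLAN "guest", tag 100, guest edge ports 1-8) ---
create vlan guest tag 100
configure vlan guest add ports 1-8 untagged
# Switch is the guest gateway and relays DHCP to an internal server (assumed 10.1.1.5)
configure vlan guest ipaddress 192.0.2.1/24
enable ipforwarding vlan guest
configure bootprelay add 10.1.1.5
enable bootprelay vlan guest
# Apply the ACL below to all traffic entering the guest VLAN
configure access-list guest_acl vlan guest ingress

# --- guest_acl.pol (create with "edit policy guest_acl.pol", then run "check policy guest_acl") ---
# Entries are evaluated top-down, first match wins: service permits first, then the internal deny,
# then a final permit so guests still reach the internet.
entry permit_dhcp {
    if { protocol udp; destination-port 67; } then { permit; }
}
entry permit_dns_udp {
    if { protocol udp; destination-port 53; } then { permit; }
}
entry permit_dns_tcp {
    if { protocol tcp; destination-port 53; } then { permit; }
}
# Guest-to-guest IP traffic inside the assumed guest subnet is dropped (the
# "no communication between guest devices" requirement from the question)
entry deny_guest_to_guest {
    if { source-address 192.0.2.0/24; destination-address 192.0.2.0/24; } then { deny; count guest_to_guest; }
}
# One entry per internal range, as the reply describes for the policy rules
entry deny_internal_10 {
    if { destination-address 10.0.0.0/8; } then { deny; count internal_10; }
}
# Everything else (web, mail, etc. toward the internet) is allowed
entry permit_rest {
    if { } then { permit; }
}
```

The `count` actions let you confirm on the test switch with `show access-list counters` that the deny entries are actually matching guest traffic before the same intent is enforced through Policy.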
