2019-09-02 - AP and Server under same VLAN

Header Data

From: Michael Raynor <mx***1@gmail.com>
Message Hash: f5ceec53d18523bebb486346070d968e2c654e30ee2bb83abc79e28e61f98af4
Message ID: <70782cd0-2ea6-4908-8ef8-cb5859dc8b6e@grasehotspot.org>
Reply To: <117f7e2c-0834-479a-893d-598a258a03ed@grasehotspot.org>
UTC Datetime: 2019-09-02 14:02:42 UTC
Raw Date: Mon, 02 Sep 2019 14:02:42 -0700

Raw message

I have had success running Grase under VMware and Hyper-V with two vNICs - one for internet/management and one for the guests.
On the VM side these NICs have no VLAN - they are just untagged plain vanilla NICs presented to Ubuntu/Debian and Grase.
On the VMware/Hyper-V side the vNICs are attached to their respective networks and the VLANs are trunked through the physical network and tagged as per normal.

One of the sites I look after has 20+ Ubiquiti APs - one of the SSIDs is the Guest Wifi which is associated with the same VLAN as the guest side on Grase. It has to be a boring layer 2 VLAN as Grase takes care of DHCP, DNS etc.

All we do is make sure the VLAN is trunked and tagged all the way from our Hypervisors through to all the APs. Since the APs support VLAN tags for the SSIDs, guests just end up on the network when they connect.

On the other side, we tag the management/internet VLAN through to our router (where it appears as a VLAN sub-interface - but you could also present it on an untagged switch port) and then set up the rules for internet and management access to Grase. This keeps guest traffic completely separate from our staff network.

As for KVM support - it doesn't hurt to try but I haven't had experience with it. I would recommend making sure that you present vNICs that are untagged on the respective networks to Grase - I wouldn't do the vlanning inside Ubuntu/Debian/Grase.

If your APs support a separate management VLAN and/or have a central management console then it will make things easier. If the APs are all standalone then you can put them on the guest side of the network but be aware you're exposing the management interface of the APs to guests.

There are a multitude of ways to architect your network with Grase - you just need to weigh up the risks associated with each and experiment (in non-production of course...)

Hope that helps

Michael
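The trunking and isolation rules described in the message above (guest VLAN trunked and tagged all the way from the hypervisor to every AP, Grase given one untagged vNIC per VLAN, AP management kept off the guest VLAN) can be checked mechanically before cabling anything. The script below is an added example, not part of the post and not Grase's own code: the switch topology, device and port names, SSID names and VLAN IDs are all constructed, and the "core g3" trunk deliberately omits the guest VLAN so the check has something to find.

```python
from collections import deque

# Constructed topology (not from the post). VLAN 10 = management/internet,
# VLAN 20 = guest. Each port is ("trunk", allowed_vlan_set) or ("access", vlan).
MGMT_VLAN, GUEST_VLAN = 10, 20

PORTS = {
    ("hv1", "uplink"): ("trunk", {10, 20}),   # hypervisor physical uplink
    ("core", "g1"): ("trunk", {10, 20}),
    ("core", "g2"): ("trunk", {10, 20}),
    ("core", "g3"): ("trunk", {10}),          # guest VLAN deliberately missing
    ("edge1", "g1"): ("trunk", {10, 20}),
    ("edge1", "g5"): ("trunk", {10, 20}),
    ("edge2", "g1"): ("trunk", {10, 20}),
    ("edge2", "g5"): ("trunk", {10, 20}),
    ("ap1", "eth0"): ("trunk", {10, 20}),
    ("ap2", "eth0"): ("trunk", {10, 20}),
}

# Physical cables, as unordered pairs of ports.
LINKS = [
    (("hv1", "uplink"), ("core", "g1")),
    (("core", "g2"), ("edge1", "g1")),
    (("core", "g3"), ("edge2", "g1")),
    (("edge1", "g5"), ("ap1", "eth0")),
    (("edge2", "g5"), ("ap2", "eth0")),
]

# Per-AP config: SSID -> tagged VLAN, plus the VLAN the AP manages itself on.
APS = {
    "ap1": {"ssids": {"Guest": 20, "Staff": 10}, "mgmt_vlan": 10},
    "ap2": {"ssids": {"Guest": 20}, "mgmt_vlan": 20},  # mgmt exposed to guests
}

# Hypervisor port-group VLAN tag behind each untagged vNIC presented to Grase.
GRASE_VNICS = {"eth0": 10, "eth1": 20}


def port_carries(port, vlan):
    """True if the port forwards `vlan` (tagged on a trunk, untagged on access)."""
    mode, cfg = PORTS[port]
    return vlan in cfg if mode == "trunk" else cfg == vlan


def neighbours(dev):
    """Yield (local_port, remote_port) for every cable attached to `dev`."""
    for a, b in LINKS:
        if a[0] == dev:
            yield a, b
        elif b[0] == dev:
            yield b, a


def find_vlan_path(src, dst, vlan):
    """BFS from src to dst over cables whose ports at BOTH ends carry `vlan`.
    Returns the device path, or None if the VLAN is not trunked end-to-end."""
    queue = deque([(src, [src])])
    seen = {src}
    while queue:
        dev, path = queue.popleft()
        if dev == dst:
            return path
        for local, remote in neighbours(dev):
            nxt = remote[0]
            if nxt in seen:
                continue
            if port_carries(local, vlan) and port_carries(remote, vlan):
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None


def check_design(hypervisor="hv1"):
    """Return a list of findings; an empty list means the design follows the
    rules from the post: distinct guest/mgmt VLANs, one Grase vNIC per VLAN,
    every SSID's VLAN reachable from the hypervisor, no AP managed on the
    guest VLAN."""
    findings = []
    if MGMT_VLAN == GUEST_VLAN:
        findings.append("guest and management VLAN are the same ID")
    if sorted(GRASE_VNICS.values()) != sorted([MGMT_VLAN, GUEST_VLAN]):
        findings.append("Grase VM does not get exactly one vNIC per VLAN")
    for ap, cfg in APS.items():
        for ssid, vlan in cfg["ssids"].items():
            if find_vlan_path(hypervisor, ap, vlan) is None:
                findings.append(
                    f"VLAN {vlan} for SSID {ssid!r} is not trunked {hypervisor} -> {ap}")
        if cfg["mgmt_vlan"] == GUEST_VLAN:
            findings.append(f"{ap} management interface sits on the guest VLAN")
    return findings


if __name__ == "__main__":
    for finding in check_design() or ["design OK"]:
        print(finding)
```

Running it reports that VLAN 20 never reaches ap2 (the core g3 trunk drops it, so guests on that AP would simply get no DHCP from Grase) and that ap2 manages itself on the guest VLAN, which is exactly the exposure the message warns about for standalone APs. The path check only models VLAN membership per port; it says nothing about native-VLAN mismatches or whether the AP actually tags the SSID, so it is a pre-flight check, not a substitute for testing in non-production.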
