10 Replies Latest reply on Sep 6, 2013 7:40 AM by nick

    BSC-600 - Guest Network Question

    pilly170 New Member

      Hi,

       

      I have a BSC-600, firmware V6.5.1.03, with 2 APs.

      Managed NW IP = 192.168.200.x

      Protected NW IP = 10.x.x.x

       

      Connection to Internet in Managed Port 1

      Connection to AP1 in Managed Port2

      Connection to AP2 in Managed Port3

      Connection to LAN in Protected Port

       

      My question is this. I only use this appliance for guest users to our company. So when a device logs in via the web login they can only access the managed side (internet).

      When I log in my device (iPhone) to the appliance, I can ping and access the protected side of the network. Is this right? How can I stop this, as I only want them to access the managed side?

       

       

      Thanks for any assistance.

        • Re: BSC-600 - Guest Network Question
          kennethfernandes Employee

          With the BSC, the managed interface is the ingress and the protected interface is the egress. The internet should be on the protected side while the clients reside on the managed side. It sounds like whatever network you have the managed plugged into, the protected should be plugged into instead.

            • Re: BSC-600 - Guest Network Question
              pilly170 New Member

              Ok,

               

              But when I look at the GUI it says

               

              Protected - the BSC to communicate with the protected (i.e., wired) side of your network. (I would assume LAN)

              Managed - the BSC to communicate with the managed (i.e., wireless) side of your network.

              So you are saying I've got these two mixed up....

                • Re: BSC-600 - Guest Network Question
                  kennethfernandes Employee

                  That is correct. The protected is typically plugged into your existing wired network and clients reside on the managed side of the BSC. Traffic flows in the managed and out the protected. By default the BSC will NAT the managed network IP addresses to the protected IP address. Traffic must flow through the BSC in order for it to enforce firewall policies, provide bandwidth management, etc. Guest traffic could flow in the managed, out the protected, over your existing wired network, and out to the internet and you could leverage the BSC's stateful firewall to prevent guests from accessing everything but the internet. In that case your existing wired network should reside on the protected. Instead of guest traffic flowing over your existing wired network, you could also have a dedicated internet connection just for guest access where guest traffic would flow in the managed, out the protected, and out to the internet. Again the internet should reside on the protected. So you said you had:

                   

                  1. Connection to Internet in Managed Port 1

                  2. Connection to AP1 in Managed Port2

                  3. Connection to AP2 in Managed Port3

                  4. Connection to LAN in Protected Port

                   

                  1 is incorrect as the internet should reside on the protected side of the BSC. 2 and 3 are correct. 4 could be correct if you wanted traffic to flow in the managed, out the protected, over your existing LAN, and out to the internet. If you didn't want traffic to flow over your existing LAN but instead in the managed, out the protected, then out a dedicated internet connection, then the internet should be on the protected instead.

                    • Re: BSC-600 - Guest Network Question
                      pilly170 New Member

                      Ok, I will change my config.

                       

                      If I wished to be able to access the appliance from my LAN?

                       

                       

                      Thanks

                        • Re: BSC-600 - Guest Network Question
                          kennethfernandes Employee

                          BSC-600/1200s have a shared failover/admin port. If you are not using failover or loadsharing you could connect the admin port to your LAN so that you may access it from there. Another option if you are using failover/loadsharing is a protected side VLAN. So the protected physical interface could go right out to the internet but the protected VLAN could connect to your LAN for management. In that case the protected interface's switchport would need to be configured as a trunk port where the protected physical VLAN is set to the native VLAN of the trunk and the protected "management" VLAN is allowed or tagged on the trunk.

                        • Re: BSC-600 - Guest Network Question
                          nick Employee

                          I went ahead and flagged this post as “Assumed Answered.” If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons. This will make them visible and help other members of the community find solutions more easily as well as award points to the users that helped you. If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply