Layer 2 isolation on wireless controller from USG Flex 500

Niels2021
Niels2021 Posts: 7  Freshman Member
Normally we set up our access points (NWA210AX) in standalone mode. Most of our clients have a maximum of 5 APs, so that's perfect. We often offer them an extra SSID on a separate VLAN with Layer 2 Isolation also enabled, so that clients can only access the internet.

For a big client we now need a minimum of 25 APs, so we decided to work with the wireless controller on the Flex 500 in combination with WAX610D APs. But I cannot find Layer 2 isolation in the AP Profile on the Flex? It's in the firewall, but only available on the LAN1/LAN2/Reserve/DMZ interface. I cannot select a VLAN. How can I do this? We don't want to use Nebula (also because then the WAX610D would be overkill) :)

All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,386  Zyxel Employee

    Hi @Niels2021  

    If the AP is controlled by a ZyWALL series device, there are many different L2/L3 communication scenarios, so the L2 isolation function was removed from the AP profile.

    As for your requirement: the Wi-Fi client can only access the Internet but is unable to communicate on the layer 2 network.

    You can configure it to realize your scenario:

    (1) Enable Intra-BSS Traffic blocking in the AP profile.

    -> Prevents snooping by associated Wi-Fi clients that are connected using the same AP and SSID.

    (2) Enable L2 isolation on the switch ports that are connected to the APs.

    -> Prevents the switch from relaying client MAC addresses to other APs. So enable L2 isolation on the AP-connected ports.

  • Niels2021
    Niels2021 Posts: 7  Freshman Member


    Hello,

    Thank you for your response.

    Intra-BSS Traffic blocking is a start, but not enough, because everyone on another access point will still be able to reach a client on a different access point.

    Preventing switch replies to other APs is also not a solution, because the APs also have an internal SSID where clients are free to communicate with other wireless clients (for example, a mobile phone screencasting over Wi-Fi to a laptop).


  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,386  Zyxel Employee
    edited July 2021

    Hi @Niels2021  

    You can still achieve your requirement by configuring different devices.

    (1) On the FLEX500, create multiple VLANs for the different SSIDs (e.g. VLAN 10/20 are isolated, VLAN 30 is non-isolated).

    (2) On the FLEX500, enable Intra-BSS Traffic blocking in the AP profiles you would like to isolate (e.g. VLAN 10/20).

    (3) Enable VLAN isolation on the VLAN IDs you would like to limit (some switches support it, e.g. the GS1920). Then clients on the unlimited VLANs (SSIDs) are free to communicate with other wireless clients.
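The three designs discussed in this thread (Intra-BSS blocking alone, Intra-BSS blocking plus L2 port isolation on the AP uplink ports, and Intra-BSS blocking plus per-VLAN isolation on the switch) can be checked against the requirement before anything is configured. The script below is an added example and is not Zyxel code or part of the original thread. It models the assumed semantics of the three mechanisms: Intra-BSS blocking applies only to two clients on the same AP and SSID (that traffic is bridged inside the AP and never reaches the switch); switch port isolation on the AP uplink ports blocks all traffic between those ports regardless of VLAN; VLAN isolation blocks client-to-client traffic inside one VLAN only. The SSID names, VLAN numbers, AP names and client names are constructed for the illustration.

```python
"""Hypothetical model of the L2 isolation options from the thread (not Zyxel code).

Assumed semantics, to be checked against the AP and switch documentation:
  * intra-BSS blocking: AP profile setting; only affects clients on the same AP + SSID
  * switch port isolation on AP uplink ports: blocks all traffic between those ports
  * switch VLAN isolation: blocks client-to-client traffic inside the listed VLANs only
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Ssid:
    name: str
    vlan: int
    intra_bss_blocking: bool  # AP profile setting on the controller


@dataclass(frozen=True)
class Client:
    name: str
    ap: str    # AP the client is associated to
    ssid: str


@dataclass(frozen=True)
class Design:
    ssids: dict
    port_isolated_aps: frozenset = frozenset()  # APs whose switch ports are port-isolated
    isolated_vlans: frozenset = frozenset()     # VLANs with switch VLAN isolation


def can_talk(design, a, b):
    """Return (reachable, reason) for layer 2 traffic between two wireless clients."""
    sa, sb = design.ssids[a.ssid], design.ssids[b.ssid]
    if sa.vlan != sb.vlan:
        return False, "different VLANs: no layer 2 path"
    if a.ap == b.ap and a.ssid == b.ssid:
        # Same BSS: the AP bridges this locally, so switch-side settings never see it.
        if sa.intra_bss_blocking:
            return False, "intra-BSS blocking on the AP"
        return True, "same BSS, intra-BSS blocking off"
    if a.ap != b.ap:
        # Frame crosses the switch between two AP uplink ports.
        if a.ap in design.port_isolated_aps and b.ap in design.port_isolated_aps:
            return False, "switch port isolation between AP ports (all VLANs)"
        if sa.vlan in design.isolated_vlans:
            return False, f"switch VLAN isolation on VLAN {sa.vlan}"
        return True, "switch forwards within the VLAN"
    # Same AP, different SSIDs on one VLAN: assumed bridged inside the AP.
    return True, "same AP, bridged locally (assumption)"


# Constructed scenario: an isolated guest SSID and an open internal SSID.
GUEST = Ssid("Guest", vlan=10, intra_bss_blocking=True)
STAFF = Ssid("Staff", vlan=30, intra_bss_blocking=False)
SSIDS = {s.name: s for s in (GUEST, STAFF)}

CLIENTS = [
    Client("g1", "AP1", "Guest"),
    Client("g2", "AP1", "Guest"),
    Client("g3", "AP2", "Guest"),
    Client("phone", "AP1", "Staff"),   # screencasting to the laptop on another AP
    Client("laptop", "AP2", "Staff"),
]

DESIGNS = {
    "intra-bss only": Design(SSIDS),
    "intra-bss + port isolation": Design(SSIDS, port_isolated_aps=frozenset({"AP1", "AP2"})),
    "intra-bss + VLAN isolation": Design(SSIDS, isolated_vlans=frozenset({10})),
}


def reachability(design):
    """Map (client name, client name) -> reachable, for every client pair."""
    return {(a.name, b.name): can_talk(design, a, b)[0] for a, b in combinations(CLIENTS, 2)}


def meets_requirement(design):
    """Guest clients must never reach each other; staff clients must always be able to."""
    r = reachability(design)
    guest = [c for c in CLIENTS if c.ssid == "Guest"]
    staff = [c for c in CLIENTS if c.ssid == "Staff"]
    guest_ok = all(not r[(a.name, b.name)] for a, b in combinations(guest, 2))
    staff_ok = all(r[(a.name, b.name)] for a, b in combinations(staff, 2))
    return guest_ok and staff_ok


if __name__ == "__main__":
    for name, design in DESIGNS.items():
        print(f"{name}: {'OK' if meets_requirement(design) else 'FAILS'}")
        for a, b in combinations(CLIENTS, 2):
            ok, why = can_talk(design, a, b)
            print(f"  {a.name:6} -> {b.name:6}: {'allowed' if ok else 'blocked':7} ({why})")
```

Running it shows the two objections raised in the thread: with Intra-BSS blocking alone, g1 on AP1 still reaches g3 on AP2; with port isolation on the AP uplink ports, the guest gap is closed but the phone can no longer reach the laptop on the other AP. Only the per-VLAN isolation design satisfies both conditions, and it still depends on Intra-BSS blocking for the same-AP case, because that traffic never reaches the switch.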