Bridge multiple VLANs

This feature is extremely useful and popular in hotel (or serviced apartment) setups.

Most hotel compliance requirements mandate isolating guest access, i.e. blocking direct/peer-to-peer access among guests within the hotel network, in particular to minimize broadcast storms, prevent internal hacking and contain virus or worm outbreaks. For example, should one guest device be infected with a worm, the worm cannot propagate to and infect other guest devices within the hotel.

In short, client isolation ensures that each guest's device is only allowed to communicate upstream to its default gateway, for direct outbound Internet access.

A typical mid-to-large hotel offers two ways for guest Internet access: wireless and wired. For wireless access, the premises are covered with Wi-Fi and guest devices connect to the hotel Wi-Fi; for wired access, each room has a LAN point where a guest can plug a PC in directly with a UTP cable to get Internet access.

Client isolation in wireless network

For wireless client isolation, many enterprise-grade Wi-Fi products support a feature called "client isolation". Once this feature is turned on, each associated wireless client (user device) can only communicate with its default gateway, and is unable to scan or reach other devices within the same network.

Our MAP supports both AP-based and AP & SSID-based client isolation; it is configurable in the template settings.

Client isolation in switch network

Client isolation in a switched network essentially requires that each switch-port (one per guest room) be isolated from every other switch-port.

There are 3 ways to implement switch-port isolation:

  1. Split rooms into VLANs. In the switch configuration, simply assign each switch-port to a different VLAN so that each guest room sits in a dedicated/separate VLAN. However, each VLAN also requires its own network addressing, so the IP address planning can be massive, especially when there are many rooms (and therefore many VLANs): you need to create many VLANs and a DHCP address pool for each of them. Such a network is very tedious to configure and very difficult to maintain.
  2. Use Private VLAN. In a private VLAN configuration, all the ports/rooms are in one primary VLAN and one network (so only one address pool needs to be maintained), but each port is in a secondary VLAN in isolated mode. This perfectly solves port isolation and simplifies IP addressing. BUT private VLAN is only supported on some brands/models of switches, and it does require strong networking knowledge/skills to configure. Moreover, many hotels are using switches that don't support the private VLAN feature.
  3. Bridge multiple VLANs. In this scenario, we put each room into a dedicated VLAN (as in #1), then bridge all the VLANs under one bridge, so that we only need to configure one flat network for the bridged network. This design has the best of both worlds: port isolation and simplified network addressing. And it only requires the switches to support standard VLAN and trunking features, which most common/cheap switches already have.

This section focuses on how to use mbox features to implement scenario #3 above.

In the above design, the switch configuration is very simple:

  • On the switch, assign each room switch-port to a dedicated VLAN. In some hotels where the Wi-Fi solution doesn't support the "client isolation" feature, you may have an AP plugged into the room LAN port, so the Wi-Fi is isolated by the switch-port configuration.
  • Each floor will have one or multiple switches, and each switch uplinks to the core switch in trunk mode, permitting all VLANs to pass through (you may further narrow this down to the specific VLANs configured on that switch if needed).
  • The core switch connects to the mbox LAN interface (e.g. eth1), and that switch-port runs in trunk mode, trunking all room VLANs to mbox.
  • On mbox, we configure VLAN interfaces mapping to each room VLAN, and put all VLANs under one bridge interface.
  • Configure the IP address and DHCP pool for the bridge interface (if a captive portal is required, enable hotspot on the bridge interface).

NOTE:

  1. If there are many VLANs/rooms, split the VLANs into two or more bridge groups. It's recommended not to have more than 1,000 IPs in each bridged network.
  2. It's recommended to turn off the spanning tree protocol under the bridge interface (stp off). Some low-end switches may have spanning tree compatibility issues with mbox, so it's better to turn off STP and prevent mbox from participating in the switches' spanning tree negotiation.
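As an added example (not mbox code and not part of the original page), the following Python script generates the per-room VLAN and bridge stanzas in the syntax of the sample config below, splitting the room VLANs into several bridge groups as note 1 recommends. It assumes the gateway is the first host address of each bridge subnet and that `max_per_bridge` is an operator-chosen threshold; the room VLAN list and subnets are constructed sample data.

```python
from ipaddress import IPv4Network
from typing import List

# Constructed sample: room VLAN IDs for two floors, numbered the same way as
# the page's sample config (first digit = floor, last two digits = room).
ROOM_VLANS = [113, 114, 115, 116, 117, 118, 213, 214, 215, 216]

# Constructed sample: one subnet per bridge group (a /21 each, like the page).
BRIDGE_SUBNETS = ["10.72.0.0/21", "10.72.8.0/21", "10.72.16.0/21"]


def split_bridge_groups(vlans: List[int], max_per_bridge: int) -> List[List[int]]:
    """Split the room VLANs into bridge groups of at most max_per_bridge
    VLANs each, so a large hotel does not end up with one huge bridge."""
    if max_per_bridge < 1:
        raise ValueError("max_per_bridge must be at least 1")
    ordered = sorted(set(vlans))  # drop duplicate room entries, keep order stable
    return [ordered[i:i + max_per_bridge] for i in range(0, len(ordered), max_per_bridge)]


def render_config(vlans: List[int], subnets: List[str],
                  parent_if: int = 1, max_per_bridge: int = 4) -> str:
    """Emit the per-room 'interface vlan' stanzas and one 'interface bridge'
    stanza per group, in the syntax of the page's sample config."""
    groups = split_bridge_groups(vlans, max_per_bridge)
    if len(groups) > len(subnets):
        raise ValueError(f"{len(groups)} bridge groups but only {len(subnets)} subnets")
    lines: List[str] = []
    for gid, members in enumerate(groups):
        for vid in members:
            # VLAN sub-interface on the trunk port (eth<parent_if>), placed in its bridge.
            lines += [f"interface vlan {parent_if} {vid}", "enable",
                      f"bridge-group {gid}", "!"]
    for gid, subnet in enumerate(subnets[:len(groups)]):
        net = IPv4Network(subnet, strict=False)
        gateway = net.network_address + 1  # assumption: first host address is the gateway
        # STP is switched off on each bridge, as note 2 recommends.
        lines += [f"interface bridge {gid}", "enable", "stp off",
                  f"ip address {gateway}/{net.prefixlen}", "!"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_config(ROOM_VLANS, BRIDGE_SUBNETS), end="")
```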

Below is an example of a typical hotel config:

-----------
!
hostname xxx-Hotel
!
interface eth0
description "to Internet"
enable
ip address dhcp
!
interface eth1
description "hotel - LAN/WLAN"
enable
!
interface vlan 1 113
enable
bridge-group 0
!
interface vlan 1 114
enable
bridge-group 0
!
interface vlan 1 115
enable
bridge-group 0
!
interface vlan 1 116
enable
bridge-group 0
!
interface vlan 1 117
enable
bridge-group 0
!
interface vlan 1 118
enable
bridge-group 0
!
interface vlan 1 119
enable
bridge-group 0
!
interface vlan 1 120
enable
bridge-group 0
!
interface vlan 1 121
enable
bridge-group 0
!
interface vlan 1 122
enable
bridge-group 0
!
interface vlan 1 213
enable
bridge-group 0
!
interface vlan 1 214
enable
bridge-group 0
!
interface vlan 1 215
enable
bridge-group 0
!
interface vlan 1 216
enable
bridge-group 0
!
interface vlan 1 217
enable
bridge-group 0
!
interface vlan 1 218
enable
bridge-group 0
!
interface vlan 1 219
enable
bridge-group 0
!
interface vlan 1 220
enable
bridge-group 0
!
interface vlan 1 221
enable
bridge-group 0
!
interface vlan 1 222
enable
bridge-group 0
!
interface vlan 1 223
enable
bridge-group 0
!
interface vlan 1 224
enable
bridge-group 0
!
interface vlan 1 225
enable
bridge-group 0
!
interface vlan 1 301
enable
bridge-group 0
!
interface vlan 1 302
enable
bridge-group 0
!
interface vlan 1 303
enable
bridge-group 0
!
interface vlan 1 304
enable
bridge-group 0
!
interface vlan 1 305
enable
bridge-group 0
!
interface vlan 1 306
enable
bridge-group 0
!
interface vlan 1 307
enable
bridge-group 0
!
interface vlan 1 308
enable
bridge-group 0
!
interface vlan 1 309
enable
bridge-group 0
!
interface vlan 1 310
enable
bridge-group 0
!
interface vlan 1 311
enable
bridge-group 0
!
interface vlan 1 312
enable
bridge-group 0
!
interface vlan 1 325
enable
bridge-group 0
!
interface vlan 1 326
enable
bridge-group 0
!
interface vlan 1 327
enable
bridge-group 0
!
interface vlan 1 328
enable
bridge-group 0
!
interface vlan 1 329
enable
bridge-group 0
!
interface vlan 1 330
enable
bridge-group 0
!
interface vlan 1 331
enable
bridge-group 0
!
interface vlan 1 332
enable
bridge-group 0
!
interface vlan 1 333
enable
bridge-group 0
!
interface vlan 1 334
enable
bridge-group 0
!
interface vlan 1 401
enable
bridge-group 0
!
interface vlan 1 402
enable
bridge-group 0
!
interface vlan 1 403
enable
bridge-group 0
!
interface vlan 1 404
enable
bridge-group 0
!
interface vlan 1 405
enable
bridge-group 0
!
interface vlan 1 406
enable
bridge-group 0
!
interface vlan 1 407
enable
bridge-group 0
!
interface vlan 1 408
enable
bridge-group 0
!
interface vlan 1 409
enable
bridge-group 0
!
interface vlan 1 410
enable
bridge-group 0
!
interface vlan 1 411
enable
bridge-group 0
!
interface vlan 1 412
enable
bridge-group 0
!
interface vlan 1 413
enable
bridge-group 0
!
interface vlan 1 414
enable
bridge-group 0
!
interface bridge 0
enable
stp off
ip address 10.72.0.1/21
!
interface loopback
enable
ip address 2.1.2.1/32
!
ip name-server 8.8.8.8 8.8.4.4
ip host macc.ransnet.com 2.1.2.1 rewrite
ip host mysqldb 127.0.0.1
ip host splash.ransnet.com 2.1.2.1 rewrite
!
ip ntp-server 203.211.159.1 62.201.225.9
!
firewall-input 99 permit all tcp dport 22
!
firewall-access 10 permit outbound eth0
!
firewall-snat 10 overload outbound eth0
!
security radius-server
client 127.0.0.1 key testing123 name LOCALHOST
data-lifetime 30
start
!
security hotspot br0
client-bandwidth 3000000 3000000
client-timeout 1800
client-sticky last 7
bypass-domain list
dn akamaihd.net
dn facebook.com
dn facebook.net
dn fbcdn.net
hotspot-portal http://splash.ransnet.com/pid/xxxhotel/login.php
start
!