Divide the Network and Ensure BYOD Security with Omada SDN Solution

Introduction

Nowadays, an increasing number of companies allow or even encourage their employees to work with personal mobile devices. The BYOD (Bring Your Own Device) trend will undoubtedly bring vitality back to the business world. However, it is not an easy job for staff to take full advantage of BYOD convenience without compromising security standards. The threat to network security increases as staff move their devices around the office, and this is particularly the case for large companies with multiple departments. Omada SDN Solution deals with these problems by leveraging Multi-SSID features and flexible ACL policies.

To learn more about Omada SDN Solution, see https://www.tp-link.com/en/omada-sdn/

Application Scenario

Let’s take an example to explain this in detail. A company has two departments in a building: R&D and Marketing. Each department is assigned an individual subnet and VLAN. The R&D department is in VLAN 10 and the 172.31.10.0/24 subnet. The Marketing department is in VLAN 20 and the 172.31.20.0/24 subnet. In this scenario, staff can bring their personal wireless devices to work and connect to their own department’s network, but not to the other department’s network, for security purposes.

A whole set of products from the Omada SDN solution (such as the router ER605, the switch TL-SG3428MP, and the access points EAP610) can be used to build the network. All the devices are configured and monitored on a central platform, the Omada Controller OC300. You can access and manage the OC300 using its web UI on your computer.

Here are the steps for dividing the network and ensuring BYOD security using the web UI of OC300.

Step 1. Set up a WAN

Step 2. Set up a LAN and VLANs

Step 3. Set up Wi-Fi

Step 4. Set up an ACL

Step 1. Set up a WAN

We are going to set up a WAN connection for the router, which is the internet connection.

1. Go to Settings > Wired Networks > Internet. Select the connection type and configure the parameters according to your ISP. Click Apply to finalize the settings. If you get a dynamic IP from your ISP, you should select Dynamic IP.

If you get a static IP from your ISP, you should select Static IP and enter the IP address, subnet mask, default gateway, and DNS server provided by the ISP.

Step 2. Set up a LAN and VLANs

First, check the default LAN settings.

1. Go to Settings > Wired Networks > LAN. There you can see the default LAN settings.

2. Click the edit icon next to the LAN entry. The parameters for the LAN are shown in the following table. You can keep the default settings for the LAN (VLAN 1).

Parameter        Value
Name             LAN
Purpose          Interface
Interface        All the ports
VLAN             1
Gateway/Subnet   192.168.0.1/24
DHCP Server      Enable
DHCP Range       192.168.0.1 - 192.168.0.254

Divide the local network into two more VLANs and IP segments for different departments.

3. To create VLAN 10, click + Create New LAN. Configure the parameters in the following table. Click Save.

Parameter        Value
Name             R&D
Purpose          Interface
Interface        All the ports
VLAN             10
Gateway/Subnet   172.31.10.1/24
DHCP Server      Enable
DHCP Range       172.31.10.1 - 172.31.10.254

4. To create VLAN 20, click + Create New LAN. Configure the parameters in the following table. Click Save.

Parameter        Value
Name             Marketing
Purpose          Interface
Interface        All the ports
VLAN             20
Gateway/Subnet   172.31.20.1/24
DHCP Server      Enable
DHCP Range       172.31.20.1 - 172.31.20.254

To make the VLANs take effect, you need to set up port profiles for the VLANs and then apply them to the switch ports accordingly. The port profiles you need are shown in the following figure.

5. Go to Profile. The controller has automatically created all the profiles you need according to your VLAN setup, including All, LAN, R&D, and Marketing.

You need to apply the port profiles to the ports according to the following table.

6. Go to Switch Settings. The switch appears on the list. Click the edit icon next to it. For example, if you want to apply the R&D profile to Port 4 and Port 6, select the two ports on the port list and click Edit Selected. Then set R&D as the profile and click Apply. With this method, you can apply the profiles to the other switch ports.

Step 3. Set up Wi-Fi

In this example, you need to create multiple SSIDs for the different departments in different VLANs, namely R&D Staff in VLAN 10 and Marketing Staff in VLAN 20. The Wi-Fi for each department is applied to all the EAPs and covers the whole office by default. Therefore, you need to distribute a different SSID and password to the staff of each department so that they connect to the relevant VLAN.

1. To create an SSID for R&D Staff in VLAN 10, go to Wireless Networks and click + Create New Wireless Network. Configure the parameters in the following table. Click Save.

Parameter             Value
Network Name (SSID)   R&D Staff
Band                  2.4GHz, 5GHz
Security              WPA-Personal
Security Key          Customize the password for the wireless network.
SSID Broadcast        Enable
VLAN                  Enable VLAN and set the VLAN ID as 10.

2. To create an SSID for Marketing Staff in VLAN 20, go to Wireless Networks and click + Create New Wireless Network. Configure the parameters in the following table. Click Save.

Parameter             Value
Network Name (SSID)   Marketing Staff
Band                  2.4GHz, 5GHz
Security              WPA-Personal
Security Key          Customize the password for the wireless network.
SSID Broadcast        Enable
VLAN                  Enable VLAN and set the VLAN ID as 20.

3. By default, the Wi-Fi settings are applied to all the EAPs. To check this, go to Devices and select the EAP. Then go to the Config tab and click WLAN. You can confirm that the Wi-Fi settings are applied to the EAP.

Step 4. Set up an ACL

You need to create an ACL rule to segregate the VLANs (and therefore the departments) from each other. Otherwise, clients in different VLANs will still be able to reach each other, because the router forwards traffic between the VLAN interfaces by default.

Go to Network Security > Switch ACL and click + Create New Rule. Configure the parameters in the following table. Click Apply.

Parameter        Value
Name             R&D and Marketing
Status           Enable
Policy           Deny
Protocols        All
Bi-Directional   Enable
Source           Select Network as the type and choose R&D as the source.
Destination      Select Network as the type and choose Marketing as the destination.
Binding Type     Ports
Ports            All Ports
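The following script is an added example and not Omada code: it models the single Switch ACL rule configured above (Source network R&D, Destination network Marketing, all protocols, Bi-Directional enabled) and evaluates it against constructed sample flows in the subnets from Step 2. It shows what the rule blocks, what it still permits (traffic within a VLAN, traffic to the Internet, and traffic to the default LAN in VLAN 1), and why the Bi-Directional setting matters. The evaluation order (first matching rule wins, and a flow no rule matches is forwarded) is an assumption made for this model; the public address 203.0.113.10 is a documentation address standing in for an Internet host.

```python
"""Model of the Step 4 switch ACL rule, evaluated against sample flows.

Added example, not Omada code. Assumptions: rules are evaluated in order,
the first match decides, and a flow that matches no rule is permitted
(a stateless ACL, like a switch ACL).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address

# Subnets exactly as configured in Step 2 of the article.
NETWORKS = {
    "LAN": IPv4Network("192.168.0.0/24"),
    "R&D": IPv4Network("172.31.10.0/24"),
    "Marketing": IPv4Network("172.31.20.0/24"),
}


@dataclass(frozen=True)
class AclRule:
    """One row of the Switch ACL table, using the article's parameter names."""
    name: str
    policy: str            # "Deny" or "Permit"
    protocols: str         # "All" or one protocol name such as "TCP"
    source: str            # a key of NETWORKS (Source type "Network")
    destination: str       # a key of NETWORKS (Destination type "Network")
    bidirectional: bool    # the "Bi-Directional" setting
    status: str = "Enable"

    def matches(self, src_ip: str, dst_ip: str, protocol: str) -> bool:
        """True if this rule applies to the flow, honouring Status, Protocols and Bi-Directional."""
        if self.status != "Enable":
            return False
        if self.protocols != "All" and self.protocols != protocol:
            return False
        src, dst = ip_address(src_ip), ip_address(dst_ip)
        forward = src in NETWORKS[self.source] and dst in NETWORKS[self.destination]
        reverse = src in NETWORKS[self.destination] and dst in NETWORKS[self.source]
        return forward or (self.bidirectional and reverse)


# The rule from the Step 4 table.
ARTICLE_RULES = (
    AclRule("R&D and Marketing", "Deny", "All", "R&D", "Marketing", bidirectional=True),
)


def evaluate(src_ip: str, dst_ip: str, protocol: str = "TCP", rules=ARTICLE_RULES) -> str:
    """Policy applied to a flow: first matching rule wins, otherwise the flow is permitted."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, protocol):
            return rule.policy
    return "Permit"


# Constructed sample flows; 203.0.113.10 is a documentation address standing in for an Internet host.
SAMPLE_FLOWS = {
    "R&D -> Marketing": ("172.31.10.50", "172.31.20.50"),
    "Marketing -> R&D": ("172.31.20.50", "172.31.10.50"),
    "R&D -> R&D": ("172.31.10.50", "172.31.10.51"),
    "R&D -> Internet": ("172.31.10.50", "203.0.113.10"),
    "Marketing -> Internet": ("172.31.20.50", "203.0.113.10"),
    "R&D -> LAN (VLAN 1)": ("172.31.10.50", "192.168.0.20"),
}


def segmentation_report(rules=ARTICLE_RULES) -> dict:
    """Policy for every sample flow under the given rule set."""
    return {name: evaluate(src, dst, rules=rules) for name, (src, dst) in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    print("Without the ACL (the state the article warns about):")
    for flow, verdict in segmentation_report(rules=()).items():
        print(f"  {flow:24} {verdict}")
    print("With the Step 4 rule:")
    for flow, verdict in segmentation_report().items():
        print(f"  {flow:24} {verdict}")
    one_way = (AclRule("R&D and Marketing", "Deny", "All", "R&D", "Marketing", bidirectional=False),)
    print("With Bi-Directional disabled, Marketing -> R&D is",
          evaluate("172.31.20.50", "172.31.10.50", rules=one_way))
```

Two things the report makes visible: with Bi-Directional disabled, only R&D-initiated traffic toward Marketing is dropped while Marketing can still reach R&D, which is why the article enables it; and the rule says nothing about the default LAN (VLAN 1), so hosts there remain reachable from both departments and need their own rule if that is not intended.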


Finally, the setup is complete, and all the network requirements are met:

1) There are wired and wireless networks for each department.

2) The local network is divided into different departments (VLANs). Each department operates independently of the other, but both departments can access the Internet.

3) BYOD security is guaranteed. Wi-Fi for each department is applied to all the EAPs and covers the whole office. However, we’ll distribute a different SSID and password to the staff of each department so that they connect to the corresponding VLAN.


Comment

This is an awesome article. I have learned a lot of knowledge about Network and Ensure BYOD Security with Omada SDN Solution by reading this post. Thanks to the author of this post. Keep up the good work.