Divide the Network and Ensure BYOD Security with Omada SDN Solution
Introduction
Nowadays, an increasing number of companies allow or even encourage their employees to work with personal mobile devices. The BYOD (Bring Your Own Device) trend will undoubtedly bring vitality back to the business world. However, it is not an easy job for staff to take full advantage of BYOD convenience without compromising safety standards. The threat to network security increases as staff move their devices around the office. It is particularly the case for large companies with multiple departments. Omada SDN Solution deals with these problems by leveraging Multi-SSID features and flexible ACL policies.
To learn more about Omada SDN Solution, see https://www.tp-link.com/en/omada-sdn/
Application Scenario
Let’s take an example to explain this in detail. A company has two departments in a building—R&D and Marketing. Each department is assigned an individual subnet and VLAN. The R&D department is in VLAN 10 and 172.31.10.0/24 subnet segment. The Marketing department is in VLAN 20 and 172.31.20.0/24 subnet segment. In this scenario, staff can bring their personal wireless devices to work and connect to their department network, but not the other department’s network for security purposes.
A whole set of products from the Omada SDN solution (such as the router ER605, the switch TL-SG3428MP, and the access points EAP610) can be used to build the network. All the devices are configured and monitored on a central platform— the Omada Controller OC300. You can access and manage the OC300 using its web UI on your computer.
Here are the steps for dividing the network and ensuring BYOD security using the web UI of OC300.
Step 1. Set up a WAN
Step 2. Set up a LAN and VLANs
Step 3. Set up Wi-Fi
Step 4. Set up an ACL
Step 1. Set up a WAN
We are going to set up a WAN connection for the router, which is the internet connection.
1. Go to Settings > Wired Networks > Internet. Select the connection type and configure the parameters according to your ISP. Click Apply to finalize the settings. If you get a dynamic IP from your ISP, you should select Dynamic IP.
If you get a static IP from your ISP, you should select Static IP and enter the IP address, subnet mask, default gateway, and DNS server provided by the ISP.
Step 2. Set up a LAN and VLANs
First, check the default LAN settings.
1. Go to Settings > Wired Networks > LAN. There you can see the default LAN settings.
2. Click . The parameters for LAN are shown in the following table. You can keep the default settings for LAN (VLAN 1).
Parameter |
Value |
Name |
LAN |
Purpose |
Interface |
Interface |
All the ports |
VLAN |
1 |
Gateway/Subnet |
192.168.0.1/24 |
DHCP Server |
Enable |
DHCP Range |
192.168.0.1 – 192.168.0.254 |
Divide the local network into two more VLANs and IP segments for different departments.
3. To create VLAN 10, click + Create New LAN. Configure the parameters in the following table. Click Save.
Parameter |
Value |
Name |
R&D |
Purpose |
Interface |
Interface |
All the ports |
VLAN |
10 |
Gateway/Subnet |
172.31.10.1/24 |
DHCP Server |
Enable |
DHCP Range |
172.31.10.1 - 172.31.10.254 |
3. To create VLAN 20, click + Create New LAN. Configure the parameters in the following table. Click Save.
Parameter |
Value |
Name |
Marketing |
Purpose |
Interface |
Interface |
All the ports |
VLAN |
20 |
Gateway/Subnet |
172.31.20.1/24 |
DHCP Server |
Enable |
DHCP Range |
172.31.20.1 - 172.31.20.254 |
To make the VLANs take effect, you need to set up port profiles about VLAN setup and then apply them to switch ports accordingly. The port profiles you need are shown in the following figure.
4. Go to Profile. The controller automatically created all the profiles you need according to your VLAN setup, including All, LAN, R&D, and Marketing.
You need to apply the port profiles to the ports according to the following table.
5. Go to Switch Settings. There is the switch on the list. Click . For example, if you want to apply the R&D profile to Port 4 and Port 6, select the two ports on the port list and click Edit Selected. Then set R&D as the profile and click Apply. With this method, you can apply the profiles to other switch ports.
Step 3. Set up Wi-Fi
In this example, you need to create multi-SSIDs for different departments in different VLANs, namely R&D Staff in VLAN 10, and Marketing Staff in VLAN 20. The Wi-Fi for each department is applied to all the EAPs and covers the whole office by default. However, you need to distribute different sets of SSIDs and passwords to the staff in each department to connect to the relevant VLAN.
1. To create an SSID for R&D Staff in VLAN 10, go to Wireless Networks and click + Create New Wireless Network. Configure the parameters in the following table. Click Save.
Parameter |
Value |
Network Name (SSID) |
R&D Staff |
Band |
2.4GHz, 5GHz |
Security |
WPA-Personal |
Security Key |
Customize the password for the wireless network. |
SSID Broadcast |
Enable |
VLAN |
Enable VLAN and set the VLAN ID as 10. |
2. To create SSID for Marketing Staff in VLAN 20, go to Wireless Networks and click + Create New Wireless Network. Configure the parameters in the following table. Click Save.
Parameter |
Value |
Network Name (SSID) |
Marketing Staff |
Band |
2.4GHz, 5GHz |
Security |
WPA-Personal |
Security Key |
Customize the password for the wireless network. |
SSID Broadcast |
Enable |
VLAN |
Enable VLAN and set the VLAN ID as 20. |
3. By default, the Wi-Fi settings are applied to all the EAPs. To check this, go to Devices and select the EAP. Then go to the Config tab, and click WLAN. You can confirm that the Wi-Fi settings are applied to the EAP.
Step 4. Set up an ACL
You need to create an ACL rule to segregate VLANs (also departments) from each other. Otherwise, clients in different VLANs will still be able to access each other through the VLAN interfaces.
Go to Network Security > Switch ACL and click + Create New Rule. Configure the parameters in the following table. Click Apply.
Parameter |
Value |
Name |
R&D and Marketing |
Status |
Enable |
Policy |
Deny |
Protocols |
All |
Bi-Directional |
Enable |
Source |
Select Network as the type and choose R&D as the source. |
Destination |
Select Network as the type and choose Marketing as the destination. |
Binding Type |
Ports |
Ports |
All Ports |
Finally, you’ve completed the setup, and all the network requirements are met:
1) There are wired and wireless networks for each department.
2) The local network is divided into different departments (VLANs). Each department operates independently of the other, but both departments can access the Internet.
3) BYOD security is guaranteed. Wi-Fi for each department is applied to all the EAPs and covers the whole office. However, we’ll distribute different sets of SSIDs and passwords to the staff in each department to connect to the corresponding VLAN.