Educause Security Discussion mailing list archives

Re: Public Use VLAN (x-posted to netman listserv)


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Wed, 3 Oct 2012 09:26:15 -0400

On 10/2/2012 11:49 PM, Aaron Hockett wrote:
Jeff,

Good read.  How are you handling DHCP on what I'm assuming is your core firewall that keeps the public away from the
private?  We're facing a similar push and I'm looking at moving all resnet and wireless to a "public" vlan that just
dumps it to the net with public DNS (Google or CenturyLink) but I'm looking for suggestions on how to handle DHCP
off a single public IP via NAT.

We are also an Aruba shop (to follow-on to Bruce Osborne's reply) so all of the wireless
users' traffic comes back to the controllers, but the traffic is routed by an attached
router that terminates each of the user "roles" (vlans).  The "guest" role consists of a
couple of vlans (to differentiate what sort of guest, we have slightly different
policies) in a guest VRF.  We also have some wired guest vlans in the same VRF and can
offer the same limited/restricted access over wired and wireless (wired being popular
with media folks at sporting events).  The guest VRF is basically just a default route
to our border, and DHCP hands out our external name servers (rather than internal) so
you get only the public services we offer to anyone else on the internet.

As for DHCP, you're going to have to hand out some RFC1918 network to the guests; the
NAT will be handled by your router and/or firewall.  If you "truly" terminate the guests
outside your firewall, you're going to have to find another way to handle NAT.  Ours are
physically inside our firewall, but the traffic is "escorted to the door" (outside
access) as soon as it lands, and NAT occurs on the way out.

Jeff
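An added configuration sketch (not Jeff's or Aruba's actual config) of the design described above in Cisco IOS syntax: a guest VRF whose only route is a default toward the border, a DHCP pool in that VRF handing out RFC1918 addresses and external resolvers, an inbound ACL that "escorts guests to the door" by denying RFC1918 and campus ranges, and PAT on the VRF's uplink. The addresses (10.200.0.0/23 for guests, 198.51.100.0/30 toward the border, 203.0.113.0/24 as the campus public range), VLAN and interface names are assumptions, and the placement of the vrf keyword on the NAT rule varies across IOS releases, so verify it on your platform.

```cisco
! Guest VRF: separate routing table whose only exit is the default route to the border
ip vrf GUEST
 description Guest/public users, no routes to campus networks
!
! Guest-facing VLAN interface (assumed: VLAN 300, 10.200.0.0/23)
interface Vlan300
 description Guest wireless and wired users
 ip vrf forwarding GUEST
 ip address 10.200.0.1 255.255.254.0
 ip access-group GUEST-IN in
 ip nat inside
!
! Uplink toward the border/firewall, also in the VRF (assumed addressing)
interface GigabitEthernet0/1
 description Guest uplink to border
 ip vrf forwarding GUEST
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
! The only route in the VRF: default toward the border next hop
ip route vrf GUEST 0.0.0.0 0.0.0.0 198.51.100.1
!
! DHCP pool in the VRF hands out RFC1918 addresses and external resolvers only
ip dhcp excluded-address 10.200.0.1 10.200.0.15
ip dhcp pool GUEST-POOL
 vrf GUEST
 network 10.200.0.0 255.255.254.0
 default-router 10.200.0.1
 dns-server 8.8.8.8 8.8.4.4
 lease 0 4
!
! "Escorted to the door": guests may talk DHCP to the gateway and reach the
! Internet, but nothing in RFC1918 space or the (assumed) campus public range
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 203.0.113.0 0.0.0.255
 permit ip any any
!
! PAT the whole guest range behind the uplink address on the way out
ip access-list standard GUEST-NAT
 permit 10.200.0.0 0.0.1.255
ip nat inside source list GUEST-NAT interface GigabitEthernet0/1 vrf GUEST overload
```

If the guests really terminate outside the firewall, the NAT rule moves to whatever device owns the public address there, and the ACL stays on the guest VLAN interface.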

