Setup Airport Express on a Separate Network

[BNg]

The company I work for recently purchased an airport express. They want the network from the Airport Express separate from the internal LAN network. Basically, none of the networks should have access to each other and the Airport Express should be a different subnet than the LAN.

I set the configuration to Bridge Mode in the Airport Utility to bypass the DHCP and made sure I updated the settings. However when I do an ipconfig, I still notice the wireless network is in the same subnet as our LAN.

What's the best way to go about this? Is this even possible with the Airport Express?

Thanks

BNg

 

[Solaris17]

I dont know the airport express well enough. but you might want to look into VLANS and simply putting the APE on its own VLAN to keep it segregated.

 

[BNg]

Yeah, that's what I was thinking. We have cisco 2960 poe switches so I think they have this capability. The thing now is finding the correct way to configure the firewall, router, and switches for this separate network.

 

[Solaris17]

Yeah, that's what I was thinking. We have cisco 2960 poe switches so I think they have this capability. The thing now is finding the correct way to configure the firewall, router, and switches for this separate network.

That unfortunately I cant quite help with. I dont run a Cisco shop I am not familiar with the syntax.

 

[BNg]

No worries. Thanks anyways.

 

[brandonwh64]

You will need just to setup a vlan on the cisco and trunk it through your core network. Also does this network need access to the internet? If so you will need to go to your core router and setup a separate interface that will handle the NAT for that subnet.

Example

(Linux router config)

WAN interface (Internet)
LAN1 interface (subnet one) 192.168.1.1/24 (254 usable addresses) (192.168.1.1 being the default gateway to this subnet)
LAN2 interface (subnet two) 192.168.2.1/24 (254 usable addresses) (192.168.2.1 being the default gateway to this subnet)


(sample Switch config)

vlan 5 is LAN1
vlan 4 is LAN2
port 24 on the switch is the uplink to the rest of the network

Cisco# configure
Cisco# vlan database
Cisco# vlan 5
Cisco# vlan 4
Cisco# exit
Cisco# interface gigabitethernet 1
Cisco# switchport mode access
Cisco# switchport access vlan 5
Cisco# exit
Cisco# interface gigabitethernet 2
Cisco# switchport mode access
Cisco# switchport access vlan 4
Cisco# exit
Cisco# interface gigabitethernet 24
Cisco# switchport mode trunk
Cisco# switchport trunk allowed vlan add 4,5 tagged
Cisco# exit
Cisco# exit
Cisco# copy running config startup config
Cisco#

now this is just a simple sample config. below is a sample config off of a cisco SG300 we have for testing

config-file-header
v1.4.5.02 / R800_NIK_1_4_194_194
CLI v1.0
set system mode switch

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
no spanning-tree
vlan database
vlan 4-5
exit
hostname test
username admin password encrypted test privilege 15
ip ssh server
ip http secure-server
clock timezone " " 0 minutes 0
ip telnet server
!
interface vlan 5
ip address 10.10.10.1 255.255.0.0
!
interface gigabitethernet1
switchport mode access
switchport access vlan 4
!
interface gigabitethernet3
switchport mode access
switchport access vlan 5
!
interface gigabitethernet5
switchport mode access
switchport access vlan 4
!
interface gigabitethernet7
switchport mode access
switchport access vlan 4
!
interface gigabitethernet12
switchport mode access
switchport access vlan 5
!
interface gigabitethernet13
switchport mode access
switchport access vlan 4
!
interface gigabitethernet14
switchport mode access
switchport access vlan 16
!
interface gigabitethernet17
switchport mode access
switchport access vlan 4
!
interface gigabitethernet28
switchport trunk allowed vlan add 4-5
!
exit
ip default-gateway 10.10.253.253

 

[Solaris17]

network engineering to the max

well done!

 

[BNg]

You will need just to setup a vlan on the cisco and trunk it through your core network. Also does this network need access to the internet? If so you will need to go to your core router and setup a separate interface that will handle the NAT for that subnet.

Example

(Linux router config)

WAN interface (Internet)
LAN1 interface (subnet one) 192.168.1.1/24 (254 usable addresses) (192.168.1.1 being the default gateway to this subnet)
LAN2 interface (subnet two) 192.168.2.1/24 (254 usable addresses) (192.168.2.1 being the default gateway to this subnet)


(sample Switch config)

vlan 5 is LAN1
vlan 4 is LAN2
port 24 on the switch is the uplink to the rest of the network

Cisco# configure
Cisco# vlan database
Cisco# vlan 5
Cisco# vlan 4
Cisco# exit
Cisco# interface gigabitethernet 1
Cisco# switchport mode access
Cisco# switchport access vlan 5
Cisco# exit
Cisco# interface gigabitethernet 2
Cisco# switchport mode access
Cisco# switchport access vlan 4
Cisco# exit
Cisco# interface gigabitethernet 24
Cisco# switchport mode trunk
Cisco# switchport trunk allowed vlan add 4,5 tagged
Cisco# exit
Cisco# exit
Cisco# copy running config startup config
Cisco#

now this is just a simple sample config. below is a sample config off of a cisco SG300 we have for testing

config-file-header
v1.4.5.02 / R800_NIK_1_4_194_194
CLI v1.0
set system mode switch

file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
no spanning-tree
vlan database
vlan 4-5
exit
hostname test
username admin password encrypted test privilege 15
ip ssh server
ip http secure-server
clock timezone " " 0 minutes 0
ip telnet server
!
interface vlan 5
ip address 10.10.10.1 255.255.0.0
!
interface gigabitethernet1
switchport mode access
switchport access vlan 4
!
interface gigabitethernet3
switchport mode access
switchport access vlan 5
!
interface gigabitethernet5
switchport mode access
switchport access vlan 4
!
interface gigabitethernet7
switchport mode access
switchport access vlan 4
!
interface gigabitethernet12
switchport mode access
switchport access vlan 5
!
interface gigabitethernet13
switchport mode access
switchport access vlan 4
!
interface gigabitethernet14
switchport mode access
switchport access vlan 16
!
interface gigabitethernet17
switchport mode access
switchport access vlan 4
!
interface gigabitethernet28
switchport trunk allowed vlan add 4-5
!
exit
ip default-gateway 10.10.253.253

Yes, the separate network will need access to the internet and also the company printer. What's happening is we're renting out the space to some recruits and we don't want them accessing the employee network, only the company printer. We currently don't have any VLANs in place. We want to take the main internal network (which is through Cogent) and create a VLAN. Our current setup is as follows: we're getting internet from the Cogent broadband modem and then distributing it around the office via a Cisco Meraki MR8 and a Cisco Aironet 1130ag. We're utilizing some Cisco Injectors, some Cisco 2960 PoE switches and some Cisco SLM 2008 switches behind a dell SonicWall firewall. We also have a guest network from a separate internet service provider distributing internet via 3 other Cisco Aironets 1130ag around the office. However, this network is too slow to create a VLAN with (5mb/s down, 700kb/s up). If I connect the Airport Express to the Cisco 2960 PoE switch and configure the trunks, would this do the job? I appreciate your help. I want to make sure I'm understanding the process correctly. I'm a noob and I'm still learning all of this.