Sometimes we overthink problems. It’s what we do in IT. We’re provided a problem statement and our mind starts racing to solve it. One of the common ways that I do that is by running through the mechanics of how I would implement the solution. Given how much time I’ve spent solving problems, I often wonder if my solutions to those issues are overly complicated.
Take guest wireless access, for example. How do we configure it to be totally separated from traffic on the internal network? Given the crazy regulations that we need to deal with in enterprise IT, such as PCI-DSS or HIPAA, we tend to go to the most complete solution first. But what happens if you’re trying to apply enterprise solutions to consumer gear? Like an Apple Airport, for example.
Thankfully, I don’t have to wonder about this any longer. Long-time wireless expert Joel Crane took some time to do a packet capture on a pair of Apple Airports to find out how they segment their guest wireless traffic from the other traffic. I know that I would use VLANs to do that in the enterprise. But can you even configure a VLAN on a consumer Apple device?
Joel has lots of PCAP screenshots and some fun little tidbits about the process:
I created a unique guest SSID on the second AirPort Extreme to ensure my client would associate to the right one. Next, I started a PCAP in Wireshark on the correct interface, and then I finally ran a throughput test from the client device, just to generate some traffic. After seeing a few TCP frames from the client fly by, I stopped the PCAP to investigate.
In the packet, we can see the Destination, Source, and Type, which is 802.1Q Virtual LAN. The ID is 1003, indicating that this Ethernet frame is tagged for VLAN 1003.
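The fields Joel describes can be pulled out of a raw Ethernet frame in a few lines. The following is an added example, not code from Joel's post or from this article: it decodes the 802.1Q tag (and stacked tags, which goes slightly beyond the single-tag case above). The MAC addresses and payload bytes are constructed sample data; only the VLAN ID 1003 comes from the capture described.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q VLAN tag
TPID_8021AD = 0x88A8  # outer tag type used when tags are stacked (QinQ)


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Return Destination, Source, the VLAN tag stack and the inner EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, tags = 12, []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        # Tag Control Information: 3-bit priority, 1-bit DEI, 12-bit VLAN ID
        tci, inner = struct.unpack_from("!HH", frame, offset + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
        ethertype = inner
    return {"dst": mac(frame[0:6]), "src": mac(frame[6:12]),
            "vlans": tags, "ethertype": ethertype,
            "payload": frame[offset + 2:]}


def is_on_vlan(frame: bytes, vid: int) -> bool:
    """True only if the outermost tag carries the expected VLAN ID."""
    tags = parse_ethernet(frame)["vlans"]
    return bool(tags) and tags[0]["vid"] == vid


# Constructed sample frames (locally administered MACs, stub IPv4 payload).
HEADER = bytes.fromhex("020000000001" "020000000002")
GUEST_FRAME = HEADER + bytes.fromhex("8100" "03eb" "0800") + b"\x45\x00"
UNTAGGED_FRAME = HEADER + bytes.fromhex("0800") + b"\x45\x00"

if __name__ == "__main__":
    for name, frame in (("guest", GUEST_FRAME), ("untagged", UNTAGGED_FRAME)):
        info = parse_ethernet(frame)
        vids = [t["vid"] for t in info["vlans"]]
        print(f"{name}: {info['src']} -> {info['dst']} vlans={vids} "
              f"type=0x{info['ethertype']:04x}")
```

A frame that arrives untagged, or tagged with a different ID, fails `is_on_vlan(frame, 1003)`, which is the check to run on a capture when confirming guest traffic stays on its own segment.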
Read more of Joel’s analysis here: Does the Apple Airport Extreme use VLANs?