
Re: HPE M220 AP - QOS or bandwidth limits per SSID

 
SOLVED
jwhiteker
Occasional Contributor

HPE M220 AP - QOS or bandwidth limits per SSID

Trying to set up some sort of preferred network for staff vs. guest wifi.  I have an MSR20-10 enterprise router and 3 of these M220 APs clustered.  I'm running two SSIDs on a single VLAN.  I need one of the SSIDs to have preferred throughput vs guest wifi connections.  Should I do this at the router with setting up an additional VLAN?  I was hoping I could just set a bandwidth limit on the guest SSID at the AP like some other brands allow.  What is my best option here?

Emil_G
HPE Pro
Solution

Re: HPE M220 AP - QOS or bandwidth limits per SSID

Hello, 

M220 is an entry-level AP and misses a lot of the advanced bandwidth management and traffic prioritization features other models and brands have. I reviewed the documentation once again and couldn't find any option to achieve what you intend.

I can think of one workaround, however it is very specific and the implementation may not match your needs. The AP supports 802.11n as the highest WLAN standard with 2 spatial streams, this means 300Mbps as the highest data rate (real data throughput about half). The 802.11n standard has some requirements regarding the wireless security features. It can only be used with WPA2 with AES. If you enabled WPA with TKIP or WEP on a wireless community, 802.11n is disabled and the AP will support 802.11g or 802.11a only with the highest data rate of 54Mbps. This is mentioned in the manual:

https://internal.support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=c04483535

WPA with TKIP encryption. Note: If this version is selected and the chosen wireless mode supports 802.11n, then wireless clients that support 802.11n cannot connect at 802.11n transmission rates. They will be connected at legacy rates. If the chosen wireless mode is one of the 802.11n-only modes, then you cannot select this option alone (that is, WPA2 must also be selected)

So if you plan to implement preshared key authentication for both SSIDs, you can configure the radio mode as 802.11b/g/n or 802.11a/n, in the wireless community settings you can then specify different security methods and WPA versions for both SSIDs. The guest SSID can be using WPA-Personal with TKIP while the employee SSID WPA2-Personal with AES.

If you cannot implement wireless authentication for the guest SSID (for example you cannot distribute the password to guests) this restriction cannot be enforced and I cannot think of another way to do it on the AP.

Running employee and guest SSID on a single VLAN is not recommended because this opens the door for wireless peer-to-peer attacks, thus the untrusted guests are able to attack employees, distribute malware and viruses and so on. If you cannot change it then you need some additional security on the wired side which blocks the communication between stations in the same VLAN and allows it only to a gateway. It is better to have separate VLANs for both SSIDs, this can possibly also allow you to implement more granular QoS or bandwidth restriction on the wired side.

I am an HPE employee



jwhiteker
Occasional Contributor

Re: HPE M220 AP - QOS or bandwidth limits per SSID

Thank you so much Emil.  I believe this was a good workaround.  However, using WPA/TKIP only limits throughput to 54Mbps.  I need to limit it to about 5Mbps.  

So, I've decided to create another VLAN to achieve a more secure setup and to have a class B subnet to allow more guests to sign on.  I have completed the VLAN within the router and created the class B interface.  If I understand correctly, I need to go into the HPE switch and set up VLAN tagging for that specific LAN port as well?  

Also, I tried to get some preliminary work done at the AP level for the new subnet.  However, the M220 APs only have one Ethernet port.  So, I'm going to have to make it accept two VLANs on a single port.  I think this will work fine.  But, the GUI isn't very intuitive on the M220.  I'm having a hard time deciphering which settings to change.  I need the APs to stay on my original secure subnet in order to manage them, but I also need to assign an additional VLAN and subnet to each one as well so they can operate wireless on both SSIDs.   I have three APs that are clustered or in a community.  Any tips?

Emil_G
HPE Pro

Re: HPE M220 AP - QOS or bandwidth limits per SSID

Hello,

Yes, I agree this workaround is not very flexible.

If you have a switch between the AP and the router, you have to configure the VLANs to match between the AP and the switch on the one hand and also between the switch and the router on the other hand.

The AP M220 can support multiple VLANs on its single port. One VLAN is untagged (also called native VLAN or PVID on some switches) the rest of the VLANs are tagged.

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=c04483535

On page 75 you can find which options you have for the Ethernet configuration (Network -> IP -> Ethernet Configuration). You can specify the Management VLAN of the AP and the untagged VLAN. By default the management and the untagged VLAN is VLAN 1. You can change them or you can disable the untagged VLAN, which will make the AP send all the frames with a VLAN tag.

On page 34 you have all the options in the menu Wireless -> Communities. Here you can assign the VLAN to the SSID (specify the VLAN ID to which the AP is mapping the wireless traffic when it is forwarded to the LAN). You can specify different VLAN IDs for different communities (SSIDs). All the VLANs except the VLAN that you specified as untagged in (Network -> IP -> Ethernet Configuration) will be sent out with a VLAN tag. Or if you disabled the untagged VLAN, all the VLANs will be sent with a VLAN tag. The port of the switch has to be configured accordingly.

Assigning a subnet to an SSID is not done at the AP level. The AP is a Layer 2 device which has an IP address only for management access, no separate IP is assigned to every single SSID or VLAN. The IP subnet is assigned at the router.

I am an HPE employee

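The tagging rules in the reply above, together with the single-VLAN warning from the first reply, can be written as a small consistency check between the AP settings and the switch port. This is an added example, not part of the thread and not HPE tooling; the class names, the SSID names and VLAN 20 are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ApConfig:
    """Hypothetical model of the AP settings named in the reply."""
    management_vlan: int = 1
    untagged_vlan: Optional[int] = 1  # None = untagged VLAN disabled
    ssid_vlans: Dict[str, int] = field(default_factory=dict)

    def used(self) -> Set[int]:
        return set(self.ssid_vlans.values()) | {self.management_vlan}

    def tagged(self) -> Set[int]:
        # Everything except the untagged VLAN leaves the AP with a tag.
        return self.used() - {self.untagged_vlan}


@dataclass
class SwitchPort:
    untagged_vlan: Optional[int]
    tagged_vlans: Set[int]


def check_uplink(ap: ApConfig, port: SwitchPort, guest_ssids: Set[str]) -> List[str]:
    findings = []
    for vid in sorted(ap.tagged() - port.tagged_vlans):
        findings.append(f"VLAN {vid} is tagged by the AP but not on the switch port")
    if ap.untagged_vlan in ap.used() and ap.untagged_vlan != port.untagged_vlan:
        findings.append(f"untagged VLAN {ap.untagged_vlan} does not match the switch port")
    guest_vlans = {v for s, v in ap.ssid_vlans.items() if s in guest_ssids}
    for ssid, vid in sorted(ap.ssid_vlans.items()):
        if ssid not in guest_ssids and vid in guest_vlans:
            findings.append(f"SSID {ssid!r} shares VLAN {vid} with a guest SSID")
    if ap.management_vlan in guest_vlans:
        findings.append(f"management VLAN {ap.management_vlan} carries guest traffic")
    return findings


# Constructed sample values: SSID names and VLAN 20 are illustrative.
single_vlan = ApConfig(ssid_vlans={"staff": 1, "guest": 1})
split_vlans = ApConfig(ssid_vlans={"staff": 1, "guest": 20})
access_port = SwitchPort(untagged_vlan=1, tagged_vlans=set())
trunk_port = SwitchPort(untagged_vlan=1, tagged_vlans={20})

if __name__ == "__main__":
    for ap, port in [(single_vlan, access_port), (split_vlans, access_port),
                     (split_vlans, trunk_port)]:
        print(check_uplink(ap, port, {"guest"}) or "consistent")
```
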