Guest network design question

Unanswered Question
Mar 22nd, 2007

I am in the process of designing a guest wireless network for one of our remote offices that would give our guests full access to the Internet. The remote office ONLY has a single MPLS link to our corporate office. Internet access has to come in/out of our corporate office. We currently use Cisco Aironet 1230AG series access points.

Guests should only have access to the Internet but not to any of our internal resources. Can anyone give me any suggestions on how to separate the guest traffic from our internal traffic?

fmeetz Thu, 03/29/2007 - 06:45

Configure guest users in a separate WLAN and use a separate VLAN for the guest users.

bsomogyi Thu, 03/29/2007 - 11:31

You should look into using a combination of GRE/IPIP tunnels and policy-based routing. By having a policy forcing all traffic from the wireless VLAN into a tunnel which terminates in the head office but only allows for Internet access, you should be able to keep a layer-two separation between the guests and your internal resources. We were able to successfully use this approach when deploying CCA with centralized Clean Access servers (small remote office authorization VLANs forced through GRE to the data center and then through the CCA server).

dd99onedd Fri, 03/30/2007 - 07:28

I was thinking about using GRE tunnels too, since a GRE tunnel is a point-to-point link. We have 2 MPLS routers in the head office and 2 routers in the remote office. Traffic is load balanced between the 2 routers in each office. How do I configure GRE in this scenario?

bsomogyi Fri, 03/30/2007 - 08:03

What routing protocols are you using? Is the volume of traffic coming from the guest network significant enough that you would be concerned about load balancing it as well, or would simple redundancy be enough for the guest traffic (i.e., guest VLAN traffic traverses one link and fails over to the second link if the first becomes unavailable)?

If simple failover is sufficient, you could configure two GRE tunnels, one between each of the two sets of remote and head-end routers, each with keepalives enabled (which will track the usability of the tunnel). Have the PBR specify two next hops, one for the first tunnel and the second for the other tunnel. The traffic will use the first tunnel unless it becomes unavailable (because the underlying transport, i.e. the WAN link, fails), in which case it will begin to use the second tunnel.

If you need to load balance the traffic, because of the need for policy-based routing it would be difficult to load balance using equal-cost routing, and I think you would be better off attempting to load balance the GRE traffic itself. In this scenario, again, only one tunnel would be used at a time, but the GRE packets themselves would be load balanced to the other side. If you take this approach I would suggest configuring the tunnels anchored to loopback addresses on the four routers.
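The two-tunnel failover design described in the reply above, written out as an added IOS configuration example (this is not configuration from the original thread or from the poster). Everything in it is an assumption: the addresses, the interface names, guest VLAN 200 with subnet 192.168.200.0/24, and a simplification in which one remote router carries both tunnels, anchored on a loopback that is reachable over either MPLS link. The remote side policy-routes the guest VLAN into Tunnel0, moves to Tunnel1 when keepalives take Tunnel0 down, and drops guest traffic (Null0) rather than letting it fall back onto the normal routing table if both tunnels are down; the head end drops anything arriving from the tunnel that is destined for internal address space and policy-routes the rest straight to the Internet edge.

```cisco
! Added example, not from the original thread. All addresses and names are hypothetical.

! ===== Remote office router =====
interface Loopback0
 ip address 10.255.1.1 255.255.255.255

interface Tunnel0
 description Guest GRE to head-end router A (primary)
 ip address 172.31.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.255.0.1
! 3 missed keepalives at 10 s brings line protocol down and withdraws the connected /30
 keepalive 10 3
! GRE adds 24 bytes of overhead; clamp MSS so TCP sessions do not fragment
 ip tcp adjust-mss 1360

interface Tunnel1
 description Guest GRE to head-end router B (standby)
 ip address 172.31.0.5 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.255.0.2
 keepalive 10 3
 ip tcp adjust-mss 1360

ip access-list extended GUEST-SOURCES
 permit ip 192.168.200.0 0.0.0.255 any

! First reachable next hop wins; when Tunnel0 is down its /30 is gone and 172.31.0.6 is used.
! If neither next hop is reachable, "set interface Null0" drops the traffic (fail closed)
! instead of letting it leak onto the corporate routing table.
route-map GUEST-TO-HQ permit 10
 match ip address GUEST-SOURCES
 set ip next-hop 172.31.0.2 172.31.0.6
 set interface Null0

interface Vlan200
 description Guest wireless VLAN; all guest traffic enters here
 ip address 192.168.200.1 255.255.255.0
 ip policy route-map GUEST-TO-HQ

! ===== Head-end router A (router B mirrors this with Tunnel1 and 172.31.0.6) =====
interface Loopback0
 ip address 10.255.0.1 255.255.255.255

! Only guest sources may enter, and never toward internal (assumed RFC 1918) space.
! Guests therefore need a public DNS resolver; an internal resolver falls in the denied ranges.
ip access-list extended GUEST-INTERNET-ONLY
 remark Assumed: corporate networks live in RFC 1918 space
 deny   ip 192.168.200.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.200.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.200.0 0.0.0.255 any
 deny   ip any any

! 198.51.100.1 is the assumed firewall / Internet edge; drop if it is unreachable.
route-map GUEST-TO-INTERNET permit 10
 set ip next-hop 198.51.100.1
 set interface Null0

interface Tunnel0
 description Guest GRE from remote office (primary)
 ip address 172.31.0.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.255.1.1
 keepalive 10 3
 ip access-group GUEST-INTERNET-ONLY in
 ip policy route-map GUEST-TO-INTERNET

! Return path: the Internet edge must route 192.168.200.0/24 back to this router,
! which sends it into the tunnel. Router B carries the same route via Tunnel1.
ip route 192.168.200.0 255.255.255.0 Tunnel0
```

Two checks worth doing after bringing this up: `show interfaces Tunnel0` should go to line protocol down within about 30 seconds of the primary MPLS link failing, and `show route-map GUEST-TO-HQ` should show the policy-routed packet counter increasing while a guest client's traceroute to an Internet address shows the tunnel hop and never a corporate hop.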

dd99onedd Fri, 03/30/2007 - 08:25

There will not be that much guest traffic, and I can set up the guest VLAN for redundancy only. I think creating two GRE tunnels with PBR will work.

Thanks for everyone's input on this issue.

wiluszm Thu, 03/29/2007 - 12:11

I'm currently doing a blog series on this exact scenario using a WLAN controller and Unified Wireless. Check it out at


jahnathan1 Fri, 03/30/2007 - 01:21

As previously mentioned, create a separate VLAN for the wireless network traffic. You should also implement security on your network, such as WPA2 encryption, together with a registration sheet for a network policy confirmation, i.e. a conditions-of-use disclaimer that can protect your company in the event that a user does something that has legal consequences, e.g. illegal music downloads, etc.

I hope this helps and gives you some ideas.

If the AP is specifically being used for guest access, put an ACL on that switch port only allowing traffic out to the internet.

If the AP is shared between guest and employees, create an SSID for the guest network and apply the ACL to the SSID. I have not done this personally, but I'm fairly sure you can apply an ACL to an SSID.
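Putting the two suggestions in this thread together (a separate SSID mapped to its own VLAN on the AP, then an ACL that lets that VLAN reach only the Internet), here is an added configuration example that is not from the original posts. The VLAN numbers, the passphrase, the port numbers, the 192.168.200.0/24 guest subnet and the choice of a Catalyst SVI as the guest gateway are all assumptions. The AP side is Aironet IOS syntax for an 1230AG with two SSIDs on one radio (the corporate SSID on VLAN 10 with WPA2, the guest SSID open on VLAN 200); the switch side filters the guest VLAN at its layer-3 gateway, with a port-ACL variant for an AP dedicated to guests.

```cisco
! Added example, not from the original thread. VLANs, keys and addresses are hypothetical.

! ===== Aironet 1230AG (IOS): one radio, two SSIDs, two VLANs =====
dot11 ssid Corp
 vlan 10
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii ChangeMeToAStrongPassphrase

dot11 ssid Guest
 vlan 200
 authentication open
! beacon this SSID alongside Corp (multiple BSSIDs on the radio)
 mbssid guest-mode

interface Dot11Radio0
 mbssid
! encryption is per VLAN: AES-CCMP on the corporate VLAN, nothing on the guest VLAN
 encryption vlan 10 mode ciphers aes-ccm
 ssid Corp
 ssid Guest

! Each VLAN gets its own radio and Ethernet subinterface joined by a bridge group,
! so guest frames only ever leave the AP tagged as VLAN 200.
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
interface Dot11Radio0.200
 encapsulation dot1Q 200
 bridge-group 200

interface FastEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
interface FastEthernet0.200
 encapsulation dot1Q 200
 bridge-group 200

! ===== Access switch: trunk to the AP, guest VLAN gateway with an Internet-only ACL =====
interface FastEthernet0/1
 description Aironet 1230AG (shared corporate/guest AP)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,200
 switchport mode trunk

! DHCP is permitted first so renewals to the gateway still work; everything toward
! internal (assumed RFC 1918) space is dropped; anything else is the Internet.
! Guests must use a public DNS resolver, since an internal one falls in the denied ranges.
ip access-list extended GUEST-VLAN-IN
 remark Assumed: 192.168.200.1 is the guest gateway; corporate space is RFC 1918
 permit udp any eq bootpc any eq bootps
 deny   ip 192.168.200.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.200.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.200.0 0.0.0.255 any
 deny   ip any any

interface Vlan200
 description Guest wireless gateway
 ip address 192.168.200.1 255.255.255.0
 ip access-group GUEST-VLAN-IN in

! Variant for an AP used only by guests: an access port in VLAN 200 with the same list
! applied as a port ACL (supported on Catalyst platforms that offer port ACLs on L2 ports).
interface FastEthernet0/2
 description Aironet 1230AG (guest-only AP)
 switchport access vlan 200
 switchport mode access
 ip access-group GUEST-VLAN-IN in
```

The final `deny ip any any` also stops a guest who assigns a non-guest address to their client from slipping past the RFC 1918 denies, which are written against the guest subnet as source. Verify with `show access-lists GUEST-VLAN-IN`: the deny counters should rise when a guest client pings a corporate address and stay flat when it browses the Internet.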
