03-22-2007 01:50 PM - edited 07-03-2021 01:49 PM
Hi,
I am in the process of designing a Guest wireless network for one of our remote offices that would give our guests full access to the internet. The remote office ONLY has a single MPLS link to our corporate office. Internet access has to come in/out of our corporate office. We currently use Cisco Aironet 1230 AG series access points.
Guests should only have access to the internet but not any of our internal resources. Can anyone give me any suggestions on how to separate the GUEST traffic from our internal traffic?
03-29-2007 06:45 AM
Configure Guest users in a separate WLAN and use a separate VLAN for the guest users.
03-29-2007 11:31 AM
You should look into using a combination of GRE/IPIP tunnels and Policy Based Routing. By having a policy forcing all traffic from the wireless VLAN into a tunnel which terminates in the head office but only allows for Internet access, you should be able to keep a layer two separation between the guests and your internal resources. We were able to successfully use this approach when deploying CCA with centralized clean access servers (small remote office authorization VLANs forced through GRE to the data center and then through the CCA server).
03-30-2007 07:28 AM
I was thinking about using GRE tunnels too, since a GRE tunnel is a point-to-point link. We have 2 MPLS routers in the head office and 2 routers in the remote office. Traffic is load balanced between the 2 routers in each office. How do I configure GRE in this scenario?
03-30-2007 08:03 AM
What routing protocols are you using? Is the volume of traffic coming from the guest network significant enough that you would be concerned about load balancing it as well, or would simple redundancy be enough for the guest traffic (i.e., guest VLAN traffic traverses one link, and will fail over to the second link if the first becomes unavailable)?
If simple failover is sufficient, you could configure two GRE tunnels, one between each of the two sets of remote and head end routers, each with keepalives enabled (which will track the usability of the tunnel). Have the PBR specify two next-hops, one for the first tunnel, and the second for the other tunnel. The traffic will use the first tunnel unless it becomes unavailable (because the underlying transport, i.e., the WAN link, fails), in which case it will begin to use the second tunnel.
If you need to load balance the traffic, because of the need for the policy based routing, it would be difficult to load balance using equal cost routing, and I think you would be better off attempting to load balance the GRE traffic itself. In this scenario, again only one tunnel would be used at a time, but the GRE packets themselves would be load balanced to the other side. If you take this approach I would suggest configuring the tunnels anchored to loopback addresses on the four routers.
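A worked IOS configuration for the two-tunnel failover design described in this reply, added here as an example; it is not from the thread or from any poster. Router names, loopback, tunnel and guest-subnet addresses are constructed for illustration, and it assumes both tunnels are built from the remote router that is the guest VLAN's gateway, that the loopbacks are already advertised across the MPLS cloud by the existing routing protocol, and that NAT for guest traffic happens at the head-end Internet edge.

```cisco
! ---- Remote office router R1 (hypothetical addresses, constructed for this example) ----
interface Loopback0
 ip address 10.255.1.1 255.255.255.255
! Primary tunnel to head-end HQ1; keepalive brings the tunnel line protocol down
! when the far end stops answering, which removes its next-hop from PBR.
interface Tunnel1
 ip address 172.16.101.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.255.0.1
 keepalive 5 3
!
! Backup tunnel to head-end HQ2 (loopback 10.255.0.2), used only if Tunnel1 goes down.
interface Tunnel2
 ip address 172.16.102.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.255.0.2
 keepalive 5 3
!
! Guest wireless VLAN (or a dot1Q subinterface): everything from it is policy-routed.
interface Vlan200
 ip address 192.168.200.1 255.255.255.0
 ip policy route-map GUEST-TO-HQ
!
ip access-list extended GUEST-SRC
 permit ip 192.168.200.0 0.0.0.255 any
!
! Two next-hops: the first reachable one wins, so HQ2 is only used on failover.
route-map GUEST-TO-HQ permit 10
 match ip address GUEST-SRC
 set ip next-hop 172.16.101.2 172.16.102.2
!
! ---- Head-end router HQ1, Loopback0 10.255.0.1 (HQ2 mirrors this for Tunnel2) ----
! Inbound ACL on the tunnel is what enforces "Internet only": private destinations are dropped.
ip access-list extended GUEST-INTERNET-ONLY
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 192.168.200.0 0.0.0.255 any
!
interface Tunnel1
 ip address 172.16.101.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.255.1.1
 keepalive 5 3
 ip access-group GUEST-INTERNET-ONLY in
!
! Return route so replies from the Internet go back through the tunnel.
ip route 192.168.200.0 255.255.255.0 Tunnel1
```

If guests must use a corporate DNS server, add a specific permit for that host above the deny lines, since the ACL otherwise blocks all internal address space.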
03-30-2007 08:25 AM
There will not be that much Guest traffic and I can set up the Guest VLAN for redundancy only. I think creating two GRE tunnels with PBR will work.
Thanks for everyone's input on this issue.
03-29-2007 12:11 PM
I'm currently doing a blog series on this exact scenario now using WLAN controller and unified wireless. Check it out at http://cs-mars.blogspot.com
-Mike
03-30-2007 01:21 AM
Hi,
As previously mentioned, create a separate VLAN for the wireless network traffic. You should implement security on your network; in addition, WPA2 encryption, along with a registration sheet for a network policy confirmation term, a condition-of-use disclaimer that can protect your company in the event that a user does something that has legal implications, i.e. illegal music downloads etc.
I hope this helps and gives you some ideas.
03-30-2007 07:21 AM
If the AP is specifically being used for guest access, put an ACL on that switch port only allowing traffic out to the internet.
If the AP is shared between guest and employees, create an SSID for the guest network and apply the ACL to the SSID. I have not done this personally, but I'm fairly sure you can apply an ACL to an SSID.