Guest network design question

dd99onedd · ‎03-22-2007

Hi,

I am in the process of designing a Guest wireless network for one of our remote offices that would give our guests full access to the internet. The remote office ONLY has a single MLPS link to our corporate office. Internet access has to come in/out of our corporate office. We currently use Cisco Aironet 1230 AG series access point.

Guests should only have access to the internet but not any of our internal resources. Can anyone give me any suggestions on how seperate the GUEST traffic from our internal traffic?

fmeetz · ‎03-29-2007

Configure Guest users in seperate WLAN and use a seperate VLAN for the guest users.

bsomogyi · ‎03-29-2007

Your should look into using a combination of GRE/IPIP tunnels and Policy Based Routing. By having a policy forcing all traffic from the wireless VLAN into a tunnel which terminates in the head office but only allows for Internet access, you should be able to keep a layer two separation between the guests and your internal resources. We were able to successfully use this approach when deploying CCA with centralized clean access servers (small remote office authorization vlans forced through GRE to data center and then through CCA server)

dd99onedd · ‎03-30-2007

I was thinking about using GRE tunnels too. Since GRE tunnel is a point to point link. We have 2 MPLS routers in the head office and 2 routers in the remote office. Traffic are load balance between the 2 routers in each office. How do I configure GRE in this scenario?

bsomogyi · ‎03-30-2007

What routing protocols are you using? Is the volume of traffic coming from the guest network significant enough that you would be concerned about load balancing it as well, or would simple redundancy be enough for the guest traffic (ie, guest vlan traffic traverses one link, and will failover to the second link if the first becomes unavailable)?

If simple failover is sufficient, you could configure two GRE tunnels, one between each of the two sets of remote and head end routers, each with keepalives enabled (which will track the usability of the tunnel). Have the PBR specify two next-hops, one for the first tunnel, and the second for the other tunnel. The traffic will use the first tunnel unless it becomes unavailable (because the underlying transport, ie wan link fails), in which case it will begin to use the second tunnel.

If you need to load balance the traffic, because of the need for the policy based routing, it would be difficult to load balance using equal cost routing, and I think you would be better off attempting to load balance the GRE traffic itself. In this scenario, again only one tunnel would be used at a time, but the GRE packets themselves would be load balanced to the other side. If you take this approach I would suggest configuring the tunnels anchored to loopback addresses on the four routers.

dd99onedd · ‎03-30-2007

There will not be that much Guest traffic and I can setup the Guest Vlan for redundancy only. I think creating two GRE tunnels with PBR will work.

Thanks for everyone's input on this issue.

wiluszm · ‎03-29-2007

I'm currently doing a blog series on this exact scenario now using WLAN controller and unified wireless. Check it out at http://cs-mars.blogspot.com

-Mike

jahnathan1 · ‎03-30-2007

Hi,

As previuosly mentioned, create a separate VLAN for the wireless netowrk traffic, you should implement security on your network addition WPA 2 encryption also with a registration sheet for a network policy confirmation term - a condition of use disclaimer that can protect your company in the event that a user does something that has a legal i.e illegal music downloads etc.

I hope this helps, give you some idea.

alefebvre · ‎03-30-2007

If the AP is specifically being used for guest access, put an ACL on that switch port only allowing traffic out to the internet.

If the AP is shared between guest and employees, create an SSID for the guest network and apply the ACL to the SSID. I have not done this personally, but I'm fairly sure you can apply an ACL to an SSID.