Route Guest VLAN directly to the internet

Unanswered Question
Aug 1st, 2007

All, I am wanting to create a guest SSID/VLAN that is redirected straight to the internet, without any access to our network. I know how to create a guest SSID/VLAN but don't know how to send all traffic on that VLAN directly to the internet. How would the client obtain a DHCP address if it's on a VLAN separate from the network?

DANIEL WANG Wed, 08/01/2007 - 08:07

Here is how I set up our wireless guest vlan:

1. I use 802.1x with PEAP to authenticate guests against a MS RADIUS server. Once successful, the AP allows the guest to broadcast a DHCP request.

2. My router forwards the DHCP request to the DHCP server, which assigns an IP and the necessary options to guests, using the IP helper-address command.

3. My router has access-lists to prevent guests from accessing any corporate IP addresses (allowing only DHCP broadcasts).

4. A route-map is configured on the default router on the guest vlan so that it will route all traffic sourced from that vlan out to the Internet. I use "set IP default next-hop" to route the traffic directly to our proxy server or firewall.

This is not a very user-friendly setup on the client side, because I have to manually configure guest laptops to do 802.1x w/ PEAP. Sometimes it is a pain to work with so many different wireless cards/utilities.
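The router side of the setup described in the post above (helper-address, guest ACL, PBR with "set ip default next-hop"), as an added IOS configuration example that is not the poster's own config; VLAN 200, the addresses and the object names are assumed placeholders.

```cisco
! Guest SVI on the default router for the guest VLAN (VLAN 200 and addressing assumed)
interface Vlan200
 description Guest wireless
 ip address 192.0.2.1 255.255.255.0
 ! relay guest DHCP broadcasts to the corporate DHCP server (address assumed)
 ip helper-address 10.10.10.5
 ip access-group GUEST-IN in
 ip policy route-map GUEST-TO-INTERNET
!
! Inbound guest ACL: allow DHCP (broadcast discover and unicast renew),
! block RFC 1918 corporate space, permit everything else (Internet)
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 deny   ip 192.0.2.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.0.2.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.0.2.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.0.2.0 0.0.0.255 any
!
! Match anything sourced from the guest subnet for policy routing
ip access-list extended GUEST-SRC
 permit ip 192.0.2.0 0.0.0.255 any
!
! "set ip default next-hop" only fires when the destination has no explicit
! route (i.e. would use the default route), so Internet-bound traffic goes to
! the firewall/proxy while internal prefixes still hit the ACL denies above
route-map GUEST-TO-INTERNET permit 10
 match ip address GUEST-SRC
 set ip default next-hop 203.0.113.2
```

Verify with "show ip policy" and "show route-map GUEST-TO-INTERNET" that the policy is bound to Vlan200 and that the match counters increment for guest traffic.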



DANIEL WANG Wed, 08/01/2007 - 14:22

Thanks for the link. I will read more about network virtualization. My current network has a collapsed core with two 4006 w/sup3. It's not capable of network partitioning. The only device on my network that can do it is my ASA5100 firewall.

I am considering a wireless controller and upgrading all my 1220B APs to lightweight APs. That way I can at least have a VLAN guest wireless "hotspot" where they can just pick up the wireless signal, authenticate through a web browser and be routed out to the Internet.

On my corporate wireless side, I may still have to configure corporate laptops for more secure EAP-TLS or PEAP over 802.1x.


da.beaver Thu, 08/02/2007 - 04:57

We have a guest VLAN that is not routed on our network. We have it going straight to a DSL router so as not to take away any of our main internet connection bandwidth. I have configured a DHCP scope on the controllers for the guest clients and am pointing them to the DSL router for DNS. I have also written an ACL on the controller and applied it to the guest VLAN to prevent any type of access to any other network resources, just in case.

As for the guest authentication, we are doing external web authentication with just an "Accept" button so we don't have to create accounts for the guests. The external page has our policies and procedures on it and then redirects to our homepage. We had looked at the idea of using an external controller on the dmz, but canned it since we weren't going to authenticate users and also since we were going to use a DSL circuit. It works pretty good.

DANIEL WANG Fri, 08/17/2007 - 07:17

Sorry for the late reply. Somehow I missed checking the thread.

Thanks for sharing your setup. I have several questions if you don't mind.

1. Is your controller a Cisco WLC? If yes, what model? I am considering the 2106 for the size of our WLAN (only 4-5 APs). But the 2106 only comes with a 100 Mbps uplink, sort of a bottleneck to me if I have a bunch of heavy G users at the same time.

2. How do you route your guests straight out to the Internet? I used PBR to source route them to a proxy at this point.

3. If you use Cisco WLCs, do you know if it can load-balance users across multiple APs?
