IP redirection feature.

Unanswered Question

Hello.

I'm using a 1200 AP with IOS 12.3(8), with two VLANs and two SSIDs. One of these SSIDs is for the guests.

There is an application note at http://www.cisco.com/en/US/partner/docs/wireless/technology/ip-redirect/technical/reference/ipredir.html.

How can I use the IP redirection feature to establish next-hop routing; for example, pushing all guest traffic to the Internet router?

Now, with my configuration, all requests from that SSID end up at the redirected IP.

Thanks.

Andrea.

ericgarnel Mon, 09/17/2007 - 11:09

I think this is what you are asking

similar doc:

http://www.cisco.com/en/US/docs/wireless/technology/ip-redirect/technical/reference/ipredir.html#wp36493

Step 1 Configure an access point with at least two SSIDs and VLANs with any combination of authentication and encryption.

Step 2 Configure at least one wireless client on each SSID and VLAN.

If there is a router between the AP & the internet router, why not just use PBR?

Step 3 Verify that the client on VLAN 20 is able to use Telnet to connect to a host on the wired network for VLAN20.

Step 4 Verify that the client on VLAN 10 is able to use Telnet to connect to a host on the wired network for VLAN10.

Step 5 (Optional) - Verify that the clients on each VLAN can browse to a page on the wired-side hosts for their respective VLANs.

Step 6 Choose the Security > Global SSID Manager screen, scroll to the General Settings section, and enable IP Redirection on one of the SSIDs pointing to the IP address of the host on the other VLAN as shown in Figure 2.

ericgarnel Tue, 09/18/2007 - 05:51

The URL in my previous post states:

This feature is specifically applicable to a retail requirement for directing IP data traffic to a specific destination over a shared network. Some customers may be able to accomplish this using policy based routing in the routers. However, there are many instances where the store based routers are managed by service providers or are non Cisco devices. Further, it is not uncommon for a service provider to charge a customer as much as $100 per store location to provide policy based routing.

IP Redirect can also be used to auto redirect traffic to a gateway for guest authentication.

I'm not sure how to better explain it.

ericgarnel Tue, 09/18/2007 - 10:34

Are you planning to separate the guest & user SSIDs into separate VLANs/subnets?

Assuming that is the case, there needs to be a mechanism in the network to separate and/or route multiple subnets.

  guests------\
               router---internet gw
  internal-----/
  internal svc/

The cheesy diagram above intends to show that guests get internet access only, while internal users get both internet and internal.

There are several ways to do this, but it really depends on your environment, # of users, how much control & access you have to internal client machines, etc.

For example, if the internet gw above can support vlan encapsulation or has a dmz interface as well as an internal interface, you could eliminate the middle router.

Here is a small part of the AP config. You will also have to set up trunking on the switch port.

! guest net    192.168.3.0/24
! internal net 192.168.2.0/24
! dmz net      192.168.1.0/24
!
! standard ACL matching the guest subnet; the wildcard mask is required,
! without it the entry matches only the single address 192.168.3.0
access-list 10 permit 192.168.3.0 0.0.0.255
! anything else hits the implicit deny
!
dot11 ssid guest_SSID
 ! name of ssid for guests
 ip redirection host 192.168.1.1
 ! ip address of internet gateway
 ip redirection access-group 10 in
 ! force traffic from guest ssid that matches ACL 10 to be redirected

There are several options, many of which can be configured on the wired side.
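As an added example (not from the thread or the Cisco application note), here is a fuller version of the two-SSID/two-VLAN layout Eric describes: SSID-to-VLAN mapping and dot1q bridging on the AP, the switch trunk port, and the guest SSID's redirection block. The VLAN numbers 2 and 3, the addresses, the SSID names and the switch port FastEthernet0/1 are assumptions.

```cisco
! --- Access point (IOS 12.3, two SSIDs on two VLANs) ---
! Standard ACL selecting the guest subnet (wildcard mask, not a host match)
access-list 10 permit 192.168.3.0 0.0.0.255
!
dot11 ssid guest_SSID
 vlan 3
 authentication open
 ! Matching guest packets are delivered to the redirect host
 ! (assumed Internet gateway DMZ address 192.168.1.1)
 ip redirection host 192.168.1.1
 ip redirection access-group 10 in
!
dot11 ssid internal_SSID
 vlan 2
 authentication open
 ! add the authentication and encryption the internal SSID actually uses
!
interface Dot11Radio0
 ssid guest_SSID
 ssid internal_SSID
!
! One dot1q subinterface per VLAN on the radio and on the Ethernet port,
! bridged pairwise so each SSID lands in its own wired VLAN
interface Dot11Radio0.2
 encapsulation dot1Q 2
 bridge-group 2
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 bridge-group 3
!
interface FastEthernet0.2
 encapsulation dot1Q 2
 bridge-group 2
!
interface FastEthernet0.3
 encapsulation dot1Q 3
 bridge-group 3
!
! --- Switch port facing the AP (assumed FastEthernet0/1): 802.1Q trunk ---
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,2,3
```

Redirection sends the matching guest packets to the redirect host as their destination, which is the behaviour Andrea reports; the VLAN separation and the wired-side routing, not the redirect, are what keep guests out of the internal subnet.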

ericgarnel Wed, 09/19/2007 - 07:29

I'm not sure if the redirect command will do that; I've never tried using a redirect to send to an IP on the same subnet. In the example from the URL in the earlier post, it shows a redirect to a host in a different subnet. What is the redirected IP address you mention? Is it on the same subnet?

ericgarnel Wed, 09/19/2007 - 07:31

Andrea, perhaps if you give some more info on the wired side of the network it may help us understand better what you are trying to accomplish.

Thanks,

Eric
