
IP redirection feature.

andrea.meconi
Level 2

Hello.

I'm using a 1200 AP with IOS 12.3(8), with two VLANs and two SSIDs. One of these SSIDs is for the guests.

There is an application note at http://www.cisco.com/en/US/partner/docs/wireless/technology/ip-redirect/technical/reference/ipredir.html.

How can I use the IP redirection feature to establish next-hop routing; for example, pushing all guest traffic to the Internet router?

Now, with my configuration, all requests from that SSID end up at the redirected IP.

Thanks.

Andrea.


ericgarnel
Level 7

I think this is what you are asking

similar doc:

http://www.cisco.com/en/US/docs/wireless/technology/ip-redirect/technical/reference/ipredir.html#wp36493

Step 1 Configure an access point with at least two SSIDs and VLANs with any combination of authentication and encryption.

Step 2 Configure at least one wireless client on each SSID and VLAN.

If there is a router between the AP & the internet router, why not just use PBR?

Step 3 Verify that the client on VLAN 20 is able to use Telnet to connect to a host on the wired network for VLAN20.

Step 4 Verify that the client on VLAN 10 is able to use Telnet to connect to a host on the wired network for VLAN10.

Step 5 (Optional) - Verify that the clients on each VLAN can browse to a page on the wired-side hosts for their respective VLANs.

Step 6 Choose the Security > Global SSID Manager screen, scroll to the General Settings section, and enable IP Redirection on one of the SSIDs pointing to the IP address of the host on the other VLAN as shown in Figure 2.

Many thanks for your help.

When you use the ip redirect feature the access-point replaces the destination address so I don't understand how I can use it like a next-hop utility.

Andrea.

On the url in my previous post it states:

This feature is specifically applicable to a retail requirement for directing IP data traffic to a specific destination over a shared network. Some customers may be able to accomplish this using policy based routing in the routers. However, there are many instances where the store based routers are managed by service providers or are non Cisco devices. Further, it is not uncommon for a service provider to charge a customer as much as $100 per store location to provide policy based routing.

IP Redirect can also be used to auto redirect traffic to a gateway for guest authentication.

I'm not sure how to better explain it.

On the URL in my first post:

An example of how this feature might be used is: establish next-hop routing; for example, pushing all guest traffic within an organization to the Internet router.

Regards,

Andrea.

Are you planning to separate the guest & user ssids into separate vlans/subnets?

Assuming that is the case, there needs to be a mechanism in the network to separate and/or route multiple subnets

guests------\
             router---internet gw
internal-----/
internal svc/

The cheesy diagram above intends to show that guests get internet access only, while internal get both internet and internal.

There are several ways to do this, but it really depends on your environment, # of users, how much control & access you have to internal client machines, etc.

For example, if the internet gw above can support vlan encapsulation or has a dmz interface as well as an internal interface, you could eliminate the middle router.

Here is a small part of the AP config. You will also have to set up trunking on the switch port as well.

guest net 192.168.3.0
internal net 192.168.2.0
dmz net 192.168.1.0

access-list 10 permit 192.168.3.0 0.0.0.255
! wildcard mask assumes the guest net is a /24; without it the entry matches only host 192.168.3.0
! anything else hits the implicit deny
#ssid guest_SSID
! name of ssid for guests
ip redirection host 192.168.1.1
! ip address of internet gateway
access-group 10 in
! force traffic from guest ssid to be redirected

There are several options, many of which can be configured on the wired side.

Hello Eric and many many thanks for your help.

I understand what you are saying but when I try to redirect to a host (on the same subnet) the access-point replaces the destination ip address and the connection ends at the redirected ip.

Andrea.

I'm not sure if the redirect command will do that; I've never tried using a redirect to send to an IP on the same subnet. In the example from the URL in the earlier post, it shows a redirect to a host in a different subnet. What is the redirected IP address you mention? Is it on the same subnet?

ericgarnel
Level 7

Andrea, perhaps if you give some more info on the wired side of the network it may help us understand better what you are trying to accomplish.

Thanks,

Eric
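
Added example (not part of any post in this thread and not taken from the Cisco application note): the PBR alternative raised in the thread, sketched for an IOS router sitting between the AP and the Internet gateway. Where the thread reports that ip redirection replaces the destination address, policy routing only overrides the next hop and leaves the packet's destination intact. The subnets and 192.168.1.1 come from the thread; the /24 masks, VLAN ID 30, interface name, router address 192.168.3.1, and the ACL and route-map names are assumptions.

```cisco
! Constructed example. Names, VLAN ID, interface and masks are assumptions.
!
! 1. Classify guest traffic by source subnet (guest net from the thread).
access-list 103 permit ip 192.168.3.0 0.0.0.255 any
!
! 2. Keep guests off the internal net even if policy routing is later removed.
access-list 113 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 113 permit ip 192.168.3.0 0.0.0.255 any
!
! 3. Override the next hop only; the destination IP is not rewritten.
!    192.168.1.1 must be directly reachable from this router.
route-map GUEST-TO-INET permit 10
 match ip address 103
 set ip next-hop 192.168.1.1
!
! 4. Apply both on the interface where guest VLAN traffic enters the router.
interface FastEthernet0/0.30
 description guest VLAN (hypothetical subinterface)
 encapsulation dot1Q 30
 ip address 192.168.3.1 255.255.255.0
 ip access-group 113 in
 ip policy route-map GUEST-TO-INET
!
! Verify:
!   show ip policy
!   show route-map GUEST-TO-INET   (match counters should increase)
!   show access-lists 113          (deny hits indicate guests probing internal)
```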
