10-03-2007 12:31 PM - edited 07-03-2021 02:43 PM
I am trying to set up a WLAN with internal users and guest users.
I have 2 SSIDs, one visible and one hidden; the visible one is for guest use.
The problem is that when I connect to the guest WLAN and web auth, I can then ping and telnet to the rest of the corporate network. How do I stop this?
10-04-2007 10:36 AM
Hi
Have you got separate VLANs set up, i.e.
vlan 10 = users
vlan 11 = guest
You would then hand out different IP address ranges for each VLAN, e.g.
vlan 10 = 192.168.5.0/24
vlan 11 = 192.168.10.0/24
Then you can either use a firewall or use access-lists on the VLAN interfaces, i.e. suppose the corporate network was made up of subnets
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
Also assume you want to allow your guest users out to the Internet:
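access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
! explicit permit for everything else; without it the implicit deny blocks all guest traffic
access-list 101 permit ip any any
!
interface vlan 11
 ip access-group 101 in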
This would allow guest users on 192.168.10.0 to access the Internet but not the corporate LAN.
HTH
Jon
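The first-match behaviour of the ACL in the answer above can be checked offline. This is an added example, not part of the original thread: it evaluates IOS-style extended `ip` entries with wildcard masks and compares a deny-only list against one that ends in an explicit permit. The guest host address, the target addresses and the helper names are constructed for illustration.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def _spec(tok):
    """Consume 'any' or 'ADDR WILDCARD'; return ((base, wildcard), remaining tokens)."""
    if tok[0] == "any":
        return (0, MASK32), tok[1:]
    return (int(ipaddress.IPv4Address(tok[0])), int(ipaddress.IPv4Address(tok[1]))), tok[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered rules."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        src, rest = _spec(tok[4:])
        dst, _ = _spec(rest)
        rules.append((tok[2], src, dst))
    return rules

def _hit(addr, spec):
    base, wild = spec
    care = ~wild & MASK32          # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(rules, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, s, d in rules:
        if _hit(src, s) and _hit(dst, d):
            return action
    return "deny"

def reachable(rules, src, targets):
    """Return the targets that src is permitted to reach."""
    return [t for t in targets if evaluate(rules, src, t) == "permit"]

# Constructed inputs built from the subnets named in the post.
DENIES_ONLY = """
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
"""
WITH_PERMIT = DENIES_ONLY + "access-list 101 permit ip any any\n"
GUEST = "192.168.10.25"
TARGETS = ["192.168.1.10", "192.168.2.7", "192.168.3.9", "192.168.5.20", "203.0.113.5"]

if __name__ == "__main__":
    print("denies only :", reachable(parse_acl(DENIES_ONLY), GUEST, TARGETS))
    print("with permit :", reachable(parse_acl(WITH_PERMIT), GUEST, TARGETS))
```

With the final permit in place, any internal subnet that has no deny entry of its own stays reachable from the guest VLAN; in this run that is the 192.168.5.0/24 user VLAN, so every internal range needs its own deny line ahead of the permit.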
10-05-2007 06:38 AM
Thanks Jon,
Looks like this is one of two ways to go:
ACLs on the switch/router, or put the WLC onto a DMZ.
The second option just means we use a WLC for the 4 APs that will provide the guest access.
Not so bad as we have 4 in total.
Regards