I am having some difficulties setting up public wifi for a customer. They currently are using AP1121G access points to provide wifi for corporate users. They would like to add a public SSID to allow visitors to access the internet only (no access to the corporate network).
There are no issues creating the new SSID and VLAN, but blocking access to the corporate network is causing issues with DHCP for the public wifi users. A Catalyst 3560 is providing layer 2 and 3 routing for the corporate LAN. On that Catalyst I have added an access list to block traffic from the public wifi VLAN to the internal networks, while permitting traffic to the internet. This ACL is applied to the public wifi VLAN.
access-list 103 deny ip 192.168.70.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 permit ip 192.168.70.0 0.0.0.255 any
ip access-group 103 in
where VLAN70 (192.168.70.0 /24) is the public wifi subnet, and VLAN10 (192.168.10.0 /24) is the corporate network.
This works fine except for one issue: the public wifi clients can't get a DHCP address assignment (if they have a static address in the 192.168.70.0 network, everything works fine). Apparently the ACL is blocking traffic from the clients to the DHCP server (which is the Catalyst switch - interface VLAN70 is assigned address 192.168.70.1).
In short, how do I design an ACL that will block access to the internal network, but allow access to the internet and allow clients to request/receive a DHCP address from the Catalyst switch?
I have also tried using the AP1121G as a DHCP server for the public wifi, but could not get it to work.
Any suggestions? Thanks in advance for any replies.
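One way to write the ACL so that DHCP still works, as an added example that is not part of the original post. It assumes the addressing given in the question (VLAN70 192.168.70.0/24 public, switch SVI 192.168.70.1 acting as DHCP server, VLAN10 192.168.10.0/24 corporate); the optional line protecting the switch's own address is an assumption about how far the guest VLAN should be locked down.

```ios
! Added example, not the original poster's config. Addressing assumed from the question.
! Why the original ACL breaks DHCP: a client with no lease sends DHCPDISCOVER/REQUEST
! from source 0.0.0.0 to destination 255.255.255.255, UDP 68 (bootpc) -> 67 (bootps).
! That packet does not match "192.168.70.0 0.0.0.255" as a source, so it falls through
! to the implicit "deny ip any any" at the end of every IOS ACL and is dropped.
no access-list 103
!
! 1. Allow DHCP client->server traffic regardless of source (covers the initial
!    broadcast discover as well as unicast renewals to 192.168.70.1).
access-list 103 permit udp any eq bootpc any eq bootps
!
! 2. Optional hardening (assumption): stop guests from talking to the switch's own
!    VLAN70 address (SSH/Telnet/SNMP/HTTP on the switch). Routed traffic to the
!    internet is not affected, because its destination is not 192.168.70.1.
!    If guests should be able to ping their gateway, add a "permit icmp" before this.
access-list 103 deny ip 192.168.70.0 0.0.0.255 host 192.168.70.1
!
! 3. Block the corporate network. Add one deny line per internal subnet the
!    switch routes for; only VLAN10 is named in the question.
access-list 103 deny ip 192.168.70.0 0.0.0.255 192.168.10.0 0.0.0.255
!
! 4. Everything else from the guest subnet (i.e. internet traffic) is allowed.
access-list 103 permit ip 192.168.70.0 0.0.0.255 any
!
interface Vlan70
 ip access-group 103 in
```

Order matters: the DHCP permit has to sit above the deny lines, and after applying it you can confirm hits with "show access-lists 103" while a guest client renews its lease.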