DHCP with public wifi

Unanswered Question

I am having some difficulties setting up public wifi for a customer. They currently are using AP1121G access points to provide wifi for corporate users. They would like to add a public SSID to allow visitors to access the internet only (no access to the corporate network).

There are no issues creating the new SSID and VLAN, but blocking access to the corporate network is causing issues with DHCP for the public wifi users. A Catalyst 3560 is providing layer 2 and 3 routing for the corporate LAN. On that Catalyst I have added an access list to block traffic from the public wifi VLAN to the internal networks, while permitting traffic to the internet. This ACL is applied to the public wifi VLAN.

access-list 103 deny ip
access-list 103 permit ip any
int vlan70
 ip access-group 103 in

where VLAN70 ( /24) is the public wifi subnet, and VLAN10 ( /24) is the corporate network.

This works fine except for one issue: The public wifi clients can't get a DHCP address assignment (if they have a static address in the network, everything works fine). Apparently the ACL is blocking traffic from the clients to the DHCP server (which is the Catalyst switch - interface VLAN70 is assigned address

In short, how do I design an ACL that will block access to the internal network, but allow access to the internet and allow clients to request/receive a DHCP address from the Catalyst switch?

I have also tried using the AP1121G as a DHCP server for the public wifi, but could not get it to work.

Any suggestions? Thanks in advance for any replies.
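The failure described above is easiest to see by walking a DHCP DISCOVER through the ACL by hand: a client that has no address yet sends from source 0.0.0.0 to destination 255.255.255.255 (UDP 68 to 67), so an ACL whose only permit entry is scoped to the VLAN70 subnet never matches it and the implicit deny at the end of every IOS ACL drops it before the switch's DHCP server sees it. The script below is an added example, not part of the original post or of Cisco's software: it models IOS first-match ACL evaluation, compares the ACL as posted (reconstructed on the assumption that the scrubbed entries were "deny ip <VLAN70> <VLAN10>" and "permit ip <VLAN70> any") against a version with an explicit bootps permit placed before the deny, and renders each entry in IOS syntax. The subnets (192.0.2.0/24 for VLAN70, 198.51.100.0/24 for VLAN10, 192.0.2.1 for the SVI) are placeholder documentation ranges, since the real addresses were removed from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Placeholder addressing (assumed, not from the post): VLAN70 = public wifi,
# VLAN10 = corporate LAN, 192.0.2.1 = the Catalyst's VLAN70 SVI / DHCP server.
PUBLIC = "192.0.2.0/24"
CORP = "198.51.100.0/24"


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    """One access-list entry. proto 'ip' matches every IP protocol."""
    action: str         # "permit" or "deny"
    proto: str          # "ip", "udp", "tcp", ...
    src: str            # CIDR network, or "any"
    dst: str            # CIDR network, or "any"
    dport: Optional[int] = None   # destination port ("eq N"), if any


def _in_net(net: str, addr: str) -> bool:
    if net == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """IOS semantics: first matching entry wins; no match means deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not _in_net(ace.src, pkt.src) or not _in_net(ace.dst, pkt.dst):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"   # implicit deny at the end of every IOS ACL


def to_ios(ace: Ace) -> str:
    """Render an entry the way it would appear after 'access-list 103'."""
    def net(n: str) -> str:
        if n == "any":
            return "any"
        nw = ipaddress.ip_network(n, strict=False)
        if nw.prefixlen == 32:
            return f"host {nw.network_address}"
        return f"{nw.network_address} {nw.hostmask}"   # IOS wildcard mask
    port = "" if ace.dport is None else f" eq {ace.dport}"
    return f"{ace.action} {ace.proto} {net(ace.src)} {net(ace.dst)}{port}"


# ACL as the post describes it (reconstruction; the real entries were scrubbed).
AS_POSTED = [
    Ace("deny", "ip", PUBLIC, CORP),
    Ace("permit", "ip", PUBLIC, "any"),
]

# Same policy with DHCP client->server traffic permitted before the deny.
# Only the unconfigured-client case (0.0.0.0 -> broadcast, bootps) needs a
# new entry; renewals are unicast from an in-subnet source and already match
# the final permit. The IOS equivalent is
# "permit udp host 0.0.0.0 host 255.255.255.255 eq bootps".
FIXED = [
    Ace("permit", "udp", "0.0.0.0/32", "255.255.255.255/32", dport=67),
    Ace("deny", "ip", PUBLIC, CORP),
    Ace("permit", "ip", PUBLIC, "any"),
]

# Constructed sample traffic from a public wifi client.
SAMPLES: Dict[str, Packet] = {
    "dhcp_discover": Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "dhcp_renew":    Packet("udp", "192.0.2.50", "192.0.2.1", 68, 67),
    "corp_smb":      Packet("tcp", "192.0.2.50", "198.51.100.10", 51000, 445),
    "internet_https": Packet("tcp", "192.0.2.50", "203.0.113.7", 51001, 443),
}


def audit(acl: List[Ace]) -> Dict[str, str]:
    """Return the verdict for every sample packet under the given ACL."""
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("as posted", AS_POSTED), ("with bootps permit", FIXED)):
        print(f"--- {label} ---")
        for ace in acl:
            print("access-list 103", to_ios(ace))
        for name, verdict in audit(acl).items():
            print(f"  {name:15s} -> {verdict}")
```

Running it shows the as-posted list passing internet traffic and renewals but dropping the initial DISCOVER, while the list with the bootps entry passes DHCP and still denies the corporate subnet. Keep in mind that an inbound ACL on an SVI also filters packets addressed to the switch itself, which is why the DHCP server living on the Catalyst does not exempt the request from the filter.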

drolemc Wed, 01/16/2008 - 09:06

Can you post the complete configuration on the AP and the switch? I think the issue is with the configuration. Once we have a look at the complete configuration we should be able to narrow down and resolve the issue.

An edited config for the WAP and the switch are attached. I have removed the password info and some parts of the config that I believe are not relevant (QOS settings, static routes, BGP, OSPF, the configs for switch ports used by other devices).

To clarify:

VLAN30 is the native VLAN used for device management.

VLAN10 is the VLAN used for the corporate LAN.

VLAN70 is the VLAN to be used for the public wifi.

Thank you in advance for any assistance.

olhcc Wed, 02/20/2008 - 10:53

Did you get an offline answer yet?

We use Cisco WAPs, but have Nortel switch gear. On our Nortel stuff, a DHCP proxy must be set up to route DHCP requests (broadcasts) because broadcasts don't go between networks unless there is a Layer 3 device configured to do so.

Again, I can't help with the actual commands because I don't have Cisco gear, but hopefully the concept will help.

We do the same thing with a public wifi VLAN, and assign that VLAN an IP address on the core switch. Then, on that core switch, I set up a DHCP proxy to forward all DHCP requests to the DHCP server on the corporate LAN. It is assumed that even though an ACL blocks all other traffic, DHCP requests are passed.

bsumardi1980 Tue, 03/04/2008 - 08:35

Maybe you can consider setting up DHCP on the AP instead of the 3560? Clients will definitely get IP addresses first before being filtered by the Core 3560.

Cheers ^^
