Securing Guest Wireless Across WAN

Answered Question
Dec 29th, 2008

I have an AP at a branch office with a production and guest VLAN. I have the local LAN secure, but how would I forward the guest wireless VLAN to connect to our ASA VLAN at the corporate office?

The traffic will go across MPLS to a Catalyst 3750 core.

Correct Answer by Jon Marshall about 8 years 3 weeks ago


Yes you can as long as your device supports PBR recursive next-hop -

As I say, it really does depend on

1) how much effort you want to put in

2) just how secure you want your network to be

For guest access from one site to HQ, ACLs/PBR is a perfectly acceptable solution.


Jon Marshall Mon, 12/29/2008 - 07:25


There are a number of approaches you could use depending on the security requirements and devices you have.

The simplest would be to use ACLs to restrict the guest traffic to only be allowed to the ASA, which could also be used together with PBR to force traffic to go one way.

Next you could look to implement GRE tunneling between the branch and head office, but you would need a router at either end that could support GRE.

In conjunction with GRE you could use VRF-lite, which would allow you to keep totally separate routing and forwarding tables within your HQ and branch sites.

And if you wanted, you could have a 2nd MPLS VPN for guest access only and map this into your VRF-lite VRFs within your sites.

It really depends on how much effort you want to put in and whether features such as GRE/VRF-lite are supported by your devices. Attached is a link to a Cisco design doc for Path Isolation and Virtualisation which goes into some detail about how you can segregate different types of traffic on your network -


jgorman1977 Mon, 12/29/2008 - 07:37


Could I use a route map and just use the ASA interface as the next hop?
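
An added example, not taken from the thread or from any poster's configuration: a Cisco IOS configuration for the ACL-plus-PBR approach discussed above, with the ASA as a recursive next hop. The VLAN number, subnets, ASA address and all ACL and route-map names are assumed placeholder values, and the branch device is assumed to be a Layer 3 device that supports `set ip next-hop recursive`.

```cisco
! Constructed values (assumptions, not from the thread):
!   guest VLAN 20 = 10.50.20.0/24
!   ASA guest-facing interface at head office = 192.0.2.1
!
! Inbound filter on the guest SVI: guests may obtain a DHCP lease and
! reach non-internal destinations only. RFC 1918 space is dropped and logged.
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 permit ip 10.50.20.0 0.0.0.255 any
!
! Traffic selected for policy routing: anything sourced from the guest subnet.
ip access-list extended GUEST-PBR-MATCH
 permit ip 10.50.20.0 0.0.0.255 any
!
! The ASA is not directly connected to the branch device, so the next hop
! is resolved recursively through the routing table.
route-map GUEST-TO-ASA permit 10
 match ip address GUEST-PBR-MATCH
 set ip next-hop recursive 192.0.2.1
!
interface Vlan20
 description Guest wireless
 ip address 10.50.20.1 255.255.255.0
 ip access-group GUEST-IN in
 ip policy route-map GUEST-TO-ASA
```

PBR is a per-hop decision, so each routed hop between the branch and the ASA still forwards on destination unless it carries its own policy. `show route-map GUEST-TO-ASA` and `show ip access-lists GUEST-IN` display match counters for confirming that guest traffic hits the policy and that internal destinations are denied.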

