Securing Guest Wireless Across WAN

Answered Question
Dec 29th, 2008

I have an AP at a branch office with a production and a guest VLAN. I have the local LAN secure, but how would I forward the guest wireless VLAN so that it connects to our ASA VLAN at the corporate office?


The traffic will go across MPLS to a Catalyst 3750 core.

Jon Marshall Mon, 12/29/2008 - 07:25

Jason


There are a number of approaches you could use depending on the security requirements and devices you have.


The simplest would be to use ACLs to restrict the guest traffic so that it is only allowed to the ASA, which could also be used together with PBR to force the traffic to go one way.


Next you could look to implement GRE tunneling between the branch and head office but you would need a router at either end that could support GRE.


In conjunction with GRE you could use VRF-lite, which would allow you to keep totally separate routing and forwarding tables within your HQ and branch sites.


And if you wanted, you could have a second MPLS VPN for guest access only and map this into your VRF-lite VRFs within your sites.


It really depends on how much effort you want to put in and whether features such as GRE/VRF-lite are supported by your devices. Attached is a link to a Cisco design doc for Path Isolation and Virtualisation which goes into some detail about how you can segregate different types of traffic on your network -


http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html


Jon
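To make the GRE plus VRF-lite option above concrete, here is an added example configuration; it is not part of Jon's reply or any Cisco document. It assumes a branch router and an HQ router that both support GRE and VRF-lite (the 3750 core itself cannot terminate the GRE tunnel, as Jon notes), guest wireless on VLAN 20 of the AP trunk, and hypothetical addressing: 10.20.1.0/24 for guests, 192.0.2.10 and 198.51.100.10 as the HQ and branch WAN addresses reachable over the MPLS service, and 172.16.200.2 as the ASA's guest-side interface. The tunnel endpoints stay in the global table; the guest VLAN, the tunnel's inside addresses and the link to the ASA are all placed in a VRF named GUEST, so the guest subnet never appears in the production routing table at either site.

```cisco
! ===== Branch router (hypothetical addresses) =====
ip vrf GUEST
 rd 65000:20
!
interface GigabitEthernet0/0.20
 description Guest wireless VLAN from the AP trunk
 encapsulation dot1Q 20
 ip vrf forwarding GUEST
 ip address 10.20.1.1 255.255.255.0
!
interface Tunnel100
 description GRE to HQ; outer packets use the global table over the MPLS WAN
 ip vrf forwarding GUEST
 ip address 172.16.100.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 192.0.2.10
 ip mtu 1400
 ip tcp adjust-mss 1360
!
! The GUEST table only knows the tunnel: no route to the production network exists
ip route vrf GUEST 0.0.0.0 0.0.0.0 Tunnel100
!
! ===== HQ router (hypothetical addresses) =====
ip vrf GUEST
 rd 65000:20
!
interface Tunnel100
 description GRE from the branch guest VRF
 ip vrf forwarding GUEST
 ip address 172.16.100.2 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.10
 ip mtu 1400
 ip tcp adjust-mss 1360
!
interface GigabitEthernet0/2
 description Link to the ASA guest-side interface
 ip vrf forwarding GUEST
 ip address 172.16.200.1 255.255.255.252
!
! Branch guest subnet is reached via the tunnel; everything else goes to the ASA
ip route vrf GUEST 10.20.1.0 255.255.255.0 Tunnel100
ip route vrf GUEST 0.0.0.0 0.0.0.0 172.16.200.2
```

Verify with `show ip route vrf GUEST` at each end (only the tunnel subnet, the guest subnet and the default via the ASA should appear) and `ping vrf GUEST 172.16.100.2` from the branch. Because the inner packets live in a VRF with no leak into the global table, a guest host that tries to reach a production address simply has no route, rather than relying on an ACL being correct. The `ip mtu` and `ip tcp adjust-mss` lines allow for the 24-byte GRE overhead so that the tunnel does not fragment traffic across the WAN.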

jgorman1977 Mon, 12/29/2008 - 07:37

Jon,


Could I use a route map and just use the ASA interface as the next hop?

Correct Answer
Jon Marshall Mon, 12/29/2008 - 07:45

Jason


Yes, you can as long as your device supports PBR recursive next-hop -


http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_pbr.html


As I say, it really does depend on


1) how much effort you want to put in

2) just how secure you want your network to be


For guest access from one site to HQ, ACLs/PBR is a perfectly acceptable solution.


Jon
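As an added illustration of the ACL plus PBR approach accepted in this reply (not part of Jon's post): the branch router limits what the guest sub-interface is allowed to send, and the HQ 3750 policy-routes anything sourced from the guest subnet to the ASA's guest-side interface instead of following the global routing table. Addressing is hypothetical: guest subnet 10.20.1.0/24 on VLAN 20, the ASA guest-side interface 172.16.200.2 directly connected to the 3750, and guest traffic from the MPLS link entering the 3750 on VLAN 300. DHCP for guests is served locally by the branch router so that no internal server has to be exposed to the guest VLAN.

```cisco
! ===== Branch router: guest sub-interface on the AP trunk (VLAN 20) =====
ip dhcp excluded-address 10.20.1.1
ip dhcp pool GUEST
 network 10.20.1.0 255.255.255.0
 default-router 10.20.1.1
!
ip access-list extended GUEST-IN
 remark DHCP to the router itself so guests can obtain an address
 permit udp any eq bootpc any eq bootps
 remark guests may talk to the ASA guest-side interface ...
 permit ip 10.20.1.0 0.0.0.255 host 172.16.200.2
 remark ... but to nothing else in the private ranges used internally
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark everything else (Internet) is allowed; HQ policy-routes it to the ASA
 permit ip 10.20.1.0 0.0.0.255 any
!
interface GigabitEthernet0/0.20
 description Guest wireless VLAN
 encapsulation dot1Q 20
 ip address 10.20.1.1 255.255.255.0
 ip access-group GUEST-IN in
!
! ===== HQ 3750 core: force guest-sourced traffic to the ASA =====
! PBR on the 3750 needs the routing SDM template: "sdm prefer routing" plus a reload.
ip access-list extended GUEST-SRC
 permit ip 10.20.1.0 0.0.0.255 any
!
route-map GUEST-TO-ASA permit 10
 match ip address GUEST-SRC
 set ip next-hop 172.16.200.2
!
interface Vlan300
 description SVI facing the MPLS CE; guest traffic from the branch enters here
 ip address 172.16.30.1 255.255.255.0
 ip policy route-map GUEST-TO-ASA
```

`show route-map GUEST-TO-ASA` shows how many packets the policy has matched, and `show ip access-lists GUEST-IN` gives per-line hit counts at the branch. The `set ip next-hop` form assumes the ASA is directly connected to the 3750; the `set ip next-hop recursive` variant from the document Jon links is for a router where the ASA is several hops away. Note that the ACL only constrains where guests may send and the PBR only steers the forward direction; replies from the ASA to 10.20.1.0/24 follow the normal global route back across the MPLS, so the guest subnet is still present in the production routing table. If that is not acceptable, the VRF-lite option from Jon's earlier reply is the next step up.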


Collin Clark Mon, 12/29/2008 - 07:27

You could use a GRE tunnel, perhaps a new vrf.
