12-29-2008 07:07 AM - edited 03-04-2019 03:15 AM
I have an AP at a branch office with a production and a guest VLAN. I have the local LAN secure, but how would I forward the guest wireless VLAN to connect to our ASA VLAN at the corporate office?
The traffic will go across MPLS to a Catalyst 3750 core.
12-29-2008 07:25 AM
Jason
There are a number of approaches you could use depending on the security requirements and devices you have.
The simplest would be to use ACLs to restrict the guest traffic to only be allowed to the ASA, which could also be used together with PBR to force traffic to go one way.
Next you could look to implement GRE tunneling between the branch and head office, but you would need a router at either end that could support GRE.
In conjunction with GRE you could use VRF-lite, which would allow you to keep totally separate routing and forwarding tables within your HQ and branch sites.
And if you wanted you could have a second MPLS VPN for guest access only and map this into your VRF-lite VRFs within your sites.
It really depends on how much effort you want to put in and whether features such as GRE/VRF-lite are supported by your devices. Attached is a link to a Cisco design doc for Path Isolation and Virtualisation which goes into some detail about how you can segregate different types of traffic on your network -
http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html
Jon
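As an added example (not from the thread or from the linked Cisco document), here is what the GRE plus VRF-lite option from the post above looks like on a branch router and an HQ router. Every name and address is an assumption: the VRF is called GUEST, the tunnel runs between loopbacks 10.0.0.1 (branch) and 10.0.0.2 (HQ) that are reachable through the normal MPLS global routing table, the guest VLAN is VLAN 20 on 10.20.0.0/24, and the ASA's guest interface is 10.1.1.2 on a segment behind the HQ router.

```cisco
! ===== Branch router (assumed names and addresses) =====
ip vrf GUEST
 rd 65000:20
!
interface Loopback0
 description Tunnel endpoint; stays in the global table and is routed over MPLS
 ip address 10.0.0.1 255.255.255.255
!
interface Tunnel20
 description Guest VRF to HQ: the tunnel interface is in the VRF, its endpoints are not
 ip vrf forwarding GUEST
 ip address 10.99.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 10.0.0.2
!
interface Vlan20
 description Guest wireless
 ! "ip vrf forwarding" must come before "ip address": entering it clears the address
 ip vrf forwarding GUEST
 ip address 10.20.0.1 255.255.255.0
!
! Guests have exactly one way out: the tunnel. The GUEST VRF holds no route
! into the global (production) table, so there is nothing to leak locally.
ip route vrf GUEST 0.0.0.0 0.0.0.0 Tunnel20
!
! ===== HQ router in front of the ASA guest interface (assumed) =====
ip vrf GUEST
 rd 65000:20
!
interface Loopback0
 ip address 10.0.0.2 255.255.255.255
!
interface Tunnel20
 description Guest VRF from branch
 ip vrf forwarding GUEST
 ip address 10.99.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 10.0.0.1
!
interface GigabitEthernet0/1
 description To ASA guest interface (assumed port)
 ip vrf forwarding GUEST
 ip address 10.1.1.1 255.255.255.0
!
! Branch guest subnet is reachable only through the tunnel; everything else
! in the VRF goes to the ASA, which applies the guest policy and NAT.
ip route vrf GUEST 10.20.0.0 255.255.255.0 Tunnel20
ip route vrf GUEST 0.0.0.0 0.0.0.0 10.1.1.2
```

The ASA still needs a return route for the branch guest subnet on its guest interface (with the assumed nameif `guest`: `route guest 10.20.0.0 255.255.255.0 10.1.1.1`). The `ip mtu` / `ip tcp adjust-mss` lines are there because GRE adds 24 bytes of overhead; without them guests see hangs on large transfers while pings work. Check reachability from inside the VRF rather than the global table, e.g. `ping vrf GUEST 10.1.1.2` and `show ip route vrf GUEST`.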
12-29-2008 07:37 AM
Jon,
Could I use a route map and just use the ASA interface as the next hop?
12-29-2008 07:45 AM
Jason
Yes you can as long as your device supports PBR recursive next-hop -
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_pbr.html
As I say, it really does depend on
1) how much effort you want to put in
2) just how secure you want your network to be
For guest access from one site to HQ, ACLs/PBR is a perfectly acceptable solution.
Jon
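A worked configuration for the ACL plus PBR approach discussed above, added here as an example; it is not from the thread or the linked Cisco document. All names and addresses are assumptions: the branch guest VLAN is VLAN 20 on 10.20.0.0/24, the corporate ranges are the RFC 1918 blocks, the ASA's guest interface at HQ is 10.1.1.2 on a segment the 3750 core reaches as 10.1.1.1, branch traffic enters the core on an assumed SVI Vlan100, and the branch device runs an IOS release that accepts `set ip next-hop recursive`.

```cisco
! ===== Branch router (assumed names and addresses) =====
! 1. Inbound ACL on the guest SVI. This, not the PBR, is the security control:
!    guests may get an address and reach anything that is NOT a private range.
ip access-list extended GUEST-IN
 remark allow DHCP to the local relay or server
 permit udp any eq bootpc any eq bootps
 remark block the local production VLAN and every corporate RFC 1918 range
 deny   ip 10.20.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.20.0.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.20.0.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark everything else (Internet-bound) is allowed and then policy-routed
 permit ip 10.20.0.0 0.0.0.255 any
!
! 2. PBR: send whatever the ACL let through toward the ASA guest interface.
!    The ASA is several hops away across MPLS, so the next hop is not directly
!    connected; "recursive" makes IOS resolve it through the routing table.
ip access-list extended GUEST-PBR
 permit ip 10.20.0.0 0.0.0.255 any
!
route-map GUEST-TO-ASA permit 10
 match ip address GUEST-PBR
 set ip next-hop recursive 10.1.1.2
!
interface Vlan20
 description Guest wireless
 ip address 10.20.0.1 255.255.255.0
 ip access-group GUEST-IN in
 ip policy route-map GUEST-TO-ASA
!
! ===== Catalyst 3750 core at HQ (assumed) =====
! PBR on a 3750 requires the routing SDM template (one-time reload).
sdm prefer routing
!
! The branch PBR only picks the path out of the branch. Once a packet arrives
! here it is routed by destination again, so match on the guest SOURCE subnet
! and hand it to the ASA guest interface, which is directly connected here.
ip access-list extended GUEST-SRC
 permit ip 10.20.0.0 0.0.0.255 any
!
route-map GUEST-TO-ASA permit 10
 match ip address GUEST-SRC
 set ip next-hop 10.1.1.2
!
interface Vlan100
 description MPLS-facing SVI where branch traffic enters the core (assumed)
 ip address 10.100.0.1 255.255.255.0
 ip policy route-map GUEST-TO-ASA
!
interface Vlan200
 description Toward the ASA guest interface (assumed)
 ip address 10.1.1.1 255.255.255.0
```

Two things to check after applying this. First, PBR is a forwarding preference, not a filter: if the next hop is unreachable (or the recursive lookup fails), IOS falls back to normal destination routing, which is why the inbound ACL carries the isolation and the route-map only steers. Second, the ASA needs a route back to 10.20.0.0/24 on its guest interface pointing at the 3750 (assumed nameif `guest`: `route guest 10.20.0.0 255.255.255.0 10.1.1.1`). `show route-map GUEST-TO-ASA` shows the policy-routed packet counters on each device, and `show ip access-lists GUEST-IN` shows what the ACL is dropping.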
12-29-2008 07:27 AM
You could use a GRE tunnel, perhaps a new VRF.