Securing Guest Wireless Across WAN

jgorman1977
Level 1

I have an AP at a branch office with a production and a guest VLAN. I have the local LAN secure, but how would I forward the guest wireless VLAN to connect to our ASA VLAN at the corporate office?

The traffic will go across MPLS to a 3750 Catalyst core.


4 Replies

Jon Marshall
Hall of Fame

Jason

There are a number of approaches you could use depending on the security requirements and devices you have.

The simplest would be to use ACLs to restrict the guest traffic so that it is only allowed to the ASA, which could also be used together with PBR to force the traffic to go one way.

Next you could look to implement GRE tunnelling between the branch and head office, but you would need a router at either end that could support GRE.

In conjunction with GRE you could use VRF-lite, which would allow you to keep totally separate routing and forwarding tables within your HQ and branch sites.

And if you wanted, you could have a second MPLS VPN for guest access only and map this into your VRF-lite VRFs within your sites.

It really depends on how much effort you want to put in and whether features such as GRE/VRF-lite are supported by your devices. Attached is a link to a Cisco design doc for Path Isolation and Virtualisation, which goes into some detail about how you can segregate different types of traffic on your network -

http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html

Jon

Jon,

Could I use a route map and just use the ASA interface as the next hop?

Jason

Yes you can as long as your device supports PBR recursive next-hop -

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_pbr.html

As I say, it really does depend on

1) how much effort you want to put in

2) just how secure you want your network to be

For guest access from one site to HQ, ACLs/PBR is a perfectly acceptable solution.

Jon
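The ACL-plus-PBR approach from Jon's first reply and the recursive next-hop answer above, as a constructed Cisco IOS example that is not from this thread. It assumes a branch router holding the guest SVI (VLAN 20, 10.20.0.0/24, SVI 10.20.0.1) and an ASA guest-side interface at HQ of 10.99.0.1 reachable across the MPLS cloud; all addresses, names and the interface numbering are made up for illustration.

```cisco
! Branch router (constructed example, not from the thread).
! Assumed addressing:
!   Guest wireless VLAN 20         = 10.20.0.0/24, SVI 10.20.0.1 on this router
!   ASA guest-side interface at HQ = 10.99.0.1 (several hops away, across MPLS)
!
! 1. Ingress ACL on the guest SVI: guests may talk to the ASA and to the
!    Internet, never to corporate (RFC 1918) address space. This ACL is the
!    real containment boundary; PBR only chooses the path.
ip access-list extended GUEST-VLAN-IN
 remark Let guest clients obtain DHCP from the relay/server on this router
 permit udp any eq bootpc any eq bootps
 remark Explicitly allow the ASA guest interface (captive portal, DNS via ASA)
 permit ip 10.20.0.0 0.0.0.255 host 10.99.0.1
 remark Block every other private range so guests cannot reach HQ or branch LANs
 deny   ip 10.20.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.20.0.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.20.0.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark Anything left is Internet-bound; PBR below decides the exit path
 permit ip 10.20.0.0 0.0.0.255 any
!
! 2. PBR: classify guest-sourced packets and send them to the ASA regardless
!    of what the global routing table would normally do with them.
ip access-list extended GUEST-PBR
 permit ip 10.20.0.0 0.0.0.255 any
!
route-map GUEST-TO-ASA permit 10
 match ip address GUEST-PBR
 ! "recursive" lets the next hop be several routed hops away (across MPLS);
 ! a plain "set ip next-hop" requires a directly connected neighbour.
 set ip next-hop recursive 10.99.0.1
!
! 3. Bind both to the guest SVI.
interface Vlan20
 description Guest wireless (constructed example)
 ip address 10.20.0.1 255.255.255.0
 ip access-group GUEST-VLAN-IN in
 ip policy route-map GUEST-TO-ASA
```

Verify with `show route-map GUEST-TO-ASA` (policy-routing match counters) and `show ip policy`. Two caveats matter for security: if the ASA interface becomes unreachable, PBR-matched packets fall back to normal routing, which is why the ingress ACL, not the route-map, is what keeps guests out of the corporate networks; and the ASA guest interface should carry its own ACL and a lower security level so that a PBR misconfiguration cannot turn it into a path to the inside. If PBR is applied on the HQ Catalyst 3750 instead of a branch router, it needs the routing SDM template, and recursive next-hop support should be checked for that platform and release.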

Collin Clark
VIP Alumni

You could use a GRE tunnel, perhaps a new VRF.
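The GRE-plus-VRF-lite design that Jon outlines in his first reply and Collin suggests here, as a constructed Cisco IOS example that is not from this thread. It assumes a GRE-capable router at each site (the Catalyst 3750 core does not provide the tunnel itself), tunnel endpoints that live in the global MPLS routing table, and made-up addressing: branch WAN 198.51.100.2, HQ WAN 198.51.100.1, guest VLAN 10.20.0.0/24, tunnel link 10.250.0.0/30, HQ transit to the ASA 10.99.0.0/24 with the ASA guest interface at 10.99.0.1.

```cisco
! Constructed example, not from the thread. One GRE/VRF-lite capable router per
! site; tunnel endpoints sit in the global (MPLS) table, guest traffic in VRF GUEST.
! Assumed addressing:
!   Branch WAN (MPLS)  198.51.100.2     HQ WAN (MPLS)        198.51.100.1
!   Branch guest VLAN  10.20.0.0/24     Tunnel link          10.250.0.0/30
!   HQ transit to ASA  10.99.0.0/24     ASA guest interface  10.99.0.1
!
! ----- Branch router -----
ip vrf GUEST
 description Guest wireless, isolated from the corporate routing table
 rd 65000:20
!
interface Vlan20
 description Guest wireless VLAN
 ! "ip vrf forwarding" must precede "ip address"; it clears any existing address
 ip vrf forwarding GUEST
 ip address 10.20.0.1 255.255.255.0
!
interface Tunnel0
 description GRE to HQ carrying only the GUEST VRF
 ip vrf forwarding GUEST
 ip address 10.250.0.2 255.255.255.252
 ! GRE adds 24 bytes; lower the MTU/MSS so guest TCP sessions do not fragment
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 198.51.100.2
 tunnel destination 198.51.100.1
 tunnel mode gre ip
!
! The only exit from VRF GUEST is the tunnel. Corporate prefixes exist only in
! the global table, so there is no route from guests to them at all.
ip route vrf GUEST 0.0.0.0 0.0.0.0 Tunnel0
!
! ----- HQ router -----
ip vrf GUEST
 rd 65000:20
!
interface Tunnel0
 description GRE from branch, GUEST VRF
 ip vrf forwarding GUEST
 ip address 10.250.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 198.51.100.1
 tunnel destination 198.51.100.2
 tunnel mode gre ip
!
interface GigabitEthernet0/1
 description Link to the ASA guest interface
 ip vrf forwarding GUEST
 ip address 10.99.0.2 255.255.255.0
!
! Guest prefix back toward the branch, everything else to the ASA
ip route vrf GUEST 10.20.0.0 255.255.255.0 Tunnel0
ip route vrf GUEST 0.0.0.0 0.0.0.0 10.99.0.1
```

Check the separation with `show ip route vrf GUEST` on each router: the VRF table should contain only the tunnel link, the guest prefix and the default, and nothing from the corporate table. The ASA needs a route for 10.20.0.0/24 via 10.99.0.2 on its guest interface, and the ASA's guest interface ACL still governs what guests may reach, so the VRF removes the path to corporate prefixes while the ASA enforces policy on the path that remains.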
