Guest Network design (GRE?)

Unanswered Question
Apr 20th, 2009
User Badges:

Hi,

I have a design question for my new inter-campus site. We recently build out a new site and made it a point to point connection back to my core network. My issues is rolling out my current Guest network to it. We currently have the Guest network (172.20.99.0/24) off the ASA router and we trunk it to all of our distribution switch (vlan 99). With my new site being layer 3 how do I offer guest network to that site? Do I create a GRE tunnel? Any thoughts?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jon Marshall Mon, 04/20/2009 - 20:16
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

You can use GRE as one solution as long as you have devices at either end that support GRE tunneling. Other alternatives are using acl's to filter the traffic or utilising something like vrf-lite. Cisco have got a design doc for this type of requirement ie. path isolation -


http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html#wp80366


Jon

siskoboy2007 Tue, 04/21/2009 - 06:56
User Badges:

Thanks for the information Jon. Looks like the Catalyst 3750 which I have at my new site does not support GRE. I'll look into using VRF-lite. I'll let you know if I have any questions.

mark.cronin Tue, 04/21/2009 - 11:43
User Badges:

The Cisco Wireless WLC 4400 Series offer a wireless guest access service which includes a username and password lobby ambassador function. The WLC can be used for Wired guest access but would need to be located locally on the same broadcast network.



mark.cronin Tue, 04/21/2009 - 11:44
User Badges:

To add to the above it uses an EoIP tunnel rather than GRE and you would need a remote WLC in your internet DMZ

siskoboy2007 Tue, 04/21/2009 - 11:48
User Badges:

We do have a WLC 4400, but for the guest access to work properly, doesn't it have to be in the DMZ?

mark.cronin Wed, 04/22/2009 - 11:17
User Badges:

This link describes what you need if you go for the WLC option


http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml


Basically 1 WLC at your remote site on the same broadcast domain and 1 in your internet gateway DMZ.


An EoIP tunnel which is similar to GRE is formed between the WLC's which wired guest user traffic is tunneled in.


The lobby ambassador feature is fairly simple to implement.


siskoboy2007 Wed, 04/22/2009 - 13:40
User Badges:

Thanks Mark. However I have no budget for a new WLC yet so I'm back to finding a simple solution. Since GRE tunnels are not supported on the 3750s, does any know how I can accomplish this with either VRF Lite End to End or L2TPv3?

siskoboy2007 Thu, 04/23/2009 - 10:55
User Badges:

Mark,

I was thinking, I do have WLC at my remote site and another one back at HQ. The WLC at HQ does have a trunk to the Guest network (off the firewall) which is VLAN 99. Can I use EoIP to trunk all wired and wireless network (vlan 99) back to my HQ WLC which in turn will send it to my Guest network on the firewall?

siskoboy2007 Thu, 04/23/2009 - 13:49
User Badges:

Here's the diagram Mark. Let me know if you have any questions. I'm just wonder if I use the WLC, how do I tell the switches at my remote site (1450) that VLAN 99 needs to go thru the WLC. Do I put a static route point to the WLC?



mark.cronin Sat, 04/25/2009 - 00:25
User Badges:

So i think if you have configured a DHCP scope on you HQ WLC and there is an EoIP tunnel between the remote and HQ WLC via your production network, guest access will work.


The Lobby Ambassador feature will be administered on the HQ WLC and guest will be allowed on the guest network once they have web authenticated.


siskoboy2007 Mon, 04/27/2009 - 11:57
User Badges:

Thanks for the suggestion Mark. Can I have the WLAN and wired guest use the same interface (VLAN 99) on the WLC? Right now I have both of them using VLAN 99 at my HQ, but only the WLAN is using the VLAN 99 on the WLC.

Hi Experts.

This is Raja. Im a baby to this field and planning to start a business which is gonna support a application through online, I want to do a network set up for the communication.Its gonna be a 10 node small business.where i want to manage the LAN connection for internet and also the tunneling. can some one suggest me which series of switch , router and firewall will work out my set up. waiting for you experts.. thanks in advance..


Actions

This Discussion