SR520 Guest Wireless setup

Unanswered Question
Jun 2nd, 2009

What is the best and CCA-compatible way to set up a guest wireless?

I have created a beacon SSID: Guest, Vlan2 (10.1.11.0), DHCP Server for Vlan2 and the laptop connects no problem. The vlan2 has access to the inside network vlan75 (192.168.1.0, which I don't want) and internet access.

How do I keep vlan2 as a guest vlan and out of our inside network? I know it's an access-list but how can I do it in a way that does not render me unable to use CCA in the future?

What is the correct way? Please suggest an access-list that would prevent traffic between the two vlans. I am unsure of how to get the vlan2 to use the access-list after I create it.

Thanks

eoncablewire Tue, 06/02/2009 - 17:27

I am not using a wireless controller in this case. When creating the ssid for the SR520 there is no option for guest.

addis Wed, 06/03/2009 - 06:42

Hi eoncablewire -

I do understand that the option for an ssid is not present, but the procedure is generally the same. This document provides the building blocks for creating a guest setup that can be applied to the SR520.

You need to:

-create a new VLAN

-create an SSID

-choose security for the connection (or leave it open if that's what you want)

eoncablewire Wed, 06/03/2009 - 09:01

I appreciate your help in this matter. Have you worked with the SR520 yet? The CCA options are nowhere near the same as for the wireless controller and there is NO option for guest wlan, wireless users, or otherwise in the configuration pages within CCA. You can create an SSID and assign a vlan and that's pretty much it.

Everything else with the SR520 is CLI. If you have set up an SR520 with CCA please send me a screenshot so I can see what you are seeing.

Thanks

addis Wed, 06/03/2009 - 10:58

You're welcome. I answered quickly earlier before I headed to some meetings, but I'll try to provide some more details here.

Creating a guest wireless network is basically the same as creating any other VLAN / SSID combination.

The steps here will walk you through the exact screens you will see in CCA.

https://www.myciscocommunity.com/docs/DOC-1763

While you will not see 'guest' as a default option, you can follow these directions except you simply add the VLAN-SSID setup manually.

You may want to set up:

VLAN 25

SSID Cisco-Guest

DHCP Scope for VLAN 25    192.168.25.0 255.255.255.0

As for wireless security, it's up to you whether you want it open or prefer to have it secured and then give guest a password.

Hopefully that makes a little more sense, but just let me know.

eoncablewire Fri, 06/05/2009 - 11:00

It seems you are giving me instructions on how to set up a WLAN. That part is simple. Now I need to restrict the access between the guest WLAN and the corporate network. What do you suggest there?

eoncablewire Fri, 06/05/2009 - 12:18

The problem has been solved. The question was involving access-lists and what to create and how to apply it.

The guest vlan is vlan2 with an ip of 10.1.10.1 and the corporate vlan is vlan75 with an IP address of 192.168.75.1

So two access-lists were made

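! ACL 198: applied inbound on BVI75, drops traffic addressed to the guest subnet
ip access-list extended 198
 10 deny ip any 10.1.10.0 0.0.0.255
 20 permit ip any any

! ACL 199: applied inbound on BVI2, drops traffic addressed to the corporate subnet
ip access-list extended 199
 10 deny ip any 192.168.75.0 0.0.0.255
 20 permit ip any any

Then add the ACL to the BVI interfaces

interface BVI2
 ip access-group 199 in

interface BVI75
 ip access-group 198 in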

That was it. Now the guest users have no access to the router or the corporate network.

I knew roughly what the ACL should be but my biggest problem was not knowing where to add the ip access-group XXX in statement. I wasn't sure if it needed to be added to Vlan2, or BVI2.

Thanks
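A way to check what the two access-lists in the post above actually filter, as an added example that is not part of the original post or of any Cisco tooling. It models first-match evaluation with wildcard masks; the host addresses 10.1.10.50, 192.168.75.20 and 203.0.113.10 are constructed samples, while the subnets and the router addresses 10.1.10.1 and 192.168.75.1 come from the post.

```python
import ipaddress

# ACLs as posted in the thread: (action, source, destination).
# An address spec is "any" or a (network, wildcard mask) pair.
ACL_198 = [("deny", "any", ("10.1.10.0", "0.0.0.255")), ("permit", "any", "any")]
ACL_199 = [("deny", "any", ("192.168.75.0", "0.0.0.255")), ("permit", "any", "any")]

def matches(addr, spec):
    """True if addr matches the spec; wildcard bits set to 1 are ignored."""
    if spec == "any":
        return True
    base, wildcard = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, src_spec, dst_spec in acl:
        if matches(src, src_spec) and matches(dst, dst_spec):
            return action
    return "deny"

def audit(acl, src, destinations):
    """Map each destination to the action the ACL takes for packets from src."""
    return {dst: evaluate(acl, src, dst) for dst in destinations}

GUEST_HOST = "10.1.10.50"     # constructed guest client
CORP_HOST = "192.168.75.20"   # constructed corporate client
INTERNET = "203.0.113.10"     # constructed outside address (documentation range)

# ACL 199 is applied inbound on BVI2, so it sees packets sent by guest clients.
GUEST_CHECKS = audit(ACL_199, GUEST_HOST,
                     [CORP_HOST, "192.168.75.1", "10.1.10.1", INTERNET])

# ACL 198 is applied inbound on BVI75, so it sees packets sent by corporate clients.
CORP_CHECKS = audit(ACL_198, CORP_HOST, [GUEST_HOST, INTERNET])

if __name__ == "__main__":
    for label, checks in (("guest -> ", GUEST_CHECKS), ("corp  -> ", CORP_CHECKS)):
        for dst, action in checks.items():
            print(f"{label}{dst:<15} {action}")
```

Both entries match on destination only, so ACL 199 drops guest packets addressed to 192.168.75.0/24 (including 192.168.75.1) but permits packets addressed to the router's guest-side address 10.1.10.1; filtering that traffic takes an additional entry or a separate restriction on the router's management services.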

addis Fri, 06/05/2009 - 13:00

Great news!


I was digging through ACL commands to recommend to you but this looks good.

jwaters24 Fri, 07/17/2009 - 08:14

OK. Here are the steps that I have done.

on the UC520

created VLAN 25

ip address 192.168.2.1 255.255.255.0

default gateway: 192.168.1.1 (the UC520)

dhcp pool AnQ_Guest

192.168.2.0 255.255.255.0

ip helper-address 192.168.1.1

fastEthernet 0/1/7

switchport access vlan 25 (needs access to native vlan (1) also)

on the 521AP

SSID AnQ_guest (broadcast)

vlan 25

WEP Key

SSID Anderson and Quill (non-broadcast)

vlan 1 (native)

open authentication (for now; will be RADIUS)

I can see both networks from a wireless card and can connect to Anderson and Quill fine. I can connect to the AnQ_guest, but I do not receive an IP address and it times out with limited or no connectivity.

Any help would be greatly appreciated.

I have attached the config

thanks,

Marcos Hernandez Fri, 07/24/2009 - 07:22

The connection between the AP and the UC500 should be a trunk, so do not make that port an access port for VLAN 25. If you use CCA, you can use smartport role "AP" and this should work...

Thanks,


Marcos
