Guest Wlan - Routing Question

Jan 29th, 2010

Hi everyone,

We are currently attempting to deploy a wireless guest network that is segregated from our internal network. We are using a Cisco 4404 wlan controller w/ 1142n wireless access points broadcasting a guest wlan on a separate vlan/subnet from all other wireless and wired traffic. When connected to it, I am able to access the Internet, as well as anything on our internal network. The WAPs connect to 3560 and 3750 POE switches which are trunked to our core switch, a Cisco 6509.

There is a route in our core switch that states:

ip route 0.0.0.0 0.0.0.0 10.0.0.1 (10.0.0.1 being the lan interface on our firewall)

and I think it might be the problem? Either that, or a setting in our hardware firewall.

Is there a way to segregate this traffic via routing in the 6509? Perhaps with an ACL or a specific route? Any ideas would help. Thanks!

Mike

Jon Marshall Fri, 01/29/2010 - 06:29

Mike

It's not entirely clear what you want to do. Is it just to allow Internet access for the guest VLAN and nothing else? If so, have a look at this recent thread, which is about the same thing -

guest access

Jon

glen.grant Fri, 01/29/2010 - 06:42

Sounds like a wireless controller setup problem. A default route pointing to the Internet is a normal setup. Sounds like guest was just set up like another SSID, and it would then be routed normally. I would do a search on configuring guest on a wireless controller and see what's incorrect.

sachinraja Fri, 01/29/2010 - 07:24

Hi Mike

Do you have an anchor controller and guest NAC in your setup? If not, Jon's answer points you in the right direction. Can you let us know more about your setup? We have implemented guest access with VRF-lite on the edge, which isolates the routing instance of the guest subnet and does not override the internal routing table of the customer, but designing this is quite a challenging task, and the devices have to support this technology. If it is a simple wireless access setup, VLAN ACLs are probably the way to go!

In fact, your wireless controller internally has ACL configurations where you can specify access based on SSIDs:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807810d1.shtml#backinfo

Just a note on wireless controller ACLs: these ACLs are not stateful. You need to define ACLs for both the incoming and outgoing traffic.

Hope this helps.. all the best..

Raj

senatore_mike Mon, 02/01/2010 - 06:46

Thanks for your responses.

@jon.marshall

Yes, we would like to allow Internet access on the guest VLAN and nothing else (no access to any of our internal services/VLANs). It seems like it might involve some WLC configuration as well as some router configuration in our 6509.

@glen.grant

Currently, I believe the guest SSID is set up like the other non-guest SSIDs. I have tried adding an ACL denying certain routes, but it doesn't seem to block access to the LAN. Also, I have tried to route traffic on the guest SSID directly to our Internet router (its public IP), but it does not allow me to do so (says something like it is not valid, or it must be on the same subnet as the management interface).

@sachinraja

We do not have an anchor controller. We only have one Cisco 4404 WLC. Can I use the guest functionality with only one physical WLC? Should I only be setting VLAN ACLs in the WLC and not worry about setting them up in the Cisco 6509? I have tried adding some of the SSID ACLs, but to no avail. I will read the links posted a bit more today.

Is there anything in particular you would like to know about our setup that I have not explained in my initial post?

Mike

Jon Marshall Mon, 02/01/2010 - 07:51

Mike

    Yes, we would like to allow Internet access on the guest vlan and nothing else (no access to any of our internal services/vlans). It seems like it might involve some WLC configuration as well as some router configuration in our 6509.

Don't know about the WLC, but applying an ACL to the L3 routed interface for the guest VLAN would do what you want. Did you look at the link I sent to the other thread? It is exactly what you are trying to do.

Jon
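As an added illustration of Jon's suggestion (example configuration written for this page, not taken from any post in the thread), here is what an ACL on the guest VLAN's L3 interface on the 6509 could look like. Everything about the addressing is assumed: guest VLAN 200 with subnet 10.200.0.0/24 and its SVI at 10.200.0.1, internal networks covered by the RFC 1918 ranges, and an optional internal DNS server at 10.0.0.53. Guest DHCP is served by the WLC, as Mike's later post says, so no DHCP relay to an internal server is needed. Because IOS ACLs are no more stateful than the WLC ACLs Raj described, the example filters both directions of the SVI.

```cisco
! Example only - addresses below are hypothetical.
! Guest VLAN 200 = 10.200.0.0/24, SVI 10.200.0.1; internal = RFC 1918 space.
ip access-list extended GUEST-IN
 remark Traffic entering the 6509 from the guest VLAN
 remark DHCP between guests and the WLC-hosted DHCP server
 permit udp any eq bootpc any eq bootps
 remark Internal DNS only; drop this line if guests use a public resolver
 permit udp 10.200.0.0 0.0.0.255 host 10.0.0.53 eq domain
 remark Block everything else aimed at internal address space
 deny   ip 10.200.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.200.0.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.200.0.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark Remaining traffic follows the default route to the firewall
 permit ip 10.200.0.0 0.0.0.255 any
!
ip access-list extended GUEST-OUT
 remark Traffic leaving the 6509 toward guests; ACLs are not stateful
 remark Replies to TCP sessions the guests opened (ACK or RST set)
 permit tcp any 10.200.0.0 0.0.0.255 established
 remark DNS replies, only needed with the internal DNS line above
 permit udp host 10.0.0.53 eq domain 10.200.0.0 0.0.0.255
 permit icmp any 10.200.0.0 0.0.0.255 echo-reply
 remark Internal hosts must not initiate toward guests
 deny   ip 10.0.0.0 0.255.255.255 10.200.0.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.200.0.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.255.255 10.200.0.0 0.0.0.255
 remark Return traffic from the Internet (UDP and the rest)
 permit ip any 10.200.0.0 0.0.0.255
!
interface Vlan200
 description Guest wireless
 ip address 10.200.0.1 255.255.255.0
 ip access-group GUEST-IN in
 ip access-group GUEST-OUT out
```

Order matters: the DHCP and DNS permits have to precede the RFC 1918 denies, and because 10.200.0.0/24 sits inside 10.0.0.0/8 the denies also stop guests from reaching the SVI itself, which is usually what you want. The `established` keyword only checks TCP flags, so the firewall at 10.0.0.1 remains the stateful boundary; the ACL's job is to keep guest traffic from ever being routed onto internal VLANs. After applying it, `show ip access-lists GUEST-IN` shows per-entry hit counts, which is the quickest way to confirm that a guest client's attempts at the internal network are landing on the deny entries rather than on the final permit.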

senatore_mike Mon, 02/01/2010 - 10:40

Thanks for your help! I was able to prevent access to all VLANs on our guest network that I specified within our 6509 (VACLs). At this point in time I am wondering if I am using the WLC as much as I should be. I will read the other article you guys mentioned earlier regarding guest access on the WLC. I currently have a web policy in place that requires the guest user to log in via a web browser. It seems a client can pull an IP address (from the DHCP server on the WLC) before authenticating. I am looking at creating a pre-authentication ACL on the SSID in the WLC to prevent the handing out of DHCP addresses before authentication. Anyone have any experience with this?

Mike
