Guest Internet Access

Answered Question
Mar 6th, 2010

Hi


Looking for input on Guest Vlan subject.

How can I avoid routing of Guest VLAN traffic to the DATA VLAN? Any traffic from the Guest VLAN should be routed to the Internet directly.

Looking for a similar setup as in hotels: guests are provided with a username/password with a time duration to access the Internet, and the download speed is limited.


Do I need to create another SSID on the WLC, and how will the guest users acquire an IP, from WLC DHCP or Windows DHCP?

If it's Windows DHCP then Guest traffic reaches my Data VLAN.


Any Help

Scott Fella Sat, 03/06/2010 - 22:48
You need to have a separate SSID for guest.  Now you could use one port on the WLC for guest and this port would be connected to a separate internet connection.  If you only have one internet connection, then you will have to use ACLs (filters) to block guest traffic from your internal traffic.  Depending on what equipment you have, there are various ways you can do this.  Here are some links.


http://www.cisco.com/en/US/docs/wireless/technology/guest_access/technical/reference/4.1/GAccess_41.html

http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a00809ba482.shtml

saquib.tandel Sat, 03/06/2010 - 23:19

Thanks for replying.


We got WLC 4420

AP 1200 series ( 5 in quantity )


I am new to WLC, can you help me to understand

  • How many SSIDs can we configure on the WLC, and can each SSID have different config parameters?
  • Can we broadcast specific SSIDs on an AP configured with the WLC ( AP#1 can be used for SSID DATA & SSID Guest ) ( AP#2 can be SSID Guest & SSID Partners )
  • For the Guest SSID, is it recommended to connect to a separate port on the WLC?
  • Instead of creating Guest Users on WLC with time restriction, can this be done third party with ease of management. ( Office secretary can give access to internet to guest )
  • How to have bandwidth control on WLC, restrict users with bandwidth limit


Any configuration sample link with one Internet connection having DATA and Guest VLAN  using ACL to restrict  the traffic.

Correct Answer
Scott Fella Sun, 03/07/2010 - 08:34

We got WLC 4420 ----- Do you mean a 4402-xx?

AP 1200 series ( 5 in quantity )


I am new to WLC, can you help me to understand

  • How many SSIDs can we configure on the WLC, and can each SSID have different config parameters?

The APs and the code you might have will only support 8-16.  You don't want to configure too many (best practice is around 4) because all the beacons that need to be sent might cause issues with certain devices.  You can configure each SSID the same or different; it is up to you.  Follow best practices on this.


  • can we broadcast specific SSID on AP configured with WLC ( AP#1 can be used for SSID DATA & SSID Guest ) ( AP#2 can be SSID Guest & SSID Partners )

You can create WLAN Override (depends on code - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml) to specify what APs will broadcast what SSIDs.  This can be messy if you have gaps for roaming, unless that is not an issue.


  • For the Guest SSID, is it recommended to connect to a separate port on the WLC?

You have different options:

  • You can use a guest anchor controller in your DMZ
  • You can use one port on the WLC connected to your internal network and the other port to the DMZ
  • You can trunk VLANs and use ACLs to block guest traffic from inside networks.

All this depends on your current infrastructure and if you plan on buying more equipment or use the existing.


  • Instead of creating Guest Users on WLC with time restriction, can this be done third party with ease of management. ( Office secretary can give access to internet to guest )

You can use a NAC Guest Server... if you want to spend a lot of money.  You can configure a Lobby Admin account on the WLC so that the secretary has only read/write to add guest accounts.  This would be the same if you have WCS with a lobby admin account.

http://www.cisco.com/en/US/docs/wireless/wcs/4.2/configuration/guide/wcsmanag.html#wp1078208


  • How to have bandwidth control on WLC, restrict users with bandwidth limit

You would need to use a 3rd party tool for this like ZoneCD or again you can use the NAC Guest Server.

http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns348/ns787/data_sheet_c78-456124.html

http://cisco.com/application/pdf/paws/107630/WLC_NGS.pdf

http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns348/ns787/DeployingGuestAccess_051308.pdf



Any configuration sample link with one Internet connection having DATA and Guest VLAN  using ACL to restrict  the traffic.


I put some links above... hope this helps.  Again, it will come down to your existing environment and how much more you want to spend.  You also have to look at the time it might take to set up, will the secretary want to do this, etc.  How I see guest access..... well.... they go out a separate internet pipe, so I don't really care about bandwidth.  It's guests, so they would have to deal with that anywhere they go, even hotspots or even worse hotels :)  Make it simple and make it work... then you can add to that later when you get more familiar with configuration and troubleshooting.
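
One way to implement the "trunk VLANs and use ACLs" option from the answer above when there is a single Internet connection and the Windows DHCP server sits in the data VLAN. This is an added example, not part of the original thread. It assumes a Layer 3 switch or router running Cisco IOS is the gateway for the guest VLAN; the VLAN number, subnets and server address are constructed placeholders.

```cisco
! Added example; all numbers and addresses are constructed placeholders.
! Assumed: VLAN 50 = guest (192.168.50.0/24), internal networks use
! private address space, Windows DHCP/DNS server at 10.10.10.5 in the
! data VLAN. Without this ACL the gateway routes guest traffic into
! the data VLAN like any other connected network.
!
ip access-list extended GUEST-IN
 remark -- DHCP: initial broadcast, then unicast renewals to the server only
 permit udp any eq bootpc host 255.255.255.255 eq bootps
 permit udp 192.168.50.0 0.0.0.255 eq bootpc host 10.10.10.5 eq bootps
 remark -- DNS to the internal resolver only
 permit udp 192.168.50.0 0.0.0.255 host 10.10.10.5 eq domain
 permit tcp 192.168.50.0 0.0.0.255 host 10.10.10.5 eq domain
 remark -- block every private range, including the data VLAN
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark -- everything else is Internet-bound
 permit ip 192.168.50.0 0.0.0.255 any
!
interface Vlan50
 description Guest WLAN (WLC guest interface maps to this VLAN)
 ip address 192.168.50.1 255.255.255.0
 ! Relay guest DHCP requests to the Windows server in the data VLAN
 ip helper-address 10.10.10.5
 ! Filter traffic as it enters the gateway from guest clients
 ip access-group GUEST-IN in
```

After applying it, `show ip access-lists GUEST-IN` displays per-entry match counters, which confirms that guest clients still get leases and that attempts to reach internal ranges hit the deny lines.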




Scott Fella Mon, 03/08/2010 - 08:44

No problem.
