Separating Guest WLAN from Internal WLAN

Answered Question
Sep 22nd, 2010

Hi,

I am having trouble configuring a Guest WLAN using web authentication. I am using a 4402 WLC running 5.2.93.0 to set it up. I also have a 3750 switch that the WLC connects to, and the 3750 connects to my ASA 5510 running 8.3.1. The guest WLAN is for internet access only. I can get onto the guest WLAN, and at first the guest and internal networks cannot communicate with one another, but once I access the internet they start responding to one another.

On the WLC it is set up for web auth. Under the WLAN tab, no layer 2 or 3 security. Web policy and auth are selected (thinking about using pass-through). Under the interface I have the IP, gateway and DHCP servers entered.

I have tried extended ACLs on the ASA to block our internal network while allowing the guest WLAN internet access. I have also configured the switch port on the 3750 that the WLC connects to for trunking and allowing the guest VLAN.

Any ideas what I am missing or not configuring correctly?

Thanks.

0 votes
Correct Answer by George Stefanick about 6 years 3 months ago

Hey Len,

I don't know exactly how your network is configured. Are you using an ANCHOR, or are you dropping the traffic on the doorstep of the WLC? So let's start with the basics.

I took the time and included a short topology for your own visual, based on what you provided so far. I understand you don't want the guest network to talk to the production network, correct? If this is the case I might suggest applying an ACL on the SVI interface of your GUEST WLAN.

Let's follow the packet ... A user on the guest network 192.x.x.x pings a production client on the 10.x.x.x network.

1. The packet leaves the wireless client
2. It reaches the AP and LWAPP headers are applied
3. The packet travels the LWAPP tunnel back to the WLC
4. The WLC rips off the LWAPP 802.11 headers and applies the 802.3 headers
5. The WLC puts the packet on the wired interface
6. The next stop for the packet is through the SVI interface on your 3750
7. The ACL drops anything going to 10.x.x.x

Make sense?

You could apply an ACL in the WLC but I would not recommend that...

Overall Rating: 5 (1 ratings)
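One way to build the SVI ACL from steps 6 and 7 above, as an added example that is not from the thread or from George's post. VLAN 192, the guest subnet 192.168.192.0/24, the production summary 10.0.0.0/8 and the DHCP/DNS server 10.0.0.10 are assumed values; the ACL has to permit DHCP and DNS before the deny, or guests never get an address.

```ios
! Added example (not from the thread). Assumptions: guest VLAN 192 with SVI
! 192.168.192.1/24 on the 3750; production summarised as 10.0.0.0/8; the only
! production host guests may reach is the DHCP/DNS server 10.0.0.10.
ip access-list extended GUEST-IN
 remark Guests still need DHCP (via WLC DHCP proxy or ip helper relay) and DNS
 permit udp 192.168.192.0 0.0.0.255 host 10.0.0.10 eq bootps
 permit udp any eq bootpc any eq bootps
 permit udp 192.168.192.0 0.0.0.255 host 10.0.0.10 eq domain
 remark Nothing else sourced from the guest subnet may enter production
 deny   ip 192.168.192.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 remark Give any other internal range (172.16/12, other 192.168/16) the same deny
 remark Whatever is left is Internet-bound and continues towards the ASA
 permit ip 192.168.192.0 0.0.0.255 any
 remark Anything not sourced from the guest subnet on this VLAN is spoofed
 deny   ip any any
!
interface Vlan192
 description Guest WLAN gateway (step 6 of the packet walk)
 ip address 192.168.192.1 255.255.255.0
 ip helper-address 10.0.0.10
 ip access-group GUEST-IN in
!
```

After applying it, `show ip access-lists GUEST-IN` shows per-entry hit counts, so a guest ping to a 10.x.x.x host should increment the deny line while a web page still loads. The ACL only sees traffic routed through the SVI, so production clients initiating towards guests are filtered on their own SVI or on the ASA, not here.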

davy.timmermans Thu, 09/23/2010 - 01:36

Hello!

I'm not sure if you configured the rest of your network like this:

3750:
guest VLAN (corresponding with the VLAN on the WLC for guest)
no layer 3 interface for this VLAN (not routable)

ASA:
create an interface for this VLAN on the ASA serving as default gateway.

Then on the ASA you can regulate the traffic.
