ACL on guest wireless network

Unanswered Question
Oct 26th, 2011

Hi All,

I've run into a bit of a problem with restricting access on our guest wireless network in one of our branch offices. Essentially the setup we have is 4400 WLCs in our DC with the APs in the branches registered against them and using H-REAP to place devices into either the corporate wireless network or guest wireless network. Now the standard approach for us is to have the guest wireless network on a layer2-only VLAN on the switches and the layer3 gateway being a simple Internet router. That way it keeps guests away from our corporate network. However, we have a site which was implemented by a third party on our behalf due to resource issues who have implemented things in a very poor way. Essentially there is no guest Internet router and the guest Internet traffic is routed via the guest VLAN as it has been configured as layer3. So guest Internet traffic is routing onto our corporate network and using our corporate Internet link. What's worse is there are NO RESTRICTIONS at the moment so once someone is on the guest network they have carte blanche access to our entire network. Needless to say, when I found out about this I was livid, but I need to sort this ASAP. My goal is to fix this by removing the layer3 VLAN interface and placing an Internet router to handle guest Internet access and DHCP, but as this office is thousands of miles away I can't do this straight away.

What I would like to do is place an ACL on the layer3 VLAN interface that is the guest VLAN on the corporate switches. I want to block anything towards the corporate network, i.e. 10.0.0.0/8, and allow anything else, i.e. the Internet. The problem is I've tried implementing this and when I do, guests are no longer sent to the WLC's Web Authentication page in order for them to log in and continue. I've got logs against the Deny rules in the ACLs but nothing is showing up and there are no hits either. As soon as I take away the ACL, users can then attempt to browse to any website and are forwarded to the Web Authentication page first.

I'm hoping someone on here has a simple answer to what is required on a guest network ACL so I can get the guest wireless up and running and more secure at the same time.  Here is the ACL as it stands:

Extended IP access list 140
    10 permit udp any any eq bootps (325 matches)
    20 permit udp any any eq bootpc
    30 permit ip any host 10.xxx.xxx.62  ! Default Gateway (layer3-VLAN)
    40 deny ip any 10.0.0.0 0.255.255.255 log (4 matches)
    50 permit ip any any

Kind Regards

Craig J

chucktranhpb Wed, 10/26/2011 - 20:44

Change the WLAN for that site to a centrally switched vlan and then apply your acl to that vlan.

craig.juhas Thu, 10/27/2011 - 01:30

Hi Chuck,

Please can you give a bit more detail on what you mean by this? When you say a centrally switched VLAN, do you mean at the location of the WLCs?

Craig

chucktranhpb Thu, 10/27/2011 - 16:05

Craig,

Your guest clients are unable to reach your WLC to download the web auth page.

A centrally switched VLAN allows the remote wireless traffic to be tunneled across your network and placed on a VLAN directly connected to the WLC. You can apply that same ACL on that VLAN and it should work.

Or before doing that, perhaps you can alter the ACL on your existing guest wireless VLAN to allow http access to your WLC.

craig.juhas Fri, 10/28/2011 - 00:59

Hi Chuck,

I will try opening access to the WLCs from the guest VLAN first.

I'm not keen to send the guest traffic across our WAN to the WLCs' VLAN as this is very low priority traffic and I don't want it interfering with corporate traffic on the MPLS. I know I could implement QoS and so on but I don't want to overcook this.

Craig
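
Added example, not part of the thread: Chuck's suggestion to allow HTTP to the WLC ahead of the deny, modelled with a small first-match evaluator run over the ACL as posted. The gateway, WLC and guest addresses are constructed placeholders, entry 35 is hypothetical, and the WLC sitting inside 10.0.0.0/8 is an assumption.

```python
import ipaddress

# Constructed stand-ins: the thread masks the gateway (10.xxx.xxx.62) and never
# gives the WLC address; a WLC address inside 10.0.0.0/8 is an assumption.
GATEWAY, WLC, GUEST = "10.1.1.62", "10.2.2.10", "10.1.1.33"
PORTS = {"bootps": 67, "bootpc": 68, "www": 80}

ACL_140 = f"""\
10 permit udp any any eq bootps
20 permit udp any any eq bootpc
30 permit ip any host {GATEWAY}
40 deny ip any 10.0.0.0 0.255.255.255 log
50 permit ip any any
"""
# Hypothetical entry 35 (not from the thread): HTTP to the WLC, ahead of the deny.
ACL_FIXED = ACL_140 + f"35 permit tcp any host {WLC} eq www\n"

def _addr(tok):  # consume one address spec -> (matcher, remaining tokens)
    if tok[0] == "any":
        return (lambda ip: True), tok[1:]
    if tok[0] == "host":
        return (lambda ip, h=ipaddress.ip_address(tok[1]): ip == h), tok[2:]
    base, wild = (int(ipaddress.ip_address(t)) for t in tok[:2])
    # Wildcard-mask bits set to 1 are "don't care".
    return (lambda ip: (int(ip) | wild) == (base | wild)), tok[2:]

def parse(text):
    rules = []
    for line in text.splitlines():
        seq, action, proto, *rest = line.split()
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
        port = (PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        rules.append((int(seq), action, proto, src, dst, port))
    return sorted(rules, key=lambda r: r[0])  # IOS evaluates in sequence order

def evaluate(rules, proto, dst, dport):  # first matching entry wins
    s, d = ipaddress.ip_address(GUEST), ipaddress.ip_address(dst)
    for seq, action, rproto, src, rdst, port in rules:
        if rproto in ("ip", proto) and src(s) and rdst(d) and port in (None, dport):
            return seq, action
    return None, "deny"  # implicit deny ends every ACL

def check(acl_text):
    rules = parse(acl_text)
    flows = {"dhcp": ("udp", "255.255.255.255", 67),
             "http to WLC": ("tcp", WLC, 80),
             "corporate host": ("tcp", "10.3.3.3", 445),
             "internet": ("tcp", "198.51.100.7", 80)}
    return {name: evaluate(rules, *f) for name, f in flows.items()}
```

`check(ACL_140)` reports the entry that decides each flow as posted, and `check(ACL_FIXED)` shows the same flows once entry 35 is in place, with other corporate destinations still landing on entry 40.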


This Discussion

Posted October 26, 2011 at 1:40 AM