New Member

Guest SSID

Hello

I want to configure a guest SSID on a WLC 4400 series,

but I want it to go directly to the internet; I mean it cannot use the corporate network (servers and other applications).

And I want layer 2 security on it: WPA2.

As far as I know, I need to configure an internal DHCP pool on the controller itself for the guest users' VLAN, right?

And map that to the guest SSID.

It is not web authentication, so do I need to configure any access list for this subnet or not?

Any suggestions, please?

many thanks in advance

14 REPLIES
Cisco Employee

Guest SSID

You can try something like this:

WLC -- L2/L3 switch (with L2 VLAN for guest traffic) -- firewall (Cisco ASA) -- Internet

Once you create the guest SSID on the WLC and map it to a dynamic interface (say VLAN 100), create VLAN 100 on the switches along the path between the WLC and the firewall. Make sure that VLAN 100 is purely layer 2 along the path, i.e. there is no SVI interface on any of the switches. You can define the gateway for VLAN 100 on the firewall and configure the firewall to route traffic for VLAN 100 directly to the internet.

New Member

Guest SSID

What about if I configure a local DHCP pool for the guest users' VLAN and it will not go through the virtual interface and will be isolated from the corporate network?

Cisco Employee

Guest SSID

Even if you create a local DHCP scope, you will still need to create a dynamic interface on the WLC to which you will tie/map the guest SSID.

New Member

Guest SSID

Yeah, I agree with you on this.

Can you please explain how the guest users will go to the internet through the virtual interface? I mean, how does this work, and how are guest users kept from coming onto the corporate network (applications, printers, etc.)?

Hall of Fame Super Silver

Re: Guest SSID

To add to Viten's post: Viten explains that the guest SSID will be placed on the dynamic interface you use for guest. When using the WLC as a DHCP server for guest users, the users will see the virtual IP as the DHCP server. So this really has nothing to do with connectivity to the Internet. To prevent guest users from accessing your internal network, Viten explains that you need an L2 connection to your FW. This means no L3 interface for that guest subnet. With no L3 interface, guest gets pushed to the FW and is not able to route internally.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Guest SSID

Thanks, guys, for your reply,

but I do not have any firewall in my network, and I want to configure the WLC as a DHCP server for guest users and prevent them from accessing the internal network applications and all our other servers.

What do you say if I hit my local DNS server IP addresses in the DHCP pool, or is it not really necessary?

I already configured it without a firewall (local DHCP for the guest users' VLAN on the WLC), but my guest users can access the application. How can I stop them?

Also, I can see the virtual interface IP address as the DHCP IP address on the client side when connected to the guest SSID, so what should I do? Does anyone have any idea?

Many thanks

Hall of Fame Super Silver

Guest SSID

"What do you say if I hit my local DNS server IP addresses in the DHCP pool, or is it not really necessary?"

If you are going to use the WLC for DHCP for the guest users, you still need to create a dynamic interface to place the guest users on. You also need to use the WLC management IP address as your DHCP server IP address.

"I already configured it without a firewall (local DHCP for the guest users' VLAN on the WLC), but my guest users can access the application. How can I stop them?"

Configured what.... If you have created another subnet on your layer 3 switch and also created a layer 3 interface, then you are routing between the guest network and all your other networks. You would need to create an access list (ACL) to prevent this. You do have a layer 3 switch, correct?

"Also, I can see the virtual interface IP address as the DHCP IP address on the client side when connected to the guest SSID, so what should I do? Does anyone have any idea?"

Don't worry about this... it is because you have DHCP proxy enabled. If you disable DHCP proxy then users will see the IP of the DHCP server.

So basically what equipment do you have.... a 4400WLC that connects to a layer 3 switch then to a router for internet?

-Scott
New Member

Guest SSID

Thanks for your reply, Fella.

Yes, I have a WiSM card in a 6500 series switch, and I have configured the same guest user VLANs on that switch too, but I also configured the same VLANs on the WLC locally, and DHCP as well, and configured the controller's management IP in the DHCP server IP address field in the WLAN advanced tab.

But I guess we create an ACL to give access to applications to our guest VLAN users if we configure local DHCP for them; what do you say about this? Or can we configure an ACL to prevent them from going to the applications?

"So basically what equipment do you have.... a 4400WLC that connects to a layer 3 switch then to a router for internet?"

Ans:

I have a WiSM in a 6500 series switch, the switch is connected to the core switch, and the core is connected to our main office via a layer 3 link (OSPF).

Any ideas, please?

Hall of Fame Super Silver

Re: Guest SSID

Okay so you need to create an acl on the guest layer 3 interface to deny traffic to your internal networks. You can still use the wlc for dhcp for the guest. This doesn't matter if you do the dhcp in the wlc, switch or internal dhcp server. You still need to create an acl.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
Hall of Fame Super Silver

Re: Guest SSID

If you want to create an ACL on the WLC, here is a link. I suggest doing it on the L3... works better:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00807ce372.shtml

-Scott
New Member

Re: Guest SSID

Thanks for your reply, Fella.

I configured an ACL, but I do not know, maybe I configured it wrong; I can still access other servers from the guest SSID.

I want to configure it to use only our external local DNS server, for internet only, while I want to block all the other access.

DHCP will be at the controller the same; I want to use that.

Please tell me how I can deny all these accesses and only allow access to DNS?

Many thanks

Cisco Employee

Re: Guest SSID

Waseem,

I think it's time for a TAC case.

thanks.

New Member

Re: Guest SSID

Thanks for all your replies, Scott,

but unfortunately I still have not solved this issue. Please help me with this.

I have one VLAN subnet, 10.135.104.0/24, for guest users.

External DHCP for this VLAN: 10.5.2.22

External local DNS server: 10.5.2.23

I want to allow them to use only the internet, like HTTP only,

but they will get an IP from the external DHCP. *** Here, please advise me which is better to use: an external or a local DHCP server?

For DNS, this external one is the only one I have; they should use that one.

I do not have any firewall in my network.

I know the only solution is to configure an ACL on the WLC,

but I don't know how to configure it. I followed one doc but failed to configure it.

I mentioned my VLAN IP above; please tell me, step by step, how I can configure an ACL for it in order to give only internet access to that WLAN's users.

many thanks in advance

Re: Guest SSID

You can configure a typical ACL on the SVI interface of GUEST, thus allowing you to manage what goes where.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
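Added example (not posted by anyone in the thread): a small Python model of the guest-SVI ACL the replies recommend, using the subnet, DHCP and DNS addresses given above. It shows why rule order matters when the DNS server itself sits inside the internal range. Assumptions: the RFC 1918 blocks stand in for "internal networks", the WLC relays DHCP as unicast (DHCP proxy enabled), and all function names and the sample flows are constructed for illustration.

```python
import ipaddress

GUEST_NET = ipaddress.ip_network("10.135.104.0/24")  # guest subnet from the thread
DHCP_SERVER, DNS_SERVER = "10.5.2.22/32", "10.5.2.23/32"  # from the thread
# Assumption: the RFC 1918 blocks stand in for "internal networks".
INTERNAL = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Ordered like an inbound ACL on the guest SVI: (action, proto, dst, dst_port).
# The DHCP and DNS permits come before the internal denies because both
# servers sit inside 10.0.0.0/8. The DHCP rule assumes the WLC relays
# requests as unicast from its guest interface (DHCP proxy enabled).
GUEST_ACL = (
    [("permit", "udp", DHCP_SERVER, 67),
     ("permit", "udp", DNS_SERVER, 53),
     ("permit", "tcp", DNS_SERVER, 53)]
    + [("deny", "ip", net, None) for net in INTERNAL]
    + [("permit", "tcp", "0.0.0.0/0", 80)]  # HTTP only, as the asker requested
)

def evaluate(acl, src, proto, dst, dport):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    if ipaddress.ip_address(src) not in GUEST_NET:
        return "deny"
    for action, r_proto, r_dst, r_port in acl:
        if r_proto not in ("ip", proto):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(r_dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"

def misordered(acl):
    """Same rules with every deny moved to the top (a common ordering mistake)."""
    return sorted(acl, key=lambda rule: rule[0] != "deny")

# Constructed flows from one guest client; only the DNS server address is
# taken from the thread, the other destinations are made up.
FLOWS = [
    ("10.135.104.50", "udp", "10.5.2.23", 53),     # DNS lookup
    ("10.135.104.50", "tcp", "10.5.2.40", 445),    # internal file server
    ("10.135.104.50", "tcp", "203.0.113.10", 80),  # HTTP to the internet
    ("10.135.104.50", "tcp", "203.0.113.10", 22),  # SSH to the internet
]

def verdicts(acl):
    return [evaluate(acl, *flow) for flow in FLOWS]

if __name__ == "__main__":
    print("ordered:   ", verdicts(GUEST_ACL))
    print("misordered:", verdicts(misordered(GUEST_ACL)))
```

With the denies placed first, the guest client loses DNS even though a permit for it exists further down the list.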