Guest Vlan

anthony.dyne
Level 1

Hi

I have been told to configure a Guest VLAN on a WLC 5508 and ensure no access to the LAN network while connected to the Guest VLAN. I am looking for best practices in configuring

  • the DHCP for guest vlan
  • the security parameters for authentication,
  • the vlan configuration and bandwidth limitation.

ISP------Firewall--------L3_switch--------------users

My setup goes as above, with the WLC on a different VLAN, users on a different VLAN, and the server on a different VLAN.

Appreciate some quick help.

thanks

Anthony

7 Replies

Scott Fella
Hall of Fame

Since you don't have an anchor WLC in the DMZ, you need to create ACLs on the guest subnet to block them from accessing your other local subnets. For DHCP, I would put the DHCP scope on the L3 switch. If you don't want to create the DHCP there, you can create that on the WLC. Just note that the WLC DHCP will not be as reliable. You can also limit the bandwidth using policy maps for that subnet, or you can look at setting the QoS limits per user.

Edit: Here are some links:

https://supportforums.cisco.com/message/3421753#3421753

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Thanks Scott, very helpful reply.

We block Facebook, Twitter and other social networking sites for LAN users. The organization approved Internet access for iPhone & iPad users with bandwidth limitation and allowing all sites. What config setup do you advise for such a scenario (different SSID, authentication supporting iPhone, different VLAN, access restriction)?

Well it depends on what you are using now... I have clients that need to create a new SSID and VLAN just for these "bring your own device" users. So it comes down to: if you need to police traffic, then you need to either place the traffic on a VLAN that is policed or create a new VLAN with specific ACLs just for those devices. It's hard to say, because you can go either way. Usually these devices don't need to access certain VLANs anyway, and that is why I see more of my clients creating a separate subnet for these devices. Authentication varies too... if you want to secure the traffic then use 802.1X, but all the devices will need to support that. You now need to determine what devices you will allow on and what the limitation for security on those devices is. If you have 802.1X as a standard, you can maybe use one SSID and have the RADIUS server send an attribute to the WLC to place the user in a specific VLAN. So for example, if your laptops do computer or machine authentication, that AD group will be placed in VLAN 100. If they are domain users, or you add these users to an own-device group (new AD group), they are placed in VLAN 105.

Now for guest users, it is almost easier to keep the authentication open, using webauth to access the network. This saves your IT staff from having to troubleshoot or help set up guest client devices.

-Scott
*** Please rate helpful posts ***

Thanks Scott

For iPhone & iPad users I would go ahead and create another SSID mapping to a new VLAN. For security I am still evaluating whether to go with WPA2. Restricting the bandwidth to 2MB, for example, for SSID 'Smartphone': should this be done on the WLC or on the VLAN interface? Which is preferred?

Also, restricting this VLAN from communicating with other VLANs should be done on the VLAN interface.

Configuration on WLC

  SSID: SmartPhone
  VLAN: 5

Configuration on Layer 3 switch

  vlan 5
   name smartphone Vlan
  !
  interface Vlan5
   description vlan for smartphone
   ip address 10.10.10.1 255.255.255.0
   ip access-group ACL in
  !
  interface Vlan6
   description server vlan
   ip address 192.168.1.1 255.255.255.0
  !
  ! Extended ACL entries need a source and a destination, and IOS ACLs
  ! use wildcard masks (0.0.0.255), not subnet masks (255.255.255.0).
  ! Applied inbound on Vlan5, the source is the guest subnet, so deny
  ! anything headed for the server VLAN and let the rest through.
  ip access-list extended ACL
   deny   ip any 192.168.1.0 0.0.0.255
   permit ip any any
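A fuller version of the Layer 3 switch side that Scott describes earlier in the thread (DHCP scope on the switch, ACL on the guest SVI, bandwidth limit on the VLAN rather than per user on the WLC), added here as an example; it is not config from either poster. Assumptions: guest VLAN 5 is 10.10.10.0/24 with the SVI at 10.10.10.1 as in Anthony's post, the server VLAN is 192.168.1.0/24, the "2MB" limit is read as 2 Mbit/s, guest DNS is resolved through the firewall rather than an internal server, and the names GUEST-POOL, GUEST-IN and GUEST-2MBPS are invented for this example. Policing with `service-policy input` on an SVI is plain MQC on a router; on a Catalyst switch it depends on the platform's VLAN-based QoS support, so check your model before relying on it.

```ios
! --- DHCP for the guest VLAN, served by the L3 switch (Scott's preference) ---
! Keep the gateway and a few low addresses out of the pool.
ip dhcp excluded-address 10.10.10.1 10.10.10.10
!
ip dhcp pool GUEST-POOL
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.10.10.1
 lease 0 8
!
! --- Isolation ACL, applied inbound on the guest SVI ---
! Inbound on Vlan5 the source is always a guest client, so the rules only
! need to say where guests may NOT go. Wildcard masks, not subnet masks.
ip access-list extended GUEST-IN
 remark guests must still reach DHCP and DNS on this switch
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.10.10.1 eq domain
 remark block the server VLAN explicitly (Anthony's requirement)
 deny   ip any 192.168.1.0 0.0.0.255
 remark then block every other private range so new internal VLANs are covered too
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark anything left is Internet-bound and goes to the firewall
 permit ip any any
!
! --- Aggregate rate limit for the whole guest VLAN (assumed 2 Mbit/s) ---
! police <bps> <normal-burst-bytes> ...; burst sized for roughly 1.5 s at 2 Mbit/s.
policy-map GUEST-2MBPS
 class class-default
  police 2000000 375000 conform-action transmit exceed-action drop
!
interface Vlan5
 description Guest / smartphone VLAN (WLC dynamic interface maps here)
 ip address 10.10.10.1 255.255.255.0
 ip access-group GUEST-IN in
 service-policy input GUEST-2MBPS
!
interface Vlan6
 description server VLAN
 ip address 192.168.1.1 255.255.255.0
```

Two points worth checking after applying this: `show access-lists GUEST-IN` should show hit counts climbing on the `deny ... 192.168.1.0` line when a guest tries to ping a server, and the DHCP permit lines must stay above the private-range denies, since a DHCP request unicast to 10.10.10.1 would otherwise be dropped by the 10.0.0.0/8 entry. The `permit ip any any` at the end is what lets guests out to the firewall; if the WLC dynamic interface for this VLAN points its DHCP server at 10.10.10.1, no DHCP scope is needed on the controller.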

You are better off doing the bandwidth limitation on the vlan not on the wlc. On the wlc, you can limit how much per user, but not total. I don't think smartphones use up bandwidth that much since its usually http or email traffic.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Thanks

No problem Anthony... Thanks for the rating.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***