01-30-2012 11:48 PM - edited 07-03-2021 09:28 PM
Hi
I have been told to configure a Guest VLAN on a WLC 5508 and to ensure no access to the LAN network while connected to the Guest VLAN. I am looking for best practices in configuring this.
ISP------Firewall--------L3_switch--------------users
my setup goes as above with WLC on different vlan, users on different vlan, server on different vlan
appreciate some quick help
thanks
Anthony
01-31-2012 04:40 AM
Since you don't have an anchor WLC in the DMZ, you need to create ACLs on the guest subnet to block them from accessing your other local subnets. For DHCP, I would put the DHCP scope on the L3 switch. If you don't want to create the DHCP there, you can create that on the WLC. Just note that the WLC DHCP will not be as reliable. You can also limit the bandwidth using policy maps for that subnet, or you can look at setting the QoS limits per user.
Edit: Here are some links:
https://supportforums.cisco.com/message/3421753#3421753
Sent from Cisco Technical Support iPhone App
01-31-2012 05:54 AM
Thanks Scott, very helpful reply
We block Facebook, Twitter and other social networking sites for LAN users. The organization approved Internet access for iPhone & iPad users with a bandwidth limitation and allowing all sites. What config setup do you advise for such a scenario (different SSID, authentication supporting iPhone, different VLAN, access restriction)?
01-31-2012 06:10 AM
Well, it depends on what you are using now... I have clients that need to create a new SSID and VLAN just for these "Bring your own device" cases. So it comes down to this: if you need to police traffic, then you need to either place the traffic on a VLAN that is policed or create a new VLAN with specific ACLs just for those devices. It's hard to say, because you can go either way. Usually these devices don't need to access certain VLANs anyway, and that is why I see more of my clients creating a separate subnet for these devices. Authentication varies too... if you want to secure the traffic then use 802.1x, but all the devices will need to support that. You now need to determine what devices you will allow on and what the limitation for security on those devices is. If you have 802.1x as a standard, you can maybe use one SSID and have the RADIUS server send an attribute to the WLC to place the user in a specific VLAN. So for example, if your laptops do computer or machine authentication, that AD group will be placed in VLAN 100; if they are domain users, or you add these users to an own-device group (new AD group), they are placed in VLAN 105.
Now for guest users, it is almost easier to keep the authentication open using webauth to access the network. This eliminates your IT staff from having to troubleshoot or help setup guest client devices.
01-31-2012 10:11 PM
Thanks Scott
For iPhone & iPad users I would go ahead and create another SSID mapping to a new VLAN. For security I am still evaluating going with WPA2. Restricting the bandwidth to 2 MB, for example, for SSID 'Smartphone': should that be done on the WLC or on the VLAN interface? Which is preferred?
Also restricting this vlan to communicate with other vlan should be done on vlan interface
Configuration on WLC
SSID - SmartPhone
VLAN 5

Configuration on Layer 3 switch
vlan 5
 name smartphone_Vlan
interface vlan 5
 description vlan for smartphone
 ip address 10.10.10.1 255.255.255.0
 ip access-group ACL in
interface vlan 6
 description server vlan
 ip address 192.168.1.1 255.255.255.0
ip access-list extended ACL
 remark extended ACLs need source and destination, with wildcard masks (0.0.0.255), not subnet masks
 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
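As an added example, not part of the original post, here is a small Python evaluator for IOS-style extended ACL entries that checks the kind of guest-isolation ACL discussed in this thread against constructed sample flows. The guest subnet (10.10.10.0/24 on VLAN 5) and the server subnet (192.168.1.0/24 on VLAN 6) come from the posted config; the ACL name, the DHCP/DNS allowances, the additional RFC1918 denies, the flow addresses and the 203.0.113.10 "Internet" host are assumptions made for the example. It also shows why a subnet mask (255.255.255.0) in the place of a wildcard mask (0.0.0.255) does not block the server VLAN at all.

```python
"""
Tiny evaluator for Cisco IOS style extended ACL entries, used to sanity-check a
guest-isolation ACL before pasting it into a switch. Addresses, flows and the
DHCP/DNS allowances are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One access-list entry. src/dst use IOS syntax: 'any', 'host A', or 'A WILDCARD'."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (any protocol), "tcp", "udp"
    src: str
    dst: str
    sport: Optional[int] = None  # match only this source port (None = any)
    dport: Optional[int] = None  # match only this destination port (None = any)


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    This is the inverse of a subnet mask, which is the mistake in the original ACL."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    base, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))  # bits that must be equal
    return (a & care) == (b & care)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ace.sport is not None and ace.sport != flow.sport:
        return False
    if ace.dport is not None and ace.dport != flow.dport:
        return False
    return wildcard_match(flow.src, ace.src) and wildcard_match(flow.dst, ace.dst)


def evaluate(acl: list, flow: Flow) -> str:
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action
    return "deny"


GUEST = "10.10.10.0 0.0.0.255"
# Inbound ACL for interface Vlan5 (assumed name GUEST_IN): let guests obtain an
# address and resolve names, block every private range (not only the server
# VLAN, so the WLC management and user VLANs are covered too), then allow Internet.
GUEST_IN = [
    Ace("permit", "udp", "any", "any", sport=68, dport=67),   # DHCP client -> server
    Ace("permit", "udp", GUEST, "any", dport=53),             # DNS, assumed resolver on udp/53
    Ace("deny",   "ip",  GUEST, "10.0.0.0 0.255.255.255"),
    Ace("deny",   "ip",  GUEST, "172.16.0.0 0.15.255.255"),
    Ace("deny",   "ip",  GUEST, "192.168.0.0 0.0.255.255"),
    Ace("permit", "ip",  GUEST, "any"),
]

# Constructed sample flows; 203.0.113.10 is a documentation address standing in for the Internet.
SAMPLE_FLOWS = {
    "guest_to_server":    Flow("tcp", "10.10.10.50", "192.168.1.10", 51000, 443),
    "guest_to_other_lan": Flow("tcp", "10.10.10.50", "10.10.20.5", 51001, 445),
    "guest_to_internet":  Flow("tcp", "10.10.10.50", "203.0.113.10", 51002, 443),
    "guest_dhcp":         Flow("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "guest_dns":          Flow("udp", "10.10.10.50", "192.168.1.10", 51003, 53),
}


def verdicts() -> dict:
    """Verdict of GUEST_IN for every sample flow."""
    return {name: evaluate(GUEST_IN, f) for name, f in SAMPLE_FLOWS.items()}


def subnet_mask_as_wildcard() -> tuple:
    """Why 'deny ip 192.168.1.0 255.255.255.0' cannot block the server VLAN: read as a
    wildcard, 255.255.255.0 only pins the last octet, so 192.168.1.50 never matches."""
    return (wildcard_match("192.168.1.50", "192.168.1.0 255.255.255.0"),
            wildcard_match("192.168.1.50", "192.168.1.0 0.0.0.255"))


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:20s} {verdict}")
    print("subnet mask vs wildcard:", subnet_mask_as_wildcard())
```

The evaluator is deliberately first-match with an implicit deny, which is how IOS processes an access list, so entry order matters: the DHCP and DNS permits must sit above the private-range denies or guests never get an address. On a real switch, verify the result with `show ip access-lists ACL` and watch the match counters grow on the deny entries while a guest tries to reach the server VLAN.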
02-01-2012 12:36 AM
You are better off doing the bandwidth limitation on the vlan not on the wlc. On the wlc, you can limit how much per user, but not total. I don't think smartphones use up bandwidth that much since its usually http or email traffic.
Thanks,
Scott Fella
Sent from my iPhone
02-04-2012 03:50 AM
Thanks
02-04-2012 05:17 AM
No problem Anthony... Thanks for the rating.
Sent from Cisco Technical Support iPhone App