I have been searching for an easy explanation of how to create a guest SSID and isolate it from accessing the local LAN; however, the guests need (obviously) to be able to use the default GW and DNS server on the local LAN, as I can not see any way that the WAP321 can act as a DHCP server for individual SSIDs and thus use external DNS and act as default GW for independent SSIDs.
Please someone tell me straight forward how to do this.
I'd like to do this without using VLAN tagging.
Let me tell you how freakin' awesome you are! It turned out to be a stupid thing: I didn't enable Client QoS Mode. When I enabled that, the ACL started working perfectly, and I can't ping or access local wired resources anymore. You allowed me to accomplish what 2 Cisco techs told me cannot be done. You are the deal! Thank you so much.
But this is possible with VLAN tagging:
I solved it by using an ACL: a permit to the default GW, then a deny to the local subnet, then a permit to everything else. (Not using captive portal.)
Could you please be more specific as to exactly how you set the ACL settings to accomplish this? I need to isolate wireless clients from the LAN, and a VLAN is not possible. I have called Cisco with your post in hand, but they say that what you did is not possible. Do you have screen prints of your ACL settings?
The idea I got was as follows:
Allow access to the default GW (and DNS; if DNS is in the local subnet, you must allow access here), then deny the local subnet (important that the allow comes before the deny), then allow access to everything else. Did this at a customer site; it (seems) to work: the guests can access the internet but not the local subnet (tested just with ping, though).
See attached RTF doc
(BTW Cisco, you could learn something from Aruba IAP here.)
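The rule ordering described in the post above, as an added example that is not part of the thread or of any WAP321 firmware: a small first-match ACL evaluator that checks a guest client's destination against the permit-GW / deny-LAN / permit-any list, and shows what happens when the deny is placed first. The addresses (LAN 192.168.1.0/24, gateway 192.168.1.1, internet host 203.0.113.10) are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# A rule is (action, destination network). First match wins, which is the
# ordering behaviour the post relies on. Addresses below are constructed.
Rule = Tuple[str, ipaddress.IPv4Network]


def make_rules(gateway: str, lan: str, dns: Optional[str] = None) -> List[Rule]:
    """Build the ordered list from the post: permit the default GW (and the
    DNS server if it lives inside the LAN), deny the local subnet, then
    permit everything else (the internet)."""
    rules: List[Rule] = [("permit", ipaddress.ip_network(gateway + "/32"))]
    if dns is not None:
        rules.append(("permit", ipaddress.ip_network(dns + "/32")))
    rules.append(("deny", ipaddress.ip_network(lan)))
    rules.append(("permit", ipaddress.ip_network("0.0.0.0/0")))
    return rules


def evaluate(rules: List[Rule], dst: str) -> str:
    """Return the action of the first rule whose network contains dst;
    an empty match list falls through to an implicit deny."""
    addr = ipaddress.ip_address(dst)
    for action, net in rules:
        if addr in net:
            return action
    return "deny"


def reorder_deny_first(rules: List[Rule]) -> List[Rule]:
    """Return the same rules with the deny moved ahead of the permits.
    This is the misordering the post warns about: the /24 deny now
    shadows the /32 permit for the gateway, so guests lose DNS and routing."""
    denies = [r for r in rules if r[0] == "deny"]
    permits = [r for r in rules if r[0] == "permit"]
    return denies + permits


if __name__ == "__main__":
    # Constructed sample network: DNS is the gateway itself here.
    good = make_rules("192.168.1.1", "192.168.1.0/24", dns="192.168.1.1")
    bad = reorder_deny_first(good)
    for dst in ("192.168.1.1", "192.168.1.50", "203.0.113.10"):
        print(f"{dst:>14}  correct order: {evaluate(good, dst):6}  "
              f"deny first: {evaluate(bad, dst)}")
```

Note that on the WAP321 the ACL only takes effect once Client QoS Mode is enabled, as the original poster found.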
I was close in my setup, but now I have this exactly as you sent it to me in your awesome documentation, and I still can't make this work. I can still ping and access the local wired computer. Can you think of anything I am missing other than what you have posted?
Strange, it seemed to work for me. I'll do an extra check next time I visit the customer site.
Do you have a possibility (and trust me) to access your system via e.g. TeamViewer? I can have a look.
I would love for you to take a look if you have a moment, as I'm at my wits' end with this issue. My TeamViewer ID is 450602210, and the password is 7755.