Cisco Support Community

WAP321 Isolate guest from local LAN

I have been searching for an easy explanation of how to create a guest SSID and isolate them from accessing the local LAN. However, they (obviously) need to be able to use the default GW and DNS server on the local LAN, as I cannot see any way that the WAP321 can act as a DHCP server for individual SSIDs and thus use external DNS and act as default GW for independent SSIDs.


Please someone tell me straight forward how to do this.

I'd like to do this without using VLAN tagging.





Accepted Solutions
New Member

Let me tell you how freakin' awesome you are! It turned out to be a stupid thing--I didn't enable Client QoS Mode--when I enabled that, the ACL started working perfectly, and I can't ping or access local wired resources anymore. You allowed me to accomplish what 2 Cisco techs told me cannot be done. You are the deal! Thank you so much.


But this is possible with

My initial post said:


I'd like to do this without using VLAN tagging.



I solved it by using ACL, a permit to default GW, then Deny to local subnet, then permit to everything else. (Not using Captive portal)



New Member

Could you please be more specific as to exactly how you set the ACL settings to accomplish this? I need to isolate wireless clients from the LAN and a VLAN is not possible. I have called Cisco with your post in hand, but they say that what you did is not possible. Do you have screen prints of your ACL settings?

Hello

The idea I got was as follows:

Allow access to default GW (and DNS, if DNS is in local subnet, you must allow access here), then deny local subnet (important that allow comes before deny), then allow access to everything else. Did this at a customer site, (seems) to work, the guests can access internet, but not access local subnet (tested just with ping though)

See attached RTF doc

(BTW Cisco, you could learn something from Aruba IAP here)
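The rule order described in the post above, modelled as an added example that is not part of the original thread or the attached document: a first-match evaluator that checks an ACL against the intended guest policy and shows what breaks when the deny is placed first. The addresses are constructed, and first-match evaluation with a default deny is an assumption of this sketch.

```python
import ipaddress

# Constructed sample addressing (assumptions, not values from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")
GATEWAY = ipaddress.ip_address("192.168.1.1")
DNS = ipaddress.ip_address("192.168.1.10")
ANY = ipaddress.ip_network("0.0.0.0/0")

def host(addr):
    """Single-host network for a permit/deny rule."""
    return ipaddress.ip_network(f"{addr}/32")

# Order described in the thread: permit gateway (and local DNS),
# deny the local subnet, permit everything else.
GUEST_ACL = [
    ("permit", host(GATEWAY)),
    ("permit", host(DNS)),
    ("deny", LAN),
    ("permit", ANY),
]

# Same rules with the deny moved first: the ordering the thread warns about.
MISORDERED_ACL = [GUEST_ACL[2], GUEST_ACL[0], GUEST_ACL[1], GUEST_ACL[3]]

def evaluate(acl, destination):
    """First-match verdict; default deny when no rule matches (assumption)."""
    dst = ipaddress.ip_address(destination)
    for action, network in acl:
        if dst in network:
            return action
    return "deny"

def audit(acl, must_permit, must_deny):
    """List destinations whose verdict differs from the intended policy."""
    problems = []
    for dst in must_permit:
        if evaluate(acl, dst) != "permit":
            problems.append((dst, "blocked but should be reachable"))
    for dst in must_deny:
        if evaluate(acl, dst) != "deny":
            problems.append((dst, "reachable but should be blocked"))
    return problems

MUST_PERMIT = [str(GATEWAY), str(DNS), "8.8.8.8"]
MUST_DENY = ["192.168.1.50", "192.168.1.200"]

if __name__ == "__main__":
    print("thread order:", audit(GUEST_ACL, MUST_PERMIT, MUST_DENY))
    print("deny first:  ", audit(MISORDERED_ACL, MUST_PERMIT, MUST_DENY))
```

This checks rule order only. As the accepted reply reports, the ACL had no effect on the access point until Client QoS Mode was enabled, so confirm the result from a guest client as well.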



New Member

I was close in my setup, but now I have this exactly as you sent me in your awesome documentation, but I can't make this work.  I can still ping and access the local wired computer.  Can you think of anything I am missing other than what you have posted?

Strange, it seemed to work for me, I'll do an extra check next time I visit the customer site.

Do you have a possibility (and trust me) to access your system via i.e. TeamViewer? I can have a look.


New Member

I would love for you to take a look if you have a moment, as I'm at wits' end with this issue. My TeamViewer ID is 450602210, and the password is 7755.

I'll connect

hkl


