Cisco Support Community
Community Member

wireless guest design + security

Hi

Could anyone please advise on a recommended approach to guest wireless design?

The requirement is to allow only Internet access for guest users. The guest user VLAN is terminated on an L3 switch, and the guest should not see LAN traffic or reach other VLANs on the same switch. I tried using PBR for the guest user VLAN, setting the next hop as the firewall, but the users were still able to reach other LAN traffic.

The guest SSID is configured to use web authentication (user ID / password) using the local user database on a 5500 series controller.

Please advise

Thanks in advance

Gaj

3 REPLIES
Cisco Employee

Whatever wireless config you have need not be changed!! You need to tweak the inter-VLAN routing!!

That is..

The VLAN that you're using for GUEST should not communicate with the rest of the VLANs and should allow just Internet traffic; this can be achieved by creating a two-line ACL denying traffic for the rest of the VLANs and allowing the protocols that you need!!

The below may help you..

https://learningnetwork.cisco.com/thread/14122

Please don't forget to rate the useful posts!! Rating will help others as well to get the right resource!!

Regards

Surendra
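
The ACL approach described in the reply above, written out as an added example (not part of the original thread, and not a Cisco-supplied configuration). It is Cisco IOS configuration for the L3 switch and assumes a hypothetical guest VLAN 50 on 192.168.50.0/24, internal VLANs that all fall inside RFC 1918 space, and a hypothetical internal DNS server at 10.0.0.53; the ACL name is also made up.

```cisco
! Added example. VLAN 50, 192.168.50.0/24, 10.0.0.53 and the name
! GUEST-IN are assumed values, not taken from the thread.
ip access-list extended GUEST-IN
 remark DHCP from guest clients (source may still be 0.0.0.0)
 permit udp any eq bootpc any eq bootps
 remark Exception placed BEFORE the denies: DNS to the internal resolver
 remark (delete both lines if guests use a public resolver)
 permit udp 192.168.50.0 0.0.0.255 host 10.0.0.53 eq domain
 permit tcp 192.168.50.0 0.0.0.255 host 10.0.0.53 eq domain
 remark Block all private address space, which covers the other VLANs
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Whatever is left is Internet-bound; only guest sources may pass
 permit ip 192.168.50.0 0.0.0.255 any
 remark Implicit deny drops spoofed (non-guest) source addresses
!
interface Vlan50
 description Guest wireless SVI (assumed)
 ip address 192.168.50.1 255.255.255.0
 ! Inbound on the guest SVI, so traffic is filtered before it is routed
 ip access-group GUEST-IN in
```

Entries are evaluated top-down with first match winning, so any permitted internal service has to sit above the three deny lines. `show ip access-lists GUEST-IN` displays per-entry match counters, which confirms whether guest traffic toward the LAN is hitting the denies.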

Community Member

Thanks.

I was thinking about how to separate guest traffic from the normal LAN traffic. Is there any other way we could separate guest traffic without an anchor?

Gaj

Hall of Fame Super Silver

Just to add to this... you can, but if you have a layer 3 interface for your guest, you will need to create access lists. What you can also do is not create a layer 3 interface for your guest and then connect that VLAN into your DMZ, if you have a DMZ.

-Scott
*** Please rate helpful posts ***