LAN routing question

sanmantim
Level 1

My company is using the 10.x.x.x IP range internally. Management is wanting me to implement a wireless solution using IP addresses in that range. The trick is that they want to use one of the subnets, say 10.1.2.x/24, for guest access on its own SSID. Is there a set of commands that I can put on our core L3 switches running CatOS to force any traffic from the guest VLAN to go directly to the Internet, thus preventing them from accessing internal resources?

Accepted Solution

JohnTylerPearce
Level 7

You could do the following.

1) Go to the interface vlan of the 10.1.2.x/24 network.

2) Create an access list that denies all traffic from the wireless network to local networks.

3) Apply this list in the inbound direction on the interface vlan.

Example

------------
! Deny traffic from the guest subnet to each internal subnet
access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.4.0 0.0.0.255
etc
! Everything else (Internet-bound traffic) is allowed
access-list 101 permit ip any any
------------

That way traffic from the wireless vlan going to internal vlans will be blocked.

Depending on how you implement wireless, there could be other ways as well.

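The accepted answer's ACL, run through a small evaluator to check what a guest client can and cannot reach. This is an added example, not code from the thread; the evaluator, the guest client address 10.1.2.50 and the destination addresses are assumed. It also shows that listing internal subnets one by one leaves any subnet you forgot reachable, whereas a single deny to 10.0.0.0 0.255.255.255 covers the whole internal range.

```python
import ipaddress

def _wildcard_to_network(addr, wildcard):
    # Cisco wildcard is the inverse of a subnet mask: 0.0.0.255 -> /24.
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def _take_addr(tokens):
    # Consume one address spec ('any' or 'addr wildcard'); return (net, rest).
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    return _wildcard_to_network(tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    # Parse 'access-list N {permit|deny} ip SRC WC DST WC' lines into
    # (action, src_net, dst_net) tuples; comments, remarks and 'etc' are skipped.
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are handled here: {line}")
        src, rest = _take_addr(rest)
        dst, _ = _take_addr(rest)
        entries.append((action, src, dst))
    return entries

def evaluate(acl, src, dst):
    # First matching entry wins; a Cisco ACL ends with an implicit deny.
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, snet, dnet in acl:
        if s in snet and d in dnet:
            return action
    return "deny"

# Constructed input: the accepted answer's ACL with three internal /24s listed.
PER_SUBNET_ACL = """\
access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.4.0 0.0.0.255
access-list 101 permit ip any any
"""
# Constructed alternative: one deny covering the entire internal 10/8 range.
WHOLE_RANGE_ACL = """\
access-list 102 deny ip 10.1.2.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 102 permit ip any any
"""

def guest_reachability(acl_text, destinations, guest_client="10.1.2.50"):
    # Map each destination to the ACL verdict for a packet from a guest client.
    acl = parse_acl(acl_text)
    return {dst: evaluate(acl, guest_client, dst) for dst in destinations}
```

With the whole-range deny, any DNS or DHCP server guests rely on that lives inside 10/8 needs its own permit entry placed before the deny.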

3 Replies

r-godden
Level 1

Private VLANs are one option.

mcollaery
Level 1

A Cisco Wireless LAN Controller actually solves that problem - it will tunnel the "Guest" traffic through the LAN back out to your DMZ (where you have another Controller to terminate the tunnel).

So if you are using a Cisco solution, you will find it incorporates this requirement with no additional design work from you.
