01-10-2012 11:01 AM - edited 03-07-2019 04:16 AM
My company is using the 10.x.x.x IP range internally. Management wants me to implement a wireless solution using IP addresses in that range. The trick is that they want to use one of the subnets, say 10.1.2.x/24, for guest access on its own SSID. Is there a set of commands that I can put on our core L3 switches running CatOS to force any traffic from the guest VLAN to go directly to the Internet, thus preventing them from accessing internal resources?
01-10-2012 11:18 AM
You could do the following.
1) Go to the interface vlan of the 10.1.2.x/24 network.
2) Create an access list that denies all traffic from the wireless network to local networks.
3) Apply this list in the inbound direction on the interface vlan.
Example
------------
access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.4.0 0.0.0.255
etc
access-list 101 permit ip any any
That way traffic from the wireless vlan going to internal vlans will be blocked.
Depending on how you implement wireless, there could be other ways as well.
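The following is an added worked example, not code from the thread above. It models how an IOS-style numbered extended ACL, in the syntax the answer uses, is evaluated top to bottom with the implicit deny at the end, and walks constructed guest-VLAN packets through two lists: the posted "deny each internal subnet, then permit any" list, and an alternative that denies the whole 10.0.0.0/8 aggregate after an explicit permit for the one internal service guests need. The subnet 10.1.5.0/24 (a subnet added after the ACL was written), the DNS server 10.1.1.53 and the example Internet address are assumptions for illustration only; only destination ports (`eq N`) and the `ip`, `tcp`, `udp` and `icmp` protocol keywords are parsed.

```python
"""Simulate IOS-style extended ACL evaluation for a guest VLAN.

Added example (not from the original thread). Parses lines of the form
  access-list N permit|deny PROTO SRC DST [eq PORT]
where SRC/DST is 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
Addresses, subnets and the DNS server below are assumed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

AddrSpec = Tuple[int, int]  # (address, wildcard) as 32-bit integers


@dataclass
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches every protocol
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int] = None  # destination port from "eq N", if given


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_spec(tokens: List[str]) -> Tuple[AddrSpec, int]:
    """Consume one address spec; return (spec, number of tokens consumed)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), 1          # wildcard all-ones: every bit is "don't care"
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), 2      # wildcard all-zeros: exact match
    return (_ip(tokens[0]), _ip(tokens[1])), 2


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":   # skip blanks and "!" comment lines
            continue
        action, proto = t[2], t[3]
        src, n = _parse_spec(t[4:])
        dst, m = _parse_spec(t[4 + n:])
        rest = t[4 + n + m:]
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def _matches(spec: AddrSpec, addr: int) -> bool:
    """IOS wildcard semantics: a set bit in the wildcard means 'ignore this bit'."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Return the action of the first matching rule, or the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not _matches(r.src, s) or not _matches(r.dst, d):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"  # every IOS ACL ends with an implicit "deny ip any any"


# The list exactly as posted in the answer above (the "etc" lines left out).
POSTED_ACL = """
access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.4.0 0.0.0.255
access-list 101 permit ip any any
"""

# Alternative: permit the one internal service guests need (assumed DNS server
# 10.1.1.53), then deny the whole internal aggregate so future subnets are
# covered without editing the list, then permit everything else (Internet).
AGGREGATE_ACL = """
access-list 102 permit udp 10.1.2.0 0.0.0.255 host 10.1.1.53 eq 53
access-list 102 deny ip 10.1.2.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 102 permit ip 10.1.2.0 0.0.0.255 any
"""

# Constructed guest-VLAN packets: (description, proto, src, dst, dport).
SAMPLE_PACKETS = [
    ("SMB to a listed internal subnet", "tcp", "10.1.2.50", "10.1.1.10", 445),
    ("SMB to a subnet added later", "tcp", "10.1.2.50", "10.1.5.10", 445),
    ("DNS to the internal resolver", "udp", "10.1.2.50", "10.1.1.53", 53),
    ("HTTPS to the Internet", "tcp", "10.1.2.50", "93.184.216.34", 443),
]


def audit(acl_text: str) -> List[Tuple[str, str]]:
    rules = parse_acl(acl_text)
    return [(desc, evaluate(rules, *pkt)) for desc, *pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for name, acl in (("posted ACL 101", POSTED_ACL), ("aggregate ACL 102", AGGREGATE_ACL)):
        print(name)
        for desc, action in audit(acl):
            print(f"  {action:6} {desc}")
```

Running it shows the caveat a practitioner checks for with the enumerated approach: the posted list denies the three subnets it names and then permits everything, so a guest reaching a subnet created after the list was written (10.1.5.0/24 in the constructed sample) is permitted. The aggregate list denies all of 10.0.0.0/8 after a narrow permit for DNS, so new internal subnets are blocked by default and the only internal destination a guest can reach is the one service explicitly allowed; if the company also uses 172.16.0.0/12 or 192.168.0.0/16 space, add a matching deny line for each before the final permit.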
01-10-2012 03:21 PM
Private VLANs are one option.
01-10-2012 06:45 PM
A Cisco Wireless LAN Controller actually solves that problem - it will tunnel the "Guest" traffic through the LAN back out to your DMZ (where you have another Controller to terminate the tunnel).
So if you are using a Cisco solution, you will find it incorporates this requirement with no additional design work from you.