LAN routing question

My company is using the 10.x.x.x IP range internally. Management is wanting me to implement a wireless solution using IP addresses in that range. The trick is that they want to use one of the subnets, say 10.1.2.x/24, for guest access on its own SSID. Is there a set of commands that I can put on our core L3 switches running CatOS to force any traffic from the guest VLAN to go directly to the Internet, thus preventing them from accessing internal resources?

ACCEPTED SOLUTION

LAN routing question

You could do the following.

1) Go to the interface vlan of the 10.1.2.x/24 network.

2) Create an access list that denies all traffic from the wireless network to local networks.

3) Apply this list in the inbound direction on the interface vlan.

Example

------------

access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255

access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.4.0 0.0.0.255

etc

access-list 101 permit ip any any

That way traffic from the wireless vlan going to internal vlans will be blocked.

Depending on how you implement wireless, there could be other ways as well.
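To see what the accepted solution's access list does and does not block before putting it on a production switch, here is an added example (not code from the original thread or from Cisco) that models IOS extended-ACL matching in Python: first matching entry wins, the wildcard mask marks which bits are ignored, and an unmatched packet hits the implicit deny. It replays the enumerated list from the answer against a constructed set of guest and internal hosts, showing that any internal /24 the "etc" does not spell out stays reachable, and compares it with a compact variant that denies the whole 10.0.0.0/8 in one line. The compact variant's leading permit for the guest subnet itself, the guest host 10.1.2.50, the internal hosts, the gateway 10.1.2.1 and the Internet address 198.51.100.7 are all assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus source/destination match specs."""
    action: str  # "permit" or "deny"
    src: str     # "any" or "A.B.C.D W.W.W.W" (address plus Cisco wildcard mask)
    dst: str


def _take_spec(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec (any | host A | A W) at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"{tokens[i + 1]} 0.0.0.0", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N permit|deny ip SRC DST' lines (IPv4 only, as in the thread)."""
    aces = []
    for raw in text.strip().splitlines():
        t = raw.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported line: {raw}")
        src, i = _take_spec(t, 4)
        dst, _ = _take_spec(t, i)
        aces.append(Ace(t[2], src, dst))
    return aces


def _matches(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: 0 bits in the wildcard must match, 1 bits are ignored."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (a & care) == (n & care)


def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry decides; every IOS ACL ends in an implicit deny."""
    for ace in acl:
        if _matches(src, ace.src) and _matches(dst, ace.dst):
            return ace.action
    return "deny"


def still_reachable(acl: List[Ace], src: str, destinations: List[str]) -> List[str]:
    """Return the destinations that host 'src' can still reach through 'acl'."""
    return [d for d in destinations if evaluate(acl, src, d) == "permit"]


# The list exactly as given in the accepted answer (the "etc" left unexpanded).
ENUMERATED = """
access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.4.0 0.0.0.255
access-list 101 permit ip any any
"""

# Assumed alternative: keep the guest subnet (its gateway, any DHCP/DNS hosted there)
# reachable, then deny the whole internal 10/8 with one entry so nothing is forgotten.
COMPACT = """
access-list 102 permit ip 10.1.2.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 102 deny ip 10.1.2.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 102 permit ip any any
"""

# Constructed hosts for the walk-through (not from the thread).
GUEST = "10.1.2.50"
INTERNAL = ["10.1.1.10", "10.1.3.10", "10.1.5.10", "10.200.7.7"]
GATEWAY = "10.1.2.1"
INTERNET = "198.51.100.7"

if __name__ == "__main__":
    for name, text in (("enumerated", ENUMERATED), ("compact", COMPACT)):
        acl = parse_acl(text)
        print(f"{name}: internal hosts still reachable from guest:",
              still_reachable(acl, GUEST, INTERNAL))
        print(f"{name}: gateway {evaluate(acl, GUEST, GATEWAY)},"
              f" internet {evaluate(acl, GUEST, INTERNET)}")
```

Running it shows the enumerated list leaving 10.1.5.10 and 10.200.7.7 open, which is what happens in practice whenever a new internal subnet is added and nobody updates the ACL; the single 10.0.0.0/8 deny closes that class of mistake, at the cost of needing an explicit permit in front of it for anything in the 10 range the guests legitimately must reach.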

3 REPLIES

New Member

LAN routing question

private vlans is one option

New Member

LAN routing question

A Cisco Wireless LAN Controller actually solves that problem - it will tunnel the "Guest" traffic through the LAN back out to your DMZ (where you have another Controller to terminate the tunnel).

So if you are using a Cisco solution, you will find it incorporates this requirement with no additional design work from you.
