I have a client whose network uses SonicWall as their firewall. In order for a client to get out to the Internet, you must install the McAfee Anti-Virus software. I can make exceptions to this rule in the SonicWall web interface by IP address.
Well, I now have a situation where I want to put a wireless access point on one of the Cisco 3550 switches and basically create a separate network off of that access point. Then I would give the access point's interface connecting to the 3550 a static IP address and therefore exclude all traffic coming from that IP address from having to download the McAfee AV software.
I also do not want any of the clients connecting to the WAP to be able to communicate with the internal network. The ideal situation is that the clients would connect to the access point, and the access point would only be able to communicate with the default gateway of the network. The access point will be providing DHCP addresses that are separate from the internal network, and the clients would then receive a NAT address that is on the same subnet as the internal network.
The WAP is a SonicWall TZ170. I am going to configure its WAN port to be 172.31.1.15 and connect this port to the 3550. The TZ170 will then give out DHCP addresses of 192.168.10.X to all clients connecting to it. The default gateway of the internal network is 172.31.1.253.
Any advice on how to do this would be greatly appreciated. Thank you.
If the AP is going to perform NAT for its clients, then all you would need is a few VACLs to keep the WAP clients from talking to anything but the Internet.
To keep WAP clients from communicating with the rest of the network, you should use VACLs/ACLs at the switch/router level to allow or restrict subnets from talking to one another. This way you can tell the WAP clients all they can do is go to the Internet, not internal network devices.
The default gateway for your WAP devices will not be the 172.31.1.253 address. Instead it will be the 192.168.10.x address assigned to the routing interface that is able to communicate with the rest of the VLANs (or at least the Internet subnet/VLAN).
The default gateway for the WAP device can be the INSIDE interface if it is connected to the same subnet as the inside interface (otherwise it will be the router interface for the subnet/VLAN that it resides on).
Some info on 3550 VLAN & routing is at the link below:
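The switch-side isolation described in the answer above, written out as an added example that is not part of the original thread: a Catalyst 3550 port ACL applied inbound on the switchport facing the TZ170's WAN side. It takes the addresses from the question (internal LAN 172.31.1.0/24, gateway 172.31.1.253, TZ170 WAN port 172.31.1.15) and assumes that 172.31.1.15 is the only source address the switch ever sees from the wireless side, because the TZ170 NATs its 192.168.10.x clients behind it, and that the TZ170 is cabled to FastEthernet0/10 (a hypothetical port number, pick the real one).

```cisco
! Added example, not from the original thread. Assumptions:
!  - internal LAN 172.31.1.0/24, default gateway 172.31.1.253 (from the question)
!  - TZ170 WAN port 172.31.1.15 is the only source address seen from the WAP,
!    because the TZ170 NATs its 192.168.10.x wireless clients behind it
!  - the TZ170 WAN port is cabled to FastEthernet0/10 (hypothetical port number)
ip access-list extended WAP-ISOLATE
 remark the TZ170 may talk to the default gateway itself (ping/troubleshooting)
 permit ip host 172.31.1.15 host 172.31.1.253
 remark but to nothing else on the internal subnet
 deny   ip host 172.31.1.15 172.31.1.0 0.0.0.255
 remark any other destination is off-subnet, i.e. Internet-bound via the gateway
 permit ip host 172.31.1.15 any
 remark a device on this port using any other source address gets nothing
 deny   ip any any
!
interface FastEthernet0/10
 description SonicWall TZ170 WAN side (wireless guest segment)
 switchport mode access
 switchport access vlan 1
 ip access-group WAP-ISOLATE in
```

Port ACLs on the 3550 are IP ACLs attached to a Layer 2 interface and filter inbound only, which is all that is needed here since every packet from the wireless side enters the switch on that one port; if several such ports live in the VLAN, the same list can instead be attached VLAN-wide with a `vlan access-map` (a VACL), as the answer suggests. Two caveats: the deny line also blocks DNS if the TZ170 is set to forward queries to a server inside 172.31.1.0/24, so in that case add a `permit udp host 172.31.1.15 host <internal-dns-server> eq 53` ahead of the deny; and an IP ACL does not touch ARP, so the TZ170 can still resolve the gateway's MAC. To check the result from a wireless client: ping 172.31.1.253 (should answer), ping an internal workstation (should time out), and open an external web site (should load without the McAfee redirect, since the SonicWall exception is keyed on 172.31.1.15).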