Creating a "Guest" Wireless SSID that only has access to the internet and no other internal resources.

kbrown001
Level 1

Given the following scenario, what would be the best way to restrict the people connecting to this access point so that they can only access the internet and no other internal company resources like our Exchange server, print server, etc.?

I have included a drawing of the setup.

I am going to use the following commands on the AP:

AP# configure terminal
AP(config)# ip dhcp excluded-address 192.168.3.1 192.168.3.219
AP(config)# ip dhcp pool RemoteSite
AP(dhcp-config)# network 192.168.3.0 255.255.255.0
AP(dhcp-config)# lease 10
AP(dhcp-config)# default-router 192.168.3.1
! dns-server takes a space-separated list, not commas; 192.168.1.15 is an
! internal server, so any guest ACL must still allow DNS from guests to it
AP(dhcp-config)# dns-server 192.168.1.15 8.8.8.8
AP(dhcp-config)# end

And of course I will set up the SSID and WPA key and all that.

So what else do I need to do to accomplish my goal?

3 Replies

nkarthikeyan
Level 7

Hi Brown,

Yeah.... You can set up the Guest Wireless with a different IP stack from your LAN segment. Say you have all of 192.168.x.x used for your company LAN...... on the WAP-connected switch you can have an ACL limiting the Guest users' access to the LAN... and further, if you want more restrictions, you can have many more ACLs on the next layers of devices..... etc. That is one option...

On the AP-connected switch
========================

Say your guest VLAN is 172.16.0.0/24 and your corporate LAN is 192.168.0.0/16:

! IOS numbered extended ACL (100-199): no "extended" keyword, and the masks are
! wildcard masks (0.0.0.255), not subnet masks; the first matching line wins
access-list 100 permit <tcp/udp> 172.16.0.0 0.0.0.255 host <dns/dhcp/auth server>
access-list 100 deny ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit tcp 172.16.0.0 0.0.0.255 any eq www
access-list 100 permit tcp 172.16.0.0 0.0.0.255 any eq 443
access-list 100 permit udp 172.16.0.0 0.0.0.255 any eq domain
.
.
access-list 100 deny ip any any
!
! apply it inbound on the port facing the AP (interface name is a placeholder)
interface <AP-facing port>
 ip access-group 100 in

 

With an ACL like the above you can have the restrictions, which is a simple way to do it.

 

Please do rate the helpful posts and do remember to select the correct answers.

Regards

Karthik

So presumably I will have to add additional routing on the layer 3 switches and the core router, as well as possibly the firewall, correct?

I am using static routes on everything, not RIP, OSPF or EIGRP.

This is the only site that needs to have a guest network, so I could just make the guest subnet something like 172.16.35.x 255.255.255.0, right?

Then I would have to add routes to allow traffic from the 172.16.35.x network back through the infrastructure and out to the internet?

Yes. Correct... Without routing the wireless LAN through the metro Ethernet towards the corp site to exit to the internet..... you can control it at the first exit on the access-point-connected switch.... then you can filter in the firewall as well, and you can dedicate a separate NAT IP for the guest wireless.... then it will be good if you have a spare public IP for that.... you have many methods.... but this is the simplest of all....

Regards

Karthik
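As an added check that is not part of the thread: a small Python evaluator that applies IOS first-match, wildcard-mask semantics to the guest ACL from the first reply, rewritten for the 172.16.35.0/24 subnet chosen above. It assumes the switch runs IOS and that guests resolve names via the internal DNS server 192.168.1.15 handed out by the AP's DHCP pool; the ACL text and the flows checked are constructed, not taken from the site.

```python
import ipaddress

# Constructed ACL text (not from the thread): the reply's rule order, rewritten
# with IOS wildcard masks, the OP's 172.16.35.0/24 guest subnet and the
# internal DNS server 192.168.1.15 that the AP's DHCP pool hands to guests.
GUEST_ACL = """
access-list 100 permit udp 172.16.35.0 0.0.0.255 host 192.168.1.15 eq 53
access-list 100 deny ip 172.16.35.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit tcp 172.16.35.0 0.0.0.255 any eq 80
access-list 100 permit tcp 172.16.35.0 0.0.0.255 any eq 443
access-list 100 permit udp 172.16.35.0 0.0.0.255 any eq 53
access-list 100 deny ip any any
"""

def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (matcher, rest)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        want = int(ipaddress.IPv4Address(tokens[1]))
        return (lambda ip: int(ip) == want), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    # IOS wildcard mask: 1 bits are "don't care", so compare only the 0 bits.
    return (lambda ip: (int(ip) | wild) == (base | wild)), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N action proto src dst [eq port]' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, src, dst, proto, dport):
    """First-match evaluation as IOS does it; unmatched traffic hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, rproto, m_src, m_dst, port in rules:
        if rproto not in ("ip", proto) or not (m_src(s) and m_dst(d)):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"
```

Swapping the first two lines (deny before the DNS permit) makes the evaluator report "deny" for guest lookups against 192.168.1.15, which is the kind of ordering mistake worth catching before the ACL goes on the switch.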
