I am having some difficulties setting up public wifi for a customer. They currently are using AP1121G access points to provide wifi for corporate users. They would like to add a public SSID to allow visitors to access the internet only (no access to the corporate network).
There are no issues creating the new SSID and VLAN, but blocking access to the corporate network is causing issues with DHCP for the public wifi users. A Catalyst 3560 is providing layer 2 and 3 routing for the corporate LAN. On that Catalyst I have added an access list to block traffic from the public wifi VLAN to the internal networks, while permitting traffic to the internet. This ACL is applied to the public wifi VLAN.
access-list 103 deny ip 192.168.70.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 permit ip 192.168.70.0 0.0.0.255 any
!
interface Vlan70
 ip access-group 103 in
where VLAN70 (192.168.70.0 /24) is the public wifi subnet, and VLAN10 (192.168.10.0 /24) is the corporate network.
This works fine except for one issue: the public wifi clients can't get a DHCP address assignment (if they have a static address in the 192.168.70.0 network, everything works fine). Apparently the ACL is blocking traffic from the clients to the DHCP server (which is the Catalyst switch; interface VLAN70 is assigned address 192.168.70.1).
In short, how do I design an ACL that will block access to the internal network, but allow access to the internet and allow clients to request/receive a DHCP address from the Catalyst switch?
I have also tried using the AP1121G as a DHCP server for the public wifi, but could not get it to work.
Any suggestions? Thanks in advance for any replies.
Can you post the complete configuration on the AP and the switch? I think the issue is with the configuration. Once we have a look at the complete configuration we should be able to narrow down and resolve the issue.
Edited configs for the WAP and the switch are attached. I have removed the password info and some parts of the config that I believe are not relevant (QoS settings, static routes, BGP, OSPF, the configs for switch ports used by other devices).
VLAN30 is the native VLAN used for device management.
VLAN10 is the VLAN used for the corporate LAN.
VLAN70 is the VLAN to be used for the public wifi.
We use Cisco WAPs, but have Nortel switch gear. On our Nortel stuff, a DHCP proxy must be set up to route DHCP requests (broadcasts) because broadcasts don't go between networks unless there is a Layer 3 device configured to do so.
Again, I can't help with the actual commands because I don't have Cisco gear, but hopefully the concept will help.
We do the same thing with a public wifi VLAN, and assign that VLAN an IP address on the core switch. Then, on that core switch, I set up a DHCP proxy to forward all DHCP requests to the DHCP server on the corporate LAN. It is assumed that even though an ACL blocks all other traffic, DHCP requests are passed.
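Added example, not part of this thread or of any poster's configuration: a small Python model of how an IOS extended ACL evaluates the traffic described in the question. It shows why the ACL from the original post drops DHCP while static clients work (a DHCPDISCOVER is sourced from 0.0.0.0 and sent to 255.255.255.255, so it never matches a permit whose source is 192.168.70.0/24 and falls through to the implicit deny), and it evaluates a corrected ACL that puts explicit DHCP permits first. Unlike the Nortel behaviour described above, IOS does not pass DHCP through an ACL unless a permit line matches it. The VLAN70 and VLAN10 addresses come from the thread; 192.168.30.0/24 for the management VLAN30, the client port numbers and 198.51.100.10 as an "internet" host are assumptions made for the example.

```python
"""Model of IOS extended-ACL evaluation for the public-wifi VLAN (added example).

Addresses for VLAN70 (192.168.70.0/24, SVI/DHCP server 192.168.70.1) and VLAN10
(192.168.10.0/24) are from the thread. 192.168.30.0/24 (VLAN30) and 198.51.100.10
(an internet host) are assumptions; all packets below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68}  # IOS port keywords used in the ACL text


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str
    proto: str
    src_net: int
    src_wild: int
    sport: Optional[int]
    dst_net: int
    dst_wild: int
    dport: Optional[int]


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD', then an optional 'eq PORT'."""
    if tok[i] == "any":
        net, wild, i = 0, 0xFFFFFFFF, i + 1
    elif tok[i] == "host":
        net, wild, i = _ip(tok[i + 1]), 0, i + 2
    else:
        net, wild, i = _ip(tok[i]), _ip(tok[i + 1]), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        i += 2
    return net, wild, port, i


def parse_acl(text: str):
    """Parse numbered extended ACL lines (subset: ip/udp/tcp, 'eq' ports; remarks skipped)."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        sn, sw, sp, i = _parse_addr(tok, 4)
        dn, dw, dp, _ = _parse_addr(tok, i)
        aces.append(Ace(tok[2], tok[3], sn, sw, sp, dn, dw, dp))
    return aces


def _addr_match(addr: int, net: int, wild: int) -> bool:
    # Wildcard bits set to 1 are "don't care"; every other bit must equal the network.
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0


def evaluate(aces, pkt: Packet) -> str:
    """First matching ACE wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for a in aces:
        if a.proto != "ip" and a.proto != pkt.proto:
            continue
        if not _addr_match(_ip(pkt.src), a.src_net, a.src_wild):
            continue
        if not _addr_match(_ip(pkt.dst), a.dst_net, a.dst_wild):
            continue
        if a.sport is not None and a.sport != pkt.sport:
            continue
        if a.dport is not None and a.dport != pkt.dport:
            continue
        return a.action
    return "deny"


# The ACL from the original post (applied inbound on interface Vlan70).
ORIGINAL_ACL = """
access-list 103 deny ip 192.168.70.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 permit ip 192.168.70.0 0.0.0.255 any
"""

# Corrected ACL: DHCP permits first, because a DISCOVER is 0.0.0.0 -> 255.255.255.255
# and never matches a permit whose source is 192.168.70.0/24.
FIXED_ACL = """
access-list 103 remark DHCP DISCOVER/REQUEST broadcast from an unconfigured client
access-list 103 permit udp any eq bootpc host 255.255.255.255 eq bootps
access-list 103 remark DHCP renew/release unicast to the SVI that runs the DHCP server
access-list 103 permit udp 192.168.70.0 0.0.0.255 eq bootpc host 192.168.70.1 eq bootps
access-list 103 deny ip 192.168.70.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 deny ip 192.168.70.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 103 permit ip 192.168.70.0 0.0.0.255 any
"""

# Constructed sample traffic entering the switch from the public-wifi VLAN.
SAMPLE = {
    "dhcp_discover": Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "dhcp_renew": Packet("udp", "192.168.70.50", "192.168.70.1", 68, 67),
    "to_corporate": Packet("tcp", "192.168.70.50", "192.168.10.20", 51000, 445),
    "to_mgmt_vlan": Packet("tcp", "192.168.70.50", "192.168.30.1", 51001, 22),
    "to_internet": Packet("tcp", "192.168.70.50", "198.51.100.10", 51002, 443),
}


def results(acl_text: str) -> dict:
    """Return {sample name: 'permit' | 'deny'} for the given ACL text."""
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(label, results(acl))
```

The model reproduces the symptom in the question: with the original ACL, `dhcp_discover` is denied while `dhcp_renew` from a client that already holds a 192.168.70.x address is permitted, which is why static clients worked. On the switch itself the same thing can be confirmed with `show ip access-lists 103`, whose per-line hit counters should increment on the bootpc/bootps permit when a client associates. The second DHCP line is only needed because the DHCP server is the switch's own SVI; if DHCP were instead relayed to a corporate server with `ip helper-address`, the relayed unicast would be sourced by the switch and would not traverse the inbound ACL on Vlan70.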