Cisco Support Community

New Member

Wireless -> VPN clarification

A client has an AP350 - my goal is to have it be open (so that visitors could use their WLAN to connect to their own company sites, email, surf) so what I was hoping to accomplish was something like this.

Setup the AP350 with an external static IP address (not in the NAT / internal network range). Have the client site employees use the VPN client to connect to the internal network via a PIX.

This would leave the visitors no access to the client site but would just keep right on going.

Although I'm confident in my networking skills, I'm new to WLAN. This seems to be a good idea, but what are the flaws in this idea? Am I missing something?

Practical question: *if* this is a valid idea - DHCP is not an option on AP350 but each user would need an IP address when they initially connect to the AP350... so how would you handle giving out IP addresses to each group of users?

Thanks for any suggestions you can offer.

Cisco Employee

Re: Wireless -> VPN clarification

The Aironet products are all layer 2 devices as they do NOT have DHCP (the 1100 is an exception on DHCP but has limitations) or NAT functions.

The VPN setup is good for layer 3 and above network security, but means anyone can associate to the AP and, if they wanted to, could reduce the data throughput to next to nothing by creating a broadcast storm.

A better option in this case is to configure VLANs on the AP.

Have one VLAN open for guests

The second VLAN can be for all your company users. If you authenticate them via EAP on this VLAN then you can also have the ACS server control VLAN assignment. You can have a DHCP server on the Ethernet side in each VLAN to keep the guests and company staff on different subnets. You can also use VPN for your company as an added level of security if you wanted, but I don't think this is needed.

Here is a link on how to set up VLANs

Security features including EAP


