I've run into a bit of a problem with restricting access on our guest wireless network in one of our branch offices. Essentially the setup we have is 4400 WLCs in our DC with the APs in the branches registered against them and using H-REAP to place devices into either the corporate wireless network or the guest wireless network. Now the standard approach for us is to have the guest wireless network on a layer2-only VLAN on the switches with the layer3 gateway being a simple Internet router. That way it keeps guests away from our corporate network. However, we have a site which was implemented by a third party on our behalf due to resource issues, and they have implemented things in a very poor way. Essentially there is no guest Internet router and the guest Internet traffic is routed via the guest VLAN, as it has been configured as layer3. So guest Internet traffic is routing onto our corporate network and using our corporate Internet link. What's worse is there are NO RESTRICTIONS at the moment, so once someone is on the guest network they have carte blanche access to our entire network. Needless to say, when I found out about this I was livid, but I need to sort this ASAP. My goal is to fix this by removing the layer3 VLAN interface and placing an Internet router to handle guest Internet access and DHCP, but as this office is thousands of miles away I can't do this straight away.
What I would like to do is place an ACL on the layer3 VLAN interface that is the guest VLAN on the corporate switches. I want to block anything towards the corporate network, i.e. 10.0.0.0/8, and allow anything else, i.e. the Internet. The problem is I've tried implementing this and when I do, guests are no longer sent to the WLCs' Web Authentication page in order for them to log in and continue. I've got logs against the Deny rules in the ACLs but nothing is showing up and there are no hits either. As soon as I take away the ACL, users can then attempt to browse to any website and are forwarded to the Web Authentication page first.
I'm hoping someone on here has a simple answer to what is required on a guest network ACL so I can get the guest wireless up and running and more secure at the same time. Here is the ACL as it stands:
Extended IP access list 140
10 permit udp any any eq bootps (325 matches)
20 permit udp any any eq bootpc
30 permit ip any host 10.xxx.xxx.62 ! Default Gateway (layer3-VLAN)
40 deny ip any 10.0.0.0 0.255.255.255 log (4 matches)
Your guest clients are unable to reach your WLC to download the web auth page.
A centrally switched VLAN allows the remote wireless traffic to be tunneled across your network and placed on a VLAN directly connected to the WLC. You can apply that same ACL on that VLAN and it should work.
Or before doing that, perhaps you can alter the ACL on your existing guest wireless VLAN to allow http access to your WLC.
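A guest-VLAN ACL along the lines the answer above suggests, added here as an example and not part of the original thread or anyone's actual config. It assumes the WLC management address is 10.xxx.xxx.10 and the corporate DNS server is 10.xxx.xxx.53 (both placeholders), that guests still use corporate DHCP and DNS until the Internet router is in place, and that the ACL is applied inbound on the guest SVI; the explicit final permit matters because an IOS ACL ends in an implicit deny.

```cisco
! Example guest-VLAN ACL (assumed addresses, not the poster's real ones):
!   10.xxx.xxx.62 = guest SVI / default gateway (from the thread)
!   10.xxx.xxx.10 = WLC management IP (placeholder)
!   10.xxx.xxx.53 = corporate DNS server (placeholder)
ip access-list extended 140
 remark -- DHCP so guests can obtain an address
 10 permit udp any any eq bootps
 20 permit udp any any eq bootpc
 remark -- the guest SVI itself (default gateway)
 30 permit ip any host 10.xxx.xxx.62
 remark -- DNS: the web-auth redirect only fires once the name resolves
 35 permit udp any host 10.xxx.xxx.53 eq domain
 remark -- WLC web-auth portal: HTTP and HTTPS to the controller only
 36 permit tcp any host 10.xxx.xxx.10 eq www
 37 permit tcp any host 10.xxx.xxx.10 eq 443
 remark -- everything else inside the corporate range is dropped and logged
 40 deny ip any 10.0.0.0 0.255.255.255 log
 remark -- explicit permit for the Internet; without it the implicit deny
 remark -- at the end of the ACL drops guest Internet traffic as well
 50 permit ip any any
!
! <guest-vlan-id> is a placeholder for the site's guest VLAN number
interface Vlan<guest-vlan-id>
 ip access-group 140 in
```

After a guest attempts to log in, `show ip access-lists 140` should show hits on the WLC and DNS lines rather than on the deny line; if the deny line is still matching portal traffic, the logged source and destination will show which address is missing from the permits.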
I will try opening access to the WLCs from the guest VLAN first.
I'm not keen to send the guest traffic across our WAN to the WLC's VLAN as this is very low priority traffic and I don't want it interfering with corporate traffic on the MPLS. I know I could implement QoS and so on but I don't want to overcook this.