I am starting to research different ways to secure a Guest SSID that I want to roll out over the next week so that users can authenticate and only get out to the Internet. Currently I have the Cisco 5508 WLC with over 400 Cisco Aironet 3502 APs at six locations to work with. So far I have read about having a second controller to set up a DMZ Anchor WLC, which sounds great, but I do not have a second controller.
How have others accomplished this without letting the users on the Guest SSID get access to areas on the network they shouldn't be? The only idea I have so far is to allow traffic from this Guest SSID VLAN to only the DHCP server and issue out an IP with DNS servers from Google or OpenDNS. Then lock the VLAN down to that DHCP scope and put up VACLs to block that traffic from going anywhere but out to the Internet. Might not be the best idea, but this is why I am here asking for input.
Whatever you have put in there is the easiest solution.
You can go for ACLs on the WLC, but I prefer it on the next-hop device.
Another option is to connect a port from the switch to the WLC and configure it as an access VLAN, which is the guest VLAN, and isolate even further so that you are not allowing that guest VLAN on the main management mapped port.
I concur with BG. Create a guest WLAN and map this WLAN to a wired-side VLAN. On the SVI interface for this guest wired-side VLAN, apply an ACL only allowing access to the Internet. You will need to set up a DHCP scope on the server or controller. Then point users to an outside DNS like 22.214.171.124. You can also apply QoS and throttle traffic for guests at the SVI.
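The guest-SVI ACL approach described in the replies above, modeled as an added example that is not part of the original thread: a first-match evaluator for an inbound ACL, audited against constructed flows. The DHCP server address, the sample destinations and the rule set itself are assumptions chosen for illustration.

```python
import ipaddress

# Constructed addressing (assumptions, not from the thread).
DHCP_SERVER = "10.10.1.5"        # internal DHCP server serving the guest scope
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Inbound ACL for the guest SVI, evaluated top-down, first match wins.
# Each rule: (action, protocol, destination network, destination port or None).
GUEST_ACL = [
    ("permit", "udp", "255.255.255.255/32", 67),   # DHCP discover/request broadcast
    ("permit", "udp", DHCP_SERVER + "/32", 67),    # unicast DHCP renewals
] + [("deny", "ip", net, None) for net in RFC1918] + [
    ("permit", "ip", "0.0.0.0/0", None),           # everything else: the Internet
]

def evaluate(acl, proto, dst, dport=None):
    """Return 'permit' or 'deny' for one packet using first-match semantics."""
    dst_ip = ipaddress.ip_address(dst)
    for action, rule_proto, net, rule_port in acl:
        if rule_proto not in ("ip", proto):
            continue
        if dst_ip not in ipaddress.ip_network(net):
            continue
        if rule_port is not None and rule_port != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every ACL

def audit(acl, flows):
    """Return the flows whose verdict differs from what the design expects."""
    return [(name, evaluate(acl, p, d, port)) for name, p, d, port, want in flows
            if evaluate(acl, p, d, port) != want]

# Constructed test flows: (label, protocol, destination, dest port, expected verdict).
FLOWS = [
    ("dhcp broadcast", "udp", "255.255.255.255", 67, "permit"),
    ("dhcp renewal", "udp", DHCP_SERVER, 67, "permit"),
    ("public dns", "udp", "8.8.8.8", 53, "permit"),
    ("web", "tcp", "203.0.113.10", 443, "permit"),
    ("internal file server", "tcp", "10.20.30.40", 445, "deny"),
    ("dhcp server ssh", "tcp", DHCP_SERVER, 22, "deny"),
    ("wlc management", "tcp", "192.168.1.10", 443, "deny"),
]

if __name__ == "__main__":
    print("mismatches:", audit(GUEST_ACL, FLOWS))
```

Rule order matters here: if the RFC 1918 denies are moved above the DHCP permit, unicast renewals to the internal DHCP server are dropped even though the initial broadcast still works.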