Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Guest SSID Setup - Security


I am starting to research different ways to secure a Guest SSID that I want to rollout over the next week so that users can authenticate and only get out to the Internet. Currently I have the Cisco 5508 WLC with over 400 Cisco Aironet 3502 AP's at six locations to work with. So far I have read about having a second controller to setup a DMZ Anchor WLC which sounds great but I do not have a second controller.

How have others accomplished this without letting the users on the Guest SSID get access to areas on the network they shouldn't be? The only ideas I have so far is to allow traffic from this Guest SSID VLAN to only the DHCP server and issue out a IP with DNS servers from Google or OpenDNS. Then lock the VLAN down to that DHCP scope and put up VACL's to block that traffic from going anywhere but out to the Internet. Might not be the best idea but this is why I am here asking for input.

Any thoughts and input would be appreciated!



Cisco Employee

Re: Guest SSID Setup - Security


Wat ever u hv put in der is the easiest solution..

U can go for acls on wlc but i prefer it on the next hop device

Another option to be connecting a port from the switch to the wlc n configuring it as a access vlan which is guest vlan n isolate even further so that u r not allowing that guest vlan on the main mgnt mapped port

Sent from Cisco Technical Support iPhone App

Re: Guest SSID Setup - Security

I concur with BG. Create a guest WLAN and map this WLAN to a wired side vlan. On the svi interface for this guest wired side vlan apply an ACL only allowing access to the internet. You will need to set up a dhcp scope on the server or controller. Then point users to an outside DNS like You can also apply qos and throttle traffic for guest at the svi ..

Sent from Cisco Technical Support iPad App

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________