What is the best and CCA-compatible way to set up a guest wireless?
I have created a beacon SSID: Guest, Vlan2 (10.1.11.0), DHCP Server for Vlan2 and the laptop connects no problem. The vlan2 has access to the inside network vlan75 (192.168.1.0, which I don't want) and internet access.
How do I keep vlan2 as a guest vlan and out of our inside network? I know it's an access-list but how can I do it in a way that does not render me unable to use CCA in the future?
What is the correct way? Please suggest an access-list that would prevent traffic between the two vlans. I am unsure of how to get the vlan2 to use the access-list after I create it.
This document should help answer the majority of your questions.
Hi eoncablewire -
I do understand that the option for an ssid is not present, but the procedure is generally the same. This document provides the building blocks for creating a guest setup that can be applied to the SR520.
You need to:
-create a new VLAN
-create an SSID
-choose security for the connection (or leave it open if that's what you want)
I appreciate your help in this matter. Have you worked with the SR520 yet? The CCA options are nowhere near the same as for the wireless controller and there is NO option for guest wlan, wireless users, or otherwise in the configuration pages within CCA. You can create an SSID and assign a vlan and that's pretty much it.
Everything else with the SR520 is CLI. If you have set up an SR520 with CCA please send me a screenshot so I can see what you are seeing.
You're welcome. I answered quickly earlier before I headed to some meetings, but I'll try to provide some more details here.
Creating a guest wireless network is basically the same as creating any other VLAN / SSID combination.
The steps here will walk you through the exact screens you will see in CCA.
While you will not see 'guest' as a default option, you can follow these directions except you simply add the VLAN-SSID setup manually.
You may want to set up:
DHCP Scope for VLAN 25 192.168.25.0 255.255.255.0
As for wireless security, it's up to you whether you want it open or prefer to have it secured and then give guests a password.
Hopefully that makes a little more sense, but just let me know.
It seems you are giving me instructions on how to set up a WLAN. That part is simple. Now I need to restrict the access between the guest WLAN and the corporate network. What do you suggest there?
The problem has been solved. The question was involving access-lists and what to create and how to apply it.
The guest vlan is vlan2 with an IP of 10.1.10.1 and the corporate vlan is vlan75 with an IP address of 192.168.75.1.
So two access-lists were made:
10 deny ip any 10.1.10.0 0.0.0.255 in
20 permit ip any any
10 deny ip any 192.168.75.0 0.0.0.255 in
20 permit ip any any
Then add the ACL to the BVI interfaces
Bvi2 - Add 'ip access-group 199 in'
Bvi75 - Add 'ip access-group 198 in'
That was it. Now the guest users have no access to the router or the corporate network.
I knew roughly what the ACL should be but my biggest problem was not knowing where to add the ip access-group XXX in statement. I wasn't sure if it needed to be added to Vlan2, or BVI2.
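A way to check what an entry list like the one above filters before relying on it for guest isolation, as an added example that is not part of the original thread: a small first-match evaluator for 'permit/deny ip' entries with wildcard masks. It assumes the list that denies 192.168.75.0 is the one bound inbound on the guest BVI; the client address 10.1.10.50 and the three destinations are constructed.

```python
import ipaddress

def _addr(text):
    return int(ipaddress.IPv4Address(text))

def parse_ace(line):
    """Parse '<permit|deny> ip <src> <dst>' where each side is 'any',
    'host A.B.C.D' or 'A.B.C.D <wildcard>'. Returns (action, src, dst)."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    specs, i = [], 2
    while i < len(tok):
        if tok[i] == "any":
            specs.append((0, 0xFFFFFFFF)); i += 1
        elif tok[i] == "host":
            specs.append((_addr(tok[i + 1]), 0)); i += 2
        else:
            specs.append((_addr(tok[i]), _addr(tok[i + 1]))); i += 2
    if len(specs) != 2:
        raise ValueError(f"expected source and destination: {line!r}")
    return tok[0], specs[0], specs[1]

def _matches(spec, ip):
    base, wildcard = spec
    # Wildcard bits set to 1 are ignored; all other bits must equal the base.
    return (ip ^ base) & ~wildcard & 0xFFFFFFFF == 0

def evaluate(acl_lines, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = _addr(src), _addr(dst)
    for line in acl_lines:
        action, src_spec, dst_spec = parse_ace(line)
        if _matches(src_spec, s) and _matches(dst_spec, d):
            return action
    return "deny"

# Entries from the post, assumed here to be the list bound inbound on the guest BVI.
GUEST_IN = ["deny ip any 192.168.75.0 0.0.0.255", "permit ip any any"]

def audit(acl_lines):
    """Constructed flows: guest client 10.1.10.50 to three destinations."""
    flows = {"corporate host": "192.168.75.20",
             "internet (documentation address)": "203.0.113.10",
             "router guest-side address": "10.1.10.1"}
    return {name: evaluate(acl_lines, "10.1.10.50", dst) for name, dst in flows.items()}

if __name__ == "__main__":
    for name, verdict in audit(GUEST_IN).items():
        print(f"{verdict:6} guest -> {name}")
```

Evaluated on its own, this entry list denies the corporate subnet and permits everything else, including the router's guest-side address 10.1.10.1, so management access to the router needs its own check against the full running configuration.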
ok. here are the steps that I have done.
on the UC520
created VLAN 25
ip address 192.168.2.1 255.255.255.0
default gateway: 192.168.1.1 (the UC520)
dhcp pool AnQ_Guest
ip helper-address 192.168.1.1
switchport access vlan 25 (needs access to native vlan (1) also)
on the 521AP
SSID AnQ_guest (broadcast)
SSID Anderson and Quill (non-broadcast)
vlan 1 (native)
open authentication (for now, will be radius)
I can see both networks from a wireless card and can connect to Anderson and Quill fine. I can connect to the AnQ_guest, but I do not receive an IP address and it times out with limited or no connectivity.
any help would be greatly appreciated.
I have attached the config
The connection between the AP and the UC500 should be a trunk, so do not make that port an access port for VLAN 25. If you use CCA, you can use smartport role "AP" and this should work...