How to set up a guest LAN? (small business, simple environment)
First, before getting into my actual post, please allow me to briefly express my sincere aggravation at this Cisco website for its lack of proper IE 11 support. When I try to create a forum post, well, there is no way to do it. The old Create a Discussion link is gone (actually when I log into my profile, the entire Actions pane is gone). The Ask a Question thing you first see is terrible, it doesn't support IE 11 apparently because the message body field is just gone. I can put a Title, and tags, but there is no field. There's also no compatibility mode button anywhere in the IE 11 interface on this site. I was lucky in that the Actions pane shows up when you click on another person's post. I don't think Cisco realizes how absolutely annoying that kind of thing is.
I have a single 192.168.0.0/24 LAN with a single Cisco SG300 series switch to aggregate all the network connections, a single gateway firewall/router to the Internet, and a few wireless access points on the same LAN. These are the AP541N's. My goal is to set up guest Wi-Fi, but have it that guests cannot see or access the internal network.
Having not actually done this before, I have no idea where to proceed. I know I can create guest virtual APs in the AP541N but that doesn't do anything to prevent a guest device from having full access to all of 192.168.0.0/24 computers.
What can I do? Do I have to put in completely new hardware? Should I be contacting the Cisco Small Business tech support group if the specifics are unique to the SG300 and AP541N models?
Any help is appreciated, both general advice but ideally a full solution reply can be possible :)
I first would like to apologize for the IE11 issues that you experienced. I have opened a case to address the IE11 issue you have.
In regard to your question on how to set up a guest LAN, I found this article in our knowledge base: http://sbkb.cisco.com/CiscoSB/Loginr.aspx?login=1&pid=4&app=vw&vw=1&kptester=1&articleid=3130
I am not sure if that is what you are looking for so I have also asked some of our experts to chime in to this post.
From what I understand you would like to have internet access for the wireless clients without them having the possibility to communicate with the other clients on the wired network for the same subnet. If this is the case unfortunately you cannot achieve the desired goal with the current hardware. What you could do is the following:
Create another subnet on your router for the wireless clients and then set up on the switch and AP accordingly a new VLAN to which you'll bind the new SSID appropriate for those clients which don't need to have access to the 192.168.0.0 network. In the above scenario you need to consider that a trunk port connection will be needed going from the router to the switch and from the switch to the AP.
So, to summarize, you need to have a router which supports multiple subnets and the hardware that you already have will do just fine.
Eventually if you're not using a Cisco router I would highly recommend the RV100,200 series small business router which supports multiple subnets and a lot of other really nice features. For more info on the particular routers you could refer to the datasheet and administration guides which you can find on the cisco.com site. http://www.cisco.com/c/en/us/products/routers/small-business-rv-series-routers/index.html
Feel free to reply to me if any other information is needed regarding the suggested configuration.
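The switch side of the VLAN-and-trunk layout described in the reply above, as an added example that is not part of the original post or Cisco's own documentation. It uses SG300 CLI syntax; the VLAN ID 20, the VLAN name, and the port assignments (gi1 to the router, gi2-gi4 to the AP541N access points) are assumptions to adapt to the actual cabling.

```text
! Assumed layout (not from the thread):
!   VLAN 1  = existing internal LAN 192.168.0.0/24, untagged (native)
!   VLAN 20 = new guest network, tagged on the trunks
!   gi1     = uplink to the router/firewall
!   gi2-gi4 = ports feeding the AP541N access points
configure terminal

! Create the guest VLAN and name it
vlan database
vlan 20
exit
interface vlan 20
name Guest
exit
! No IP address is assigned to interface vlan 20: the switch only carries
! guest frames at Layer 2 and cannot route them into VLAN 1, even if it is
! running in Layer 3 mode. Routing and filtering stay on the router.

! Trunk to the router: internal traffic untagged, guest traffic tagged 20
interface gi1
switchport mode trunk
switchport trunk native vlan 1
switchport trunk allowed vlan add 20
exit

! Trunks to the access points: same tagging, so each AP can map its
! internal SSID to VLAN 1 and its guest SSID to VLAN 20
interface range gi2-4
switchport mode trunk
switchport trunk native vlan 1
switchport trunk allowed vlan add 20
exit

end

! Verify: VLAN 20 should list only gi1-gi4 as tagged members, and no
! wired-client access port should appear in it
show vlan
show interfaces switchport gi1

! Save once verified
copy running-config startup-config
```

Isolation still depends on the router: its guest subnet needs a firewall policy that allows guest-to-Internet traffic and denies guest-to-192.168.0.0/24. Confirm the result from a device joined to the guest SSID by checking that internal hosts and the switch management address are unreachable.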
Hi Cindy, thanks for the info about the compatibility mode. I'll have a look at it soon - in this case I posted by ensuring I am first not logged into cisco.com, then clicking the "Log in or register" link at the bottom of your post - it then prompts me for user/pw and afterwards opens a reply window directly. So when this fails, it's when I'm already logged in viewing the thread and try to reply.
In terms of the issue itself, I still have to tackle this problem but may not be able to do so with the customer for a while, weeks at least. But meanwhile I have a question: Their one and only router and internet gateway is a WatchGuard device. It is set up to where the 5 or 6 switch ports on the LAN side are all joined together in a bridge, with a single LAN IP. What if I split off one of those ports to act on its own, and gave it a network ID that's different? In that case, can I assume that if I just set the guest WAP to an IP that matches this network ID, and then somehow ensure at the router that no routing occurs between these two networks (192.168.0.0/24 is the original/current network, let's say I put the guest at 10.0.0.0/24). Might that work?