Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

WAP121

Hi guys

I have a WAP121 AP, and i want to be able to setup a guest SSID along with my full access SSID. The guest network should only be able to access the internet.

I have the AP plugged into a single port on a Netgear GS728TP smart switch.

I know i have to setup a vlan, but i cannot seem to get the guest network to work.

I have noticed on the WAP121 there is an option under LAN settings: Untagged VLAN and Untagged VLAN ID.

I dont know if this is normal behaviour or not, but as soon as i change the Untagged VLAN ID from the default 1, to what i have set on the switch port, i lose connection to the AP and i have to factory reset it to get back in? I havent changed the management VLAN ID, which is still set to 1. My understanding is that in order to setup the guest network, i need to change this Untagged VLAN ID in the WAP121 to match the switch, and set that particular switch port to untagged and tag only the port that access's the router for that particular VLAN?

Does anyone have a quick guide on how to setup a guest SSID using a smart switch to create the VLANs?

 

Thanks

Andrew

 

1 REPLY
New Member

Hi Andrew I have the same

Hi Andrew I have the same setup as you, except that my switch is an SG300-24P from Cisco.

The configuration in my switch is this:

interface fastethernet1

 description WIRELESS

 switchport trunk allowed vlan add 25

 switchport trunk native vlan 90

 

Vlan 25 is my guest network and clan 90 is my default user network.

In your router you have to configure a simple ACL like this:

ip access-list extended guest-internet

 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.63

 deny   ip 192.168.1.0 0.0.0.255 10.0.10.0 0.0.0.63

 deny   ip 192.168.1.0 0.0.0.255 10.0.30.0 0.0.0.63

 deny   ip 192.168.1.0 0.0.0.255 10.0.50.0 0.0.0.63

 deny   ip 192.168.1.0 0.0.0.255 10.0.70.0 0.0.0.63

 deny   ip 192.168.1.0 0.0.0.255 10.0.90.0 0.0.0.63

 deny   ip any 10.0.0.0 0.0.0.63

 deny   ip any 10.0.10.0 0.0.0.63

 deny   ip any 10.0.30.0 0.0.0.63

 deny   ip any 10.0.50.0 0.0.0.63

 deny   ip any 10.0.70.0 0.0.0.63

 deny   ip any 10.0.90.0 0.0.0.63

 permit ip any any log

 

This will deny access to your private network and create a simple "guest" network.

In the AP121 you just have to assign two SSID each with different VLAN tag like in the attachment.

 

Goodluck!

324
Views
1
Helpful
1
Replies
CreatePlease login to create content