Solved: Guest vlan on single AP

James Hoggard · ‎10-23-2013

Hi,

I have got a single Cisco AP 1142N and want to setup a guest WIFI. We have our production one working but don't want clients to connect to this.

I have got a basic config as shown attached.

i want to make the guest network in 172.16 range.

when looking around on cisco forums i have seen configs but they have not worked for me. I have tried the link below

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml

this ap will connect to a layer 2 2960 then into an ASA out to the internet.

Thanks

James

Stephen Rodriguez · ‎10-29-2013

you should be able to ACL that, but you might want to ask that question on the FW forums.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

View solution in original post

Stephen Rodriguez · ‎10-23-2013

what you need to do is add dot1q subinterfaces and VLAN to the SSID for this to work.

as a for example

dot11 ssid corp

vlan 10

dot11 ssid guest

vlan 20

dot0.10

encapsulation dot1q 10 native

dot0.20

encapsulation dot1q 20

Gig010

encapsulation dot1q 10 native

gig020

encapsualtion dot1q 20

Which ever vlan you call "native" is where the AP will pull its IP address from.

Rinse repeat that for all SSID and Radio.

Then on the switch port change it from access to a trunk an call the native vlan

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

James Hoggard · ‎10-29-2013

I got the guest vlans working which i used as vlan 10 and the production vlan 1 ( native )

Im plugging direct into a Cisco ASA 5505 POE port7

i want just to allow the guest network to have internet and not be able to access the internal.

the ASA will act as the DHCP range for both vlans

vlan 1 will 192.168.70.0 /24

vlan 10 guest 172.16.10.0 /24

if this possible with the ASA 5505 as i know you don't have any sub interfaces so confused on how to do this?

Stephen Rodriguez · ‎10-29-2013

it should work if you can dot1q trunk the interface on the ASA

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

James Hoggard · ‎10-29-2013

am i correct in saying we cannot do this as the 5505 ports are all layer 2?

James Hoggard · ‎10-29-2013

All setup and working. Now i need users from the guest vlan to access the printer in the production which is on 192.168.70.20 and nothing else. Can this be done? have tried access list and it doesn't seem to be working?

Stephen Rodriguez · ‎10-29-2013

you should be able to ACL that, but you might want to ask that question on the FW forums.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

James Hoggard · ‎10-30-2013

Thanks. I have now opened this in the FW forums. i will update with the correct anwser shortly.