topic Secure Guest Access with 5508 controller in Wireless

Secure Guest Access with 5508 controller

Andy Johnson — Sun, 04 Jul 2021 04:56:08 GMT

Hi there,

Could someone point me in the right direction with regards to the following?

I have a requirement to set up a guest SSID for contractor so that they can use the internet while in the office.

Security say that all traffic on this SSID should be isolated and directed straight to the firewall, with no chance of contamination into the company network infrastructure.

With the 5508, my understanding is using the setting up a guest account functionality built in will achieve this, but all traffic would end up at the wireless controller. How do I then put a direct forward for all traffic to the firewall which will only affect the guest traffic?

Any help would be welcomed with delight and joy!!!

Andy

Secure Guest Access with 5508 controller

Surendra BG — Tue, 03 Apr 2012 08:20:07 GMT

Configure an ACL on the router of the ACL for that Guest VLAN so that, the Guest VLAN can only go out directly to the internet and not to communicate with any other VLAN..

Regards

Surendra

Re: Secure Guest Access with 5508 controller

braggb001 — Wed, 04 Apr 2012 02:17:08 GMT

The best way to accomplish this would be to have your internal controller anchor to another controller located in you DMZ. This would allow you to choose whatever SSID you want and have its traffic virtually terminate outside of your trusted network. If clients attached to this SSID needed access to internal resources they could use a VPN to come back in.

Sent from Cisco Technical Support iPad App

Re: Secure Guest Access with 5508 controller

George Stefanick — Wed, 04 Apr 2012 02:28:42 GMT

1. Drop the traffic at the WLC apply ACl

2. Anchor the traffic to the DMZ

3. Take one of the ports from the WLC and plug it into the FW

DONE...

Re: Secure Guest Access with 5508 controller

deshtikypshaq — Wed, 04 Apr 2012 03:54:40 GMT

to George Stefanick

Could you provide url of documentation how to implement third solution -

Take one of the ports from the WLC and plug it into the FW,

especialy configuration of WLC.

Re: Secure Guest Access with 5508 controller

blakekrone — Wed, 04 Apr 2012 04:02:12 GMT

There is no documentation for that, most don't do it and I've seen it not recommended before.

Anyways, all you do is setup a dynamic interface and select port 8 for example and plug that into your DMZ network or FW interface directly. This will only work if you are not doing LAG on the 5508.

Re: Secure Guest Access with 5508 controller

George Stefanick — Wed, 04 Apr 2012 04:06:32 GMT

As Blake pointed out its not supported, but it works. I have a customer set up like this and they are running fine.

Re: Secure Guest Access with 5508 controller

Scott Fella — Wed, 04 Apr 2012 11:41:20 GMT

I too have customers setup this way with no issues. I don't know why it wouldn't be supported... It was supported on the 4400's and even on the 2504's. Oh well... It works fine.

Thanks,

Scott Fella

Sent from my iPhone