topic Re: Guest WiFi + Network separation in Wireless

Guest WiFi + Network separation

RS19 — Mon, 05 Jul 2021 19:03:24 GMT

I am planning to implement guest WiFi access in my network.

Already we have the Cisco AP & WLC in place. The existing Cisco AP has 1 SSID for intra WiFi access.

The WLC is in the Data center & the APs are in branch locations.

I want to setup additional SSID for Guest Internet access.

For the internet Guest access it will have local breakout to Internet from the branch.

So would like to understand, how to achieve network segregation in this scenario.

The Guest VLAN should have access only to Internet.

No access to corporate network & the guest VLAN should be isolated.

How to achieve this ? Attached is the diagram for your reference.

Re: Guest WiFi + Network separation

JPavonM — Mon, 18 May 2020 06:45:51 GMT

What about using ACL's in the Guest SSID to deny access to RFC1918 local LAN (superseded by RFC5735)? Have you also considered splitting Guest traffic into a different VRF?

HTH
-Jesus
*** Please Rate Helpful Responses ***

Re: Guest WiFi + Network separation

Rasika Nayanajith — Mon, 18 May 2020 07:40:48 GMT

In the given context, you have to apply some ACL on vlan 100 (guest vlan) to prevent it from communicating with your internal network. You can permit to DNS/DHCP & then block to rest of your internal network. Then permit any.

If you want to completely isolate guest traffic, then you tunnel guest traffic to a DMZ WLC, where you do not terminate in your internal corporate switch network. Refer below for more details

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/Enterprise-Mobility-8-5-Design-Guide/Enterprise_Mobility_8-5_Deployment_Guide/WirelessNetwork_GuestAccessService.html

HTH

Rasika

*** Pls rate all useful responses ***

Re: Guest WiFi + Network separation

RS19 — Mon, 18 May 2020 23:51:06 GMT

ACL is one option which I am thinking now.

Regarding vrf currently it is not possible due to some restrictions in the hardware & the design

Re: Guest WiFi + Network separation

RS19 — Mon, 18 May 2020 23:53:54 GMT

Thanks. ACL is the option i am looking for. Regarding the WLC option It is not feasible since I dont have the anchor WLC & also I want to use the local internet in the branch locations to exit to Internet. I dont want my traffic to flow this DC and use Internet at DC .

Re: Guest WiFi + Network separation

RS19 — Sun, 31 May 2020 13:20:22 GMT

Further to the above discussions, I have updated the diagram as attached.

Below is the further explanation.

- In Each floor there is guest VLAN which needs internet access.

- For Each Guest VLAN, I will apply ACL so that It does not communicate with other internal segments.

Questions:

- On Core Switch(L3#1,L3#2) is it required to add default route pointing to R#1 & R#2 ?

- Is it possible to achieve without Default route in R#1 & R#2 ?

The reason for asking this is because if default route is added in L3#1 & L3#2, even other segments will have route to internet which I want to avoid

- I want to have route only to the Guest VLAN(Segment)

How to achieve this ? Is some kind of policy map or policy route in L3#1 & L3#2, will help in achieving this ?

Re: Guest WiFi + Network separation

RS19 — Mon, 01 Jun 2020 02:44:58 GMT

Any help regarding my query

Re: Guest WiFi + Network separation

patoberli — Wed, 03 Jun 2020 08:10:55 GMT

The route should automatically be set, if you have a vlan interface on your core switches. This is also the point (the router for the guest vlan) where you would apply the ACL to that vlan interface.