https://community.cisco.com/t5/wireless/case-study-wireless-and-wired-network/m-p/712279#M29492 <HTML><HEAD></HEAD><BODY><P>Most of what you want to do can be done by associating an SSDI to a given VLAN. </P><P></P><P>You can prevent one wireless client from talking to anther by enabling "Public Secure Packet Forwarding" (PSPF) on the APs. </P><P></P><P>If you use RADIUS (or TACACS+, I believe) you can do authentication / filtering by MAC address at the AP (or you can still do it later in the network, if you want).</P><P></P><P>Cisco ACS would be a good choice for authentication and authorization. It can do the MAC auth, it can access credentials from external databases (i.e., Microsoft AD, Novell Directory, LDAP, SQL ...)</P><P></P><P>You may also want to use some flavor of "captive portal" (Cisco's is "BBSM") which will force guest users to acknowledge the company's "guest usage policy" before proceeding. </P><P></P><P>Are you looking to use standalone (Aironet) or LWAP (Airespace)? </P><P>You could use either, but depending on which you choose may change the back-end setup / infrastructure. </P><P></P><P>Good Luck</P><P></P><P>Scott</P><P></P></BODY></HTML> Sun, 26 Nov 2006 15:52:22 GMT scottmac 2006-11-26T15:52:22Z https://community.cisco.com/t5/wireless/case-study-wireless-and-wired-network/m-p/712278#M29491 <P>Good night,</P><P></P><P>My company need to do a network project. The topology is the following:</P><P></P><P>- Around two hundred units each one at a distinct subnet. One unit may not to communicate with other, only with router.</P><P></P><P>- It's have wireless signal at any local. For this will be used access points.</P><P></P><P>Three user types will exist: 1 - The no registred ones; 2 - The registered ones but with only internet access; 3 - The registered ones with full network access. It's have 3 buildings and one CPD (building 2).</P><P></P><P>The security is the most concern (at layer 2). One idea that I have was use VLAN, one per unit. Each unit access only switch port and router port (multi-vlan port). With 3560 series switches it's possible? One cluster where one switch see others VLAN?</P><P></P><P>The idea is all unit or access point arrive at router first and there the MAC address will be denied or will not.</P><P></P><P>I only have experience at to divide networks using layer 3 (per IP address). VLAN I did only in the same switch.</P><P></P><P>Sorry my english, it's not my native language. </P><P></P><P>Thanks for help.</P> Sat, 03 Jul 2021 20:17:19 GMT https://community.cisco.com/t5/wireless/case-study-wireless-and-wired-network/m-p/712278#M29491 faustopaiva27 2021-07-03T20:17:19Z https://community.cisco.com/t5/wireless/case-study-wireless-and-wired-network/m-p/712279#M29492 <HTML><HEAD></HEAD><BODY><P>Most of what you want to do can be done by associating an SSDI to a given VLAN. </P><P></P><P>You can prevent one wireless client from talking to anther by enabling "Public Secure Packet Forwarding" (PSPF) on the APs. </P><P></P><P>If you use RADIUS (or TACACS+, I believe) you can do authentication / filtering by MAC address at the AP (or you can still do it later in the network, if you want).</P><P></P><P>Cisco ACS would be a good choice for authentication and authorization. It can do the MAC auth, it can access credentials from external databases (i.e., Microsoft AD, Novell Directory, LDAP, SQL ...)</P><P></P><P>You may also want to use some flavor of "captive portal" (Cisco's is "BBSM") which will force guest users to acknowledge the company's "guest usage policy" before proceeding. </P><P></P><P>Are you looking to use standalone (Aironet) or LWAP (Airespace)? </P><P>You could use either, but depending on which you choose may change the back-end setup / infrastructure. </P><P></P><P>Good Luck</P><P></P><P>Scott</P><P></P></BODY></HTML> Sun, 26 Nov 2006 15:52:22 GMT https://community.cisco.com/t5/wireless/case-study-wireless-and-wired-network/m-p/712279#M29492 scottmac 2006-11-26T15:52:22Z