06-25-2014 07:23 AM - edited 03-10-2019 12:14 AM
Given the following scenario, what would be the best way to restrict the people connecting to this access point so that they can only access the internet and no other internal company resources, like our Exchange server, print server, etc.?
I have included a drawing of the setup.
I am going to use the following commands on the AP
AP# configure terminal
AP(config)# ip dhcp excluded-address 192.168.3.1 192.168.3.219
AP(config)# ip dhcp pool RemoteSite
AP(dhcp-config)# network 192.168.3.0 255.255.255.0
AP(dhcp-config)# lease 10
AP(dhcp-config)# default-router 192.168.3.1
AP(dhcp-config)# dns-server 192.168.1.15 8.8.8.8
AP(dhcp-config)# end
And of course I will set up the SSID and WPA key and all that.
So what else do I need to do to accomplish my goal?
06-25-2014 11:25 PM
Hi Brown,
Yeah... You can set up Guest Wireless with a different IP range from your LAN segment. Say you have all of 192.168.x.x used for your company LAN... on the WAP-connected switch you can have an ACL limiting the guest users' access to the LAN... and if you want more restrictions you can have more ACLs on the next layers of devices... etc. That is one option...
On the AP-connected switch
========================
Say your guest VLAN is 172.16.0.0/24 and your corporate LAN is 192.168.0.0/16:
access-list 100 permit <tcp/udp> 172.16.0.0 0.0.0.255 host <dns/dhcp/auth server>
access-list 100 deny ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit tcp 172.16.0.0 0.0.0.255 any eq www
access-list 100 permit tcp 172.16.0.0 0.0.0.255 any eq 443
access-list 100 permit udp 172.16.0.0 0.0.0.255 any eq domain
.
.
access-list 100 deny ip any any
With an ACL like the above you can have the restrictions, which is a simple way to do it.
Please do rate for the helpful posts and do remember to select the correct answers.
Regards
Karthik
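To make the ordering of that ACL concrete, here is an added example that is not from the thread or from Cisco: a first-match model of the guest ACL in Python, using the thread's 172.16.0.0/24 guest and 192.168.0.0/16 corporate ranges, the 192.168.1.15 DNS server from the first post standing in for the `<dns/dhcp/auth server>` placeholder, and a constructed internal host 192.168.1.20. It also shows what happens when the deny-to-corporate line is placed after the permit-any lines.

```python
"""First-match model of the guest-VLAN ACL from the thread (added example).
Assumptions: guest VLAN 172.16.0.0/24, corporate LAN 192.168.0.0/16,
192.168.1.15 as the permitted DNS/DHCP server, 192.168.1.20 as a
constructed internal host (e.g. a mail server's OWA on tcp/443)."""
import ipaddress

GUEST = ipaddress.ip_network("172.16.0.0/24")
CORP = ipaddress.ip_network("192.168.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")
DNS_SERVER = ipaddress.ip_network("192.168.1.15/32")  # assumed infrastructure host

# Entries are (action, protocol, source net, destination net, dest port or None),
# in the same order as the ACL posted in the thread.
GUEST_ACL = [
    ("permit", "udp", GUEST, DNS_SERVER, 53),   # infra server the guests may reach
    ("deny",   "ip",  GUEST, CORP, None),       # block everything else on the corp LAN
    ("permit", "tcp", GUEST, ANY, 80),          # www
    ("permit", "tcp", GUEST, ANY, 443),         # https
    ("permit", "udp", GUEST, ANY, 53),          # domain
    ("deny",   "ip",  ANY, ANY, None),          # explicit catch-all deny
]

# Same entries, but with the corporate deny moved below the permit-any lines.
MISORDERED_ACL = [GUEST_ACL[0]] + GUEST_ACL[2:5] + [GUEST_ACL[1], GUEST_ACL[5]]


def evaluate(acl, proto, src, dst, dport=None):
    """Return the action of the first matching entry; IOS also has an
    implicit deny at the end, which the final return models."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in acl:
        if p != "ip" and p != proto:
            continue
        if s not in snet or d not in dnet:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    flows = [("tcp", "172.16.0.50", "8.8.8.8", 443),        # internet https
             ("tcp", "172.16.0.50", "192.168.1.20", 443),   # corp host on 443
             ("udp", "172.16.0.50", "192.168.1.15", 53),    # allowed DNS server
             ("tcp", "172.16.0.50", "192.168.1.15", 445)]   # same server, SMB
    for f in flows:
        print(f, "correct:", evaluate(GUEST_ACL, *f),
              "misordered:", evaluate(MISORDERED_ACL, *f))
```

The misordered list permits a guest to reach 192.168.1.20 on 443, which is the kind of gap a quick review of the ACL ordering on the switch should catch.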
06-26-2014 08:55 AM
So presumably I will have to add additional routing on the layer 3 switches and the core router, as well as possibly the firewall, correct?
I am using static routes on everything, not RIP, OSPF or EIGRP.
This is the only site that needs to have a guest network, so I could just make the guest subnet something like 172.16.35.x 255.255.255.0, right?
Then I would have to add routes to allow traffic from the 172.16.35.x network back through the infrastructure and out to the internet?
06-26-2014 09:35 AM
Yes, correct... without routing the wireless LAN through the metro Ethernet towards the corp site to exit to the internet, you can control it at the first exit, on the access point connected switch... then you can filter in the firewall as well, and you can dedicate a separate NAT IP for the guest wireless... it will be good if you have a spare public IP for that... you have many methods... but this is the simplest of all...
Regards
Karthik