Creating a "Guest" Wireless SSID that only has access to the internet and no other internal resources.

Given the following scenario, what would be the best way to restrict the people connecting to this access point so that they can only access the internet and no other internal company resources, like our Exchange server, print server, etc.?


I have included a drawing of the setup.


I am going to use the following commands on the AP:

AP# configure terminal
! addresses kept out of the pool (the guest gateway, for example)
AP(config)# ip dhcp excluded-address
AP(config)# ip dhcp pool RemoteSite
! guest subnet and mask
AP(dhcp-config)# network
! a bare number is days, so this is a 10-day lease
AP(dhcp-config)# lease 10
AP(dhcp-config)# default-router
AP(dhcp-config)# dns-server
AP(dhcp-config)# end


And of course I will set up the SSID and WPA key and all that.


So what else do I need to do to accomplish my goal?

Hi Brown,

Yes. You can set up the guest wireless network with a different IP range from your LAN segment. Say you have 192.168.x.x used for your company LAN: on the switch the WAP connects to, you can have an ACL limiting the guest users' access to the LAN, and if you want more restrictions you can have further ACLs on the next layers of devices. That is one option.

On the switch the AP connects to:

Say your guest VLAN is <guest subnet> and your corporate LAN is <corporate subnet>:

! entries are matched top to bottom; the first match wins
! first, allow the guest subnet to reach the DNS/DHCP/auth server
access-list 100 permit <tcp/udp> <guest subnet> <wildcard> host <dns/dhcp/auth server>
! then block everything else from the guest subnet to the corporate LAN
access-list 100 deny ip <guest subnet> <wildcard> <corporate subnet> <wildcard>
! then let the guests out to the internet on web and DNS
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 443
access-list 100 permit udp any any eq domain
! the implicit deny, written out explicitly
access-list 100 deny ip any any


With an ACL like the above you can have the restrictions; it is a simple way to do it.


Please rate helpful posts and remember to select the correct answer.
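The point of the answer above is that the ACL is evaluated top to bottom and the first match wins, so the "deny guest to corporate" entry has to sit above the "permit tcp any any eq www/443" entries; otherwise a guest can reach any internal web server (Outlook Web Access on the Exchange server, a printer's admin page) over exactly the ports the guest is allowed for the internet. The following is an added example, not code from the thread or from Cisco: it models IOS access-list semantics in Python so that rule ordering can be checked offline before the ACL is applied. All addresses are constructed sample values; the guest subnet 172.16.35.0/24 is the one the asker proposes later in the thread, 192.168.0.0/16 is the answerer's example corporate range, and the DNS, Exchange and print-server hosts are assumptions.

```python
"""First-match model of the guest-VLAN ACL discussed above.

Added example, not from the original thread or Cisco documentation: it
reproduces IOS access-list semantics (top to bottom, first match wins,
implicit deny at the end) so the rule order can be checked offline.
Every address is a constructed sample value.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

GUEST = ip_network("172.16.35.0/24")        # asker's proposed guest subnet
CORP = ip_network("192.168.0.0/16")         # answerer's example corporate range
ANY = ip_network("0.0.0.0/0")
DNS_SERVER = ip_network("192.168.1.10/32")  # assumed: the one internal host guests may reach


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol, otherwise "tcp"/"udp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None   # None matches any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if ip_address(flow.src) not in rule.src or ip_address(flow.dst) not in rule.dst:
        return False
    return rule.dport is None or rule.dport == flow.dport


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """IOS semantics: the first matching entry decides; no match means deny."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action
    return "deny"


def build_acl(deny_corp_first: bool) -> List[Rule]:
    """The answer's ACL.  With deny_corp_first=False the guest->corporate deny
    is moved below the web permits, which is the common ordering mistake."""
    allow_server = Rule("permit", "udp", GUEST, DNS_SERVER, 53)
    deny_corp = Rule("deny", "ip", GUEST, CORP)
    web_out = [
        Rule("permit", "tcp", ANY, ANY, 80),
        Rule("permit", "tcp", ANY, ANY, 443),
        Rule("permit", "udp", ANY, ANY, 53),
    ]
    deny_all = Rule("deny", "ip", ANY, ANY)
    if deny_corp_first:
        return [allow_server, deny_corp, *web_out, deny_all]
    return [allow_server, *web_out, deny_corp, deny_all]


# Constructed sample flows, as seen inbound on the guest VLAN interface.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "dns":            Flow("udp", "172.16.35.50", "192.168.1.10", 53),
    "exchange-https": Flow("tcp", "172.16.35.50", "192.168.1.20", 443),   # assumed Exchange/OWA
    "printer-raw":    Flow("tcp", "172.16.35.50", "192.168.1.30", 9100),  # assumed print server
    "internet-https": Flow("tcp", "172.16.35.50", "203.0.113.10", 443),
    "internet-smtp":  Flow("tcp", "172.16.35.50", "203.0.113.10", 25),
}


def audit(acl: List[Rule]) -> Dict[str, str]:
    """Decision for every sample flow under the given ACL."""
    return {name: evaluate(acl, flow) for name, flow in SAMPLE_FLOWS.items()}


def leaked_flows(acl: List[Rule]) -> List[str]:
    """Flows into the corporate LAN (other than the permitted server) that get through."""
    return [
        name for name, flow in SAMPLE_FLOWS.items()
        if ip_address(flow.dst) in CORP
        and ip_address(flow.dst) not in DNS_SERVER
        and evaluate(acl, flow) == "permit"
    ]


if __name__ == "__main__":
    for label, order in (("deny before permits", True), ("deny after permits", False)):
        acl = build_acl(order)
        print(f"{label}: {audit(acl)}  leaked: {leaked_flows(acl)}")
```

Running it shows the two orderings agree on every flow except the ones that matter: with the deny above the web permits, `exchange-https` is denied and nothing leaks into the corporate range; with the deny below them, the guest reaches the Exchange server on 443 because the `permit tcp any any eq 443` entry matches first. The same check extends to any extra "permit ... any eq <port>" line added later.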





So presumably I will have to add additional routing on the layer 3 switches and the core router, as well as possibly the firewall, correct?


I am using static routes on everything, not RIP, OSPF or EIGRP.


This is the only site that needs to have a guest network, so I could just make the guest subnet something like 172.16.35.x, right?


Then I would have to add routes to allow traffic from the 172.16.35.x network back through the infrastructure and out to the internet?

Yes, correct... without routing the wireless LAN through the metro Ethernet towards the corporate site to exit to the internet. You can control at the first exit, on the switch the access point connects to; then you can filter in the firewall as well, and you can dedicate a separate NAT IP for the guest wireless, which will be good if you have a spare public IP for that. You have many methods, but this is the simplest of all.
