Given the following scenario what would be the best way to restrict the people connecting to this access point so that they can only access the internet and no other internal company resources like our exchange server, print server etc.
I have included a drawing of the setup.
I am going to use the following commands on the AP
AP# configure terminal
AP(config)# ip dhcp excluded-address 192.168.3.1 192.168.3.219
AP(config)# ip dhcp pool RemoteSite
AP(dhcp-config)# network 192.168.3.0 255.255.255.0
AP(dhcp-config)# lease 10
AP(dhcp-config)# default-router 192.168.3.1
AP(dhcp-config)# dns-server 192.168.1.15, 184.108.40.206
And of course I will setup the SSID and WPA key and all that.
So what else do I need to do to accomplish my goal?
Yeah.... You can setup Guest Wireless with the different IP stack from you LAN segment say you have all 192.168.x.x used for your company LAN...... on the WAP connected Switch you can have the ACL limting the Guest Users to access LAN... and further if you want more restrictions you can have much more ACL on the next layers of devices..... etc is one option...
on the AP connected Switch
say your gues VLAN is 172.16.0.0/24 and your corporate LAN is 192.168.0.0/16
access-list 100 extended permit <tcp/udp> 172.16.0.0 255.255.255.0 <dns/dhcp/auth server>
access-list 100 extended deny ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list 100 extended permit tcp 172.16.0.0 255.255.255.0 any eq www
access-list 100 extended permit tcp 172.16.0.0 255.255.255.0 any eq https
access-list 100 extended permit udp 172.16.0.0 255.255.255.0 any eq domain
access-list 100 extended deny ip any any
like the above ACL you can have the restrictions which is a simple way to do.
Please do rate for the helpful posts and do remember to select the correct answers.
So presumably I will have to add additional routing on the layer 3 switches and the core router as well as possibly the firewall correct?
I am using static routes on everything not RIP, OSPF or EIGRP.
This is the only site that needs to have a guest network so I could just make the guest subnet like 172.16.35.x 255.255.255.0 right?
Then I would have to add routes to allow traffic from the 172.16.35.x network back through the infrastructure and out the internet?
Yes. Correct... without routing the wireless LAN through metro Ethernet towards corp site to exit to internet..... You can control at 1st exit on the access point connected switch.... then you can filter in firewall as well and you can dedicate a separate NAT ip for the guest wireless.... then it will be good if you have spare public ip for that.... you have many methods.... but this is the simplest of all....