06-02-2009 02:50 PM
What is the best and CCA compatible way to set up a guest wireless?
I have created a beacon SSID: Guest, Vlan2 (10.1.11.0), DHCP Server for Vlan2 and the laptop connects no problem. The vlan2 has access to the inside network vlan75 (192.168.1.0, which I don't want) and internet access.
How do I keep vlan2 as a guest vlan and out of our inside network? I know it's an access-list but how can I do it in a way that does not render me unable to use CCA in the future?
What is the correct way? Please suggest an access-list that would prevent traffic between the two vlans. I am unsure of how to get the vlan2 to use the access-list after I create it.
Thanks
06-02-2009 04:49 PM
This document should help answer the majority of your questions.
http://www.cisco.com/en/US/docs/wireless/controller/526/1.5/configuration/guide/7_guest_access.html
06-02-2009 05:27 PM
I am not using a wireless controller in this case. When creating the ssid for the SR520 there is no option for guest.
06-03-2009 06:42 AM
Hi eoncablewire -
I do understand that the option for an ssid is not present, but the procedure is generally the same. This document provides the building blocks for creating a guest setup that can be applied to the SR520.
You need to:
-create a new VLAN
-create an SSID
-choose security for the connection (or leave it open if that's what you want)
06-03-2009 09:01 AM
I appreciate your help in this matter. Have you worked with the SR520 yet? The CCA options are nowhere near the same as for the wireless controller and there is NO option for guest wlan, wireless users, or otherwise in the configuration pages within CCA. You can create an SSID and assign a vlan and that's pretty much it.
Everything else with the SR520 is CLI. If you have set up an SR520 with CCA please send me a screenshot so I can see what you are seeing.
Thanks
06-03-2009 10:58 AM
You're welcome. I answered quickly earlier before I headed to some meetings, but I'll try to provide some more details here.
Creating a guest wireless network is basically the same as creating any other VLAN / SSID combination.
The steps here will walk you through the exact screens you will see in CCA.
https://www.myciscocommunity.com/docs/DOC-1763
While you will not see 'guest' as a default option, you can follow these directions except you simply add the VLAN-SSID setup manually.
You may want to set up:
VLAN 25
SSID Cisco-Guest
DHCP Scope for VLAN 25 192.168.25.0 255.255.255.0
As for wireless security, it's up to you whether you want it open or prefer to have it secured and then give guests a password.
Hopefully that makes a little more sense, but just let me know.
06-05-2009 11:00 AM
It seems you are giving me instructions on how to set up a WLAN. That part is simple. Now I need to restrict the access between the guest WLAN and the corporate network. What do you suggest there?
06-05-2009 12:18 PM
The problem has been solved. The question was involving access-lists and what to create and how to apply it.
The guest vlan is vlan2 with an IP address of 10.1.10.1 and the corporate vlan is vlan75 with an IP address of 192.168.75.1.
So two access-lists were made:
ip access-list extended 198
 10 deny ip any 10.1.10.0 0.0.0.255
 20 permit ip any any
ip access-list extended 199
 10 deny ip any 192.168.75.0 0.0.0.255
 20 permit ip any any
Then add the ACL to the BVI interfaces
Bvi2 - Add 'ip access-group 199 in'
Bvi75 - Add 'ip access-group 198 in'
That was it. Now the guest users have no access to the router or the corporate network.
I knew roughly what the ACL should be but my biggest problem was not knowing where to add the ip access-group XXX in statement. I wasn't sure if it needed to be added to Vlan2, or BVI2.
Thanks
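Added example, not part of the original posts: a small Python model of the two access-lists above, evaluated first-match with IOS wildcard masks, to check which flows each inbound ACL denies. The sample host addresses (10.1.10.50, 192.168.75.20, 203.0.113.10) are constructed for illustration.

```python
import ipaddress

# The two ACLs from the post above; the trailing "in" is dropped because
# direction is set by "ip access-group ... in" on the BVI, not in the entry.
ACL_198 = ["deny ip any 10.1.10.0 0.0.0.255", "permit ip any any"]     # inbound on BVI75
ACL_199 = ["deny ip any 192.168.75.0 0.0.0.255", "permit ip any any"]  # inbound on BVI2

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_entry(line):
    """Parse 'action ip <src> <dst>'; each address is 'any', 'host A' or 'A WILDCARD'."""
    tokens = line.split()
    action, specs, rest = tokens[0], [], tokens[2:]
    while rest:
        if rest[0] == "any":
            specs.append((0, 0xFFFFFFFF)); rest = rest[1:]
        elif rest[0] == "host":
            specs.append((to_int(rest[1]), 0)); rest = rest[2:]
        else:
            specs.append((to_int(rest[0]), to_int(rest[1]))); rest = rest[2:]
    return action, specs[0], specs[1]

def matches(spec, addr):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bit 1 = ignore, 0 = must match
    return (to_int(addr) & care) == (base & care)

def evaluate(acl, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, s, d in map(parse_entry, acl):
        if matches(s, src) and matches(d, dst):
            return action
    return "deny"

# Constructed sample hosts (not from the thread)
GUEST, CORP, INTERNET = "10.1.10.50", "192.168.75.20", "203.0.113.10"

def report():
    return {
        "guest -> corp host": evaluate(ACL_199, GUEST, CORP),
        "guest -> router 192.168.75.1": evaluate(ACL_199, GUEST, "192.168.75.1"),
        "guest -> router 10.1.10.1": evaluate(ACL_199, GUEST, "10.1.10.1"),
        "guest -> internet": evaluate(ACL_199, GUEST, INTERNET),
        "corp -> guest host": evaluate(ACL_198, CORP, GUEST),
        "corp -> internet": evaluate(ACL_198, CORP, INTERNET),
    }

if __name__ == "__main__":
    for flow, verdict in report().items():
        print(f"{flow:32} {verdict}")
```

In this model the only guest traffic ACL 199 denies is traffic addressed to 192.168.75.0/24; a packet addressed to the router's guest-side address 10.1.10.1 matches the permit line, so restricting management access from the guest VLAN would need its own entry.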
06-05-2009 01:00 PM
Great news!
I was digging through ACL commands to recommend to you but this looks good.
07-17-2009 08:14 AM
ok. here are the steps that I have done.
on the UC520
created VLAN 25
ip address 192.168.2.1 255.255.255.0
default gateway: 192.168.1.1 (the UC520)
dhcp pool AnQ_Guest
192.168.2.0 255.255.255.0
ip helper-address 192.168.1.1
fastEthernet 0/1/7
switchport access vlan 25 (needs access to native vlan (1) also)
on the 521AP
SSID AnQ_guest (broadcast)
vlan 25
WEP Key
SSID Anderson and Quill (non-broadcast)
vlan 1 (native)
open authentication (for now. will be radius)
I can see both networks from a wireless card and can connect to Anderson and Quill fine. I can connect to the AnQ_guest, but I do not receive an ip address and it times out with limited or no connectivity.
any help would be greatly appreciated.
I have attached the config
thanks,
07-24-2009 07:22 AM
The connection between the AP and the UC500 should be a trunk, so do not make that port an access port for VLAN 25. If you use CCA, you can use smartport role "AP" and this should work...
Thanks,
Marcos