
SR520 Guest Wireless setup

What is the best and CCA compatible way to set up a guest wireless?

I have created a beacon SSID: Guest, Vlan2 (, DHCP Server for Vlan2 and the laptop connects no problem. The vlan2 has access to the inside network vlan75 (, which I don't want) and internet access.

How do I keep vlan2 as a guest vlan and out of our inside network? I know it's an access-list but how can I do it in a way that does not render me unable to use CCA in the future?

What is the correct way? Please suggest an access-list that would prevent traffic between the two vlans. I am unsure of how to get the vlan2 to use the access-list after I create it.



This document should help answer the majority of your questions.

I am not using a wireless controller in this case. When creating the ssid for the SR520 there is no option for guest.

Hi eoncablewire -

I do understand that the option for an ssid is not present, but the procedure is generally the same. This document provides the building blocks for creating a guest setup that can be applied to the SR520.

You need to:

-create a new VLAN

-create an SSID

-choose security for the connection (or leave it open if that's what you want)

I appreciate your help in this matter. Have you worked with the SR520 yet? The CCA options are nowhere near the same as for the wireless controller and there is NO option for guest wlan, wireless users, or otherwise in the configuration pages within CCA. You can create an SSID and assign a vlan and that's pretty much it.

Everything else with the SR520 is CLI. If you have set up an SR520 with CCA please send me a screenshot so I can see what you are seeing.


You're welcome. I answered quickly earlier before I headed to some meetings, but I'll try to provide some more details here.

Creating a guest wireless network is basically the same as creating any other VLAN / SSID combination.

The steps here will walk you through the exact screens you will see in CCA.

While you will not see 'guest' as a default option, you can follow these directions except you simply add the VLAN-SSID setup manually.

You may want to set up:


SSID Cisco-Guest

DHCP Scope for VLAN 25

As for wireless security, it's up to you whether you want it open or prefer to have it secured and then give guests a password.

Hopefully that makes a little more sense, but just let me know.

It seems you are giving me instructions on how to set up a WLAN. That part is simple. Now I need to restrict the access between the guest WLAN and the corporate network. What do you suggest there?

The problem has been solved. The question was involving access-lists and what to create and how to apply it.

The guest vlan is vlan2 with an ip of and the corporate vlan is vlan75 with an IP address of

So two access-lists were made

access-list 198

10 deny ip any in

20 permit ip any any

access-list 199

10 deny ip any in

20 permit ip any any

Then add the ACL to the BVI interfaces

Bvi2 - Add 'ip access-group 199 in'

Bvi75 - Add 'ip access-group 198 in'

That was it. Now the guest users have no access to the router or the corporate network.

I knew roughly what the ACL should be but my biggest problem was not knowing where to add the ip access-group XXX in statement. I wasn't sure if it needed to be added to Vlan2, or BVI2.
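
The inbound ACL placement described in the post above can be modelled as follows. This is an added example, not part of the original thread and not Cisco code: the subnets are constructed because the thread's addresses are not shown, and the entries assume each list denies the other VLAN's subnet as destination.

```python
import ipaddress

# Constructed subnets: the thread's real addresses are not shown.
GUEST_NET = ("192.168.2.0", "0.0.0.255")   # assumed VLAN 2 range
CORP_NET = ("192.168.75.0", "0.0.0.255")   # assumed VLAN 75 range
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, base, wildcard):
    """IOS wildcard match: bits set to 1 in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, src, dst):
    """First matching entry wins; no match falls to the implicit deny."""
    for seq, action, src_spec, dst_spec in acl:
        if wildcard_match(src, *src_spec) and wildcard_match(dst, *dst_spec):
            return action, seq
    return "deny", None

# Assumed shape of the thread's lists: deny the other VLAN, permit the rest.
ACL_199 = [(10, "deny", ANY, CORP_NET), (20, "permit", ANY, ANY)]   # Bvi2 in
ACL_198 = [(10, "deny", ANY, GUEST_NET), (20, "permit", ANY, ANY)]  # Bvi75 in

# An inbound ACL only sees packets arriving on that interface.
INBOUND = {"Bvi2": ACL_199, "Bvi75": ACL_198}

def check(interface, src, dst):
    """Return (action, matching sequence number) for a packet entering interface."""
    return evaluate(INBOUND[interface], src, dst)

if __name__ == "__main__":
    flows = [
        ("Bvi2", "192.168.2.50", "192.168.75.10"),   # guest -> corporate host
        ("Bvi2", "192.168.2.50", "203.0.113.8"),     # guest -> internet
        ("Bvi75", "192.168.75.10", "192.168.2.50"),  # corporate -> guest
        ("Bvi75", "192.168.75.10", "203.0.113.8"),   # corporate -> internet
    ]
    for iface, src, dst in flows:
        action, seq = check(iface, src, dst)
        print(f"{iface} in  {src:>14} -> {dst:<14} {action} (entry {seq})")
```
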


Great news!

I was digging through ACL commands to recommend to you but this looks good.

OK. Here are the steps that I have done.

on the UC520

created VLAN 25

ip address

default gateway: (the UC520)

dhcp pool AnQ_Guest

ip helper-address

fastEthernet 0/1/7

switchport access vlan 25 (needs access to native vlan (1) also)

on the 521AP

SSID AnQ_guest (broadcast)

vlan 25


SSID Anderson and Quill (non-broadcast)

vlan 1 (native)

open authentication (for now; will be RADIUS)

I can see both networks from a wireless card and can connect to Anderson and Quill fine. I can connect to the AnQ_guest, but I do not receive an IP address and it times out with limited or no connectivity.

Any help would be greatly appreciated.

I have attached the config


The connection between the AP and the UC500 should be a trunk, so do not make that port an access port for VLAN 25. If you use CCA, you can use smartport role "AP" and this should work...