2 Vlans for public and corporate network

riderfaiz
Level 1

Hi everyone,


Hope you can help... I do not have much experience in designing "this" before. We are going to set up a wireless network. However, my manager would like to have the wifi let both public and corporate users log on. Public users will be using only the internet, but corporate users will have access to our network / AD resources. Anyway.. what I am trying to do is to set up 2 VLANs, one for public and one for corporate (I will also set up 2 SSIDs for these two networks). Besides, we are not considering buying a firewall yet. Also, I am concerned about security... for the corporate network I am trying to implement an ACS server, or at least have the wireless system use Active Directory as an authentication server.

My questions are:

- How do I need to set things up so that the public users can only access the internet and cannot access our other VLANs? Do I need to use an access list or a VLAN map to do it? If so, is there any sample to show me how to do it?

 

- For the corporate network, how do I make sure the new wireless VLAN can access the other current VLANs? I will set up this VLAN (and the public VLAN) in our core switch... I have set up VLANs before but never a VLAN for wireless... I wonder if there are any differences.

Finally, do you have a better design than the way I thought of? I will really appreciate any opinions and inputs.

Thank you very much!

Takami Chiro

1 Accepted Solution

Accepted Solutions

Seb Rupik
VIP Alumni

Hi Takami,

Use the below config as a template, changing interfaces as required:

!
hostname gw_router01
!
! Outside (internet-facing) interface; address obtained from the ISP via DHCP
int gi0/0
  desc outside
  ip address dhcp
  ip nat outside
!
! Public wifi VLAN: no ACL here, isolation is enforced on the corporate-side interfaces
int gi0/1
  desc wifi_public
  ip address 10.0.10.254 255.255.255.0
  ip nat inside
!
! Corporate wifi VLAN: ACL 10 applied outbound, so packets sourced from wifi_public
! are dropped before they leave the router towards this subnet (an inbound ACL on this
! interface would only see packets arriving from wifi_corp hosts and never match)
int gi0/2
  desc wifi_corp
  ip address 10.0.20.254 255.255.255.0
  ip access-group 10 out
  ip nat inside
!
! Existing corporate VLAN(s): repeat the same outbound ACL on every internal interface
int gi0/3
  desc corp_vlanX
  ip address 10.10.10.254 255.255.255.0
  ip access-group 10 out
  ip nat inside
!
! PAT (overload) of all inside sources matched by list 20 to the outside interface address
ip nat inside source list 20 interface gi0/0 overload
!
! Standard ACL 10: block sources in the public wifi subnet, allow everything else
access-list 10 deny 10.0.10.0 0.0.0.255
access-list 10 permit any
!
! Standard ACL 20: inside sources eligible for NAT
access-list 20 permit 10.0.10.0 0.0.0.255
access-list 20 permit 10.0.20.0 0.0.0.255
access-list 20 permit 10.10.0.0 0.0.255.255
!

 

I have used routed interfaces in this design, but these could be changed for SVIs depending on your equipment. Public wifi users occupy the 10.0.10.0/24 subnet. An ACL (10) is applied to all other internal interfaces to deny traffic sourced from the 'wifi_public' subnet. Arguably you could use an extended ACL and apply it to Gi0/1 (ip access-group XX out) which would deny traffic destined for internal subnets.

The final piece is the NAT rule to overload all outbound traffic to Gi0/0.

 

It would make more sense to route the wireless traffic on a dedicated firewall than on a core switch, but if this is the equipment you have to hand then it is a good solution.

 

cheers,

Seb.

2921
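As an added example (not Seb's configuration or any Cisco code), here is a small Python model of the template that walks a packet through the ingress ACL, the routing decision, the egress ACL and the NAT rule, and reports whether wifi_public is actually isolated from the corporate subnets for each placement of ACL 10 ('in' versus 'out' on the corporate-side interfaces). The subnets and ACL numbers come from the template; the interface model, the external address 203.0.113.10 and the sample packets are constructed for the example.

```python
# Added example (not Seb's code): a small model of the gateway template that walks a packet
# through ingress ACL, routing, egress ACL and the NAT decision, so the isolation between
# wifi_public and the corporate subnets can be checked before a config is pushed to hardware.
# Subnets and ACL numbers follow the template; the packet samples are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address


@dataclass
class Iface:
    name: str
    network: Optional[IPNet]        # None models the DHCP-addressed outside interface
    nat_inside: bool = False        # 'ip nat inside'
    acl_in: Optional[str] = None    # 'ip access-group <n> in'
    acl_out: Optional[str] = None   # 'ip access-group <n> out'


# Standard numbered ACLs from the template as (action, source network); implicit deny at the end.
ACLS = {
    "10": [("deny", IPNet("10.0.10.0/24")), ("permit", IPNet("0.0.0.0/0"))],
    "20": [("permit", IPNet("10.0.10.0/24")), ("permit", IPNet("10.0.20.0/24")),
           ("permit", IPNet("10.10.0.0/16"))],
}


def std_acl_permits(acl_no, src):
    """Evaluate a standard ACL (source address only) top-down; deny if no entry matches."""
    src = IPAddr(src)
    for action, net in ACLS[acl_no]:
        if src in net:
            return action == "permit"
    return False


def build_topology(acl10_direction):
    """Interfaces of the template; acl10_direction is 'in' or 'out' for ACL 10 on gi0/2 and gi0/3."""
    corp_acl = {"acl_in": "10"} if acl10_direction == "in" else {"acl_out": "10"}
    return [
        Iface("gi0/0", None),
        Iface("gi0/1", IPNet("10.0.10.0/24"), nat_inside=True),
        Iface("gi0/2", IPNet("10.0.20.0/24"), nat_inside=True, **corp_acl),
        Iface("gi0/3", IPNet("10.10.10.0/24"), nat_inside=True, **corp_acl),
    ]


def lookup(ifaces, addr):
    """Longest-prefix match among connected subnets, else the default route via the outside interface."""
    best = None
    for iface in ifaces:
        if iface.network is not None and addr in iface.network:
            if best is None or iface.network.prefixlen > best.network.prefixlen:
                best = iface
    return best or next(i for i in ifaces if i.network is None)


def forward(ifaces, src, dst):
    """Return 'drop:<acl>-<dir>-<iface>', 'forward' or 'forward+nat' for a packet src -> dst."""
    src, dst = IPAddr(src), IPAddr(dst)
    ingress, egress = lookup(ifaces, src), lookup(ifaces, dst)
    if ingress.acl_in and not std_acl_permits(ingress.acl_in, src):
        return f"drop:acl{ingress.acl_in}-in-{ingress.name}"
    if egress.acl_out and not std_acl_permits(egress.acl_out, src):
        return f"drop:acl{egress.acl_out}-out-{egress.name}"
    # PAT overload only applies inside -> outside, and only to sources matched by ACL 20.
    if ingress.nat_inside and egress.network is None and std_acl_permits("20", src):
        return "forward+nat"
    return "forward"


def isolation_report(acl10_direction):
    """Public wifi must reach only the internet; corporate wifi must reach corp VLANs and the internet."""
    ifaces = build_topology(acl10_direction)
    cases = {
        "public->corp_wifi": ("10.0.10.5", "10.0.20.5"),
        "public->corp_vlan": ("10.0.10.5", "10.10.10.20"),
        "public->internet": ("10.0.10.5", "203.0.113.10"),   # constructed external address
        "corp_wifi->corp_vlan": ("10.0.20.5", "10.10.10.20"),
        "corp_wifi->internet": ("10.0.20.5", "203.0.113.10"),
    }
    return {name: forward(ifaces, s, d) for name, (s, d) in cases.items()}


if __name__ == "__main__":
    for direction in ("in", "out"):
        print(f"ACL 10 applied '{direction}' on gi0/2 and gi0/3:")
        for name, verdict in isolation_report(direction).items():
            print(f"  {name:22s} {verdict}")
```

A standard ACL matches only on the source address, and an inbound ACL on gi0/2 only ever sees packets that arrive from wifi_corp hosts, so the report shows that the isolation of the public subnet depends entirely on the direction in which ACL 10 is applied. Running a check like this against the intended config, and then confirming with a test client on the public SSID, is cheaper than discovering the gap after the network is live.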


3 Replies


Hi Seb,

Thank you very much for your prompt response with the detailed template on Friday. That was very helpful :) I am sorry I was off on Friday, but I got your message.

I would like to ask what the purpose of using NAT is? Also, how would the "private" side VLAN be able to communicate with the current VLANs I have?

Thank you very much again.


Takami

Hi Takami,

The example given was a topology plucked from my head. You would need to change the subnets to fit your existing addressing scheme.

 

Regarding NAT, I assume you do not have a large number of public IPv4 addresses to spare, even less to use on 'public wifi'. NAT was included to make the example complete, showing how the internal (corporate & public wifi) would get out to the internet. Of course you will need to change this to fit with your existing core switch config.

 

If you uploaded your core switch config I could take a look at how to change it to facilitate a limited access public wifi VLAN.

 

cheers,

Seb.
