10-12-2009 07:54 AM - edited 03-06-2019 08:05 AM
We would like to provide guests access to the Internet. The guests would need IP through DHCP and not have access to the LAN where servers reside, thus by default they would reside on a different subnet. We have a perimeter router, ASA firewall with DMZ, L2 and L3 switches.
Any suggestions would be appreciated on allowing guests to access the Internet, without access to servers.
10-12-2009 09:30 AM
Should be possible to provide separate internal subnets for guests for which you control access both in and out of. This generally isn't too difficult if you dedicate wired ports and/or wireless AP SSID for guests, can become much more complex if you want to support dynamic wired port mapping and/or multiple AP SSID access.
At L2 guest subnet(s) would also usually map to guest VLAN(s). At L3 you can control access via ACLs and/or using VRFs.
10-12-2009 09:59 AM
How to configure the firewall with multiple internal networks? We are using Active Directory for DHCP to hosts, can the ASA give DHCP address to the guest network?
10-12-2009 05:19 PM
I'm unfamiliar with the capabilities of both AD DHCP and ASAs. If someone else doesn't post answers, you might post the ASA question on one of the security forums (e.g. Security - Firewalling). Cisco routers can usually also do DHCP, don't know what your other options are.
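The guest VLAN, L3 ACL and Cisco-side DHCP mentioned in the replies above, sketched as an IOS-style configuration for an L3 switch. This is an added example, not part of the original posts; VLAN 50, the 192.168.50.0/24 guest subnet, the port name and the 192.0.2.53 DNS placeholder are assumptions to be replaced with the real addressing plan.

```cisco
! Constructed example values: VLAN 50, guest subnet 192.168.50.0/24.
vlan 50
 name GUEST
!
! Guest leases come from the switch, so guests never need a path
! to the internal AD DHCP server.
ip dhcp excluded-address 192.168.50.1 192.168.50.10
ip dhcp pool GUEST
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1
 ! Placeholder resolver: use an external DNS, not the internal AD DNS
 dns-server 192.0.2.53
 ! Short lease (0 days, 8 hours) suits transient guest devices
 lease 0 8
!
ip access-list extended GUEST-IN
 remark DHCP requests and renewals to the local pool
 permit udp any eq bootpc any eq bootps
 remark No guest traffic to any private (RFC 1918) range
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Everything else is Internet-bound
 permit ip any any
!
interface Vlan50
 description Guest gateway
 ip address 192.168.50.1 255.255.255.0
 ! Filter at the guest gateway, before traffic can be routed
 ip access-group GUEST-IN in
 no ip redirects
 no ip proxy-arp
!
! Dedicated guest wired port (interface name is platform-specific)
interface GigabitEthernet1/0/10
 description Guest wired port
 switchport mode access
 switchport access vlan 50
 spanning-tree portfast
```

Denying all three RFC 1918 ranges rather than only today's server subnet keeps guests isolated when new internal subnets are added later; the ASA should still enforce its own policy for the guest subnet on the way out.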