01-23-2017 07:26 AM - edited 03-08-2019 09:01 AM
Hello! I'm a first-time poster and I'm here for some tips.
First what we want to achieve:
We want a network with a Windows server that gives DHCP, attached to that we have a switch and then the Cisco Aironet 1200 series router that we want to use as an access point. We want the access point to give two SSIDs: a guest network and a 'private' network. The guest network has to be able to reach the internet, but nothing else.
The private network has to be able to see all the other devices. The problem here is that if the guest network is not allowed to see the server, it won't get to the DHCP server.
My question is simple: how would you solve a problem like this? I read some things about firewalls or VLANs, but I'm quite new to this so I'm not sure what it means or how to configure it on this router.
I hope someone is so kind to help me with this issue, thank you in advance!
01-23-2017 07:39 AM
Take a look at this doc regarding configuring multiple VLANs.
You could then use an ACL that allows only DHCP/DNS from the guest network to your server. The ACL should block other traffic. Here's an example.
https://supportforums.cisco.com/discussion/12200356/guest-vlan-acl
Your network topology could be different, but this should give you a start in the right direction.
Brandon
01-23-2017 12:53 PM
The way I accomplished this is with a separate VLAN and an ACL on my core switch (layer 3 router). Assign the Guest SSID to the Guest VLAN on the AP and apply the Guest ACL to the Guest VLAN on the core switch. The ACL on my core switch looks like this (Note: VLAN 101 is my Guest VLAN):
Extended IP access list VLAN101-IPv4-In
permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq domain
permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq www
permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 443
permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 554
permit udp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq domain
permit udp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq bootps
permit udp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 5004
permit udp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 5005
deny ip 172.16.101.0 0.0.0.255 172.16.1.0 0.0.0.255
deny ip 172.16.101.0 0.0.0.255 172.16.2.0 0.0.0.255
deny ip 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255
deny ip 172.16.101.0 0.0.0.255 172.16.100.0 0.0.0.255
permit ip any any
Extended IP access list VLAN101-IPv4-Out
permit tcp 172.16.10.0 0.0.0.255 eq domain 172.16.101.0 0.0.0.255
permit tcp 172.16.10.0 0.0.0.255 eq www 172.16.101.0 0.0.0.255
permit tcp 172.16.10.0 0.0.0.255 eq 443 172.16.101.0 0.0.0.255
permit tcp 172.16.10.0 0.0.0.255 eq 554 172.16.101.0 0.0.0.255
permit udp 172.16.10.0 0.0.0.255 eq domain 172.16.101.0 0.0.0.255
permit udp 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255 eq bootpc
permit udp 172.16.10.0 0.0.0.255 eq 5004 172.16.101.0 0.0.0.255
permit udp 172.16.10.0 0.0.0.255 eq 5005 172.16.101.0 0.0.0.255
deny ip 172.16.1.0 0.0.0.255 172.16.101.0 0.0.0.255
deny ip 172.16.2.0 0.0.0.255 172.16.101.0 0.0.0.255
deny ip 172.16.10.0 0.0.0.255 172.16.101.0 0.0.0.255
deny ip 172.16.100.0 0.0.0.255 172.16.101.0 0.0.0.255
permit ip any any
This allows the traffic that is necessary on the 172.16.10.X subnet, then blocks anything else on that subnet as well as a few others.
Note, here I allowed the guest VLAN to access HTTP/HTTPS and some RTSP stuff on the 172.16.10.X subnet.
If you don't want that, just look at the ports and remove those lines.
Also, you must specifically block every other subnet/VLAN because your last statement is to allow the Internet.
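As an added example (not code from the thread, from Cisco, or from the poster above), here is a small Python checker that parses the inbound ACL exactly as posted, applies IOS first-match semantics with the implicit trailing deny, and verifies the policy the reply describes: a guest client can reach DHCP and DNS on the server subnet and the internet, but not the other internal subnets. The guest client address 172.16.101.50, the server address 172.16.10.5, the LAN host 172.16.1.20 and the internet address 203.0.113.10 are constructed for the check, and the parser only handles the ACE forms that appear in the post (address plus wildcard, `any`, and `eq <port>` on either side), not `host`, ranges or `established`. The second function removes the explicit `deny` lines and shows why the last point above matters: with `permit ip any any` as the final statement, any subnet that is not denied explicitly becomes reachable.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Port keywords as IOS prints them in 'show ip access-lists'; numeric ports pass through.
PORT_NAMES = {"domain": 53, "www": 80, "bootps": 67, "bootpc": 68}


class Ace(NamedTuple):
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    sport: Optional[int]          # None = any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None = any destination port


def _parse_addr(t: List[str], i: int):
    """Consume 'any' or 'A.B.C.D wildcard' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    # An IOS wildcard mask is the bitwise inverse of the subnet mask.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(t[i + 1])) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{t[i]}/{mask}", strict=False), i + 2


def _parse_port(t: List[str], i: int):
    """Consume an optional 'eq <port>' at t[i]; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        tok = t[i + 1]
        return (PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse one ACE: 'eq' after the source address is a source port, after the destination a destination port."""
    t = line.split()
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, _ = _parse_port(t, i)
    return Ace(t[0], t[1], src, sport, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    """Parse the ACEs of one extended ACL as printed by 'show ip access-lists'."""
    lines = (ln.strip() for ln in text.strip().splitlines())
    return [parse_ace(ln) for ln in lines if ln and not ln.startswith("Extended IP access list")]


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str, sport=None, dport=None) -> str:
    """First matching ACE wins; no match falls through to IOS's implicit 'deny ip any any'."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for a in aces:
        if (a.proto in ("ip", proto) and s in a.src and d in a.dst
                and a.sport in (None, sport) and a.dport in (None, dport)):
            return a.action
    return "deny"


# The inbound guest-VLAN ACL exactly as posted above.
VLAN101_IN = """
Extended IP access list VLAN101-IPv4-In
permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq domain
permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq www
permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 443
permit tcp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 554
permit udp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq domain
permit udp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq bootps
permit udp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 5004
permit udp 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255 eq 5005
deny ip 172.16.101.0 0.0.0.255 172.16.1.0 0.0.0.255
deny ip 172.16.101.0 0.0.0.255 172.16.2.0 0.0.0.255
deny ip 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255
deny ip 172.16.101.0 0.0.0.255 172.16.100.0 0.0.0.255
permit ip any any
"""

# Constructed sample flows from a guest client; all addresses are made up for this check.
GUEST_FLOWS = {
    "dhcp-to-server": ("udp", "172.16.101.50", "172.16.10.5", 67),
    "dns-to-server": ("udp", "172.16.101.50", "172.16.10.5", 53),
    "smb-to-server": ("tcp", "172.16.101.50", "172.16.10.5", 445),
    "smb-to-lan-host": ("tcp", "172.16.101.50", "172.16.1.20", 445),
    "https-to-internet": ("tcp", "172.16.101.50", "203.0.113.10", 443),
}


def check_guest_policy(acl_text: str = VLAN101_IN) -> dict:
    """Return {flow: 'permit'|'deny'} for each sample flow against the ACL."""
    aces = parse_acl(acl_text)
    return {n: evaluate(aces, p, s, d, dport=dp) for n, (p, s, d, dp) in GUEST_FLOWS.items()}


def without_explicit_denies(acl_text: str = VLAN101_IN) -> dict:
    """Same check with every 'deny' line removed: the final 'permit ip any any' then admits every internal subnet."""
    kept = "\n".join(ln for ln in acl_text.splitlines() if not ln.strip().startswith("deny"))
    return check_guest_policy(kept)


if __name__ == "__main__":
    for flow, verdict in check_guest_policy().items():
        print(f"{flow:18s} {verdict}")
    print("smb-to-lan-host with deny lines removed:", without_explicit_denies()["smb-to-lan-host"])
```

The same parser handles the `-Out` list, where `eq domain` sits before the destination and therefore becomes a source port, so both lists can be checked for matching forward and return rules. A DHCP discover (source 0.0.0.0, destination 255.255.255.255) matches none of the subnet-specific lines and is admitted by the final `permit ip any any`, which is why the relay still works even though the guest subnet is otherwise cut off from the server.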