VLAN/switch setup - segmented internal and guest Wi-Fi on same APs

AndrewTaylor
Level 1

We have many APs that broadcast two SSIDs: Internal and Guest. Let's tag these as VLAN 101 and 301 respectively.

The internal network goes through an internal firewall to a DMZ, which then leaves through a DMZ firewall. A traceroute from internal would look like:

  • vl-101-swc1.internal.example.com
  • fwinternal1.internal.example.com
  • fwdmz1.dmz.example.com
  • edge1.transit.example.com
  • ...

 

The goal is for the Guest Wi-Fi to not be visible to, or able to communicate with, the internal network. A traceroute from a guest Wi-Fi device should not show the internal firewall, and the traffic should be tunneled through it somehow.

VLAN 301:

interface Vlan301
 ip address 10.5.144.1 255.255.240.0
 ip helper-address 10.5.1.1

VLAN 124 (created as a 'transport' VLAN for guest to DMZ):

interface Vlan124
 ip address 10.5.250.0 255.255.255.254

The idea for the above is to make this some sort of special gateway for guest Wi-Fi traffic to use; this is just a thought in progress for now.

Interface hosting the internal firewall:

 description fwinternal1-site.internal pfSense
 ! access VLAN 123 is the same idea as VLAN 124 above but for internal traffic; works fine
 switchport access vlan 123
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 123
 switchport trunk allowed vlan 123,124
 switchport mode trunk

Example interface config hosting an AP:

 description ap2-site (server room)
 switchport access vlan 301
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 101
 switchport trunk allowed vlan 101,301
 switchport mode trunk

  • Internal network: 10.0.0.0/14
  • DMZ network: 10.4.0.0/14
  • GW of last resort: internal firewall, patched directly into switch
  • Switch: Cisco 3750X with IP license (layer 3, routing enabled)
  • APs: UniFi (supports vlan tagging, set up already for 101 and 301)
  • Firewalls: PFSense (supports vlan tagging, not set up)

balaji.bandi
Hall of Fame

If the port is a trunk and you have an allowed list, you do not need the line below (remove the access VLAN config and test it):

switchport access vlan 301

 

Note: not sure this fixes it; we need a high-level network diagram of how these are connected.

 

BB

"The goal is for the Guest Wi-Fi to not be visible or able to communicate with the internal network. A traceroute from a guest wi-fi device should not show the internal firewall and the traffic should be tunneled through it somehow."

The best design for you is to use an anchor WLC. With WLC anchoring, you put another WLC in the DMZ and create a tunnel between your corporate WLC and the anchor WLC.

This way, guest clients might be connected to the same access point as corporate clients, but from the network point of view they will be on a different WLC, and the traceroute will be client > WLC > Internet.

 

I don't have a Cisco wireless infrastructure though, so cannot use the WLC anchoring to DMZ approach.

 

Just put the L3 interface for the guest VLAN on the firewall you want it to go through, i.e. if you don't want it to go via the internal firewall then don't send it that way.

 

Jon

The DMZ firewall is not directly reachable by the switch (it is not connected to it the way the internal firewall is). You need to pass through the internal firewall. The internal firewall supports VLANs and tunnels; I'd like to invisibly send guest VLAN traffic through the internal firewall so it hops out on the DMZ LAN. Does this make sense?

 

wifi ap <--> core switch <-->  internal fw <--> dmz fw <--> edge router

 

The goal is this:

 

Guest Wi-Fi, if tagged as VLAN 301 by the AP:

wifi ap <--> core switch <-----------------> dmz fw

Is there no way you can run a cable from the core switch directly to the DMZ firewall?

 

Jon

Hello


@AndrewTaylor wrote:

Guest WiFi if tagged as vlan 301 by the AP:

wifi ap <--> core switch <-----------------> dmz fw


On the core switch you could create a VRF for the guest L3 interface to segregate it and deny communication to/from all other VLANs, or apply an access-list to do the same.



Kind Regards
Paul
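The VRF-plus-ACL approach Paul suggests, worked through on the thread's own VLAN numbers and addresses, as an added example; this is not configuration from the original post or from any reply. It assumes a 3750X whose IOS feature set supports VRF-lite (`ip vrf`), a pfSense VLAN 124 sub-interface at 10.5.250.1 (hypothetical address) and GigabitEthernet1/0/1 as the uplink to fwinternal1 (hypothetical port). The VRF does the real isolation: its routing table contains only the guest subnets and a default route to the pfSense guest leg, so there is no path to 10.0.0.0/14 from a guest client at all. The ACL is a second, independent control against a later route leak or a mistyped `ip vrf forwarding`.

```cisco
! Added example, not from the thread. Assumed: Gi1/0/1 is the uplink to
! fwinternal1 (pfSense) and 10.5.250.1 is the pfSense address on VLAN 124.
!
! 1. Guest VRF. A fresh VRF has an empty routing table, so there is no path
!    to 10.0.0.0/14 (or any other global-table VLAN) unless someone adds one.
ip vrf GUEST
 description Guest Wi-Fi - no routes to internal
!
vlan 124
 name GUEST-TRANSPORT
vlan 301
 name GUEST-WIFI
!
! 2. Guest client SVI in the VRF. "ip vrf forwarding" clears the interface's
!    IP settings, so address and helper are (re-)entered after it.
!    The relay target 10.5.1.1 is reached via the VRF default route below,
!    i.e. through the pfSense, not through the global routing table.
interface Vlan301
 description Guest Wi-Fi clients
 ip vrf forwarding GUEST
 ip address 10.5.144.1 255.255.240.0
 ip helper-address 10.5.1.1
 ip access-group GUEST-IN in
!
! 3. Transport SVI towards the pfSense guest leg, also in the VRF.
interface Vlan124
 description Guest transport to fwinternal1 (tagged VLAN 124)
 ip vrf forwarding GUEST
 ip address 10.5.250.0 255.255.255.254
!
! 4. The only route in the VRF: everything to the pfSense VLAN 124 address.
ip route vrf GUEST 0.0.0.0 0.0.0.0 10.5.250.1
!
! 5. Trunk to the pfSense: VLAN 123 untagged for internal, VLAN 124 tagged
!    for guest. No "switchport access vlan" is needed on a trunk port.
interface GigabitEthernet1/0/1
 description fwinternal1-site.internal pfSense
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 123
 switchport trunk allowed vlan 123,124
 switchport mode trunk
!
! 6. Defence in depth: even if a route is later leaked into the VRF, guest
!    clients still cannot reach 10.0.0.0/14. DHCP is permitted explicitly
!    (the inbound ACL is evaluated before the relay); what guests may do in
!    the DMZ and beyond stays the firewalls' decision.
ip access-list extended GUEST-IN
 remark allow DHCP from guest clients
 permit udp any eq bootpc any eq bootps
 remark block the whole internal range
 deny   ip any 10.0.0.0 0.3.255.255
 permit ip any any
!
! Checks after applying:
!   show ip vrf interfaces GUEST   -> only Vlan301 and Vlan124 listed
!   show ip route vrf GUEST        -> 10.5.144.0/20, 10.5.250.0/31 and 0.0.0.0/0 only
!   show ip route 10.5.144.0       -> "% Network not in table" in the global table
!   ping vrf GUEST 10.5.250.1      -> pfSense guest leg reachable from the VRF
!   show access-lists GUEST-IN     -> a rising deny counter means a guest probed internal
```

Two caveats a practitioner would check before relying on this. First, whether VRF-lite is available depends on the 3750X feature set and IOS release, so confirm it with `show version` and the platform release notes; the ACL alone works on any L3-capable image and still blocks the internal range, but without the VRF the guest SVI shares the global routing table with everything else. Second, this does not hide the internal firewall from a guest traceroute: the guest path becomes 10.5.144.1, then the pfSense VLAN 124 address, then the DMZ firewall, so the pfSense still appears as a hop, and making it invisible would be a pfSense bridging question that the thread does not settle.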