Wireless and Wireless Guest

jjnewbill
Level 1

Hello,

I am looking to configure a wired and wireless guest network. I have industrial barcode scanners that connect to one SSID and then there is the business network on the office SSID (no VLAN separation for these devices, just different SSIDs). There is not really a need to separate the business network from the scanners in any case. However, there are needs for a guest network and this needs to be separated. At the bare minimum I would like to have the wireless guest network. Here is what I have:

  • 2125 Wireless LAN controller managing 18 LAPs (1 indoor and 17 outdoors)
  • Cisco Cat 2950 switches (2 x 24 port and soon to be replaced with 2 x 48 port 2960s with 802.1x capability)
  • Sonicwall TZ210 firewall
  • One existing wired and trunked VLAN for PLC infrastructure.
  • One ESXi hosting Windows server guests (soon to be 2 with vMotion)

The reason for the wired guest access network is to prevent anyone from plugging into the wall jack in the office with their home laptops or anyone else from being on the same subnet as our domain machines. Granted they would be unauthenticated but there would be no layer 2 separation and that is what I think would be best.

How would I go about doing this on the wireless controller without an anchor controller just using my existing hardware? I would like to have the Guest SSID only available in the front office. Is it possible to offer a guest network while still servicing the business network SSID on the same access point? Then might I be able to have the guest network be treated as it should at the controller? However, this might present another issue altogether as the guest traffic will be over the same wire as the business SSID until it hits the controller for management. Please advise.

Any help appreciated and if I missed anything I will provide more information.

Thanks,

Jeff


Accepted Solutions

ALIAOF_
Level 6

Well, there are multiple ways to do it, but first I'm not understanding your wired access theory. You should be protecting your switch ports with the MAC address of the actual corporate computers. I've always set up ports to shut down if they detect a different MAC and more than one MAC. Any unused ports should be turned off. So this policy should take care of the wired access. You can also put the unused ports on a guest VLAN if you like, so if someone does connect and somehow that port is not turned off they will only be on the guest VLAN.

For the wireless, do the same: use that guest VLAN. Not sure how SonicWall works, but you can put the guest VLAN in a DMZ. By the way, Cisco WLC uses ACLs too, so you can also use those ACLs. However, I personally don't like the idea of using ACLs on the WLC; I'd much rather use the firewall for that purpose.
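
An added example, not posted by either participant: a short Python audit that checks a switch running-config against the wired policy described in the accepted answer (port security on in-use access ports, unused ports shut down and parked in the guest VLAN). The config excerpt, the interface names, the list of unused ports and guest VLAN 99 are all constructed assumptions; the check relies on IOS leaving the port-security defaults (maximum 1, violation shutdown) out of the running config.

```python
import re
# Constructed running-config excerpt, not taken from the thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
!
interface FastEthernet0/4
 switchport access vlan 99
 switchport mode access
 shutdown
!
interface FastEthernet0/5
!
"""
BLOCK = re.compile(r"^interface (\S+)\n(.*?)^!$", re.M | re.S)
OPTION = re.compile(r"^ *switchport port-security (maximum|violation) (\S+)$", re.M)

def audit(config, unused_ports, guest_vlan=99):  # 99 is an assumed guest VLAN id
    """Return {port: [findings]} for access ports that break the policy."""
    findings = {}
    for port, text in BLOCK.findall(config):
        body, issues = [line.strip() for line in text.splitlines()], []
        if "switchport mode trunk" in body:
            continue  # trunks are out of scope for this check
        if port in unused_ports:
            if "shutdown" not in body:
                issues.append("unused port is enabled")
            if f"switchport access vlan {guest_vlan}" not in body:
                issues.append("unused port is not in the guest VLAN")
        else:
            opts = dict(OPTION.findall(text))
            if "switchport port-security" not in body:
                issues.append("port security is not enabled")
            if int(opts.get("maximum", 1)) > 1:  # IOS omits the default of 1
                issues.append("more than one MAC address is allowed")
            if opts.get("violation", "shutdown") != "shutdown":  # default: shutdown
                issues.append("violation action is not shutdown")
        if issues:
            findings[port] = issues
    return findings
```

Calling `audit(SAMPLE_CONFIG, {"FastEthernet0/4", "FastEthernet0/5"})` reports Fa0/2, Fa0/3 and Fa0/5, and passes Fa0/1 and Fa0/4.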
