Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
989
Views
0
Helpful
3
Replies

wireless guest design + security

Gaj Anna
Level 1
Level 1

‎11-01-2011 03:49 AM - edited ‎07-03-2021 09:01 PM

Hi

Anyone could please advice a recommended way for guest wireless design.

The requirement is to only allow Internet for guest users. The guest user vlan is terminated in a L3 switch and the guest should not see LAN traffic or reach other vlans on the same switch. I tried using a PBR for the guest user vlan setting next hop as firewall but still the users were able to reach other LAN traffic.

The guest SSID is configured to use web authentication (user ID / password) using local user database on a 5500 series controller.

Please advice

Thanks in advance

Gaj

Labels:
0 Helpful
3 Replies 3

Surendra BG
Cisco Employee
Cisco Employee

‎11-01-2011 04:13 AM

Wat ever wireles config that you have need not be changed!! U need to go for Inter VLAN routing to be tweaked!!

That is..

The VLAN that ur using for GUEST should not communicate with rest of the VLANs and allow just Internet traffic, this can be acheived by creating a 2 liner ACL denying traffic for rest of the vlans and allowing the protocols that u need!!

The below may help u..

https://learningnetwork.cisco.com/thread/14122

Please dont forget to rate the usefull posts!! Rating will help others as well to get the right resource!!

Regards

Surendra

Regards
Surendra BG
0 Helpful

Gaj Anna
Level 1
Level 1
In response to Surendra BG

‎11-01-2011 09:49 PM

Thanks.

I was thinking how to seperate Guest traffic from the normal LAN traffic.Is there any other way we could seperate guest traffic without an anchor?

Gaj

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to Gaj Anna

‎11-02-2011 05:54 AM

Just to add to this... you can, but if you have a layer 3 interface for your guest, you will need to create access lists.  What you also can do is not create a layer 3 interface for you guest and then connect that vlan into your dmz, if you have a dmz.

-Scott
*** Please rate helpful posts ***
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card