DHCP Scope For Guest Wireless

lopema2013
Level 1

I have a small branch office that is using a Cisco WAP571-AC/N for the wireless network. We are using Router On A Stick between our router and switch. I want to separate Guest users from internal users by creating a DHCP scope on the router instead of our local domain controller. Any help straightening me out is appreciated as I do not want to overly complicate it if possible.

 

My questions are:

1. Will this DHCP scope config be sufficient?

2. Will this work?

3. Traffic needs to traverse the trunk and I am wondering how to keep Guest from talking to the internal VLANs, an ACL on the physical or sub-interface?

 

!!!ROUTER!!!

!

service dhcp
!
! excluded-address is a global command, not a pool sub-command
ip dhcp excluded-address 3.3.3.1 3.3.3.10
!
! pool names cannot contain spaces
ip dhcp pool Guest_WLAN
 network 3.3.3.0 255.255.255.224
 dns-server 8.8.8.8 8.8.4.4
 default-router 3.3.3.1


6 Replies

Seb Rupik
VIP Alumni

Hi there,

If "router" is also the device which will provide the Layer3 (3.3.3.1) interface for your guest wireless, then yes for points 1 and 2.

 

Typically you would place the Layer3 interface(s) used for the guest wireless in a separate VRF from the rest of your network. You can then provide a default route directed at a firewall interface, providing a way of ensuring all inter-VRF traffic is policed via firewall.

 

If you don't have a firewall, then you will need to use an inbound ACL on the guest wireless L3 interface to provide the isolation you require.

 

cheers,

Seb.

Excellent, thank you. We do not have a firewall onsite. I presume the inbound ACL on the L3 sub-interface on the router would look something like this.

 

L3 Interface subnets:

VLAN  1 on subnet 1.1.1.0/24 

VLAN  2 on subnet 2.2.2.0/24:

 

ip access-list extended Guest_WLAN
 deny ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
 deny ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
 permit ip any any

Add ACL to L3 interface:

int g0/0/0.3
 ip access-group Guest_WLAN in

Almost. The ACL is <source> <destination>, so:

 

!
ip access-list extended Guest_WLAN
  deny ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
  deny ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255
  permit ip any any
!

It is worth noting that devices in VLAN1 and VLAN2 would be able to reach the wifi devices, but the return traffic would be blocked by the ACL. So ideally you would need an inbound ACL on the VLAN1 and VLAN2 L3 interfaces blocking traffic to 3.3.3.0/24  . As you can see this doesn't scale very well, and why a stateful firewall is better.

 

cheers,

Seb.
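The source/destination ordering in this reply, and the return-traffic caveat, can be checked without a router. The following is an added Python model, not code from the thread or from Cisco: it parses the two ACLs shown above plus two constructed ACLs (names VLAN1_in and VLAN2_in are assumptions) for the inbound side of the VLAN1 and VLAN2 interfaces, then evaluates a flow and its reply against the ACL applied inbound on each ingress interface. Host addresses and the /24 subnets follow the thread's ACLs; the internet host is a constructed documentation address.

```python
"""Stateless IOS extended-ACL evaluation for the thread's guest-isolation design.

Added example (not from the thread or from Cisco). It shows why the ACL inbound on
the guest interface must list the guest subnet as the source, and why a stateless
ACL on one side still lets internal hosts reach guests (only the reply is dropped).
"""
import ipaddress

# ACL text from the thread: the original poster's first attempt ...
OP_ACL = """
ip access-list extended Guest_WLAN
  deny ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
  deny ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
  permit ip any any
"""

# ... and Seb's corrected version (source is the guest subnet).
SEB_ACL = """
ip access-list extended Guest_WLAN
  deny ip 3.3.3.0 0.0.0.255 1.1.1.0 0.0.0.255
  deny ip 3.3.3.0 0.0.0.255 2.2.2.0 0.0.0.255
  permit ip any any
"""

# Constructed ACLs (names are assumptions) for the inbound side of VLAN1 and VLAN2,
# as the reply recommends, so internal hosts cannot initiate flows to the guest subnet.
VLAN1_ACL = """
ip access-list extended VLAN1_in
  deny ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
  permit ip any any
"""
VLAN2_ACL = """
ip access-list extended VLAN2_in
  deny ip 2.2.2.0 0.0.0.255 3.3.3.0 0.0.0.255
  permit ip any any
"""


def wildcard_to_network(addr, wildcard):
    """IOS writes 'address wildcard'; the wildcard is the bitwise inverse of the mask."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _take_address(tokens, i):
    """Consume one address spec at tokens[i]: 'any' or 'address wildcard'."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Return [(action, src_net, dst_net), ...] for the 'permit/deny ip ...' lines."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue  # skips blank lines, '!' and the 'ip access-list extended NAME' header
        src, i = _take_address(tokens, 2)
        dst, _ = _take_address(tokens, i)
        entries.append((tokens[0], src, dst))
    return entries


def evaluate(acl, src_ip, dst_ip):
    """First matching entry wins; an ACL with no match denies implicitly; no ACL permits."""
    if acl is None:
        return "permit"
    for action, src_net, dst_net in acl:
        if src_ip in src_net and dst_ip in dst_net:
            return action
    return "deny"


def build_interfaces(guest_acl_text, internal_acl_texts=(None, None)):
    """Map each routed interface's subnet to the ACL applied inbound on it.
    The 0.0.0.0/0 entry stands in for the upstream interface and must stay last."""
    vlan1, vlan2 = (parse_acl(t) if t else None for t in internal_acl_texts)
    return {
        ipaddress.IPv4Network("1.1.1.0/24"): vlan1,
        ipaddress.IPv4Network("2.2.2.0/24"): vlan2,
        ipaddress.IPv4Network("3.3.3.0/24"): parse_acl(guest_acl_text),
        ipaddress.IPv4Network("0.0.0.0/0"): None,
    }


def ingress_acl(interfaces, ip):
    """The ingress interface is the one whose subnet contains the packet's source."""
    for net, acl in interfaces.items():
        if ip in net:
            return acl
    raise ValueError(f"no interface for {ip}")


def forward_and_reply(interfaces, src, dst):
    """Evaluate src->dst on its ingress ACL, then the reply dst->src on its own ingress
    ACL. Returns (forward, reply); reply is 'unreached' if the forward packet was dropped."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    forward = evaluate(ingress_acl(interfaces, src), src, dst)
    if forward == "deny":
        return forward, "unreached"
    return forward, evaluate(ingress_acl(interfaces, dst), dst, src)


if __name__ == "__main__":
    guest, internal, internet = "3.3.3.20", "1.1.1.10", "203.0.113.5"  # constructed hosts
    both = build_interfaces(SEB_ACL, (VLAN1_ACL, VLAN2_ACL))
    scenarios = {
        "OP ACL, guest -> internal": (build_interfaces(OP_ACL), guest, internal),
        "Seb ACL, guest -> internal": (build_interfaces(SEB_ACL), guest, internal),
        "Seb ACL, internal -> guest": (build_interfaces(SEB_ACL), internal, guest),
        "Seb ACL + VLAN ACLs, internal -> guest": (both, internal, guest),
        "Seb ACL, guest -> internet": (build_interfaces(SEB_ACL), guest, internet),
    }
    for name, args in scenarios.items():
        print(f"{name}: forward/reply = {forward_and_reply(*args)}")
```

The first scenario is the one to notice: with the source and destination swapped, the guest interface ACL never matches a packet that actually enters on that interface, so guest-to-internal traffic is permitted in both directions. With the corrected ACL alone, an internal host can still open a connection to a guest; only the reply is dropped, which is the stateless-ACL limitation the reply describes and the reason for the extra inbound ACLs on VLAN1 and VLAN2.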

Thank you. I agree that a stateful firewall would be best, but it is a small office so that may be cost prohibitive.

I was thinking the ACL placed inbound on the Guest L3 interface would have to have the L3 subnets blocked (deny 2.2.2.x {source} to 3.3.3.x {destination}) and let anything else back in.

I will write up my ACL the way you indicated and apply inbound and test.

 

Thanks again for the help, I appreciate it.

You want to place the Guest_WLAN ACL inbound on the routed interface which will be the default gateway for your Guest wifi devices, so the source would be 3.3.3.0/24.

 

If an IP header with a source address in 1.1.1.0/24 or 2.2.2.0/24 arrived inbound on gi0/0/0.3, then something has gone wrong with your network! :)

 

cheers,

Seb.

Thanks again! That makes sense, I had it backwards in my head for some reason :-)